[Bug]: aws_api_gateway_integration adding connection_type attribute causing change which conflicts with aws_api_gateway_deployment

[jufemaiz]

Terraform Core Version

1.3.7

AWS Provider Version

4.51.0

Affected Resource(s)

• aws_api_gateway_integration
• aws_api_gateway_deployment

Using aws provider v4.51.0 and no changes of attributes to the resources, the plan indicated the following.

resource "aws_api_gateway_deployment" "this" {
  description = "The deployment"
  rest_api_id = aws_api_gateway_rest_api.this.id

  # Triggers - add any `aws_api_gateway_integration`s.
  triggers = {
    redeployment = sha1(join(",", tolist([
      # API V1
      jsonencode(aws_api_gateway_integration.api),
    ])))
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_integration" "api" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  resource_id = aws_api_gateway_resource.api_v1_proxy.id
  http_method = aws_api_gateway_method.api.http_method

  integration_http_method = "POST"      # lambda may be invoked with POST
  type                    = "AWS_PROXY" # for lambda invocation
  uri                     = module.api.lambda_function_invoke_arn
}

Expected Behavior

aws_api_gateway_deployment can be managed.

Actual Behavior

Yields:

# module.bob.module.api_cors.aws_api_gateway_integration.this will be updated in-place
--
  | ~ resource "aws_api_gateway_integration" "this" {
  | + connection_type      = "INTERNET"
  | id                   = "ID"
  | # (10 unchanged attributes hidden)
  | }
  |  

This then had a downstream impact on aws_api_gateway_deployment resources that had a redeployment condition.

│ Error: Provider produced inconsistent final plan
--
  | │
  | │ When expanding the plan for module.bob.aws_api_gateway_deployment.this to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .triggers["redeployment"]: was cty.StringVal("1d26d1d182c77be4e8e38b5dc87dcfaad3986e38"), but now cty.StringVal("8fdf3224234cc20973c590a6e92cc651fbd2637d").
  | │
  | │ This is a bug in the provider, which should be reported in the provider's own issue tracker.
  | ╵
  | ERROR: 1

This is then fine when pinning the aws provider to v4.50.0.

Relevant Error/Panic Output Snippet

Breaking change @ https://github.com/hashicorp/terraform-provider-aws/compare/v4.50.0...v4.51.0#diff-2ca7337426fbff02f724c7eb270b79baa92c8497bb30fedd09df3149c8c85ecbR277

Terraform Configuration Files

resource "aws_api_gateway_deployment" "this" {
  description = "The deployment"
  rest_api_id = aws_api_gateway_rest_api.this.id

  # Triggers - add any `aws_api_gateway_integration`s.
  triggers = {
    redeployment = sha1(join(",", tolist([
      # API V1
      jsonencode(aws_api_gateway_integration.api),
    ])))
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_integration" "api" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  resource_id = aws_api_gateway_resource.api_v1_proxy.id
  http_method = aws_api_gateway_method.api.http_method

  integration_http_method = "POST"      # lambda may be invoked with POST
  type                    = "AWS_PROXY" # for lambda invocation
  uri                     = module.api.lambda_function_invoke_arn
}

Steps to Reproduce

Unsure of the exact nature that causes the state, but it is one where there is a change to the deployment and a change to the integration.#16682

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

• Originating change: Remove extraneous nil checks before d.Set() #16682

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[ewbankkit]

@jufemaiz Thanks for raising this issue and sorry that you hit the problem.
None of our acceptance tests exposed the behavior you are seeing, but after adapting your example configuration I can reproduce it:

% make testacc TESTARGS='-run=TestAccAPIGatewayDeployment_conflictingConnectionType' PKG=apigateway
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/apigateway/... -v -count 1 -parallel 3  -run=TestAccAPIGatewayDeployment_conflictingConnectionType -timeout 180m
=== RUN   TestAccAPIGatewayDeployment_conflictingConnectionType
=== PAUSE TestAccAPIGatewayDeployment_conflictingConnectionType
=== CONT  TestAccAPIGatewayDeployment_conflictingConnectionType
    deployment_test.go:271: Step 1/1 error: After applying this test step, the plan was not empty.
        stdout:
        
        
        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place
        +/- create replacement and then destroy
        
        Terraform will perform the following actions:
        
          # aws_api_gateway_deployment.test must be replaced
        +/- resource "aws_api_gateway_deployment" "test" {
              ~ created_date  = "2023-01-20T16:28:49Z" -> (known after apply)
              ~ execution_arn = "arn:aws:execute-api:us-west-2:187416307283:omb77gq5w6/" -> (known after apply)
              ~ id            = "cn78jr" -> (known after apply)
              ~ invoke_url    = "https://omb77gq5w6.execute-api.us-west-2.amazonaws.com/" -> (known after apply)
              ~ triggers      = { # forces replacement
                  ~ "redeployment" = "8596956da9c859f00f1c36ded4503030bede9d5e" -> "d0ebf389b80c403aeca3b44ee94e6ac52bf1e21d"
                }
                # (2 unchanged attributes hidden)
            }
        
          # aws_api_gateway_integration.test will be updated in-place
          ~ resource "aws_api_gateway_integration" "test" {
              + connection_type         = "INTERNET"
                id                      = "agi-omb77gq5w6-qy43r9-GET"
                # (9 unchanged attributes hidden)
            }
        
        Plan: 1 to add, 1 to change, 1 to destroy.
--- FAIL: TestAccAPIGatewayDeployment_conflictingConnectionType (36.42s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-aws/internal/service/apigateway	41.512s
FAIL
make: *** [testacc] Error 1

We will get a fix in place for next week's Terraform AWS Provider release. Until then you can pin the provider version to 4.50.0.

[jufemaiz]

@jufemaiz Thanks for raising this issue and sorry that you hit the problem. None of our acceptance tests exposed the behavior you are seeing, but after adapting your example configuration I can reproduce it:

Thanks @ewbankkit! I was tearing my hair out for a while trying to track down the source of the issue!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.