[Bug]: Unable to add/remove AS2

[saikrishnagaddipati]

Terraform Core Version

0.14.11

AWS Provider Version

4.66.1

Affected Resource(s)

aws_transfer_server

identity_provider_type = "SERVICE_MANAGED"
protocols = ["AS2","SFTP"]

Expected Behavior

AS2 protocol should be added/removed to AWS transfer server.

Actual Behavior

AS2 tries to delete transfer workflow and fails because workflow is still use by transfer server.

Relevant Error/Panic Output Snippet

Error: deleting Transfer Workflow (w-434d33afbecbbf7e4): InvalidRequestException: Workflow is still in use by server s-81c8f4c167ca42109

Terraform Configuration Files

resource "aws_transfer_server" "example" {
endpoint_type = "VPC"

endpoint_details {
subnet_ids = [aws_subnet.example.id]
vpc_id = aws_vpc.example.id
}

protocols = ["SFTP", "AS2"]
certificate = aws_acm_certificate.example.arn

identity_provider_type = "SERVICE_MANAGED"
url = "${aws_api_gateway_deployment.example.invoke_url}${aws_api_gateway_resource.example.path}"
}

Steps to Reproduce

create a transfer server with "SFTP" protocol with workflow_details.
After the transfer server with SFTP is created.
Add AS2 protocol and apply terraform.

terraform fails with below error.
Error: deleting Transfer Workflow (w-434d33afbecbbf7e4): InvalidRequestException: Workflow is still in use by server s-81c8f4c167ca42109

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

My code with workflow

#Creates transfer server
resource "aws_transfer_server" "my_transfer_server" {
  depends_on           = [aws_transfer_workflow.call_avscan_lambda]
  security_policy_name = "TransferSecurityPolicy-2020-06"
  endpoint_type        = "VPC"
  endpoint_details {
    address_allocation_ids = [EIP1, EIP2, EIP3]
    subnet_ids             = [subPub1, subPub2, subPub3]
    security_group_ids     = [transfer-sg-id]
    vpc_id                 = myvpcID
  }
  identity_provider_type = "SERVICE_MANAGED"
  protocols              = ["SFTP", "AS2"]
  protocol_details {
    as2_transports = ["HTTP"]
  }

  workflow_details {
    on_upload {
      execution_role = "transfer-workflow-role"
      workflow_id    = aws_transfer_workflow.call_avscan_lambda.id
    }
  }
  logging_role = "transfer-cloudwatch-logging-role"
  lifecycle {
    ignore_changes = [
      protocols
    ]
  }
}

#AWS Transfer Workflow to trigger avscan
resource "aws_transfer_workflow" "call_avscan_lambda" {
  description = "call-avscan-lambda"
  steps {
    custom_step_details {
      name            = "call_avscan_lambda"
      target          = "trigger_mylambda"
      timeout_seconds = 600
    }
    type = "CUSTOM"
  }
}

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Related: #29406
Related: #27689

[jud-waite]

Hi @saikrishnagaddipati, do you have a need to use workflows with AS2? Or only with SFTP? Beyond the expectation of adding/removing AS2 from the server, would you expect workflows to work / be invoked by both SFTP and AS2? Currently, workflows are not supported with AS2, though we do plan to add support in the coming months. Could you reach out to me at [email protected], I'd like to learn more about your use case and needs.

[saikrishnagaddipati]

@jud-waite
currently workflows aren't supported by AS2.
I am not using workflows with AS2 currently. But i am using workflows with SFTP.
Would be great if we have the workflows supported by both SFTP & AS2.

[jud-waite]

Hello @saikrishnagaddipati, could you please attempt to enable AS2 on an SFTP server without a workflow? Do you receive an error? What about creating a new AS2 server from Terraform with or without a workflow? Do you receive an error then? We are currently working to support Terraform for our AS2 protocol, but is likely the source of your problem. Please watch this issue to be notified when we official support AS2 for Terraform. #29406

[seanfisher]

Hi, this is happening for us on Terraform 1.3.1 and hashicorp/aws 5.55.0.

For us it has nothing to do with AS2. To reproduce, create an SFTP server with an associated workflow with Terraform.

Then change something about the workflow that forces replacement (e.g., change one of the step names).

Terraform tries to delete the workflow to replace it, but AWS doesn't allow it with:

operation error Transfer: DeleteWorkflow, InvalidRequestException: Workflow is still in use by server s-xxxxxxxxxxxxx

Workaround is to use the console to create a dummy Workflow, change the server to point to the dummy workflow, then run the Terraform, which can now delete the original workflow, re-create it, and update the Transfer server to point to the new workflow. Then manually delete the dummy Workflow.

I assume there's some limitation on the AWS API side that doesn't allow un-associating a workflow with a transfer server, it just allows switching to a different workflow. At least, in the console it doesn't allow it.