terraform-provider-aws: [Bug]: v5.23.0 - aws_lb - Load balancer attribute key 'dns_record.client_routing_policy' is not supported on load balancers with type 'network'

Terraform Core Version

1.5.2

AWS Provider Version

v5.23.0

Affected Resource(s)

aws_lb

Expected Behavior

Existing NLB would be updated with the additional target group we added.

Actual Behavior

NLB update fails because an unsupported setting was attempted to be configured.

Relevant Error/Panic Output Snippet

# aws_lb.tempo_nlb will be updated in-place
~ resource "aws_lb" "tempo_nlb" {
    + dns_record_client_routing_policy = "any_availability_zone"
      id                               = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:xxxx:loadbalancer/net/removed-TEMPO-jaeger-DEV/d6d17df92d966d89"
      name                             = "removed-TEMPO-jaeger-DEV"
      tags                             = {
          "Attribution"  = "removed-Foundation_DEV ID: jaeger"
          "DeploymentID" = "jaeger"
          "Description"  = "removed GovCloud Environment"
          "Environment"  = "DEV"
          "Layer"        = "Monitoring"
          "Name"         = "removed-TEMPO-jaeger-DEV"
          "Owner"        = "RDT"
      }
      # (13 unchanged attributes hidden)

      # (3 unchanged blocks hidden)
  }

Error: failure configuring LB attributes: InvalidConfigurationRequest: Load balancer attribute key 'dns_record.client_routing_policy' is not supported on load balancers with type 'network'
	status code: 400, request id: 32defad6-f7ed-45e5-96b4-3add90b61c9b

Terraform Configuration Files

resource "aws_lb" "tempo_nlb" {
  name               = "removed-TEMPO-${var.vpc_id_tag}-${var.platform_env}"
  internal           = true
  load_balancer_type = "network"
  subnets            = [data.aws_subnet.MonitoringSN1.id, data.aws_subnet.MonitoringSN2.id]

  enable_deletion_protection = false

  tags = merge(
    local.tags,
    {
      "Name" = "removed-TEMPO-${var.vpc_id_tag}-${var.platform_env}"
    }
  )
}

Steps to Reproduce

  1. GovCloud account
  2. Deploy basic NLB

Debug Output

No response

Panic Output

No response

Important Factoids

We operate in AWS GovCloud. Client routing policy (DNS record) is not supported in GovCloud, so the default provider deployment is now broken.

Introduced Here: https://github.com/hashicorp/terraform-provider-aws/issues/33992

References

These features are available in all commercial and China Regions.

Would you like to implement a fix?

No

About this issue

  • State: closed
  • Created 8 months ago
  • Reactions: 19
  • Comments: 16 (6 by maintainers)

Most upvoted comments

The dns_record_client_routing_policy = null workaround is insufficient for newly created NLBs, as 5.23.0+ will always send that attribute. Setting it to null still sends the attribute on creation. The same pattern is used for the enable_waf_fail_open attribute https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/elbv2/load_balancer.go#L483-L488

#34140 fixes

@Mike-Nahmias I concur. I just upgraded to v5.31.0 and attempted to re-apply. I got the following error (no other changes to my configuration):

Terraform will perform the following actions:

  # module.lb.aws_lb.this will be updated in-place
  ~ resource "aws_lb" "this" {
      + dns_record_client_routing_policy = "any_availability_zone"
        id                               = "<REDACTED>"
        name                             = "<REDACTED>"
        tags                             = {}
        # (13 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.lb.aws_lb.this: Modifying... [id=<REDACTED>]
╷
│ Error: modifying ELBv2 Load Balancer (<REDACTED>) attributes: ValidationError: Attributes cannot be empty
│       status code: 400, request id: c3bdeeec-4853-4edb-8d81-30a404f52223
│ 
│   with module.lb.aws_lb.this,
│   on .terraform/modules/lb/main.tf line 9, in resource "aws_lb" "this":
│    9: resource "aws_lb" "this" {
│ 
╵

My workaround was to pin the aws provider to an older version.
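Added example, not code from the issue or from the provider: a pre-apply gate over `terraform show -json` plan output that fails a pipeline whenever a planned create or update would set `dns_record_client_routing_policy` on a network load balancer, so the in-place update shown above is caught before the GovCloud API rejects it. The plan JSON layout (`resource_changes`, `change.actions`, `change.after`) is Terraform's documented format; the sample plan, the `nlb_change` helper and the script name are constructed for this example.

```python
import json
import sys

# Terraform argument as it appears in plan output; the provider sends it to the
# API as 'dns_record.client_routing_policy', which GovCloud NLBs reject.
ROUTING_POLICY_ARG = "dns_record_client_routing_policy"


def find_nlb_routing_policy_changes(plan):
    """Return (address, value) for each aws_lb of type 'network' whose planned
    create/update sets dns_record_client_routing_policy to a known value."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_lb" or not {"create", "update"} & set(change.get("actions", [])):
            continue
        after = change.get("after") or {}
        value = after.get(ROUTING_POLICY_ARG)
        # A null value is invisible here (the v5.23.0 provider still sends the
        # attribute on create), so this gate only catches the known-value case.
        if after.get("load_balancer_type") == "network" and value is not None:
            findings.append((rc["address"], value))
    return findings


def nlb_change(address, actions, before_policy, after_policy):
    """Build one constructed resource_changes entry for a network LB."""
    return {"address": address, "type": "aws_lb", "change": {
        "actions": actions,
        "before": {"load_balancer_type": "network", ROUTING_POLICY_ARG: before_policy},
        "after": {"load_balancer_type": "network", ROUTING_POLICY_ARG: after_policy}}}


# Constructed sample mirroring the v5.31.0 comment: one NLB gains the attribute
# in place, a second NLB is updated without touching it.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    nlb_change("module.lb.aws_lb.this", ["update"], None, "any_availability_zone"),
    nlb_change("aws_lb.tempo_nlb", ["update"], None, None),
]}

if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python3 check_nlb_plan.py
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    hits = find_nlb_routing_policy_changes(plan)
    for address, value in hits:
        print(f"{address}: plan sets {ROUTING_POLICY_ARG} = {value!r} on a network LB")
    sys.exit(1 if hits else 0)
```

Because a null value does not show up in the plan, this check complements rather than replaces the provider version pin discussed in the comments.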

Yeah, we can limit aws provider to older versions:

terraform {
  required_providers {
    aws = {
      version = "<= 5.22"
    }
  }
}

My workaround was to pin the aws provider to an older version:

terraform {
  required_providers {
    aws = {
      version = "= 4.42"
    }
  }
}