terraform-provider-aws: Unable to define http/s health checks for Network Loadbalancer

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Terraform 0.11.1 with AWS Provider 1.6

Affected Resource(s)

Please list the resources as a list, for example:

aws_lb_target_group

If this issue appears to affect multiple resources, it may be an issue with Terraform’s core, so please mention this.

Terraform Configuration Files

resource "aws_lb_target_group" "tcp" {
 # ...
 protocol    = "TCP"
 # ...
 health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = "10"
    port                = "443"
    path                = "/healthz"
    protocol            = "HTTPS"
    interval            = 30
    matcher             = "200-399"
  }
}

Debug Output

Please provider a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Expected Behavior

Setup the expected network loadbalancer like in 1.5

Actual Behavior

* module.lb_internal_master.aws_lb_target_group.tcp: 1 error(s) occurred:

* module.lb_internal_master.aws_lb_target_group.tcp: arn:aws:elasticloadbalancing:eu-central-1:191844718867:targetgroup/openshift-tg-internal-master-443/652998c18664d76d: custom matcher is not supported for target_groups with TCP protocol

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

terraform apply

Important Factoids

N/A

References

N/A

About this issue

Original URL
State: closed
Created 7 years ago
Reactions: 7
Comments: 28 (9 by maintainers)

Commits related to this issue

data/aws/vpc: Use HTTPS for load balancer health checks As suggested by Dani Comnea [1]. When we switched to network load balancers in 16dfbb35 (data/aws: use nlbs instead of elbs, 2018-11-01, #594)... — committed to wking/openshift-installer by wking 6 years ago
pkg/server/api: Add /healthz for load-balancer health checks The server currently 404s the root path. From a master: [core@ip-10-0-26-134 ~]$ curl -ik https://wking-api.devcluster.openshift.com:4... — committed to wking/machine-config-operator by wking 6 years ago
data/aws/vpc: Use HTTPS for load balancer health checks As suggested by Dani Comnea [1]. When we switched to network load balancers in 16dfbb35 (data/aws: use nlbs instead of elbs, 2018-11-01, #594)... — committed to wking/openshift-installer by wking 6 years ago
correct health check for nlb tls target group as per https://github.com/terraform-providers/terraform-provider-aws/issues/2708\#issuecomment-353041848 and try to use HTTP as protocol to support a heal... — committed to goci-io/aws-api-gateway-proxy by etwillbefine 5 years ago

Most upvoted comments

Unfortunately problem persist for Terraform v0.11.11

resource "aws_lb_target_group" "hapee_nlb_target" {
  name = "hapee-test-nlb-tg"

  vpc_id = "${aws_vpc.default.id}"

  port     = 443
  protocol = "TCP"

  health_check {
    interval            = 30
    path                = "/haproxy_status"
    port                = 8080
    timeout             = 5
    healthy_threshold   = 3
    unhealthy_threshold = 3
    matcher             = "200,202"
  }
aws_lb_target_group.hapee_nlb_target: Error creating LB Target Group: InvalidConfigurationRequest: Custom health check timeouts are not supported for health checks for target groups with the TCP protocol

MichalPloski on Jan 25, 2019

PR #2906 lets you create HTTP/HTTPS health checks now 🎉, but it doesn’t fully resolve validation. The protocol can be changed between HTTP and HTTPS, but changing to or from TCP should trigger a recreation plan for the Target Group.

* module.nlb.aws_lb_target_group.nlb[0]: 1 error(s) occurred:

* aws_lb_target_group.nlb.0: Error modifying Target Group: InvalidConfigurationRequest: You cannot change the health check protocol for a target group with the TCP protocol
        status code: 400, request id: 1234567-f7db-11e7-8d49-f37d7e7f4cf3

whereisaaron on Jan 12, 2018

@whereisaaron I just ran into issue switch from TCP to HTTP/HTTPs (it needs to be re-created and terraform doesn’t know that); was a separate issue ever opened to address that?

iancward on Apr 4, 2018

This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

bflad on Jan 12, 2018

After playing with this some more it seems like the current validation is correct here, per what’s enforced by the underlying API. After weakening the check in the provider, I see the following error from the remote API during apply:

InvalidConfigurationRequest: Custom health check matchers are not supported for health checks for target groups with the TCP protocol

The logic I’d implemented – based on the documentation – was to allow custom health check matchers if the healthcheck protocol is HTTP, but it seems that there is an undocumented additional restriction that Matcher may not be set for TCP target groups, regardless of the healthcheck protocol.

However, I see that you all saw something working prior to this validation being added, so I’m now trying to figure out what the old implementation (prior to 1.6) was actually doing in this scenario that was allowing it to work.

apparentlymart on Dec 20, 2017