In the initial setting of NLB, deregistration_delay is not applied.

[notemusic110]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Relates #19953

Terraform CLI and Terraform AWS Provider Version

Terraform CLI : Terraform v0.12.24
Terraform AWS Provider Version : 3.25.0

Affected Resource(s)

• resource_aws_lb_target_group

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "aws_lb" "nlb" {
  name                             = "staging-choong-nlb-test"
  internal                         = true
  load_balancer_type               = "network"
  enable_cross_zone_load_balancing = true
  enable_deletion_protection       = false
  ip_address_type                  = "ipv4"
  subnets                          = ### SUBNET id list ###
  tags = {
    Name          = "staging-choong-nlb-test"
  }
}

resource "aws_lb_target_group" "target_group" {
  vpc_id               = ### VPC ID ###
  name                 = "staging-choong-nlb-test-22"
  port                 = "22"
  protocol             = "TCP"
  target_type          = "instance"
  deregistration_delay = "0"
  slow_start           = "0"
  proxy_protocol_v2    = "false"

  health_check {
    enabled             = true
    interval            = "30"
    port                = "22"
    protocol            = "TCP"
    healthy_threshold   = "3"
    unhealthy_threshold = "3"
  }

  tags = {
    Name          = "staging-choong-nlb-test"
  }
}

resource "aws_lb_listener" "port_list" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = "22"
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target_group.arn
  }
}

Expected Behavior

i was expect that deregistration_delay.timeout_seconds is "0". terraform apply result as below:

# aws_lb_target_group.target_group will be created
  + resource "aws_lb_target_group" "target_group" {
      + arn                                = (known after apply)
      + arn_suffix                         = (known after apply)
      + deregistration_delay               = 0
      + id                                 = (known after apply)
      + lambda_multi_value_headers_enabled = false
      + load_balancing_algorithm_type      = (known after apply)
      + name                               = "staging-choong-nlb-test-22"
      + port                               = 22
      + protocol                           = "TCP"
      + proxy_protocol_v2                  = false
      + slow_start                         = 0
      + tags                               = {
          + "Name" = "staging-choong-nlb-test"
        }
      + target_type                        = "instance"
      + vpc_id                             = ### VPC ID ###

      + health_check {
          + enabled             = true
          + healthy_threshold   = 3
          + interval            = 30
          + matcher             = (known after apply)
          + path                = (known after apply)
          + port                = "22"
          + protocol            = "TCP"
          + timeout             = (known after apply)
          + unhealthy_threshold = 3
        }

      + stickiness {
          + cookie_duration = (known after apply)
          + enabled         = (known after apply)
          + type            = (known after apply)
        }
    }

Actual Behavior

The terraform plan and terraform apply results were all the values ​​I wanted, but they were actually different. the deregistration_delay.timeout_seconds was set to the default value of 300 seconds.
Also, when the plan is executed once more, it is confirmed that it changes from 300 seconds to 0 seconds. I found something wrong in the resource_aws_lb_target_group.so source.

$ aws elbv2 describe-target-group-attributes --target-group-arn= ### ARN Value###
{
    "Attributes": [
        {
            "Value": "false",
            "Key": "proxy_protocol_v2.enabled"
        },
        {
            "Value": "false",
            "Key": "stickiness.enabled"
        },
        {
            "Value": "300",
            "Key": "deregistration_delay.timeout_seconds"
        },
        {
            "Value": "source_ip",
            "Key": "stickiness.type"
        },
        {
            "Value": "false",
            "Key": "deregistration_delay.connection_termination.enabled"
        }
    ]
}

Steps to Reproduce

1. terraform apply

[bflad]

This certainly looks like a bug and if I had to offer a guess, it could be this d.HasChanges():

terraform-provider-aws/aws/resource_aws_lb_target_group.go

Lines 427 to 432 in 0d3fd79

	if d.HasChange("deregistration_delay") {
	attrs = append(attrs, &elbv2.TargetGroupAttribute{
	Key: aws.String("deregistration_delay.timeout_seconds"),
	Value: aws.String(fmt.Sprintf("%d", d.Get("deregistration_delay").(int))),
	})
	}

Is not triggering on creation because the Terraform Plugin SDK is hiding the null -> 0 difference due to legacy type handling. This issue is compounded because this resource is currently following an old practice of calling Update after Create, which is no longer followed in newer resources due to reasons like these. Ideally, the resource Create function should be performing its own ModifyTargetGroupAttributes call if necessary, then returning the Read function instead of returning the Update function.

(The linked PR #17310 is also a valid bug fix, however I would guess that it won't solve this problem since it is only adjusting the Read functionality.)

[notemusic110]

i'm find root cause why Target Group Attribute was not applied custom value. The elbv2 api of aws-sdk-go repo is not exist CreateTargetGroupAttributes method. so, to put a non-default value, you have to induce to modify the attribute once more, as you said. But I don't know if this is the right way.

reference link : https://github.com/aws/aws-sdk-go/blob/master/service/elbv2/api.go

[github-actions]

This functionality has been released in v3.62.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.