efs_volume_configuration transit_encryption_port causing replace of task definition #23541

Closed
InbarRose opened this issue Mar 7, 2022 · 12 comments · Fixed by #34020
Labels
bug Addresses a defect in current functionality. service/ecs Issues and PRs that pertain to the ecs service.

@InbarRose

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v1.1.6
on linux_amd64

  • provider registry.terraform.io/hashicorp/aws v3.74.3
  • provider registry.terraform.io/hashicorp/external v2.2.0
  • provider registry.terraform.io/hashicorp/local v2.1.0
  • provider registry.terraform.io/hashicorp/null v3.1.0
  • provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

aws_ecs_task_definition -> volume -> efs_volume_configuration -> transit_encryption_port

relevant code:

reference: https://www.reddit.com/r/Terraform/comments/px60pb/terraform_constantly_reattaches_volumes_when/

  • aws_XXXXX

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

volume {
  name = var.efs_volume_name
  efs_volume_configuration {
    file_system_id     = data.aws_efs_file_system.shared_fs.id
    root_directory     = "/"
    transit_encryption = "DISABLED"
    authorization_config {
      iam = "DISABLED"
    }
  }
}

Expected Behavior

no change

Actual Behavior

it wants to replace

  - volume {
      - name = "efs" -> null
      - efs_volume_configuration {
          - file_system_id          = "fs-07d0e24a8153ed93c" -> null
          - root_directory          = "/" -> null
          - transit_encryption      = "DISABLED" -> null
          - transit_encryption_port = 0 -> null
          - authorization_config {
              - iam = "DISABLED" -> null
            }
        }
    }
  + volume {
      + name = "efs"
      + efs_volume_configuration {
          + file_system_id     = "fs-07d0e24a8153ed93c"
          + root_directory     = "/"
          + transit_encryption = "DISABLED"
          + authorization_config {
              + iam = "DISABLED"
            }
        }
    }

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 7, 2022
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. service/ecs Issues and PRs that pertain to the ecs service. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 7, 2022
@InbarRose
Author

any movement on this?

@markbaird

I'm also seeing this. I would add that you can't set the transit encryption port value to 0 in Terraform. It seems to store it as 0 internally when the value is null or unset, but Terraform doesn't handle that well and results in this perpetual diff.

@amh-mw

amh-mw commented May 13, 2022

Duplicate of #19549?

@dsoprea

dsoprea commented Nov 1, 2022

So annoying. Every time.

@ragumix

ragumix commented Jan 10, 2023

Try to explicitly specify transit_encryption_port = null.

@markbaird

> Try to explicitly specify transit_encryption_port = null.

@ragumix I've done that before. The value is stored as 0 in the state file when the value null is specified. That is the entire issue. It causes the plan to show this diff every time, even when nothing is actually changing.
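
A plan-review check for the behaviour described in this thread, as an added example that is not part of any comment or of the provider's code: it reads plan JSON in the shape produced by `terraform show -json`, reports a task-definition replacement whose only volume difference is `transit_encryption_port` 0 versus unset, and separately reports EFS volumes whose `transit_encryption` is not `ENABLED`. The sample plan is constructed from the values in the issue; the resource address `aws_ecs_task_definition.app` and the finding labels are hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Values mirror the plan shown in the issue; the address is hypothetical.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "aws_ecs_task_definition.app",
  "type": "aws_ecs_task_definition",
  "change": {
    "actions": ["delete", "create"],
    "before": {"volume": [{"name": "efs", "efs_volume_configuration": [{
      "file_system_id": "fs-07d0e24a8153ed93c", "root_directory": "/",
      "transit_encryption": "DISABLED", "transit_encryption_port": 0,
      "authorization_config": [{"iam": "DISABLED"}]}]}]},
    "after": {"volume": [{"name": "efs", "efs_volume_configuration": [{
      "file_system_id": "fs-07d0e24a8153ed93c", "root_directory": "/",
      "transit_encryption": "DISABLED", "transit_encryption_port": null,
      "authorization_config": [{"iam": "DISABLED"}]}]}]}
  }}]}
""")

def normalize(volumes):
    """Serialize volume blocks with port 0 and port null both treated as unset."""
    out = []
    for vol in volumes or []:
        vol = json.loads(json.dumps(vol))  # deep copy, leave the plan untouched
        for efs in vol.get("efs_volume_configuration") or []:
            if efs.get("transit_encryption_port") in (0, None):
                efs.pop("transit_encryption_port", None)
        out.append(json.dumps(vol, sort_keys=True))
    return sorted(out)  # volume blocks are unordered, so compare sorted

def review_plan(plan):
    """Return (address, label) findings for ECS task definitions in a plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_ecs_task_definition":
            continue
        change = rc.get("change", {})
        before = (change.get("before") or {}).get("volume")
        after = (change.get("after") or {}).get("volume")
        replaced = set(change.get("actions", [])) == {"delete", "create"}
        if replaced and before != after and normalize(before) == normalize(after):
            findings.append((rc["address"], "spurious-port-diff"))
        for vol in after or []:
            for efs in vol.get("efs_volume_configuration") or []:
                if efs.get("transit_encryption") != "ENABLED":
                    findings.append((rc["address"], "transit-encryption-off"))
    return findings
```

The first finding only says the volume blocks match once the port is normalized; other attributes of the task definition can still force a replacement and are not compared here.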

@dsoprea

dsoprea commented Jan 10, 2023

> Try to explicitly specify transit_encryption_port = null.

Mentioned earlier in 2022, above.

#23541 (comment)

@bpmb82

bpmb82 commented Feb 23, 2023

Has anyone found a workaround for this? I tried adding transit_encryption_port as a lifecycle ignore but then it starts complaining about it not being set. I can try setting it to some random value I suppose, anyone tried that?

@sethjeffery

The following works for me and does not recreate it on next apply:

  volume {
    name = "efs"
    efs_volume_configuration {
      file_system_id = data.aws_efs_file_system.efs.file_system_id
      transit_encryption_port = null
      transit_encryption = "DISABLED"
      root_directory = "/"
    }
  }

@markbaird

> The following works for me and does not recreate it on next apply:
>
>   volume {
>     name = "efs"
>     efs_volume_configuration {
>       file_system_id = data.aws_efs_file_system.efs.file_system_id
>       transit_encryption_port = null
>       transit_encryption = "DISABLED"
>       root_directory = "/"
>     }
>   }

It makes sense that disabling encryption would fix the issue with the encryption port. However, those of us that need to keep encryption enabled can't use this as a solution.

@github-actions

This functionality has been released in v5.23.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 26, 2023