Changing the name of an AWS Config Rule creates a duplicate rule #4427

Closed
jbscare opened this issue May 2, 2018 · 7 comments · Fixed by #15136
Labels
bug Addresses a defect in current functionality. service/configservice Issues and PRs that pertain to the configservice service.

jbscare commented May 2, 2018

Terraform Version

+$ terraform -v
Terraform v0.11.7
+ provider.aws v1.16.0

Affected Resource(s)

  • aws_config_config_rule

Terraform Configuration Files

{
  "provider": {
    "aws": {
      "__DEFAULT__": {
        "region": "us-east-1"
      }
    }
  },
  "resource": {
    "aws_config_config_rule": {
      "jbstest-certcheck": {
        "name": "jbstest-certcheck",
        "source": {
          "owner": "AWS",
          "source_identifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"
        }
      }
    }
  }
}

Debug Output

https://gist.github.com/jbscare/daa09aceb771e8d6cddcb9931d83e396

Expected Behavior

When I created a Config Rule with a name that had a typo, and then fixed the typo in the name, I expected the Rule's name to change.

Actual Behavior

Terraform created a second Config rule, leaving the old one around.

Steps to Reproduce

I started with no "jbstest" config rules:

+$ aws configservice describe-config-rules --query "ConfigRules[*].ConfigRuleName" | grep jbstest || echo none
none

I created one:

+$ cat jbstest.tf.json  
{
  "provider": {
    "aws": {
      "__DEFAULT__": {
        "region": "us-east-1"
      }
    }
  },
  "resource": {
    "aws_config_config_rule": {
      "jbstest-certcheck": {
        "name": "jbstest-cetrcehck",
        "source": {
          "owner": "AWS",
          "source_identifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"
        }
      }
    }
  }
}

+$ terraform apply 
aws_config_config_rule.jbstest-certcheck: Refreshing state... (ID: jbstest-certcheck)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_config_config_rule.jbstest-certcheck
      id:                         <computed>
      arn:                        <computed>
      name:                       "jbstest-cetrcehck"
      rule_id:                    <computed>
      source.#:                   "1"
      source.0.owner:             "AWS"
      source.0.source_identifier: "ACM_CERTIFICATE_EXPIRATION_CHECK"


Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_config_config_rule.jbstest-certcheck: Creating...
  arn:                        "" => "<computed>"
  name:                       "" => "jbstest-cetrcehck"
  rule_id:                    "" => "<computed>"
  source.#:                   "0" => "1"
  source.0.owner:             "" => "AWS"
  source.0.source_identifier: "" => "ACM_CERTIFICATE_EXPIRATION_CHECK"
aws_config_config_rule.jbstest-certcheck: Creation complete after 0s (ID: jbstest-cetrcehck)

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Now I've got a jbstest Config Rule:

+$ aws configservice describe-config-rules --query "ConfigRules[*].ConfigRuleName" | grep jbstest || echo none  
    "jbstest-cetrcehck",

I spot a typo in the name, and fix my .tf.json file:

+$ cat jbstest.tf.json  
{
  "provider": {
    "aws": {
      "__DEFAULT__": {
        "region": "us-east-1"
      }
    }
  },
  "resource": {
    "aws_config_config_rule": {
      "jbstest-certcheck": {
        "name": "jbstest-certcheck",
        "source": {
          "owner": "AWS",
          "source_identifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"
        }
      }
    }
  }
}

The only difference from before is the 'name' parameter. terraform plan looks good, it just wants to change the name:

+$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_config_config_rule.jbstest-certcheck: Refreshing state... (ID: jbstest-cetrcehck)

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_config_config_rule.jbstest-certcheck
      name: "jbstest-cetrcehck" => "jbstest-certcheck"


Plan: 0 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

I apply that:

+$ terraform apply
aws_config_config_rule.jbstest-certcheck: Refreshing state... (ID: jbstest-cetrcehck)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_config_config_rule.jbstest-certcheck
      name: "jbstest-cetrcehck" => "jbstest-certcheck"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_config_config_rule.jbstest-certcheck: Modifying... (ID: jbstest-cetrcehck)
  name: "jbstest-cetrcehck" => "jbstest-certcheck"
aws_config_config_rule.jbstest-certcheck: Modifications complete after 0s (ID: jbstest-certcheck)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

But now I've got two jbstest Config Rules:

+$ aws configservice describe-config-rules --query "ConfigRules[*].ConfigRuleName" | grep jbstest || echo none
    "jbstest-certcheck",
    "jbstest-cetrcehck",

Important Factoids

none

References

none
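
An added example, not part of the original issue: one way to find Config rules left behind by a rename like the one above is to compare what AWS reports with what Terraform manages. The JSON samples are constructed in the shape of `aws configservice describe-config-rules` and `terraform show -json` output; the function names and the `manual-s3-check` rule are hypothetical.

```python
import json

# Constructed sample: `aws configservice describe-config-rules` output after the rename.
AWS_RULES_JSON = """
{"ConfigRules": [
  {"ConfigRuleName": "jbstest-certcheck",
   "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"}},
  {"ConfigRuleName": "jbstest-cetrcehck",
   "Source": {"Owner": "AWS", "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"}},
  {"ConfigRuleName": "manual-s3-check",
   "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_VERSIONING_ENABLED"}}
]}
"""

# Constructed sample: trimmed `terraform show -json` output (Terraform 0.12+).
TF_STATE_JSON = """
{"values": {"root_module": {"resources": [
  {"address": "aws_config_config_rule.jbstest-certcheck",
   "type": "aws_config_config_rule",
   "values": {"name": "jbstest-certcheck",
              "source": [{"owner": "AWS", "source_identifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"}]}}
], "child_modules": []}}}
"""

def managed_rules(module):
    """Yield (name, source_identifier) for every Config rule in a module tree."""
    for res in module.get("resources", []):
        if res.get("type") == "aws_config_config_rule":
            vals = res.get("values", {})
            src = (vals.get("source") or [{}])[0]
            yield vals.get("name"), src.get("source_identifier")
    for child in module.get("child_modules", []):
        yield from managed_rules(child)

def find_orphans(aws_json, tf_json):
    """Return rules present in AWS but absent from Terraform state."""
    root = (json.loads(tf_json).get("values") or {}).get("root_module", {})
    managed = list(managed_rules(root))
    names = {n for n, _ in managed}
    sources = {s for _, s in managed if s}
    orphans = []
    for rule in json.loads(aws_json).get("ConfigRules", []):
        if rule["ConfigRuleName"] not in names:
            sid = rule.get("Source", {}).get("SourceIdentifier")
            # Same source as a managed rule: probably the pre-rename copy.
            orphans.append({"name": rule["ConfigRuleName"],
                            "likely_rename_leftover": sid in sources})
    return orphans

if __name__ == "__main__":
    for orphan in find_orphans(AWS_RULES_JSON, TF_STATE_JSON):
        print(orphan)
```

Rules flagged `likely_rename_leftover` share a source identifier with a managed rule and are the ones to review first; other unmanaged rules may have been created outside Terraform on purpose.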

@bflad bflad added bug Addresses a defect in current functionality. service/configservice Issues and PRs that pertain to the configservice service. labels May 12, 2018

cob16 commented Aug 8, 2019

Can confirm this is still an issue on 2.23.

It would seem the fix here is to make a name change on the resource force recreation.

@pboruszczak-drgn

Any chances for resolution? This bug is also available on:
Terraform v0.12.13
provider.aws v2.39.0


github-actions bot commented Jan 7, 2022

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jan 7, 2022

jbscare commented Jan 7, 2022

It looks like #15136 is still open to fix this, and that this is therefore not stale?

@github-actions github-actions bot removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jan 7, 2022

martincastrocm commented Feb 19, 2024

Hi, I can confirm this issue is still happening with Terraform v1.6.5 and aws provider v5.37. Is there an ETA for the fix?

A tricky workaround to this could be using both null_resource + replace_triggered_by lifecycle meta-argument.
Something like:

locals {
  rule_name = "my-rule-name"
}

resource "null_resource" "config_rule_trigger" {
  triggers = {
    rule_name = local.rule_name
  }
}

resource "aws_config_config_rule" "config_rule" {
  name = local.rule_name

  # ... other configuration ...

  lifecycle {
    replace_triggered_by = [null_resource.config_rule_trigger]
  }
}

Of course, ideally this behaviour is achieved natively by the tf resource :)

@github-actions github-actions bot added this to the v5.39.0 milestone Feb 27, 2024

github-actions bot commented Mar 1, 2024

This functionality has been released in v5.39.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 31, 2024