aws_appautoscaling_target.RoleArn should be optional

[batkuip]

Terraform Version

0.11.0

Affected Resource(s)

• aws_appautoscaling_target

Terraform Configuration Files

resource "aws_appautoscaling_target" "dynamodb_table_read_target" {
  max_capacity       = 100
  min_capacity       = 5
  resource_id        = "table/tableName"
  role_arn           = "${data.aws_iam_role.DynamoDBAutoscaleRole.arn}"
  scalable_dimension = "dynamodb:table:ReadCapacityUnits"
  service_namespace  = "dynamodb"
}

Expected Behavior

role_arn is set to appriopriate role for that autoscaling_target

Actual Behavior

role_arn is set to 'AWSServiceRoleForApplicationAutoScaling_DynamoDBTable' - this causes this future deployments to always try and update this autoscaling target

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. ensure us-east-1
2. terraform apply

Important Factoids

I've been talking AWS service team about this issue as it also happened through the AWS Console. Turns out this is a new "feature" currently only active on "us-east-1". Basically it creates it own role regardless of what you specify. See http://docs.aws.amazon.com/ApplicationAutoScaling/latest/APIReference/application-autoscaling-service-linked-roles.html

I'm fine either way but RoleArn is 'required' by the terraform resource. I've worked around it by hardcoding the RoleArn to when deploying to 'us-east-1'. Probably should makes this property optional (it's optional in AWS CLI btw)

[armanshan12]

+1 I just ran into this issue as well

[itarchmerc]

There is another workaround to this issue. You can Deny the CreateServiceLinkedRole action for the user/role that's being used by TerraForm to create/update the service. These workarounds will only work for a short time, as the role field is being deprecated from the API.

[maxblaze]

+1 I started seeing this in 0.10.8 last week and I'm assuming that it also applies to all previous versions of terraform that support ECS since it's an AWS backend change.

[levand]

I am encountering this as well. Thanks for taking the time to research the cause and file a report!

[yishaibeeri]

Also happening in other regions, e.g. us-west-1

[CumpsD]

Same in eu-central-1, I tried to manually change it in the console, but keeps on reverting back to AWSServiceRoleForApplicationAutoScaling_DynamoDBTable, which forces terraform to keep on trying to update it.

Currently dealing with it by using:

data "aws_iam_role" "autoscale-service-linked-role" {
  name = "AWSServiceRoleForApplicationAutoScaling_DynamoDBTable"
}

[armanshan12]

To add to @CumpsD's temporary fix, AWS does not automatically create that role, so you have to manually turn on and off autoscaling to push AWS to create it for you, then you can run your terraform.

[bflad]

This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!