[Bug]: v5.23.0 - aws_lb - Load balancer attribute key 'dns_record.client_routing_policy' is not supported on load balancers with type 'network'

[jseiser]

Terraform Core Version

1.5.2

AWS Provider Version

v5.23.0

Affected Resource(s)

aws_lb

Expected Behavior

Existing NLB would be updated with the additional target group we added.

Actual Behavior

NLB update fails, because an unsupported setting was attempted to be configured

Relevant Error/Panic Output Snippet

# aws_lb.tempo_nlb will be updated in-place
~ resource "aws_lb" "tempo_nlb" {
    + dns_record_client_routing_policy = "any_availability_zone"
      id                               = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:xxxx:loadbalancer/net/removed-TEMPO-jaeger-DEV/d6d17df92d966d89"
      name                             = "removed-TEMPO-jaeger-DEV"
      tags                             = {
          "Attribution"  = "removed-Foundation_DEV ID: jaeger"
          "DeploymentID" = "jaeger"
          "Description"  = "removed GovCloud Environment"
          "Environment"  = "DEV"
          "Layer"        = "Monitoring"
          "Name"         = "removed-TEMPO-jaeger-DEV"
          "Owner"        = "RDT"
      }
      # (13 unchanged attributes hidden)

      # (3 unchanged blocks hidden)
  }

Error: failure configuring LB attributes: InvalidConfigurationRequest: Load balancer attribute key 'dns_record.client_routing_policy' is not supported on load balancers with type 'network'
	status code: 400, request id: 32defad6-f7ed-45e5-96b4-3add90b61c9b

Terraform Configuration Files

resource "aws_lb" "tempo_nlb" {
  name               = "removed-TEMPO-${var.vpc_id_tag}-${var.platform_env}"
  internal           = true
  load_balancer_type = "network"
  subnets            = [data.aws_subnet.MonitoringSN1.id, data.aws_subnet.MonitoringSN2.id]

  enable_deletion_protection = false

  tags = merge(
    local.tags,
    {
      "Name" = "removed-TEMPO-${var.vpc_id_tag}-${var.platform_env}"
    }
  )
}

Steps to Reproduce

1. Govcloud Account
2. Deploy basic NLB

Debug Output

No response

Panic Output

No response

Important Factoids

We operate in AWS Govcloud, Client routing policy (DNS record) is not supported in Govcloud, so the default provider deployment is now broken.

Introduced Here: #33992

References

These features are available in all commercial and China Regions.

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[jseiser]

This type of problem is already looked out for in the provider, so I assume something similar needs done: https://github.com/ddericco/terraform-provider-aws/blob/4d82b807c7910a4b82e37acdb55062391ebcc94d/internal/service/elbv2/load_balancer.go#L487

I dont know go, but I imagine something like

		if d.HasChange("dns_record_client_routing_policy") {
			attributes = append(attributes, &elbv2.LoadBalancerAttribute{
				Key:   aws.String("dns_record.client_routing_policy"),
				Value: aws.String(d.Get("dns_record_client_routing_policy").(string)),
			})
		}

[ewbankkit]

% make testacc TESTARGS='-run=TestAccELBV2LoadBalancer_NLB_basic$$' PKG=elbv2
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/elbv2/... -v -count 1 -parallel 20  -run=TestAccELBV2LoadBalancer_NLB_basic$ -timeout 360m
=== RUN   TestAccELBV2LoadBalancer_NLB_basic
=== PAUSE TestAccELBV2LoadBalancer_NLB_basic
=== CONT  TestAccELBV2LoadBalancer_NLB_basic
    load_balancer_test.go:118: Step 1/1 error: Error running apply: exit status 1
        
        Error: failure configuring LB attributes: InvalidConfigurationRequest: Load balancer attribute key 'dns_record.client_routing_policy' is not supported on load balancers with type 'network'
                status code: 400, request id: 9fb24738-db31-4fae-b887-351c781cc65a
        
          with aws_lb.test,
          on terraform_plugin_test.tf line 32, in resource "aws_lb" "test":
          32: resource "aws_lb" "test" {
        
--- FAIL: TestAccELBV2LoadBalancer_NLB_basic (206.26s)
FAIL
FAIL    github.com/hashicorp/terraform-provider-aws/internal/service/elbv2      211.831s
FAIL
make: *** [testacc] Error 1

[jseiser]

@ewbankkit

Are you getting that error against #34140 ?

[kevinlmadison]

Until this gets merged, is there a workaround in terraform?

[Mike-Nahmias]

Until this gets merged, is there a workaround in terraform?

@kevinlmadison my workaround was to add logic so if I'm deploying an NLB the argument is null
I think the above worked for me in Commercial, but doesn't seem to be working for GovCloud. Now I'm pinning the provider version until this is fixed.

[dan-glass]

My workaround was to pin the aws provider to an older version:

terraform {
  required_providers {
    aws = {
      version = "= 4.42"
    }
  }
}

[yixin-wei]

My workaround was to pin the aws provider to an older version

Yeah, we can limit aws provider to older versions:

terraform {
  required_providers {
    aws = {
      version = "<= 5.22" 
    }
  }
}

[jseiser]

This is becoming an issue, as more of the well supported TF modules are requiring >=5.25 for the provider

[tanadeau]

As @Mike-Nahmias mentioned, explicitly setting dns_record_client_routing_policy = null is a valid workaround. I just used it with the latest provider version with no issues.

[MetricMike]

The dns_record_client_routing_policy = null workaround is insufficient for newly created NLBs, as 5.23.0+ will always send that attribute. Setting it to null still sends the attribute on creation. The same pattern is used for the enable_waf_fail_open attribute https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/elbv2/load_balancer.go#L483-L488

#34140 fixes

[github-actions]

This functionality has been released in v5.31.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[Mike-Nahmias]

This doesn't seem like it's fixed in v5.31.0. On my GovCloud NLB resource I have dns_record_client_routing_policy = null, but the plan still shows + dns_record_client_routing_policy = "any_availability_zone"

[ghost]

@Mike-Nahmias I concur. I just upgraded to v5.31.0 and attempted to re-apply. I got the following error (no other changes to my configuration):

Terraform will perform the following actions:

  # module.lb.aws_lb.this will be updated in-place
  ~ resource "aws_lb" "this" {
      + dns_record_client_routing_policy = "any_availability_zone"
        id                               = "<REDACTED>"
        name                             = "<REDACTED>"
        tags                             = {}
        # (13 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.lb.aws_lb.this: Modifying... [id=<REDACTED>]
|
│ Error: modifying ELBv2 Load Balancer (<REDACTED>) attributes: ValidationError: Attributes cannot be empty
│       status code: 400, request id: c3bdeeec-4853-4edb-8d81-30a404f52223
│ 
│   with module.lb.aws_lb.this,
│   on .terraform/modules/lb/main.tf line 9, in resource "aws_lb" "this":
│    9: resource "aws_lb" "this" {
│ 
|

[jseiser]

Do you have the problem on NEW NLB creations?

Also, I would open an issue, I doubt anyone is looking at this closed one. There were so many changes in the commit that I have no idea what the issue would be.

[ghost]

Opened #35014

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.