
Cycle errors in 1.3.2

Open jack-parsons-bjss opened this issue 3 years ago • 2 comments

Terraform Version

1.3.2

Terraform Configuration Files

Unable to provide due to volume

Debug Output

N/A

Expected Behavior

Terraform plans/applies as usual

Actual Behavior

In 1.3.2 a cycle is detected:

Error: Cycle: module.ous.aws_organizations_organizational_unit.level<redacted>["<redacted>"], module.ous.aws_organizations_organizational_unit.level<redacted>["<redacted>"], module.ous.aws_organizations_organizational_unit.level<redacted>["<redacted>"], module.ous.aws_organizations_organizational_unit.level<redacted>["<redacted>"], module.ous.aws_organizations_organizational_unit.level<redacted>["<redacted>"], module.ous.aws_organizations_organizational_unit.level<redacted>["<redacted>"], module.bs_gr_audit.module.lambdacron_remove_shield.aws_iam_role.main (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.aws_iam_role.main (destroy), module.bs_gr_audit.aws_cloudwatch_event_rule.ec2_deletetags[0] (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.aws_sns_topic_policy.main[0] (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.aws_sns_topic.main[0] (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.module.kms.aws_kms_key.main (destroy), module.bs_gr_shared.aws_cloudwatch_event_rule.elasticloadbalancing_removetags[0] (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.module.kms.aws_iam_policy.user (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.module.kms.aws_iam_policy.admin (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.module.kms.aws_iam_policy.user (destroy), aws_organizations_organization.main, module.ous.var.organization_root_id (expand), module.bs_gr_audit.aws_lambda_permission.cloudtrail_delivery[0] (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.module.kms.aws_iam_policy.admin (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.module.kms.aws_kms_alias.main (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.aws_lambda_function.main (destroy), module.bs_gr_audit.aws_lambda_permission.remove_shield_ec2_deletetags[0] (destroy), module.bs_gr_audit.aws_cloudwatch_event_target.ec2_deletetags[0] (destroy), 
module.bs_gr_audit.module.lambdacron_remove_shield.aws_cloudwatch_log_group.main (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.aws_iam_role_policy_attachment.lambda_execution (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.aws_iam_policy.lambda_execution (destroy), module.bs_gr_shared.aws_cloudwatch_event_rule.ec2_deletetags[0] (destroy), module.bs_gr_network.aws_cloudwatch_event_rule.ec2_deletetags[0] (destroy), module.bs_gr_network.module.lambdacron_remove_shield.aws_iam_role.main (destroy), module.bs_gr_network.module.lambdacron_remove_shield.module.kms.aws_iam_policy.admin (destroy), module.bs_gr_network.module.lambdacron_remove_shield.aws_iam_policy.lambda_execution (destroy), module.bs_gr_network.module.lambdacron_remove_shield.module.kms.aws_iam_policy.user (destroy), module.bs_gr_network.module.lambdacron_remove_shield.aws_iam_role_policy_attachment.lambda_execution (destroy), module.bs_gr_network.aws_cloudwatch_event_rule.elasticloadbalancing_removetags[0] (destroy), module.bs_gr_network.aws_lambda_permission.cloudtrail_delivery[0] (destroy), module.bs_gr_network.module.lambdacron_remove_shield.aws_lambda_function.main (destroy), module.bs_gr_network.aws_lambda_permission.remove_shield_ec2_deletetags[0] (destroy), module.bs_gr_network.module.lambdacron_remove_shield.aws_sns_topic.main[0] (destroy), module.bs_gr_network.aws_cloudwatch_event_target.ec2_deletetags[0] (destroy), module.bs_gr_network.aws_cloudwatch_event_target.elasticloadbalancing_removetags[0] (destroy), module.bs_gr_network.module.lambdacron_remove_shield.module.kms.aws_kms_alias.main (destroy), module.bs_gr_network.module.lambdacron_remove_shield.aws_sns_topic_policy.main[0] (destroy), module.bs_gr_network.module.lambdacron_remove_shield.module.kms.aws_kms_key.main (destroy), aws_organizations_account.network, provider["registry.terraform.io/hashicorp/aws"].network, module.bs_gr_network.aws_lambda_permission.remove_shield_elasticloadbalancing_removetags[0] 
(destroy), module.bs_gr_network.module.lambdacron_remove_shield.aws_cloudwatch_log_group.main (destroy), module.bs_gr_audit.aws_cloudwatch_event_target.elasticloadbalancing_removetags[0] (destroy), module.bs_gr_audit.aws_lambda_permission.remove_shield_elasticloadbalancing_removetags[0] (destroy), module.bs_gr_audit.aws_cloudwatch_event_rule.elasticloadbalancing_removetags[0] (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.aws_cloudwatch_log_group.main (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.module.kms.aws_kms_alias.main (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.aws_sns_topic_policy.main[0] (destroy), module.bs_gr_shared.aws_lambda_permission.remove_shield_elasticloadbalancing_removetags[0] (destroy), module.bs_gr_shared.aws_cloudwatch_event_target.ec2_deletetags[0] (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.aws_lambda_function.main (destroy), module.bs_gr_shared.aws_cloudwatch_event_target.elasticloadbalancing_removetags[0] (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.aws_sns_topic.main[0] (destroy), module.bs_gr_shared.aws_lambda_permission.remove_shield_ec2_deletetags[0] (destroy), module.bs_gr_shared.module.lambdacron_remove_shield.module.kms.aws_kms_key.main (destroy), module.bs_gr_security.aws_cloudwatch_event_rule.ec2_deletetags[0] (destroy), module.bs_gr_security.module.lambdacron_remove_shield.aws_iam_policy.lambda_execution (destroy), module.bs_gr_security.module.lambdacron_remove_shield.aws_iam_role_policy_attachment.lambda_execution (destroy), module.bs_gr_security.module.lambdacron_remove_shield.aws_iam_role.main (destroy), module.bs_gr_security.aws_cloudwatch_event_rule.elasticloadbalancing_removetags[0] (destroy), module.bs_gr_security.module.lambdacron_remove_shield.aws_cloudwatch_log_group.main (destroy), module.bs_gr_security.aws_lambda_permission.cloudtrail_delivery[0] (destroy), 
module.bs_gr_security.module.lambdacron_remove_shield.module.kms.aws_iam_policy.user (destroy), module.bs_gr_security.module.lambdacron_remove_shield.aws_sns_topic_policy.main[0] (destroy), module.bs_gr_security.module.lambdacron_remove_shield.aws_lambda_function.main (destroy), module.bs_gr_security.aws_cloudwatch_event_target.elasticloadbalancing_removetags[0] (destroy), module.bs_gr_security.module.lambdacron_remove_shield.aws_sns_topic.main[0] (destroy), module.bs_gr_security.aws_lambda_permission.remove_shield_ec2_deletetags[0] (destroy), module.bs_gr_security.aws_lambda_permission.remove_shield_elasticloadbalancing_removetags[0] (destroy), module.bs_gr_security.module.lambdacron_remove_shield.module.kms.aws_kms_alias.main (destroy), module.bs_gr_security.aws_cloudwatch_event_target.ec2_deletetags[0] (destroy), module.bs_gr_security.module.lambdacron_remove_shield.module.kms.aws_kms_key.main (destroy), aws_organizations_account.security, provider["registry.terraform.io/hashicorp/aws"].security, module.bs_gr_security.module.lambdacron_remove_shield.module.kms.aws_iam_policy.admin (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.aws_iam_role_policy_attachment.lambda_execution (destroy), module.bs_gr_audit.module.lambdacron_remove_shield.aws_iam_policy.lambda_execution (destroy), module.ous.aws_organizations_organizational_unit.level<redacted>["<redacted>"], module.ous.local.ous (expand), module.ous.output.ous (expand), aws_organizations_account.shared, provider["registry.terraform.io/hashicorp/aws"].shared, module.bs_gr_shared.aws_lambda_permission.cloudtrail_delivery[0] (destroy), aws_organizations_account.audit, provider["registry.terraform.io/hashicorp/aws"].audit

Thought to be resolved in 1.3.2 by #31843; however, it is still occurring. Downgrading to 1.2.9 causes this same configuration to succeed.

Steps to Reproduce

  1. terraform apply

Additional Context

N/A

References

#31843

jack-parsons-bjss, Oct 20 '22 08:10

Hi @jack-parsons-bjss,

Thanks for filing the issue. Without an example we unfortunately are not going to be able to diagnose the problem, or validate any solutions. If you could generate a standalone reproduction, it would help greatly. The next v1.3.4 release will have some more improvements here which may help if you have the ability to test with the current development branch.

One thing I can tell from the given cycle output is that you have multiple providers which depend on managed resources in the same configuration. This is not fully supported (it's mentioned that you cannot safely access managed resource attributes from provider configuration in the docs here). This type of configuration also inherently causes cycles in some situations, which Terraform tries to detect and avoid, but there is not yet a universal mechanism to do this. You can see the issue #30465 showing the same problem from earlier versions too.

I also just mentioned in the linked issue that most of the known cases of these cycles should be resolved, so it would be very helpful to get an example here if the next release does not remedy the situation.

Thanks!

jbardin, Oct 21 '22 13:10
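
An added example, not part of the thread or of Terraform itself: a small triage script for the check described in the comment above, which splits an `Error: Cycle:` message into nodes and flags provider configurations that share the cycle with managed or to-be-destroyed resources. The sample message is constructed from node shapes in the report, and the function names are hypothetical.

```python
import re

# Constructed sample, shortened from node shapes in the report above; the
# "level1" name and "a, b" key are invented to exercise comma handling.
SAMPLE = (
    'Error: Cycle: aws_organizations_account.network, '
    'provider["registry.terraform.io/hashicorp/aws"].network, '
    'module.bs_gr_network.aws_cloudwatch_event_rule.ec2_deletetags[0] (destroy), '
    'module.ous.aws_organizations_organizational_unit.level1["a, b"], '
    'module.ous.local.ous (expand), module.ous.output.ous (expand)'
)
# A provider node, optionally nested in modules and optionally aliased.
PROVIDER = re.compile(
    r'^(?:module\.[\w-]+(?:\[[^\]]*\])?\.)*provider\["[^"]+"\](?:\.[\w-]+)?$')

def split_nodes(message):
    """Split the node list on commas that are outside quotes and brackets."""
    nodes, buf, depth, quoted = [], [], 0, False
    for ch in message.partition("Cycle:")[2]:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        if ch == "," and depth == 0 and not quoted:
            nodes.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    nodes.append("".join(buf).strip())
    return [n for n in nodes if n]

def classify(node):
    """Return (kind, address); kind is provider, destroy, expand or managed."""
    for action in ("destroy", "expand"):
        if node.endswith(f" ({action})"):
            return action, node[: -len(action) - 3]
    return ("provider" if PROVIDER.match(node) else "managed"), node

def triage(message):
    """Group cycle nodes and flag provider configs that share the cycle."""
    groups = {"provider": [], "managed": [], "destroy": [], "expand": []}
    for raw in split_nodes(message):
        kind, addr = classify(raw)
        groups[kind].append(addr)
    flagged = bool(groups["provider"] and (groups["managed"] or groups["destroy"]))
    return groups, flagged

if __name__ == "__main__":
    groups, flagged = triage(SAMPLE)
    print({k: len(v) for k, v in groups.items()}, "provider in cycle:", flagged)
```

A flagged result only says that a provider node is part of the cycle; it does not identify which reference in the configuration creates the dependency.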

We are getting the same issue too on the 1.3x (1.3.2, 1.3.3) releases:

Error: Cycle: module.aws.module.org_medview.aws_organizations_account.environments["production"], module.aws.module.org_medview.local.account_master_role_arns (expand), module.aws.module.org_medview.output.account_master_role_arns (expand), module.aws.provider["registry.terraform.io/hashicorp/aws"].medview_production, module.aws.module.zone_medvieweducation_org.aws_route53_record.cname_records["em2636"] (destroy), module.aws.module.org_medview.aws_organizations_organizational_unit.unit, module.aws.module.org_medview.aws_organizations_account.environments["staging"]

We use dynamic providers in the current approach, as we dynamically provision AWS Subaccounts. This works on Terraform 1.2x.

Our approach is necessary for the lack of https://github.com/hashicorp/terraform/issues/25244. Lol, didn't even remember I created that issue!

WilliamABradley, Oct 25 '22 03:10

Happening to us as well. Works on 1.2.4, does not work on 1.3.1, 1.3.3.

Attempting to track it down via graph, nothing ends up being circled red.

It's occurring during plans that result in resources being removed... specifically, in our case the plan is attempting to remove all the resources that exist in a module:

module "stuff" {
  for_each = {stuff}
  ...
}

to

module "stuff" {
  for_each = {}
  ...
}

Error: Cycle:
module.eks.aws_iam_role_policy_attachment.policies["arn:aws:iam::aws:policy/AmazonEKSServicePolicy"],
module.eks.aws_kms_key.eks,
module.eks.aws_iam_role_policy_attachment.policies["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"],
module.security_groups.aws_security_group.allow_jenkins,
module.security_groups.output.allow_jenkins_id (expand),
module.security_groups.aws_security_group.eks_master,
module.security_groups.output.eks_master_id (expand),
module.eks.var.master_security_group_ids (expand),
module.eks.aws_iam_role.eks_service,
module.airflow_eks_resources["name"].module.airflow_namespace.kubernetes_secret.image_pull_secrets["docker-cfg"] (destroy),
module.airflow_eks_resources["name"].module.airflow_namespace.kubernetes_namespace.this (destroy),
module.airflow_eks_resources["name"].module.airflow_namespace.kubernetes_default_service_account.this (destroy),
module.eks.output.cluster_name (expand),
module.eks.output.certificate_authority (expand),
module.eks.output.endpoint (expand),
provider["registry.terraform.io/hashicorp/kubernetes"],
module.airflow_eks_resources["name"].kubernetes_persistent_volume_claim.claim (destroy),
module.airflow_eks_resources["name"].module.airflow_namespace.aws_eks_fargate_profile.this[0] (destroy),
module.eks.aws_cloudwatch_log_group.log_group,
module.eks.aws_eks_cluster.eks

nwsparks, Nov 02 '22 14:11

@jbardin I just tested with the v1.3 branch and also main and the problem goes away in both.

nwsparks, Nov 02 '22 15:11

I can confirm that 1.3.4, which was just released, has fixed it on our side! 🙂

WilliamABradley, Nov 02 '22 23:11

Hello,

Without any examples or configuration to reproduce the problem, there's not going to be much else we can do here. As others have pointed out, known cases have been resolved by the latest release, so I'm going to close this out as complete for now.

Thanks!

jbardin, Nov 07 '22 16:11
