Failure configuring ALB attributes: ValidationError: The value of 'access_logs.s3.bucket' cannot be empty #2072

Open
wvidana opened this issue Oct 26, 2017 · 6 comments
Labels
bug Addresses a defect in current functionality. service/elbv2 Issues and PRs that pertain to the elbv2 service.

Comments

@wvidana

wvidana commented Oct 26, 2017

Hi!

I'm trying to build some generic ALB module for our infra, where some load balancers might have access logs and others may not, but I can't seem to have some defaults to allow that behavior.

Terraform Version

Terraform v0.10.8

Affected Resource(s)

  • aws_alb

Terraform Configuration Files

variable "access_logs" {
  type = "map"
  default = {
    bucket = ""
    prefix = ""
  }
}

resource "aws_alb" "alb" {
  name = "${var.alb_name}"
  internal = "${var.internal}"
  security_groups = "${var.security_groups}"
  subnets = "${var.subnets}"
  enable_deletion_protection = true
  idle_timeout = "${var.idle_timeout}"
  access_logs {
    enabled = "${var.access_logs["bucket"] != ""}"
    bucket = "${var.access_logs["bucket"]}"
    prefix = "${var.access_logs["prefix"]}"
  }
}

Expected Behavior

ALBs should be created with access logs disabled

Actual Behavior

I get a validation error because the bucket name is empty

* aws_alb.alb: Failure configuring ALB attributes: ValidationError: The value of 'access_logs.s3.bucket' cannot be empty
	status code: 400, request id: XXXXXX

Steps to Reproduce

  1. terraform apply

References

This issue on TF sums up my problem hashicorp/terraform#14037

Though I think the aws_lb resource can have better coding to make the empty block behave the same as having it with the flag enable = false. I never used Go so I don't feel confident submitting a PR, but something here should be changed to avoid having the bucket parameter as required when the flag is false https://github.com/terraform-providers/terraform-provider-aws/blob/6b2f18b42893be9a9778721f7bfc89a075fb0d40/aws/resource_aws_lb.go#L319-L346

Some change like suggested in here so an empty block behaves the same as having the enable flag as false https://gist.github.com/woqer/48d002fc64049706f4f9bc32a1f1dbb6#file-aws_lb_changes-go-L3-L9

@paddycarver paddycarver added the bug Addresses a defect in current functionality. label Nov 21, 2017
@sean-zou
Contributor

sean-zou commented Dec 9, 2017

+1

@radeksimko radeksimko added the service/elbv2 Issues and PRs that pertain to the elbv2 service. label Jan 28, 2018
@Geartrixy

+1

@Geartrixy

Any update here?

@zshift

zshift commented Oct 28, 2019

Bump. Running into this as well with aws_ecs_resource > load_balancer > elb_name

@imyuliz

imyuliz commented May 6, 2021

+1

@SpComb

SpComb commented Jul 5, 2021

This is still a problem with the null values introduced in terraform 0.12 / hashicorp/terraform#14037 after this issue was opened.

A snippet like this will fail by default, when it should ideally just leave the ALB access logs disabled and ignore the invalid bucket when enabled is false:

variable "access_logs_bucket" {
  type    = string
  default = null
}

resource "aws_lb" "alb" {
  ...

  access_logs {
    enabled = var.access_logs_bucket != null ? true : false
    bucket  = var.access_logs_bucket
    prefix  = var.name
  }
}

Error: Required attribute is not set

  on ../../terraform-modules/aws_alb/main.tf line 84, in resource "aws_lb" "alb":
  84:     bucket  = var.access_logs_bucket

Workaround

Use a dynamic block to configure the access_logs conditionally:

  dynamic "access_logs" {
    for_each = var.access_logs_bucket != null ? { enabled = true } : {}

    content {
      enabled = true
      bucket  = var.access_logs_bucket
      prefix  = var.name
    }
  }

Did not test if this also disables the ALB access_logs when var.access_logs_bucket reverts to null.

EDIT: this workaround then runs into #16674 with Error: Provider produced inconsistent final plan
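
For modules like the ones in this thread, where access logs are optional, a check over the plan shows which load balancers will end up without logging. This is an added example, not code from the issue or from the provider; it assumes the plan was exported with `terraform show -json` (Terraform 0.12 or later), and the sample plan and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json` output (trimmed).
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {"root_module": {
    "resources": [
      {"address": "aws_lb.logged", "type": "aws_lb",
       "values": {"access_logs": [{"enabled": true, "bucket": "example-alb-logs", "prefix": "logged"}]}}
    ],
    "child_modules": [{
      "address": "module.alb",
      "resources": [
        {"address": "module.alb.aws_lb.alb", "type": "aws_lb", "values": {"access_logs": []}},
        {"address": "module.alb.aws_alb.legacy", "type": "aws_alb",
         "values": {"access_logs": [{"enabled": false, "bucket": "example-alb-logs", "prefix": ""}]}}
      ]
    }]
  }}
}
""")

LB_TYPES = {"aws_lb", "aws_alb"}  # aws_alb is the older name used in the original report


def walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def lbs_without_access_logs(plan):
    """Return {address: reason} for load balancers that will not write access logs."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk(root):
        if res.get("type") not in LB_TYPES:
            continue
        # Nested blocks appear as a list; an omitted block is an empty list.
        blocks = (res.get("values") or {}).get("access_logs") or []
        if not blocks:
            findings[res["address"]] = "no access_logs block"
        elif not blocks[0].get("enabled"):
            findings[res["address"]] = "access_logs.enabled is false"
        elif not blocks[0].get("bucket"):
            findings[res["address"]] = "enabled but bucket is empty or unknown"
    return findings
```

Running it over a saved plan in CI makes a load balancer that silently lost its access logs (for example when the bucket variable reverts to null) visible before apply.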
