
attributes: InvalidConfigurationRequest: Key client_keep_alive .seconds not valid #35089

Closed
Rafaellinos opened this issue Apr 26, 2024 · 1 comment
Labels
bug new new issue not yet triaged provider/aws question

Comments

@Rafaellinos

Terraform Version

1.8.1

Terraform Configuration Files

variable "docker_image" {
  description = "The Docker image for the APIs"
  default     = "nginxdemos/nginx-hello"
}

# Region
provider "aws" {
  access_key                  = "test"
  secret_key                  = "test"
  region                      = "us-east-1"
  # only required for non virtual hosted-style endpoint use case.
  # https://registry.terraform.io/providers/hashicorp/aws/latest/docs#s3_use_path_style
  #s3_use_path_style           = true
  #skip_credentials_validation = true
  #skip_metadata_api_check     = true
  #skip_requesting_account_id  = true
  #endpoints {
  #  apigateway     = "http://localhost:4566"
  #  apigatewayv2   = "http://localhost:4566"
  #  cloudformation = "http://localhost:4566"
  #  cloudwatch     = "http://localhost:4566"
  #  dynamodb       = "http://localhost:4566"
  #  ec2            = "http://localhost:4566"
  #  iam            = "http://localhost:4566"
  #  lambda         = "http://localhost:4566"
  #  rds            = "http://localhost:4566"
  #  s3             = "http://s3.localhost.localstack.cloud:4566"
  #  secretsmanager = "http://localhost:4566"
  #  sns            = "http://localhost:4566"
  #  sqs            = "http://localhost:4566"
  #  ssm            = "http://localhost:4566"
  #  ecs            = "http://localhost:4566"
  #  elb            = "http://localhost:4566"
  #}
}

# VPC and Subnets
resource "aws_vpc" "my_vpc" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "public_subnet_a" {
  vpc_id                  = aws_vpc.my_vpc.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false
}

resource "aws_subnet" "public_subnet_b" {
  vpc_id                  = aws_vpc.my_vpc.id
  cidr_block              = "10.0.2.0/24"
  availability_zone       = "us-east-1b"
  map_public_ip_on_launch = false
}

resource "aws_subnet" "public_subnet_c" {
  vpc_id                  = aws_vpc.my_vpc.id
  cidr_block              = "10.0.3.0/24"
  availability_zone       = "us-east-1c"
  map_public_ip_on_launch = false
}

# ECS Task Definitions
resource "aws_ecs_task_definition" "tax_api" {
  family                   = "TAX-API"
  container_definitions   = jsonencode([
    {
      name  = "taxApi"
      image = var.docker_image
      memory = 128 
    }
  ])
}

resource "aws_ecs_task_definition" "prodesp_acl" {
  family                   = "PRODESP-ACL"
  container_definitions   = jsonencode([
    {
      name  = "prodespAcl"
      image = var.docker_image
      memory = 128 
    }
  ])
}

resource "aws_ecs_task_definition" "payment_acl" {
  family                   = "PAYMENT-ACL"
  container_definitions   = jsonencode([
    {
      name  = "paymentAcl"
      image = var.docker_image
      memory = 128 
    }
  ])
}

# ECS Cluster
resource "aws_ecs_cluster" "my_cluster" {
  name = "tax-cluster"
}

# ECS Services
resource "aws_ecs_service" "tax_api_service" {
  name            = "tax-api-service"
  cluster         = aws_ecs_cluster.my_cluster.id
  task_definition = aws_ecs_task_definition.tax_api.arn
  desired_count   = 1

  network_configuration {
    subnets          = [aws_subnet.public_subnet_a.id]
    security_groups  = []  # Specify security groups if needed
    assign_public_ip = true
  }
}

resource "aws_ecs_service" "prodesp_acl_service" {
  name            = "prodesp-acl-service"
  cluster         = aws_ecs_cluster.my_cluster.id
  task_definition = aws_ecs_task_definition.prodesp_acl.arn
  desired_count   = 1

  network_configuration {
    subnets          = [aws_subnet.public_subnet_b.id]
    security_groups  = []  # Specify security groups if needed
    assign_public_ip = true
  }
}

resource "aws_ecs_service" "payment_acl_service" {
  name            = "payment-acl-service"
  cluster         = aws_ecs_cluster.my_cluster.id
  task_definition = aws_ecs_task_definition.payment_acl.arn
  desired_count   = 1

  network_configuration {
    subnets          = [aws_subnet.public_subnet_c.id]
    security_groups  = []  # Specify security groups if needed
    assign_public_ip = true
  }
}

# Application Load Balancer (ALB)
resource "aws_lb" "my_alb" {
  name               = "my-alb"
  internal           = false
  load_balancer_type = "application"
  client_keep_alive  = 3600
  subnets            = [
    aws_subnet.public_subnet_a.id,
    aws_subnet.public_subnet_b.id,
    aws_subnet.public_subnet_c.id
  ]
}

# ALB Target Groups
resource "aws_lb_target_group" "tax_api_target_group" {
  name     = "tax-api-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.my_vpc.id
}

resource "aws_lb_target_group" "prodesp_acl_target_group" {
  name     = "prodesp-acl-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.my_vpc.id
}

resource "aws_lb_target_group" "payment_acl_target_group" {
  name     = "payment-acl-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.my_vpc.id
}

# ALB Listener Rules
resource "aws_lb_listener_rule" "tax_api_listener_rule" {
  listener_arn = aws_lb.my_alb.arn
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tax_api_target_group.arn
  }

  condition {
    path_pattern {
      values = ["/tax/*"]
    }
  }
}

resource "aws_lb_listener_rule" "prodesp_acl_listener_rule" {
  listener_arn = aws_lb.my_alb.arn
  priority     = 110

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.prodesp_acl_target_group.arn
  }

  condition {
    path_pattern {
      values = ["/prodesp/*"]
    }
  }
}

resource "aws_lb_listener_rule" "payment_acl_listener_rule" {
  listener_arn = aws_lb.my_alb.arn
  priority     = 120

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.payment_acl_target_group.arn
  }

  condition {
    path_pattern {
      values = ["/payment/*"]
    }
  }
}

Debug Output

https://gist.github.com/Rafaellinos/49618fec23afd1454cc6212d7b6c4258

Expected Behavior

Create ALB in localstack.

Actual Behavior

I tried to remove and add the client_keep_alive configuration, but with no success.

Steps to Reproduce

tflocal init
tflocal apply

Additional Context

Using:

aws-cli = 2.15.40
localstack pro (trial) = 3.4.0

024-04-26T17:39:45.002 INFO --- [ asgi_gw_5] localstack.request.aws : AWS elbv2.DescribeLoadBalancers => 200
2024-04-26T17:39:45.007 INFO --- [ asgi_gw_4] localstack.request.aws : AWS elbv2.ModifyLoadBalancerAttributes => 400 (InvalidConfigurationRequest)

References

No response

@Rafaellinos Rafaellinos added bug new new issue not yet triaged labels Apr 26, 2024
@apparentlymart
Member

Hi @Rafaellinos! Sorry for this confusing situation.

The error message you've described seems to originate from the AWS load balancer API, and not from Terraform itself.

I'm not familiar enough with the load balancer API to know whether this is a bug in Terraform's AWS provider or if this is describing a genuine problem with your configuration, but I do note from the ELBv2 documentation that there is indeed a property named client_keep_alive.seconds and that 3600 ought to be a valid value for it when you are configuring an Application Load Balancer, so this does seem like possibly an AWS provider bug.

Because of that, I recommend that you report this bug in the AWS provider's GitHub repository. The AWS provider maintainers are far more familiar with AWS service behavior and so can hopefully confirm whether this is an AWS provider bug or if there is a different way you could write this configuration to get a successful result.

Since there doesn't seem to be anything we could change in Terraform Core to improve this situation -- the behaviors involved belong to the AWS provider and to the AWS ELBv2 API -- I'm going to close this issue. Thanks!
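To confirm which layer rejected the request, the emulator's request log can be filtered for non-2xx AWS calls. The following is an added example, not code from the issue or from Terraform; the function names are hypothetical, and the sample log is constructed from the two lines quoted in the report plus one invented `CreateLoadBalancer` line.

```python
import re
from collections import Counter

# Shape of the LocalStack request-log lines quoted in the issue:
#   <ts> <LEVEL> --- [<thread>] localstack.request.aws : AWS <svc>.<Op> => <status> (<Error>)
# The timestamp is matched loosely because pasted logs are often clipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+---\s+\[\s*(?P<thread>[^\]]+)\]\s+"
    r"localstack\.request\.aws\s*:\s*AWS\s+(?P<service>[\w-]+)\.(?P<op>\w+)"
    r"\s+=>\s+(?P<status>\d{3})(?:\s+\((?P<error>[^)]+)\))?\s*$"
)

def parse_line(line):
    """Return a dict for one request-log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["thread"] = rec["thread"].strip()
    return rec

def failed_calls(log_text):
    """Every AWS API call the emulator answered with a 4xx/5xx status."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["status"] >= 400]

def summarize(failures):
    """Count failures per (service, operation, error code)."""
    return Counter((f["service"], f["op"], f["error"]) for f in failures)

# Constructed sample: the first line is invented for context, the next two
# follow the lines in the report (including the clipped timestamp).
SAMPLE_LOG = """\
2024-04-26T17:39:44.950 INFO --- [ asgi_gw_3] localstack.request.aws : AWS elbv2.CreateLoadBalancer => 200
024-04-26T17:39:45.002 INFO --- [ asgi_gw_5] localstack.request.aws : AWS elbv2.DescribeLoadBalancers => 200
2024-04-26T17:39:45.007 INFO --- [ asgi_gw_4] localstack.request.aws : AWS elbv2.ModifyLoadBalancerAttributes => 400 (InvalidConfigurationRequest)
not a request line
"""

if __name__ == "__main__":
    for (svc, op, err), n in summarize(failed_calls(SAMPLE_LOG)).items():
        print(f"{svc}.{op} -> {err} x{n}")
```
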
