Hi,

I'm having problems upgrading to 0.12.0. We're running in eu-west-1 but one of my modules requires a cloudfront certificate that is only available in us-east-1.

The main terraform file defines an additional aws provider running in us-east-1 aliased to a name expected by the module.

When I follow the upgrade instructions, I get an error at the step when I run terraform plan against v0.12.

Error: Provider configuration not present

To work with module.sunset_environment.aws_acm_certificate.cloudfront its
original provider configuration at
module.sunset_environment.provider.aws.us_east_1 is required, but it has been
removed. This occurs when a provider configuration is removed while objects
created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.sunset_environment.aws_acm_certificate.cloudfront, after which you can
remove the provider configuration again.

I don't understand what to do about this because provider.aws.us_east_1 is already defined.

Terraform Version

Upgrading 0.11.14 to 0.12.0

Terraform Configuration Files

provider "aws" {
  region  = local.aws_region
  version = "~> 2.12.0"
}

...

provider "aws" {
  alias   = "us_east_1"
  region  = "us-east-1"
  version = "~> 2.12.0"
}

...

module "sunset_environment" {
  source = "git::git@github.com:my-private-repo"

  dns_root_zone_id   = local.dns_root_zone_id
  dns_root_zone_name = local.dns_root_zone_name

  stage       = local.stage
  aws_region  = local.aws_region
  environment = local.environment

  vpc_id = local.vpc_id

  dns_public_zone_id   = local.dns_public_zone_id
  dns_public_zone_name = local.dns_public_zone_name

  external_lb_arn         = module.environment.external_lb_arn
  external_lb_dns_name    = module.environment.external_lb_dns_name
  external_lb_dns_zone_id = module.environment.external_lb_dns_zone_id

  external_lb_http_listener_arn  = module.environment.external_lb_http_listener_arn
  external_lb_https_listener_arn = module.environment.external_lb_https_listener_arn

  cdn_origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
}

... and from the module...

resource "aws_acm_certificate" "cloudfront" {
  provider = "aws.us_east_1"
  domain_name = "${local.site_cdn_fqdn}"
  validation_method = "DNS"
}

Debug Output

https://gist.github.com/npc-adrian/2b1b8e8a93060ea164d57a322baae6ea

Crash Output

N/A

Expected Behavior

terraform plan should run successfully and report no changes needed

Actual Behavior

An error occurred running a plan using 0.12. Same message twice as shown below.

Error: Provider configuration not present

To work with
module.sunset_environment.aws_acm_certificate_validation.cloudfront its
original provider configuration at
module.sunset_environment.provider.aws.us_east_1 is required, but it has been
removed. This occurs when a provider configuration is removed while objects
created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.sunset_environment.aws_acm_certificate_validation.cloudfront, after
which you can remove the provider configuration again.


Error: Provider configuration not present

To work with module.sunset_environment.aws_acm_certificate.cloudfront its
original provider configuration at
module.sunset_environment.provider.aws.us_east_1 is required, but it has been
removed. This occurs when a provider configuration is removed while objects
created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.sunset_environment.aws_acm_certificate.cloudfront, after which you can
remove the provider configuration again.

Steps to Reproduce

Following the instructions at https://www.terraform.io/upgrade-guides/0-12.html

Additional Context

Tried running 0.11 syntax (i.e. with interpolated strings) against 0.12 but got the same error.

I tried running the 0.12 upgrade command against the module but it can't resolve the us_east_1 provider. I guess that's expected but I figured it was worth a go.

References

Looks similar to #21416

looks like now you have to explicitly pass down the aliased providers to our modules explicitly. From the docs (https://www.terraform.io/docs/configuration/modules.html#passing-providers-explicitly):

Additional provider configurations (those with the alias argument set) are never inherited automatically by child modules, and so must always be passed explicitly using the providers map.

There's an example in the docs that I linked to, but what it comes down to is that in my module that issues certificates I have to declare that it expects to be told about an aliased AWS provider (note that it doesn't need to declare any configuration for this provider, just that it will be there). So, in some-module/main.tf:

provider "aws" {
  alias = "north-virginia"
}

and then when the module is used:

module "root_domain" {
  source = "./some-module"
  providers = {
    aws                = aws
    aws.north-virginia = aws.north-virginia
  }

  ...other stuff...
}