@ejorgensen22 ejorgensen22 commented Nov 24, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

No changes to security controls (access controls, encryption, logging) in this pull request.

Description

Fixes a bug in Route53 hosted zone deletion logic during ForceNew operations when the zone name is updated. The issue occurred because the deletion process was using the new zone name from Terraform state instead of the actual zone name being deleted, causing NS/SOA record filtering to fail.

Key Changes:

  • Fixed deleteHostedZone function to fetch the actual zone name from AWS API instead of relying on Terraform state during ForceNew operations
  • Added acceptance test TestAccRoute53Zone_nameUpdate to verify zone recreation behavior when name changes
  • Added helper function testAccCheckZoneRecreated to validate zone recreation in tests

Bug Details:
During ForceNew operations (e.g., when changing the zone name), Terraform state contains the new zone name while the old zone still exists with the original name. The deletion logic was incorrectly using the new zone name from state to filter NS/SOA records, causing the filtering to fail and attempt deletion of undeletable apex records.

Root Cause:
When a Route53 zone name is changed, Terraform triggers a ForceNew operation that:

  1. Creates a new zone with the new name
  2. Attempts to delete the old zone using force_destroy = true

During step 2, the Terraform state already contains the new zone name, but the actual zone being deleted still has the old name. The deleteAllResourceRecordsFromHostedZone function was using the zone name from Terraform state (new name) to filter NS/SOA records, but the actual records in the zone being deleted still used the old zone name. This mismatch caused the filtering logic to fail, leading to attempts to delete undeletable NS/SOA records.

Solution:
Modified the deleteHostedZone function to fetch the actual zone name from AWS using the GetHostedZone API call before proceeding with record deletion. This ensures the correct zone name is used for NS/SOA record filtering regardless of Terraform state values.

Testing:

  • New acceptance test validates that zone name changes trigger proper recreation without errors
  • Existing tests continue to pass
  • Test specifically covers the scenario that previously failed with InvalidChangeBatch errors

Error Fixed:

deleting Route53 Hosted Zone (Z123456789EXAMPLE) resource record sets: operation error Route 53: ChangeResourceRecordSets, https response error StatusCode: 400, RequestID: 12345678-1234-1234-1234-123456789abc, InvalidChangeBatch: [A HostedZone must contain at least one NS record for the zone itself., A HostedZone must contain exactly one SOA record.]

References

Closes #45241

Output from Acceptance Testing

make testacc TESTS=TestAccRoute53Zone_nameUpdate PKG=route53
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 aws_route53_zone-InvalidChangeBatch 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/route53/... -v -count 1 -parallel 20 -run='TestAccRoute53Zone_(basic|disappears|multiple|comment|delegationSetID|forceDestroy|ForceDestroy_trailingPeriod|tags|escapedCharacter|classlessDelegation|escapedSlash|escapedSpace|nameUpdate)'  -timeout 360m -vet=off
2025/11/25 11:09:00 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/25 11:09:00 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccRoute53Zone_basic
=== PAUSE TestAccRoute53Zone_basic
=== RUN   TestAccRoute53Zone_disappears
=== PAUSE TestAccRoute53Zone_disappears
=== RUN   TestAccRoute53Zone_multiple
=== PAUSE TestAccRoute53Zone_multiple
=== RUN   TestAccRoute53Zone_comment
=== PAUSE TestAccRoute53Zone_comment
=== RUN   TestAccRoute53Zone_delegationSetID
=== PAUSE TestAccRoute53Zone_delegationSetID
=== RUN   TestAccRoute53Zone_forceDestroy
=== PAUSE TestAccRoute53Zone_forceDestroy
=== RUN   TestAccRoute53Zone_ForceDestroy_trailingPeriod
=== PAUSE TestAccRoute53Zone_ForceDestroy_trailingPeriod
=== RUN   TestAccRoute53Zone_tags
=== PAUSE TestAccRoute53Zone_tags
=== RUN   TestAccRoute53Zone_escapedCharacter
=== PAUSE TestAccRoute53Zone_escapedCharacter
=== RUN   TestAccRoute53Zone_classlessDelegation
=== PAUSE TestAccRoute53Zone_classlessDelegation
=== RUN   TestAccRoute53Zone_escapedSlash
=== PAUSE TestAccRoute53Zone_escapedSlash
=== RUN   TestAccRoute53Zone_escapedSpace
=== PAUSE TestAccRoute53Zone_escapedSpace
=== RUN   TestAccRoute53Zone_nameUpdate
=== PAUSE TestAccRoute53Zone_nameUpdate
=== CONT  TestAccRoute53Zone_basic
=== CONT  TestAccRoute53Zone_tags
=== CONT  TestAccRoute53Zone_escapedSlash
=== CONT  TestAccRoute53Zone_classlessDelegation
=== CONT  TestAccRoute53Zone_delegationSetID
=== CONT  TestAccRoute53Zone_ForceDestroy_trailingPeriod
=== CONT  TestAccRoute53Zone_forceDestroy
=== CONT  TestAccRoute53Zone_nameUpdate
=== CONT  TestAccRoute53Zone_escapedSpace
=== CONT  TestAccRoute53Zone_multiple
=== CONT  TestAccRoute53Zone_escapedCharacter
=== CONT  TestAccRoute53Zone_disappears
=== CONT  TestAccRoute53Zone_comment
--- PASS: TestAccRoute53Zone_disappears (83.19s)
--- PASS: TestAccRoute53Zone_classlessDelegation (85.93s)
--- PASS: TestAccRoute53Zone_multiple (90.47s)
--- PASS: TestAccRoute53Zone_escapedSlash (90.51s)
--- PASS: TestAccRoute53Zone_delegationSetID (91.23s)
--- PASS: TestAccRoute53Zone_escapedSpace (91.68s)
--- PASS: TestAccRoute53Zone_escapedCharacter (93.55s)
--- PASS: TestAccRoute53Zone_basic (94.93s)
--- PASS: TestAccRoute53Zone_comment (103.57s)
--- PASS: TestAccRoute53Zone_tags (117.37s)
--- PASS: TestAccRoute53Zone_nameUpdate (163.68s)
--- PASS: TestAccRoute53Zone_ForceDestroy_trailingPeriod (209.20s)
--- PASS: TestAccRoute53Zone_forceDestroy (214.07s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/route53	221.597s
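The name mismatch described above, as an added Go example that is not the provider's code: it builds the force-destroy delete batch once with the zone name taken from state and once with the zone's actual name. `Record`, `deletableRecords`, `apexLeaks` and the sample records are hypothetical, and the case and trailing-dot normalization is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a simplified, hypothetical stand-in for a Route 53 record set.
type Record struct{ Name, Type string }

// normalize makes "Old.Example.com." and "old.example.com" compare equal
// (assumed normalization for this example).
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// isApexNSOrSOA reports whether r is the zone's own NS or SOA record, which
// Route 53 refuses to delete from a hosted zone.
func isApexNSOrSOA(zoneName string, r Record) bool {
	return (r.Type == "NS" || r.Type == "SOA") && normalize(r.Name) == normalize(zoneName)
}

// deletableRecords builds the delete batch: every record except those that
// filterName identifies as apex NS/SOA.
func deletableRecords(filterName string, records []Record) []Record {
	var batch []Record
	for _, r := range records {
		if !isApexNSOrSOA(filterName, r) {
			batch = append(batch, r)
		}
	}
	return batch
}

// apexLeaks counts apex NS/SOA records of the real zone that ended up in batch.
func apexLeaks(actualName string, batch []Record) int {
	return len(batch) - len(deletableRecords(actualName, batch))
}

// oldZoneRecords is constructed sample data for a zone named old.example.com.
func oldZoneRecords() []Record {
	return []Record{{"old.example.com.", "NS"}, {"old.example.com.", "SOA"},
		{"www.old.example.com.", "A"}, {"sub.old.example.com.", "NS"}}
}

func main() {
	recs := oldZoneRecords()
	fmt.Println(apexLeaks("old.example.com", deletableRecords("new.example.com", recs))) // name from state
	fmt.Println(apexLeaks("old.example.com", deletableRecords("old.example.com", recs))) // name from API
}
```

A non-zero leak count is the condition under which the batch contains the apex NS and SOA records and the request is rejected with the `InvalidChangeBatch` error quoted in the description.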

@ejorgensen22 ejorgensen22 requested a review from a team as a code owner November 24, 2025 22:30
github-actions bot commented Nov 24, 2025

✅ Thank you for correcting the previously detected issues! The maintainers appreciate your efforts to make the review process as smooth as possible.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/route53 Issues and PRs that pertain to the route53 service. size/S Managed by automation to categorize the size of a PR. labels Nov 24, 2025
@github-actions github-actions bot added the size/M Managed by automation to categorize the size of a PR. label Nov 25, 2025
@github-actions github-actions bot added the service/route53domains Issues and PRs that pertain to the route53domains service. label Nov 25, 2025
Development

Successfully merging this pull request may close these issues.

aws_route53_zone fails with InvalidChangeBatch during ForceNew operations
