cloudposse/terraform-aws-vpn-connection

Using defaults results in circular modifications in-place

Kieran-Bacon opened this issue · 1 comment

Describe the Bug

When creating a VPN using the aws_vpn_connection resource, lots of defaults for the VPN are set up, which is desired. When you come to plan/apply, you get in-place changes where the default values are to be taken out and replaced with nothing. This leads to the VPN being modified and the tunnels going down during the process, despite nothing actually happening.

Expected Behavior

Nothing should be modified in place when the only modification is to remove the default values, so that the default values can be used.

Steps to Reproduce

  1. Create a resource:
resource "aws_vpn_connection" "main" {
  count               = var.enable_vpn ? 1 : 0
  vpn_gateway_id      = aws_vpn_gateway.vpn_gateway[0].id
  customer_gateway_id = aws_customer_gateway.customer_gateway[0].id
  type                = "ipsec.1"
  static_routes_only  = true

  # No tunnel options set: AWS fills in its default proposal sets
  tags = {
    Name = "${var.customer_name}-VPN"
  }
}
  2. Apply the VPN, and then later apply again:
# aws_vpn_connection.main[0] will be updated in-place
  ~ resource "aws_vpn_connection" "main" {
        id                                   = "vpn-0c6ec0afe0bd1debb"
        tags                                 = {
            "Name" = "***-VPN"
        }
      ~ tunnel1_ike_versions                 = [
          - "ikev1",
          - "ikev2",
        ]
      ~ tunnel1_phase1_dh_group_numbers      = [
          - 2,
          - 14,
          - 15,
          - 16,
          - 17,
          - 18,
          - 19,
          - 20,
          - 21,
          - 22,
          - 23,
          - 24,
        ]
      ~ tunnel1_phase1_encryption_algorithms = [
          - "AES128",
          - "AES128-GCM-16",
          - "AES256",
          - "AES256-GCM-16",
        ]
      ~ tunnel1_phase1_integrity_algorithms  = [
          - "SHA1",
          - "SHA2-256",
          - "SHA2-384",
          - "SHA2-512",
        ]
      ~ tunnel1_phase2_dh_group_numbers      = [
          - 2,
          - 5,
          - 14,
          - 15,
          - 16,
          - 17,
          - 18,
          - 19,
          - 20,
          - 21,
          - 22,
          - 23,
          - 24,
        ]
      ~ tunnel1_phase2_encryption_algorithms = [
          - "AES128",
          - "AES128-GCM-16",
          - "AES256",
          - "AES256-GCM-16",
        ]
      ~ tunnel1_phase2_integrity_algorithms  = [
          - "SHA1",
          - "SHA2-256",
          - "SHA2-384",
          - "SHA2-512",
        ]
      ~ tunnel2_ike_versions                 = [
          - "ikev1",
          - "ikev2",
        ]
      ~ tunnel2_phase1_dh_group_numbers      = [
          - 2,
          - 14,
          - 15,
          - 16,
          - 17,
          - 18,
          - 19,
          - 20,
          - 21,
          - 22,
          - 23,
          - 24,
        ]
      ~ tunnel2_phase1_encryption_algorithms = [
          - "AES128",
          - "AES128-GCM-16",
          - "AES256",
          - "AES256-GCM-16",
        ]
      ~ tunnel2_phase1_integrity_algorithms  = [
          - "SHA1",
          - "SHA2-256",
          - "SHA2-384",
          - "SHA2-512",
        ]
      ~ tunnel2_phase2_dh_group_numbers      = [
          - 2,
          - 5,
          - 14,
          - 15,
          - 16,
          - 17,
          - 18,
          - 19,
          - 20,
          - 21,
          - 22,
          - 23,
          - 24,
        ]
      ~ tunnel2_phase2_encryption_algorithms = [
          - "AES128",
          - "AES128-GCM-16",
          - "AES256",
          - "AES256-GCM-16",
        ]
      ~ tunnel2_phase2_integrity_algorithms  = [
          - "SHA1",
          - "SHA2-256",
          - "SHA2-384",
          - "SHA2-512",
        ]
        # (41 unchanged attributes hidden)
    }
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 1m40s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 1m50s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 2m0s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 2m10s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 2m20s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 2m30s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 2m40s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 2m50s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 3m0s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 3m10s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 3m20s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 3m30s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 3m40s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 3m50s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 4m0s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 4m10s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 4m20s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 4m30s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 4m40s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 4m50s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 5m0s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 5m10s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 5m20s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 5m30s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 5m40s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 5m50s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 6m0s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 6m10s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 6m20s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 6m30s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 6m40s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 6m50s elapsed]
aws_vpn_connection.main[0]: Still modifying... [id=vpn-0c6ec0afe0bd1debb, 7m0s elapsed]
  3. Have your tunnels go down:

[image: screenshot of the tunnel status attached to the original issue]

Environment (please complete the following information):

Terraform v1.1.9
on windows_386

  • provider registry.terraform.io/hashicorp/aws v4.13.0
  • provider registry.terraform.io/hashicorp/cloudinit v2.2.0
  • provider registry.terraform.io/hashicorp/kubernetes v2.11.0
  • provider registry.terraform.io/hashicorp/null v3.1.1
  • provider registry.terraform.io/hashicorp/template v2.2.0
  • provider registry.terraform.io/hashicorp/tls v3.3.0

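One way to stop the drift described above, and at the same time narrow the proposal set AWS accepts, is to pin every tunnel option explicitly instead of relying on the AWS defaults. The following is an added example, not code from the issue or from the cloudposse module. Resource and variable names follow the reporter's snippet; the hardened values are an assumption (every one of them appears in the AWS default lists shown in the plan output, so they are valid, but the customer gateway device must support the narrowed set or IKE will not negotiate).

```hcl
# Added example: explicit tunnel options for aws_vpn_connection.
# Because every attribute is set in config, the state AWS returns after
# apply equals the config, so a later plan shows no in-place update.

locals {
  # Hardened IPsec proposal set (assumption: adjust to what the on-prem
  # device supports). Dropping ikev1, DH group 2/5, SHA1 and AES128 is the
  # point; AWS otherwise offers all of them by default.
  vpn_ike_versions          = ["ikev2"]
  vpn_phase1_dh_groups      = [14, 19, 20, 21]
  vpn_phase2_dh_groups      = [14, 19, 20, 21]
  vpn_encryption_algorithms = ["AES256", "AES256-GCM-16"]
  vpn_integrity_algorithms  = ["SHA2-256", "SHA2-384", "SHA2-512"]
}

resource "aws_vpn_connection" "main" {
  count               = var.enable_vpn ? 1 : 0
  vpn_gateway_id      = aws_vpn_gateway.vpn_gateway[0].id
  customer_gateway_id = aws_customer_gateway.customer_gateway[0].id
  type                = "ipsec.1"
  static_routes_only  = true

  # Tunnel 1: every option pinned, nothing left to the AWS default
  tunnel1_ike_versions                 = local.vpn_ike_versions
  tunnel1_phase1_dh_group_numbers      = local.vpn_phase1_dh_groups
  tunnel1_phase1_encryption_algorithms = local.vpn_encryption_algorithms
  tunnel1_phase1_integrity_algorithms  = local.vpn_integrity_algorithms
  tunnel1_phase2_dh_group_numbers      = local.vpn_phase2_dh_groups
  tunnel1_phase2_encryption_algorithms = local.vpn_encryption_algorithms
  tunnel1_phase2_integrity_algorithms  = local.vpn_integrity_algorithms

  # Tunnel 2: identical set so both tunnels negotiate the same way
  tunnel2_ike_versions                 = local.vpn_ike_versions
  tunnel2_phase1_dh_group_numbers      = local.vpn_phase1_dh_groups
  tunnel2_phase1_encryption_algorithms = local.vpn_encryption_algorithms
  tunnel2_phase1_integrity_algorithms  = local.vpn_integrity_algorithms
  tunnel2_phase2_dh_group_numbers      = local.vpn_phase2_dh_groups
  tunnel2_phase2_encryption_algorithms = local.vpn_encryption_algorithms
  tunnel2_phase2_integrity_algorithms  = local.vpn_integrity_algorithms

  tags = {
    Name = "${var.customer_name}-VPN"
  }
}
```

Two caveats. Applying this to an already-provisioned connection is itself an in-place modification of the tunnel options, so expect one more tunnel drop of the kind shown in the plan above; schedule it in a maintenance window. And the alternative of keeping the AWS defaults but adding `lifecycle { ignore_changes = [tunnel1_ike_versions, ...] }` also silences the diff, but it hides real drift too, including someone widening the proposal set in the console, so pinning is the safer of the two.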

Gowiem commented

@Kieran-Bacon I have run this module multiple times for 2 different connections using OpenTofu v1.6.1 and AWS Provider v5.37.0. I have not seen any of the cycling issues that you're referring to. I believe this may be due to an older version of TF or the AWS provider. Please try this out with the latest module, AWS provider, and Terraform and let me know your results. If this continues to occur, then please reopen and we'll work to see what the issue is. Thanks!