fortinet/fortigate-terraform-deploy

Terraform private_ips does not guarantee order of IP addresses in network interfaces

stsimb opened this issue · 2 comments

Hi all,

We've used https://github.com/fortinet/fortigate-terraform-deploy/tree/main/aws/7.2/ha-single-az-existing to provision a pair of Fortigate devices. No problems, the instances were provisioned and config deployed in them.

But when we tried to actually reach the IP addresses generated and use them, we couldn't.

After a few hours of troubleshooting, we realised that the IP addresses in "active-port1" and "active-port2" were the other way around.

Our variables.tf values look like this:

variable "activeport1" {
  default = "10.10.1.21"
}

variable "activeport1float" {
  default = "10.10.1.20"
}

variable "activeport2" {
  default = "10.10.4.21"
}

variable "activeport2float" {
  default = "10.10.4.20"
}

For active-port1 we expected a network interface with private IPv4 address = 10.10.1.21 and secondary private IPv4 address = 10.10.1.20. Unfortunately, the actual network interface created by Terraform has private IPv4 address = 10.10.1.20 and secondary private IPv4 address = 10.10.1.21.

Same for active-port2: instead of private IPv4 address = 10.10.4.21 and secondary private IPv4 address = 10.10.4.20, the actual network interface created by Terraform has private IPv4 address = 10.10.4.20 and secondary private IPv4 address = 10.10.4.21.

It all comes down to Terraform not guaranteeing the order of IP addresses when using "private_ips" in the aws_network_interface resource.

Quoting from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_interface#example-of-managing-multiple-ips-on-a-network-interface (emphasis is mine):

By default, private IPs are managed through the private_ips and private_ips_count arguments which manage IPs as a set of IPs that are configured without regard to order. For a new network interface, the same primary IP address is consistently selected from a given set of addresses, regardless of the order provided. However, modifications of the set of addresses of an existing interface will not alter the current primary IP address unless it has been removed from the set.

In order to manage the private IPs as a sequentially ordered list, configure private_ip_list_enabled to true and use private_ip_list to manage the IPs. This will disable the private_ips and private_ips_count settings, which must be removed from the config file but are still exported. Note that changing the first address of private_ip_list, which is the primary, always requires a new interface.

So please, for the sake of other people who will hit the same problem, consider switching to private_ip_list instead of private_ips in the code.
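For comparison, here is what the two forms of the interface definition look like side by side, with a plan-time check that catches a swapped primary. This is an added example, not code from the fortigate-terraform-deploy repository; the subnet and security-group variable names are hypothetical, while the address variables reuse the values from the issue.

```hcl
# Address variables as in the issue above.
variable "activeport1"      { default = "10.10.1.21" }
variable "activeport1float" { default = "10.10.1.20" }

# Hypothetical names; the module declares its own subnet and SG variables.
variable "port1_subnet_id" { type = string }
variable "port1_sg_ids"    { type = list(string) }

# BEFORE (for contrast only, do not keep both resources): private_ips is a
# set, so the provider chooses the primary address itself. Listing
# var.activeport1 first does not make it the primary; 10.10.1.20 may win.
resource "aws_network_interface" "active_port1_unordered" {
  subnet_id         = var.port1_subnet_id
  security_groups   = var.port1_sg_ids
  private_ips       = [var.activeport1, var.activeport1float]
  source_dest_check = false
}

# AFTER: private_ip_list is an ordered list and element 0 is always the
# primary. private_ips and private_ips_count must not be set alongside it,
# and changing element 0 later forces a new interface.
resource "aws_network_interface" "active_port1" {
  subnet_id               = var.port1_subnet_id
  security_groups         = var.port1_sg_ids
  private_ip_list_enabled = true
  private_ip_list         = [var.activeport1, var.activeport1float]
  source_dest_check       = false
}

# Terraform >= 1.5 check block: fail the plan/apply if the primary address
# the provider reports is not the one the FortiGate config expects, so a
# swap surfaces in CI instead of after hours of troubleshooting.
check "active_port1_primary_is_activeport1" {
  assert {
    condition     = aws_network_interface.active_port1.private_ip == var.activeport1
    error_message = "active-port1 primary is not ${var.activeport1}; addresses are swapped"
  }
}
```

The same pattern applies to active-port2 with var.activeport2 and var.activeport2float.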

Hi stsimb,

Thanks for the suggestion. Will try to make the change to use private_ip_list in the future update.

Cheers

Fixed in PR 120