Importing aws:ec2/routeTable:RouteTable produces resource with ipv6Cidr resource with empty string resulting in invalid CIDR address error
Closed this issue · 8 comments
Update: 28 May '24
It looks as though this specific issue is triggered when using ignore_changes=["routes"] after doing pulumi import on a RouteTable resource.
According to the docs, by omitting the routes input, this should then ignore route changes. I've tried this and it looks to be working okay for our use case.
For now it looks as though this isn't a blocking issue for importing Route Tables since there is a workaround, it's probably just not ideal that import is producing an invalid resource state that cannot be validated as per @tmeckel's reply: #3986 (comment)
Latest info and steps to repro are in: #3986 (comment)
What happened?
Not sure if this is a pulumi-aws or upstream Terraform problem!
When pulumi importing an AWS Route Table with AWS Classic (aws:ec2/routeTable:RouteTable), it appears that it also imports routes associated with the route table. The attributes on a route are set to "" if there is no value associated. I’m seeing an issue where "ipv6CidrBlock": "" then causes pulumi preview to complain that "" is not a valid CIDR block: invalid CIDR address.
When I pulumi state edit and remove the ipv6CidrBlock: "", line from the aws:ec2/routeTable:RouteTable resources the error goes away.
If I also compare an aws:ec2/routeTable:RouteTable created by pulumi up vs an imported resource via pulumi import, the fields without values are all "" in the imported version and not present in the pulumi up.
Example
pulumi import aws:ec2/routeTable:RouteTable public_rt rtb-4e616f6d69
pulumi preview
error: aws:ec2/routeTable:RouteTable resource 'public_rt' has a problem: "" is not a valid CIDR block: invalid CIDR address: . Examine values at 'public_rt.routes'.
"urn": "urn:pulumi:ccoe-sandbox-usw2-tbarlow::riotvpc::aws:ec2/routeTable:RouteTable::customer_tbarlow_PublicRouteTable_10.189.130.0/28_az1",
"custom": true,
"id": "rtb-0845eafb29d28dbb9",
"type": "aws:ec2/routeTable:RouteTable",
"inputs": {
    "__defaults": [],
    "routes": [
        {
            "__defaults": [],
            "carrierGatewayId": "",
            "cidrBlock": "0.0.0.0/0",
            "coreNetworkArn": "",
            "destinationPrefixListId": "",
            "egressOnlyGatewayId": "",
            "gatewayId": "igw-09254a252d322b940",
            "ipv6CidrBlock": "",
            "localGatewayId": "",
            "natGatewayId": "",
            "networkInterfaceId": "",
            "transitGatewayId": "",
            "vpcEndpointId": "",
            "vpcPeeringConnectionId": ""
        }
    ],
Section of state where the empty strings are being added to route attributes:
"custom": true,
"type": "aws:ec2/routeTable:RouteTable",
"inputs": {
    "__defaults": [],
    "routes": [
        {
            "__defaults": [],
            "carrierGatewayId": "",
            "cidrBlock": "0.0.0.0/0",
            "coreNetworkArn": "",
            "destinationPrefixListId": "",
            "egressOnlyGatewayId": "",
            "gatewayId": "igw-00000000",
            "ipv6CidrBlock": "",
            "localGatewayId": "",
            "natGatewayId": "",
            "networkInterfaceId": "",
            "transitGatewayId": "",
            "vpcEndpointId": "",
            "vpcPeeringConnectionId": ""
        }
    ],
Output of pulumi about
❯ pulumi about
CLI
Version 3.116.1
Go Version go1.22.2
Go Compiler gc
Plugins
KIND NAME VERSION
resource aws 6.35.0
language python unknown
Host
OS darwin
Version 14.3.1
Arch arm64
This project is written in python: executable='.../python3' version='3.11.7'
...
Dependencies:
NAME VERSION
ansible 9.5.1
isort 5.13.2
mypy-boto3-ec2 1.34.101
mypy-boto3-ram 1.34.0
mypy-boto3-route53 1.34.31
mypy-boto3-route53resolver 1.34.102
parameterized 0.9.0
pip 23.3.2
pre-commit 3.7.1
pytest 8.2.0
yamllint 1.35.1
Additional context
Discussed this a little bit on Slack: https://pulumi-community.slack.com/archives/C84L4E3N1/p1715987354126929
The above shown data in routes is clearly invalid, because for an optional Terraform property the property shouldn't show up at all. That's why removing the empty string "" will solve the shown error by pulumi.
CC: @t0yv0
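The manual pulumi state edit workaround discussed above, sketched as an added example (not code from the issue or from Pulumi): it reports route CIDR inputs that fail to parse and drops empty-string route attributes from a single resource entry. The sample resource is constructed with placeholder ids, and the function names are hypothetical.

```python
import copy
import ipaddress

ROUTE_TABLE_TYPE = "aws:ec2/routeTable:RouteTable"

# Constructed sample shaped like the state excerpt in the issue (ids are placeholders).
SAMPLE_RESOURCE = {
    "urn": "urn:pulumi:dev::example::aws:ec2/routeTable:RouteTable::public_rt",
    "custom": True,
    "id": "rtb-00000000",
    "type": ROUTE_TABLE_TYPE,
    "inputs": {
        "__defaults": [],
        "routes": [{
            "__defaults": [],
            "carrierGatewayId": "",
            "cidrBlock": "0.0.0.0/0",
            "gatewayId": "igw-00000000",
            "ipv6CidrBlock": "",
            "natGatewayId": "",
        }],
    },
}

def invalid_cidrs(resource):
    """Return (route index, key, value) for CIDR inputs that do not parse."""
    problems = []
    for i, route in enumerate(resource.get("inputs", {}).get("routes", [])):
        for key in ("cidrBlock", "ipv6CidrBlock"):
            if key in route:
                try:
                    ipaddress.ip_network(route[key], strict=False)
                except ValueError:
                    problems.append((i, key, route[key]))
    return problems

def strip_empty_route_attrs(resource):
    """Return a copy with empty-string route inputs removed; the input is not modified."""
    cleaned = copy.deepcopy(resource)
    if cleaned.get("type") != ROUTE_TABLE_TYPE:
        return cleaned
    # Only "inputs" is touched, since that is the section shown in the issue.
    for route in cleaned.get("inputs", {}).get("routes", []):
        for key in [k for k, v in route.items() if v == ""]:
            del route[key]
    return cleaned
```

Running invalid_cidrs before and after strip_empty_route_attrs shows whether an imported entry would still trip the CIDR validation.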
Thank you for reporting this issue so clearly and thanks for the cited workaround! I'm adding the appropriate labels. This is indeed a common theme of issues our team will need to tackle as time permits. Adding to a tracking issue.
I've created a repository here with a minimal configuration to reproduce this issue: https://github.com/tombee/pulumi-aws-issue-3986
Interestingly I found that it's only preventing preview and up actions when I add:
opts=pulumi.ResourceOptions(ignore_changes=["routes"])
It also warns about failed validation during pulumi import of the route table:
Diagnostics:
aws:ec2:RouteTable (pulumi-import-issue-3986-rtb):
warning: One or more imported inputs failed to validate. This is almost certainly a bug in the `aws` provider. The import will still proceed, but you will need to edit the generated code after copying it into your program.
warning: aws:ec2/routeTable:RouteTable resource 'pulumi-import-issue-3986-rtb' has a problem: "" is not a valid CIDR block: invalid CIDR address: . Examine values at 'pulumi-import-issue-3986-rtb.routes'.
Updated the main issue comment, since I don't believe this is a blocking issue if the trigger is only when ignore_changes=["routes"] is added, since the RouteTable resource has a built-in method of ignoring routes by simply omitting the input.
I don't know enough about how import works with pulumi-aws and the terraform bridge to know if this could be a wider issue though where the import CLI is producing a state that won't pass validation.
I just tried to reproduce this using the latest https://github.com/pulumi/pulumi-terraform-bridge/tree/master and it looks like it has been fixed.
After the next bridge release we can pull in the new version and test it out to confirm.
Tracking pulumi/pulumi-terraform-bridge#2314 in the bridge.
@tombee the issue should now be fixed on the latest version. I tested with your repro and it was successful.