After modifying VPC to assign IPv6, using ipv6_cidr_block causes failure #6710

Closed
fiducioso-dan opened this issue Dec 4, 2018 · 5 comments · Fixed by #6721
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
fiducioso-dan commented Dec 4, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.10, provider-aws v1.50.0

Affected Resource(s)

  • aws_vpc
  • aws_network_acl_rule

Terraform Configuration Files

variable "enable_ipv6" {
}
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # required argument; example value, not from the original report
  assign_generated_ipv6_cidr_block = "${var.enable_ipv6}"
}
resource "aws_network_acl" "public" {
  vpc_id = "${aws_vpc.main.id}"
}
resource "aws_network_acl_rule" "egress_internal_ipv6" { # allow internal traffic
  count = "${var.enable_ipv6 ? 1 : 0}"
  network_acl_id = "${aws_network_acl.public.id}"
  egress = true
  rule_number = 2
  rule_action = "allow"
  protocol = "-1"
  from_port = 0
  to_port = 0
  ipv6_cidr_block = "${aws_vpc.main.ipv6_cidr_block}"
}

Debug Output

1 error(s) occurred:

* aws_network_acl_rule.egress_internal_ipv6: aws_network_acl_rule.egress_internal_ipv6: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

Please include the following information in your report:

    Terraform Version: 0.11.10
    Resource ID: aws_network_acl_rule.egress_internal_ipv6
    Mismatch reason: extra attributes: ipv6_cidr_block
    Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"protocol":*terraform.ResourceAttrDiff{Old:"", New:"-1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "rule_action":*terraform.ResourceAttrDiff{Old:"", New:"allow", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "from_port":*terraform.ResourceAttrDiff{Old:"", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "to_port":*terraform.ResourceAttrDiff{Old:"", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "network_acl_id":*terraform.ResourceAttrDiff{Old:"", New:"acl-061bc65514175849e", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "egress":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "rule_number":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}
    Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"rule_number":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "egress":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "protocol":*terraform.ResourceAttrDiff{Old:"", New:"-1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "rule_action":*terraform.ResourceAttrDiff{Old:"", New:"allow", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "from_port":*terraform.ResourceAttrDiff{Old:"", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "to_port":*terraform.ResourceAttrDiff{Old:"", New:"0", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "network_acl_id":*terraform.ResourceAttrDiff{Old:"", New:"acl-061bc65514175849e", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "ipv6_cidr_block":*terraform.ResourceAttrDiff{Old:"", New:"2600:1f18:41c2:ac00::/56", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}

Panic Output

Expected Behavior

When aws_vpc property assign_generated_ipv6_cidr_block goes from false to true, treat ipv6_cidr_block as "calculated" i.e. to be determined at runtime.
And of course the new aws_network_acl_rule should have created successfully.

Actual Behavior

During planning the acl rule treats the ipv6_cidr_block as missing instead of calculated. Then get error: diffs didn't match during apply.

WORKAROUND: Just run it a second time. Terraform will pick up the new CIDR during planning.

Steps to Reproduce

  1. terraform apply with enable_ipv6=false
  2. terraform apply with enable_ipv6=true

Important Factoids

References

There are many other issues in the backlog related to diffs didn't match during apply but I hope I reduced the case enough to make this issue fixable.
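A simplified model of the mismatch reported above, added here as an illustration; it is not code from the issue author, Terraform core, or the AWS provider. `AttrDiff`, `RuleDiff` and `ExtraAttributes` are hypothetical names, and the diffs are reduced to a few of the attributes shown in the debug output.

```go
package main

import (
	"fmt"
	"sort"
)

// AttrDiff is a reduced stand-in for terraform.ResourceAttrDiff (assumption).
type AttrDiff struct {
	New         string
	NewComputed bool // value unknown at plan time, filled in during apply
}

type InstanceDiff map[string]AttrDiff

// RuleDiff builds the ACL rule diff from what the VPC reports for ipv6_cidr_block:
// known=false means "computed"; known=true with cidr "" drops the attribute.
func RuleDiff(cidr string, known bool) InstanceDiff {
	d := InstanceDiff{
		"egress":      {New: "true"},
		"rule_number": {New: "2"},
		"protocol":    {New: "-1"},
	}
	if !known {
		d["ipv6_cidr_block"] = AttrDiff{NewComputed: true}
	} else if cidr != "" {
		d["ipv6_cidr_block"] = AttrDiff{New: cidr}
	}
	return d
}

// ExtraAttributes lists attributes the apply-time diff carries that the plan
// never mentioned, sorted; a non-empty result is the "diffs didn't match" case.
func ExtraAttributes(plan, apply InstanceDiff) []string {
	extra := []string{}
	for name := range apply {
		if _, planned := plan[name]; !planned {
			extra = append(extra, name)
		}
	}
	sort.Strings(extra)
	return extra
}

func main() {
	apply := RuleDiff("2600:1f18:41c2:ac00::/56", true) // CIDR from the debug output
	fmt.Println("attribute absent at plan:", ExtraAttributes(RuleDiff("", true), apply))
	fmt.Println("attribute computed at plan:", ExtraAttributes(RuleDiff("", false), apply))
}
```

The second apply in the workaround corresponds to planning with the CIDR already known, which also yields no extra attributes.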

@bflad bflad added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. labels Dec 4, 2018
Contributor

bflad commented Dec 5, 2018

Hi @fiducioso-dan 👋 Sorry for the trouble. I have submitted a pull request to fix this behavior, however it is currently dependent on a change upstream in Terraform core which means this may not get fixed until version 2.0.0+ of the AWS provider at this point (due to timing with Terraform 0.12): #6721

@fiducioso-dan
Author

@bflad It's amazing that you have a PR so quickly. Thank you for your excellent work.

@bflad bflad modified the milestones: v2.0.0, v2.1.0, v2.3.0 Feb 24, 2019
@bflad bflad modified the milestones: v2.3.0, 0.12-post-support Mar 15, 2019
@bflad bflad modified the milestones: 0.12-post-support, v2.8.0 Apr 18, 2019
@bflad bflad removed terraform-0.12 upstream-terraform Addresses functionality related to the Terraform core binary. labels Apr 18, 2019
@nywilken
Member

The fix to the aws_vpc resource has been merged and will release with version 2.8.0 of the Terraform AWS Provider, shortly.

Member

nywilken commented Apr 27, 2019

This has been released in version 2.8.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.


ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020