cloudposse / terraform-aws-ec2-client-vpn

https://cloudposse.com/accelerate
Apache License 2.0

Add longer timeouts to aws_ec2_client_vpn_route #40

Closed rpadovani closed 2 years ago

rpadovani commented 2 years ago

Default timeout for aws_ec2_client_vpn_route is 1 minute for all operations.

Trying to attach routes in eu-central-1 for a peered VPC, it constantly fails with:

│ Error: error waiting for EC2 Client VPN Route (cvpn-endpoint-xxx,subnet-yyy,10.100.0.0/16) create: timeout while waiting for state to become 'active' (last state: 'creating', timeout: 1m0s)
│ 
│   with module.ec2_client_vpn[0].aws_ec2_client_vpn_route.default[0],
│   on .terraform/modules/ec2_client_vpn/main.tf line 242, in resource "aws_ec2_client_vpn_route" "default":
│  242: resource "aws_ec2_client_vpn_route" "default" {

and

│ Error: error waiting for EC2 Client VPN Route (cvpn-endpoint-xxx,subnet-yyy,10.100.0.0/16) delete: timeout while waiting for resource to be gone (last state: 'deleting', timeout: 1m0s)

With this commit, we increment the timeout to 5 minutes. In my experiments, the route is always available in around 90 seconds. 5 minutes gives us plenty of time, and still is not too long to wait in case of problems.

Upstream issue: https://github.com/hashicorp/terraform-provider-aws/issues/23787

I think fixing here is good, until we wait for an upstream improvement, because I am currently blocked

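An added example, not code from this PR or the module: a Python model of the provider's state waiter, using the DescribeClientVpnRoutes response shape and its status codes, a fake clock, and a constructed route that takes 90 seconds to become active. A 1m deadline fails exactly as in the error above, a 5m deadline succeeds, and a `failed` status aborts at once instead of burning the whole timeout.

```python
import time
from typing import Callable

class RouteWaitTimeout(Exception):
    pass

class RouteFailed(Exception):
    pass

def route_status(describe_output: dict, destination_cidr: str, target_subnet: str) -> str:
    """Status.Code of one route in a DescribeClientVpnRoutes response
    (creating | active | failed | deleting); "missing" if it is not listed,
    which is the state a delete waiter wants to reach."""
    for route in describe_output.get("Routes", []):
        if route.get("DestinationCidr") == destination_cidr and route.get("TargetSubnet") == target_subnet:
            return route.get("Status", {}).get("Code", "unknown")
    return "missing"

def wait_for_route(fetch: Callable[[], dict], destination_cidr: str, target_subnet: str,
                   want: str, timeout_s: float, poll_s: float = 10.0,
                   clock: Callable[[], float] = time.monotonic,
                   sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll `fetch` until the route reaches `want` ("active" for create, "missing" for delete).
    Raises RouteFailed as soon as AWS reports 'failed' and RouteWaitTimeout once the
    deadline passes (the provider's 1m0s default produced the error in this PR)."""
    deadline = clock() + timeout_s
    while True:
        state = route_status(fetch(), destination_cidr, target_subnet)
        if state == want:
            return state
        if state == "failed":
            raise RouteFailed(f"route {destination_cidr} via {target_subnet} failed")
        if clock() >= deadline:
            raise RouteWaitTimeout(f"timeout while waiting for state to become '{want}' "
                                   f"(last state: '{state}', timeout: {timeout_s:.0f}s)")
        sleep(poll_s)

def simulate(timeout_s: float, active_after_s: float = 90.0) -> str:
    """Constructed stand-in for the AWS API (not real output): the route reports
    'creating' until active_after_s of simulated time have passed, then 'active'.
    Returns "active" or the timeout message."""
    now = [0.0]
    def fetch() -> dict:
        code = "active" if now[0] >= active_after_s else "creating"
        return {"Routes": [{"ClientVpnEndpointId": "cvpn-endpoint-xxx", "DestinationCidr": "10.100.0.0/16",
                            "TargetSubnet": "subnet-yyy", "Type": "Nat", "Origin": "add-route",
                            "Status": {"Code": code}}]}
    try:
        return wait_for_route(fetch, "10.100.0.0/16", "subnet-yyy", "active", timeout_s,
                              clock=lambda: now[0], sleep=lambda s: now.__setitem__(0, now[0] + s))
    except RouteWaitTimeout as err:
        return str(err)
```

Swap `fetch` for a real `describe-client-vpn-routes` call (with the default clock and sleep) to check route state outside Terraform when a plan is stuck.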

rpadovani commented 2 years ago

/cc @Gowiem

(sorry for the direct ping, but this is currently a blocker for me)

Gowiem commented 2 years ago

/test all

Gowiem commented 2 years ago

/test all

rpadovani commented 2 years ago

@Gowiem, I don't have a stable state, all my 3 routes are tainted, so I tested in this way:

  1. I removed one of the routes ('cause it is stale!), and imported it again:
aws-vault exec dock-vpn -- terragrunt state rm "module.ec2_client_vpn[0].aws_ec2_client_vpn_route.default[2]"
aws-vault exec dock-vpn -- terragrunt import "module.ec2_client_vpn[0].aws_ec2_client_vpn_route.default[2]" "cvpn-endpoint-04da04851fedf3b7b,subnet-0805d79cdca015578,10.100.0.0/16"
  2. I replaced the module with my fork:
➜ git --no-pager diff
diff --git a/client_vpn.tf b/client_vpn.tf
index 5e1e3ea..48206d2 100644
--- a/client_vpn.tf
+++ b/client_vpn.tf
@@ -22,8 +22,7 @@ locals {
 }

 module "ec2_client_vpn" {
-  source  = "cloudposse/ec2-client-vpn/aws"
-  version = "0.11.0"
+  source = "git::git@github.com:rpadovani/terraform-aws-ec2-client-vpn.git?ref=patch-1"

   count = var.client_vpn != null ? 1 : 0
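Review bot: the new `source = "git::git@github.com:rpadovani/terraform-aws-ec2-client-vpn.git?ref=patch-1"` replaces the pinned `version = "0.11.0"` with a branch reference, so the module content can change between runs; for anything beyond this local test, point `ref=` at a commit SHA (or a tag once released) and switch back to the registry source with a version pin when the fix ships upstream.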
  3. I ran plan:
aws-vault exec dock-vpn -- terragrunt plan -target="module.ec2_client_vpn[0]"
Initializing modules...
Downloading git::ssh://git@github.com/rpadovani/terraform-aws-ec2-client-vpn.git?ref=patch-1 for ec2_client_vpn...
- ec2_client_vpn in .terraform/modules/ec2_client_vpn

[...useless part...]

Terraform will perform the following actions:

  # module.ec2_client_vpn[0].aws_ec2_client_vpn_route.default[0] is tainted, so must be replaced
-/+ resource "aws_ec2_client_vpn_route" "default" {
      ~ id                     = "cvpn-endpoint-04da04851fedf3b7b,subnet-0c9e828c615486624,10.100.0.0/16" -> (known after apply)
      ~ origin                 = "add-route" -> (known after apply)
      ~ type                   = "Nat" -> (known after apply)
        # (4 unchanged attributes hidden)

      + timeouts {
          + create = "5m"
          + delete = "5m"
        }
    }

  # module.ec2_client_vpn[0].aws_ec2_client_vpn_route.default[1] is tainted, so must be replaced
-/+ resource "aws_ec2_client_vpn_route" "default" {
      ~ id                     = "cvpn-endpoint-04da04851fedf3b7b,subnet-0477c31fa00337f2f,10.100.0.0/16" -> (known after apply)
      ~ origin                 = "add-route" -> (known after apply)
      ~ type                   = "Nat" -> (known after apply)
        # (4 unchanged attributes hidden)

      + timeouts {
          + create = "5m"
          + delete = "5m"
        }
    }

Plan: 2 to add, 0 to change, 2 to destroy.

So, it seems to want to replace only the tainted routes, not the 3rd one I imported. I would say we are safe :-)

Gowiem commented 2 years ago

@rpadovani Thanks for the contribution! Released as https://github.com/cloudposse/terraform-aws-ec2-client-vpn/releases/tag/0.12.0