hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Unable to import existing Direct Connect Private VIF #17833

Closed kevinpgrant closed 3 years ago

kevinpgrant commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.26
provider.aws v3.29.1

Affected Resource(s)

aws_dx_private_virtual_interface

Terraform Configuration Files

resource "aws_dx_private_virtual_interface" "vif" {
  count = length(var.connection_ids) # only one VIF allowed per DX connection

  address_family   = var.address_family
  amazon_address   = var.amazon_addresses[count.index]
  bgp_asn          = var.bgp_asns[count.index]
  bgp_auth_key     = var.bgp_auth_keys[count.index]
  connection_id    = var.connection_ids[count.index]
  customer_address = var.customer_addresses[count.index]
  dx_gateway_id    = var.dx_gateway_id
  mtu              = var.mtus[count.index]
  name             = var.names[count.index]
  vlan             = var.vlans[count.index]
  vpn_gateway_id   = var.vpn_gateway_id

  # tags = {
  #   Account     = var.account
  #   Environment = "global"
  #   Name        = var.names[count.index]
  #   Project     = var.project
  #   Service     = "Direct Connect"
  #   Terraform   = "true"
  #   Type        = "Private Virtual Interface"
  # }
}

Debug Output

$ terraform import module.dx.module.private_vif.aws_dx_private_virtual_interface.vif[0] dxvif-xxxxxxxx
module.dx.module.private_vif.aws_dx_private_virtual_interface.vif[0]: Importing from ID "dxvif-xxxxxxxx"...
module.dx.module.private_vif.aws_dx_private_virtual_interface.vif[0]: Import prepared!
  Prepared aws_dx_private_virtual_interface for import
module.dx.module.private_vif.aws_dx_private_virtual_interface.vif[0]: Refreshing state... [id=dxvif-xxxxxxxx]
Error: error listing tags for Direct Connect private virtual interface (arn:aws:directconnect:eu-west-2:xxxxxxxx:dxvif/dxvif-xxxxxxxx): DirectConnectClientException: Invalid ARN(s) or resource not found

Panic Output

Expected Behavior

Resource should have been imported

Actual Behavior

Error about listing tags

Steps to Reproduce

terraform import module.dx.module.private_vif.aws_dx_private_virtual_interface.vif[0] dxvif-xxxxxxxx

Important Factoids

A terraform plan shows that it wants to create the resource without tags, and it is my belief that it would do so successfully (but I always tag my resources, so untested).

I have several pre-existing VIFs - some with, some without tags - and the ones with tags imported successfully (they were actually transit VIFs).

The private VIF ARN is valid and the VIF shows correctly when performing aws directconnect describe-virtual-interfaces --virtual-interface-id dxvif-xxxxxxxx

It is possible to see the difference in object structures if running aws directconnect describe-virtual-interfaces - I know it is not easy to set up a DX connection and VIF combinations, so I will capture an example output and put it in a comment below for reference shortly.

kevinpgrant commented 3 years ago

As per the description, here is a sanitised version of the output from describe-virtual-interfaces so that the difference in document structure can be observed between a (transit) VIF with tags and a private VIF without:

$ aws directconnect describe-virtual-interfaces
{
    "virtualInterfaces": [
        {
            "ownerAccount": "xxxxxxxxxxxx",
            "virtualInterfaceId": "dxvif-xxxxxxxx",
            "location": "xxxxx",
            "connectionId": "dxcon-xxxxxxxx",
            "virtualInterfaceType": "transit",
            "virtualInterfaceName": "transitvif",
            "vlan": 350,
            "asn": 69420,
            "amazonSideAsn": 64512,
            "authKey": "myauthkey",
            "amazonAddress": "192.168.0.1/30",
            "customerAddress": "192.168.0.2/30",
            "addressFamily": "ipv4",
            "virtualInterfaceState": "available",
            "customerRouterConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<snipn>\n",
            "mtu": 1500,
            "jumboFrameCapable": true,
            "virtualGatewayId": "",
            "directConnectGatewayId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "routeFilterPrefixes": [],
            "bgpPeers": [
                {
                    "bgpPeerId": "dxpeer-xxxxxxxx",
                    "asn": 65444,
                    "authKey": "myauthkey",
                    "addressFamily": "ipv4",
                    "amazonAddress": "192.168.0.1/30",
                    "customerAddress": "192.168.2.2/30",
                    "bgpPeerState": "available",
                    "bgpStatus": "up",
                    "awsDeviceV2": "xxxxx-xxxxxxxxxxxx"
                }
            ],
            "region": "eu-west-1",
            "awsDeviceV2": "xxxxx-xxxxxxxx",
            "tags": [
                {
                    "key": "Type",
                    "value": "DX Transit Virtual Interface"
                },
                {
                    "key": "Terraform",
                    "value": "true"
                },
                {
                    "key": "Environment",
                    "value": "global"
                },
                {
                    "key": "Service",
                    "value": "Direct Connect"
                }
            ]
        },
        {
            "ownerAccount": "xxxxxxxxxxxx",
            "virtualInterfaceId": "dxvif-xxxxxxxx",
            "location": "xxxxx",
            "connectionId": "dxcon-xxxxxxxx",
            "virtualInterfaceType": "private",
            "virtualInterfaceName": "myprivatevif",
            "vlan": 350,
            "asn": 69469,
            "amazonSideAsn": 64512,
            "authKey": "myotherauthkey",
            "amazonAddress": "192.168.0.1/30",
            "customerAddress": "192.168.0.2/30",
            "addressFamily": "ipv4",
            "virtualInterfaceState": "available",
            "customerRouterConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<snip>\n",
            "mtu": 1500,
            "jumboFrameCapable": true,
            "virtualGatewayId": "vgw-xxxxxxxxxxxxxxxxx",
            "directConnectGatewayId": "",
            "routeFilterPrefixes": [],
            "bgpPeers": [
                {
                    "bgpPeerId": "dxpeer-fgxah2vj",
                    "asn": 65444,
                    "authKey": "myotherauthkey",
                    "addressFamily": "ipv4",
                    "amazonAddress": "192.168.0.1/30",
                    "customerAddress": "192.168.2.2/30",
                    "bgpPeerState": "available",
                    "bgpStatus": "up",
                    "awsDeviceV2": "xxxxx-xxxxxxxxxxxxx"
                }
            ],
            "region": "eu-west-1",
            "awsDeviceV2": "xxxxx-xxxxxxxxxxxxx"
        }
    ]
}

ewbankkit commented 3 years ago

Similar:

ewbankkit commented 3 years ago

@kevinpgrant Thanks for raising this issue. Is the VIF you are attempting to import owned by the AWS account that you are running terraform import in? If not, then the aws_dx_hosted_private_virtual_interface_accepter resource should be used to represent the non-owning side of the hosted VIF.
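
The ownership check suggested above can be run over describe-virtual-interfaces output before any import is attempted. This is an added example, not part of the original thread or the provider's code: `import_targets` is a hypothetical helper, the account and VIF IDs are constructed, and the caller's account ID is assumed to come from `aws sts get-caller-identity`.

```python
import json

# VIF type -> (resource for the owning account, resource for the accepting account)
RESOURCE_TYPES = {
    "private": ("aws_dx_private_virtual_interface",
                "aws_dx_hosted_private_virtual_interface_accepter"),
    "public": ("aws_dx_public_virtual_interface",
               "aws_dx_hosted_public_virtual_interface_accepter"),
    "transit": ("aws_dx_transit_virtual_interface",
                "aws_dx_hosted_transit_virtual_interface_accepter"),
}


def import_targets(describe_json, caller_account):
    """Hypothetical helper: pick the resource type to import each VIF as."""
    targets = {}
    for vif in json.loads(describe_json).get("virtualInterfaces", []):
        vif_type = vif["virtualInterfaceType"]
        if vif_type not in RESOURCE_TYPES:
            raise ValueError(f"unexpected virtualInterfaceType: {vif_type!r}")
        owned, accepter = RESOURCE_TYPES[vif_type]
        # A VIF whose ownerAccount differs from the caller is a hosted VIF:
        # the caller only holds the accepting (non-owning) side.
        hosted = vif["ownerAccount"] != caller_account
        targets[vif["virtualInterfaceId"]] = {
            "owner_account": vif["ownerAccount"],
            "hosted": hosted,
            "resource_type": accepter if hosted else owned,
        }
    return targets


# Constructed sample: same shape as the describe-virtual-interfaces output in
# this thread, reduced to the fields the check reads. All IDs are made up.
CALLER_ACCOUNT = "111111111111"
SAMPLE = json.dumps({"virtualInterfaces": [
    {"virtualInterfaceId": "dxvif-aaaaaaaa", "virtualInterfaceType": "transit",
     "ownerAccount": "111111111111"},
    {"virtualInterfaceId": "dxvif-bbbbbbbb", "virtualInterfaceType": "private",
     "ownerAccount": "222222222222"},
]})

if __name__ == "__main__":
    for vif_id, t in import_targets(SAMPLE, CALLER_ACCOUNT).items():
        note = f"owned by {t['owner_account']}" if t["hosted"] else "owned by caller"
        print(f"{vif_id}: import as {t['resource_type']} ({note})")
```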

kevinpgrant commented 3 years ago

ah good shout, I assumed it was owned by the same account as it came back in the AWS CLI call to describe-virtual-interfaces - I'll go check that now

kevinpgrant commented 3 years ago

Yes, this object has another account owner as it is attached to the AWS VMware cloud SDDC account (DX connection <> VPG)

I've not yet been able to import it with the aws_dx_hosted_private_virtual_interface_accepter resource, however I think that's just down to fine tuning the code rather than a terraform issue as such.

As I'm moving onto other work for now this ticket can be closed - and if it does turn out that there's a bug with the other resource for whatever reason I'll raise a separate issue

Thanks @ewbankkit for your assistance
