Open zoltan-toth-mw opened 2 years ago
@zoltan-toth-mw Thanks for raising this issue.
Does your aws_route_table.private configuration contain any route{} blocks?
This issue also happens when creating roles.
Hey @ewbankkit , no route{} blocks, I'm using it just like in the example I provided.
resource "aws_route" "kubernetes_destinations" {
  for_each               = local.route_tables
  route_table_id         = each.key
  destination_cidr_block = "10.103.0.0/16"
  transit_gateway_id     = data.aws_ec2_transit_gateway.tgw.id
}
Happens with other resources too:
Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # aws_default_security_group.default has changed
  ~ resource "aws_default_security_group" "default" {
        id   = "sg-0107REDACTED"
        name = "default"
      + tags = {}
        # (8 unchanged attributes hidden)
    }
Happens on aws_security_group when you have aws_security_group_rule as well.
We're seeing something similar to this with 0.15.4.
We manage SGs and SG rules in separate Terraform Cloud workspaces. We create all groups centrally in one workspace, and manage the rules for each group in the service-related workspaces. We're seeing the central SG workspace detect any changes made to SG rules made in the service-related workspaces, and report them:
Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply":
I tried to recreate the issue using routes pointing to transitgateway with 1.2.9 and the latest aws provider code from main, but I don't see the "Note: Objects have changed outside of Terraform" message. @zoltan-toth-mw, are you still seeing the issue?
I think the question was not about the aws_route resource, but rather the aws_route_table resource, which is the resource with detected changes. It's documented behavior for many "subresources" that exist as separate resources in the provider but can also be configured as blocks in parent resources (e.g. route table routes, IAM identity policies, security group rules, ...) that if the parent resource has configuration blocks present for those subresources, that parent resource instance assumes management of the set of whatever the applicable subresource is, and those shouldn't also be created separately. If the applicable configuration is absent, it's left unmanaged and in that case they can be created as their own separate resource instances.

So if the route table instance has any route{} blocks defined, all routes for that route table should be defined within the route table resource. If for whatever reason that isn't possible, then all routes defined inline need to be split out into separate route resources.
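As an added illustration of the rule described in the comment above (constructed for this thread, not configuration from the issue or from the provider's documentation): a route table that mixes an inline route{} block with a separately managed aws_route, beside the same routes expressed with no inline blocks at all. The VPC, NAT gateway and transit gateway references are assumed to exist elsewhere in the configuration.

```hcl
# Conflicting form (constructed example). The inline route{} block makes
# aws_route_table.private claim ownership of the whole route set, so a route
# added through the separate aws_route below is reported as a change made
# outside of Terraform on the next refresh of the route table, and a later
# apply of the route table can remove it again.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id # assumed to be defined elsewhere

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id # assumed to be defined elsewhere
  }
}

resource "aws_route" "kubernetes_destinations" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "10.103.0.0/16"
  transit_gateway_id     = data.aws_ec2_transit_gateway.tgw.id # assumed
}

# Non-conflicting form: the route table has no route{} blocks, so it leaves
# its route set unmanaged and every route, including the default route that
# was inline above, is its own resource instance.
resource "aws_route_table" "private_fixed" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route" "default_via_nat" {
  route_table_id         = aws_route_table.private_fixed.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}

resource "aws_route" "kubernetes_destinations_fixed" {
  route_table_id         = aws_route_table.private_fixed.id
  destination_cidr_block = "10.103.0.0/16"
  transit_gateway_id     = data.aws_ec2_transit_gateway.tgw.id
}
```

The same split applies to the security group case mentioned earlier in the thread: a group with inline ingress/egress blocks and separate aws_security_group_rule resources for the same group will drift against each other in exactly this way.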
Terraform Version
Terraform Configuration Files
Expected Behavior
It should not report changes made with Terraform as changes made from the outside.
Actual Behavior
It reports changes made with Terraform as if they were made outside of it.
Steps to Reproduce
Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.vpc.aws_route_table.private[0] has changed
  ~ resource "aws_route_table" "private" {
        id    = "rtb-0b1REDACTED"
      ~ route = [
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

Terraform will perform the following actions:

  # aws_route.kubernetes_destinations["rtb-0b14REDACTED"] will be created

Plan: 3 to add, 0 to change, 0 to destroy.

aws_route.kubernetes_destinations["rtb-08eREDACTED"]: Creating...
[...]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
Notes
Reported it as a generic terraform problem before: https://github.com/hashicorp/terraform/issues/30239