hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: EC2 EIP Association: empty result #35113

Open boonimus opened 9 months ago

boonimus commented 9 months ago

Terraform Core Version

1.6.6

AWS Provider Version

5.26.0

Affected Resource(s)

aws_eip_association

Expected Behavior

Details of associationId returned after creation (input of allocationId and networkInterfaceId), cdktf deploy continues to create resources and completes successfully.

Actual Behavior

"Error reading EC2 EIP Association (eipassoc-xxxxxx)" in logs. "cdktf deploy" fails at this point.

Curiously, when looking up an affected associationId in CloudTrail event logs, the association DID complete, and the response elements are visible. Furthermore, you can see the association completed in the EC2->EIP console. Subsequent runs of cdktf deploy result in success. This is also an intermittent issue, occurring in ~1/5 deployments.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Sample association tf generated by cdktf:

"aws_eip_association": {
  "InstanceStack-Instance1Nic0-EipAssociation": {
    "//": {
      "metadata": {
        "path": "InstanceStack/InstanceStack-Instance1Nic0-EipAssociation",
        "uniqueId": "InstanceStack-Instance1Nic0-EipAssociation"
      }
    },
    "allocation_id": "${aws_eip.InstanceStack-Instance1Nic0Eip.allocation_id}",
    "network_interface_id": "${aws_network_interface.InstanceStack-Instance1Nic0.id}"
  },

Steps to Reproduce

- create ENI and EIP
- create subsequent association of those two

Issue is intermittent...

Debug Output

[2024-01-02T10:59:59.200] [DEBUG] default - Filter undefined applied on line '╷
│ Error: reading EC2 EIP Association (eipassoc-0157736c39ac0ec0b): empty result
│ 
│   with aws_eip_association.Instance1Nic12-EipAssociation,
│   on cdk.tf.json line 470, in resource.aws_eip_association.InstanceStack-Instance1Nic12-EipAssociation:
│  470:       },
│ 
╵
' with result '╷
│ Error: reading EC2 EIP Association (eipassoc-0157736c39ac0ec0b): empty result
│ 
│   with aws_eip_association.InstanceStack-Instance1Nic12-EipAssociation,
│   on cdk.tf.json line 470, in resource.aws_eip_association.InstanceStack-Instance1Nic12-EipAssociation:
│  470:       },
│ 
╵

Cloudtrail for that same call:

{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "REDACTED",
        "arn": "arn:aws:iam::REDACTED:user/CDKTF",
        "accountId": "REDACTED",
        "accessKeyId": "REDACTED",
        "userName": "CDKTF"
    },
    "eventTime": "2024-01-02T16:59:05Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AssociateAddress",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "24.152.154.20",
    "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.6 (+https://www.terraform.io) terraform-provider-aws/5.26.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.47.12 (go1.20.10; darwin; arm64) cdktf/0.19.1 (+https://github.com/hashicorp/terraform-cdk)",
    "requestParameters": {
        "allocationId": "eipalloc-0b7468a291078b2f3",
        "networkInterfaceId": "eni-0e425dc85b55fa144"
    },
    "responseElements": {
        "requestId": "be0d6b9d-8246-4ce8-a4a9-76cfb72ef32e",
        "_return": true,
        "associationId": "eipassoc-0157736c39ac0ec0b"
    },
    "requestID": "be0d6b9d-8246-4ce8-a4a9-76cfb72ef32e",
    "eventID": "044b57a4-5fe0-4efb-853f-042679083f3b",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "REDACTED",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"
    }
}

Panic Output

No response

Important Factoids

My code creates a series of ENIs and EIPs for new C5.18XL large instances. The ENI <-> EIP association is done separately, as I was getting an error about the instance not being ready for EIP attachment. So it goes like this:

  1. Create ENIs
  2. Create EIPs
  3. Launch Instance and associate ENIs
  4. Wait a few seconds, attach EIPs to their respective ENIs

As mentioned earlier, the association always completes. The issue is that running cdktf deploy says the stack failed, which is confusing for customers. I can just tell them to run cdktf deploy again, but that seems counterintuitive. I feel like the provider is creating the association but somehow mishandling the response or trying to read it again immediately? Like I said, CloudTrail shows a successful association and response (see logs).

References

No response

Would you like to implement a fix?

None
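The read-after-create failure described in this report, as an added illustration that is not the provider's own code: the association already exists (the CloudTrail AssociateAddress record above carries the associationId), but the describe call issued right afterwards comes back empty. The example first confirms the id from the CloudTrail record, then retries the describe for a bounded number of attempts, failing immediately on any error other than an empty result and only giving up once the attempt budget is spent. `Describer`, `fakeEC2`, `WaitForAssociation` and `AssociationIDFromCloudTrail` are the example's own names; a real implementation would wrap the EC2 DescribeAddresses call behind `Describer`, and the id values are the ones from the issue's CloudTrail record.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Association is the subset of an EC2 address association the caller needs.
type Association struct {
	AssociationID      string
	AllocationID       string
	NetworkInterfaceID string
}

// Describer abstracts the EC2 describe call so the example runs offline.
// A real implementation (hypothetical here) would call ec2.DescribeAddresses.
type Describer interface {
	DescribeAssociation(ctx context.Context, associationID string) (*Association, error)
}

// ErrEmptyResult mirrors the "empty result" condition in the report: the API
// call succeeded but returned no matching association (read-after-write lag).
var ErrEmptyResult = errors.New("empty result")

// WaitForAssociation retries an eventually-consistent read a bounded number of
// times instead of failing the whole apply on the first empty result.
func WaitForAssociation(ctx context.Context, d Describer, id string, attempts int, delay time.Duration) (*Association, error) {
	var lastErr error
	for i := 0; i < attempts; i++ {
		a, err := d.DescribeAssociation(ctx, id)
		if err == nil {
			return a, nil
		}
		if !errors.Is(err, ErrEmptyResult) {
			return nil, err // a real failure must not be masked by retries
		}
		lastErr = err
		select {
		case <-ctx.Done():
			return nil, ctx.Err()
		case <-time.After(delay):
		}
	}
	return nil, fmt.Errorf("reading EC2 EIP Association (%s) after %d attempts: %w", id, attempts, lastErr)
}

// fakeEC2 simulates the lag: the first emptyFor reads return nothing, later
// reads return the association that CloudTrail already shows as created.
type fakeEC2 struct {
	emptyFor int
	calls    int
	assoc    Association
}

func (f *fakeEC2) DescribeAssociation(_ context.Context, id string) (*Association, error) {
	f.calls++
	if f.calls <= f.emptyFor || id != f.assoc.AssociationID {
		return nil, ErrEmptyResult
	}
	a := f.assoc
	return &a, nil
}

// cloudTrailEvent is the subset of an AssociateAddress CloudTrail record needed
// to confirm that the association succeeded on the AWS side.
type cloudTrailEvent struct {
	EventName        string `json:"eventName"`
	ResponseElements struct {
		Return        bool   `json:"_return"`
		AssociationID string `json:"associationId"`
	} `json:"responseElements"`
}

// AssociationIDFromCloudTrail extracts the associationId from a successful
// AssociateAddress event, so an operator can check the association exists
// before tainting the resource or re-running the deploy.
func AssociationIDFromCloudTrail(raw []byte) (string, error) {
	var ev cloudTrailEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return "", err
	}
	if ev.EventName != "AssociateAddress" || !ev.ResponseElements.Return {
		return "", fmt.Errorf("event %q did not record a successful association", ev.EventName)
	}
	return ev.ResponseElements.AssociationID, nil
}

func main() {
	// Constructed sample record using the ids from the issue's CloudTrail event.
	raw := []byte(`{"eventName":"AssociateAddress","responseElements":{"_return":true,"associationId":"eipassoc-0157736c39ac0ec0b"}}`)
	id, err := AssociationIDFromCloudTrail(raw)
	if err != nil {
		panic(err)
	}
	fake := &fakeEC2{emptyFor: 2, assoc: Association{AssociationID: id, AllocationID: "eipalloc-0b7468a291078b2f3", NetworkInterfaceID: "eni-0e425dc85b55fa144"}}
	a, err := WaitForAssociation(context.Background(), fake, id, 5, 10*time.Millisecond)
	if err != nil {
		panic(err)
	}
	fmt.Printf("found %s after %d reads\n", a.AssociationID, fake.calls)
}
```

The retry budget is deliberately small and the loop returns at once on any error other than the empty result, so a genuine permission or API failure still surfaces on the first call rather than being hidden behind a wait.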

github-actions[bot] commented 9 months ago


doug-fitzmaurice-rowden commented 7 months ago

I've hit this error when I've accidentally assigned two aws_eip resources to an aws_instance that only has one network adaptor.

For instance, to reproduce the error:

resource "aws_instance" "demo" {
  ami           = "ami-08e4526a271956ce2"
  instance_type = "t3a.micro"
}

resource "aws_eip" "primary_ip" {
  instance = aws_instance.demo.id
  domain   = "vpc"
}

resource "aws_eip" "secondary_ip" {
  instance = aws_instance.demo.id
  domain   = "vpc"
}

The fix depends on what you intend to do - either drop the second IP address if it was an accidental assignment, or if you wanted two EIPs then add another network adaptor and change the aws_eip resources to target the adaptors rather than the instance:

resource "aws_instance" "demo" {
  ami           = "ami-08e4526a271956ce2"
  instance_type = "t3a.micro"
  network_interface {
    network_interface_id = aws_network_interface.primary.id
    device_index         = 0
  }
  network_interface {
    network_interface_id = aws_network_interface.secondary.id
    device_index         = 1
  }
}

resource "aws_eip" "primary_ip" {
  network_interface = aws_network_interface.primary.id
  domain            = "vpc"
}

resource "aws_network_interface" "primary" {
  subnet_id = aws_subnet.whatever.id
}

resource "aws_eip" "secondary_ip" {
  network_interface = aws_network_interface.secondary.id
  domain            = "vpc"
}

resource "aws_network_interface" "secondary" {
  subnet_id = aws_subnet.whatever.id
}
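A pre-apply check for the misconfiguration described in this comment, added here as an example rather than anything from the provider or the commenter: it reads the `configuration` section of `terraform show -json <plan>` output and flags any `aws_instance` that more than one `aws_eip` attaches to directly via its `instance` attribute, since the instance only has one interface and the second association replaces the first. `samplePlan` is a constructed fragment in the shape of that JSON for the two-EIP configuration above; `FindInstancesWithMultipleEIPs`, `Finding` and `instanceRef` are the example's own names. It works on configuration references rather than planned values, so it also catches the case where the instance does not exist yet and its id is unknown at plan time.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// planConfig models the part of `terraform show -json <plan>` used here:
// configuration.root_module.resources[].expressions.<attr>.references.
type planConfig struct {
	Configuration struct {
		RootModule struct {
			Resources []struct {
				Address     string `json:"address"`
				Type        string `json:"type"`
				Expressions map[string]struct {
					References []string `json:"references"`
				} `json:"expressions"`
			} `json:"resources"`
		} `json:"root_module"`
	} `json:"configuration"`
}

// Finding reports one instance targeted by more than one aws_eip.
type Finding struct {
	Instance string
	EIPs     []string
}

// instanceRef returns the aws_instance.<name> an aws_eip's `instance` attribute
// references, or "" when the EIP targets a network interface instead.
func instanceRef(refs []string) string {
	for _, r := range refs {
		parts := strings.Split(r, ".")
		if len(parts) >= 2 && parts[0] == "aws_instance" {
			return parts[0] + "." + parts[1]
		}
	}
	return ""
}

// FindInstancesWithMultipleEIPs groups aws_eip resources by the instance they
// attach to and returns every instance with more than one, sorted for stable
// output. AWS keeps a single association per interface, so the extra EIP's
// association is replaced and its subsequent read comes back empty.
func FindInstancesWithMultipleEIPs(planJSON []byte) ([]Finding, error) {
	var p planConfig
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	byInstance := map[string][]string{}
	for _, r := range p.Configuration.RootModule.Resources {
		if r.Type != "aws_eip" {
			continue
		}
		// Missing "instance" key yields the zero struct, so refs is nil.
		inst := instanceRef(r.Expressions["instance"].References)
		if inst == "" {
			continue
		}
		byInstance[inst] = append(byInstance[inst], r.Address)
	}
	var out []Finding
	for inst, eips := range byInstance {
		if len(eips) > 1 {
			sort.Strings(eips)
			out = append(out, Finding{Instance: inst, EIPs: eips})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Instance < out[j].Instance })
	return out, nil
}

// samplePlan is a constructed fragment in the shape of `terraform show -json`
// output for the two-EIP, one-instance configuration from the comment.
const samplePlan = `{
  "format_version": "1.2",
  "configuration": {"root_module": {"resources": [
    {"address": "aws_instance.demo", "type": "aws_instance",
     "expressions": {"instance_type": {"constant_value": "t3a.micro"}}},
    {"address": "aws_eip.primary_ip", "type": "aws_eip",
     "expressions": {"instance": {"references": ["aws_instance.demo.id", "aws_instance.demo"]}, "domain": {"constant_value": "vpc"}}},
    {"address": "aws_eip.secondary_ip", "type": "aws_eip",
     "expressions": {"instance": {"references": ["aws_instance.demo.id", "aws_instance.demo"]}, "domain": {"constant_value": "vpc"}}}
  ]}}
}`

func main() {
	findings, err := FindInstancesWithMultipleEIPs([]byte(samplePlan))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s is targeted by %d EIPs: %s\n", f.Instance, len(f.EIPs), strings.Join(f.EIPs, ", "))
	}
}
```

Running it against a saved plan (`terraform plan -out=plan.out && terraform show -json plan.out > plan.json`) before apply turns the confusing "empty result" at apply time into an explicit finding that names the instance and the competing EIP resources.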