Multiple clientvpn associate leads to wrong networks in state file

Sinnohd commented 5 years ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

terragrunt version v0.19.11 Terraform v0.12.5 provider.aws v2.21.1

Affected Resource(s)

aws_ec2_client_vpn_network_association

Terraform Configuration Files


resource "aws_ec2_client_vpn_endpoint" "clientvpn-test" {
  description            = "Clientvpn Endpoint Test"
  server_certificate_arn = "arn:aws:acm:eu-central-1:xxx:certificate/xxx"
  client_cidr_block      = "192.168.0.0/22"
  transport_protocol     = "tcp"

  authentication_options {
    type                = "directory-service-authentication"
    active_directory_id = "d-testid"
  }

  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = "/aws/vpn/test"
    cloudwatch_log_stream = "clientvpn"
  }

  tags = { 
    Name = "ClientVPN_Test"
  }
}

resource "aws_ec2_client_vpn_network_association" "clientvpn-test-assoc1" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.clientvpn-test.id
  subnet_id              = "subnet-network1"
}

resource "aws_ec2_client_vpn_network_association" "clientvpn-test-assoc2" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.clientvpn-test.id
  subnet_id              = "subnet-network2"
}

resource "aws_ec2_client_vpn_network_association" "clientvpn-test-assoc3" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.clientvpn-test.id
  subnet_id              = "subnet-network3"
}

Debug Output

Panic Output

Expected Behavior

It should create the defined associations and store them in the state file.

Actual Behavior

It creates the correct associations in AWS, but stores in the state file three times the association with one of networks!

Except from state file, same "subnet_id" for every entry, where it should be subnet-network1 to subnet-network3:


    {
      "mode": "managed",
      "type": "aws_ec2_client_vpn_network_association",
      "name": "clientvpn-test-assoc1",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "client_vpn_endpoint_id": "cvpn-endpoint-xxx",
            "id": "cvpn-assoc-xxx01",
            "security_groups": [
              "sg-xxx"
            ],
            "status": "associated",
            "subnet_id": "subnet-network2",
            "vpc_id": "vpc-xxx"
          },
          "private": "xxx",
          "depends_on": [
            "aws_ec2_client_vpn_endpoint.clientvpn-test"
          ]
        }
      ]
    },
    {
      "mode": "managed",
      "type": "aws_ec2_client_vpn_network_association",
      "name": "clientvpn-test-assoc2",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "client_vpn_endpoint_id": "cvpn-endpoint-xxx",
            "id": "cvpn-assoc-xxx02",
            "security_groups": [
              "sg-xxx"
            ],
            "status": "associated",
            "subnet_id": "subnet-network2",
            "vpc_id": "vpc-xxx"
          },
          "private": "xxx",
          "depends_on": [
            "aws_ec2_client_vpn_endpoint.clientvpn-test"
          ]
        }
      ]
    },
    {
      "mode": "managed",
      "type": "aws_ec2_client_vpn_network_association",
      "name": "clientvpn-test-assoc3",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "client_vpn_endpoint_id": "cvpn-endpoint-xxx",
            "id": "cvpn-assoc-xxx03",
            "security_groups": [
              "sg-xxx"
            ],
            "status": "associated",
            "subnet_id": "subnet-network2",
            "vpc_id": "vpc-xxx"
          },
          "private": "xxx",
          "depends_on": [
            "aws_ec2_client_vpn_endpoint.clientvpn-test"
          ]
        }
      ]
    }

If you do the apply from step three below, it triggers additional bugs with wait states not handled correct.

Steps to Reproduce

Create a tf file with aws_ec2_client_vpn_endpoint and multiple aws_ec2_client_vpn_network_association (as example see terraform configuration above)
terraform apply
terraform plan
Output of terraform plan, should be lead to zero actions, however, it asks for two of the three associations to be recreated.

Important Factoids

References

borisroman commented 4 years ago

Hi @bflad

This looks like a bug that has been around for quite some time. @nijave has created a seemingly trivial patch for this in https://github.com/terraform-providers/terraform-provider-aws/pull/14380. Would you be willing to look at this?

Thanks, Boris

bill-rich commented 3 years ago

Hi @Sinnohd! It looks like this has been fixed on the AWS side. I'm going to be merging a test today that checks for this.

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

hashicorp / terraform-provider-aws