pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

Importing aws:ec2/routeTable:RouteTable produces resource with ipv6Cidr resource with empty string resulting in invalid CIDR address error #3986

Open tombee opened 3 months ago

tombee commented 3 months ago

Update: 28 May '24

It looks as though this specific issue is triggered when using ignore_changes=["routes"] after doing pulumi import on a RouteTable resource.

According to the docs, by omitting the routes input, this should then ignore route changes. I've tried this and it looks to be working okay for our use case.

For now it looks as though this isn't a blocking issue for importing Route Tables, since there is a workaround. It's probably just not ideal that import is producing an invalid resource state that cannot be validated, as per @tmeckel's reply: https://github.com/pulumi/pulumi-aws/issues/3986#issuecomment-2129313732

Latest info and steps to repro are in: https://github.com/pulumi/pulumi-aws/issues/3986#issuecomment-2130139319


What happened?

Not sure if this is a pulumi-aws or upstream Terraform problem!

When pulumi importing an AWS Route Table with AWS Classic (aws:ec2/routeTable:RouteTable), it appears that it also imports routes associated with the route table. The attributes on a route are set to "" if there is no value associated. I’m seeing an issue where "ipv6CidrBlock": "" then causes pulumi preview to complain that "" is not a valid CIDR block: invalid CIDR address.

When I pulumi state edit and remove the ipv6CidrBlock: "", line from the aws:ec2/routeTable:RouteTable resources the error goes away.

If I also compare an aws:ec2/routeTable:RouteTable created by pulumi up vs an imported resource via pulumi import, the fields without values are all "" in the imported version and not present in the pulumi up version.

Example

pulumi import aws:ec2/routeTable:RouteTable public_rt rtb-4e616f6d69
pulumi preview

error: aws:ec2/routeTable:RouteTable resource 'public_rt' has a problem: "" is not a valid CIDR block: invalid CIDR address: . Examine values at 'public_rt.routes'.
"urn": "urn:pulumi:ccoe-sandbox-usw2-tbarlow::riotvpc::aws:ec2/routeTable:RouteTable::customer_tbarlow_PublicRouteTable_10.189.130.0/28_az1",
"custom": true,
"id": "rtb-0845eafb29d28dbb9",
"type": "aws:ec2/routeTable:RouteTable",
"inputs": {
  "__defaults": [],
  "routes": [
    {
      "__defaults": [],
      "carrierGatewayId": "",
      "cidrBlock": "0.0.0.0/0",
      "coreNetworkArn": "",
      "destinationPrefixListId": "",
      "egressOnlyGatewayId": "",
      "gatewayId": "igw-09254a252d322b940",
      "ipv6CidrBlock": "",
      "localGatewayId": "",
      "natGatewayId": "",
      "networkInterfaceId": "",
      "transitGatewayId": "",
      "vpcEndpointId": "",
      "vpcPeeringConnectionId": ""
    }
  ],

Section of state where the empty strings are being added to route attributes:

"custom": true,
"type": "aws:ec2/routeTable:RouteTable",
"inputs": {
  "__defaults": [],
  "routes": [
    {
      "__defaults": [],
      "carrierGatewayId": "",
      "cidrBlock": "0.0.0.0/0",
      "coreNetworkArn": "",
      "destinationPrefixListId": "",
      "egressOnlyGatewayId": "",
      "gatewayId": "igw-00000000",
      "ipv6CidrBlock": "",
      "localGatewayId": "",
      "natGatewayId": "",
      "networkInterfaceId": "",
      "transitGatewayId": "",
      "vpcEndpointId": "",
      "vpcPeeringConnectionId": ""
    }
  ],

Output of pulumi about

  ❯ pulumi about
  CLI
  Version      3.116.1
  Go Version   go1.22.2
  Go Compiler  gc

  Plugins
  KIND      NAME    VERSION
  resource  aws     6.35.0
  language  python  unknown

  Host
  OS       darwin
  Version  14.3.1
  Arch     arm64

  This project is written in python: executable='.../python3' version='3.11.7'

...

Dependencies:
  NAME                        VERSION
  ansible                     9.5.1
  isort                       5.13.2
  mypy-boto3-ec2              1.34.101
  mypy-boto3-ram              1.34.0
  mypy-boto3-route53          1.34.31
  mypy-boto3-route53resolver  1.34.102
  parameterized               0.9.0
  pip                         23.3.2
  pre-commit                  3.7.1
  pytest                      8.2.0
  yamllint                    1.35.1

Additional context

Discussed this a little bit on Slack: https://pulumi-community.slack.com/archives/C84L4E3N1/p1715987354126929

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

tmeckel commented 3 months ago

The data shown above in routes is clearly invalid, because an optional Terraform property shouldn't show up at all. That's why removing the empty string "" will solve the error shown by pulumi.

https://github.com/hashicorp/terraform-provider-aws/blob/4827180fd06cbdc17b6209f9dc8f9513a0a8d4a7/internal/service/ec2/vpc_route_table.go#L91


CC: @t0yv0
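
An added example, not written by any participant in this thread and not pulumi-aws code: the manual state edit described above, applied to a whole stack export. It assumes the export wraps resources in deployment.resources and uses the type/inputs/routes layout shown in the issue; the sample data and URNs are constructed.

```python
import copy

ROUTE_TABLE_TYPE = "aws:ec2/routeTable:RouteTable"

# Constructed sample: the route below mirrors the state excerpt in the issue;
# the URNs and the surrounding "deployment" wrapper are assumptions.
SAMPLE_EXPORT = {"version": 3, "deployment": {"resources": [
    {"urn": "urn:pulumi:dev::example::aws:ec2/routeTable:RouteTable::public_rt",
     "custom": True, "type": ROUTE_TABLE_TYPE,
     "inputs": {"__defaults": [], "routes": [{
         "__defaults": [], "carrierGatewayId": "", "cidrBlock": "0.0.0.0/0",
         "coreNetworkArn": "", "destinationPrefixListId": "",
         "egressOnlyGatewayId": "", "gatewayId": "igw-00000000",
         "ipv6CidrBlock": "", "localGatewayId": "", "natGatewayId": "",
         "networkInterfaceId": "", "transitGatewayId": "",
         "vpcEndpointId": "", "vpcPeeringConnectionId": ""}]}},
    # A different resource type: must be left untouched by the scrubber.
    {"urn": "urn:pulumi:dev::example::aws:ec2/vpc:Vpc::vpc",
     "custom": True, "type": "aws:ec2/vpc:Vpc",
     "inputs": {"cidrBlock": "10.0.0.0/16", "ipv6CidrBlock": ""}},
]}}


def empty_route_fields(resource):
    """Map route index -> sorted keys whose value is the empty string."""
    routes = resource.get("inputs", {}).get("routes")
    found = {}
    for i, route in enumerate(routes if isinstance(routes, list) else []):
        if isinstance(route, dict):
            keys = sorted(k for k, v in route.items() if v == "")
            if keys:
                found[i] = keys
    return found


def scrub_export(export):
    """Return (cleaned deep copy, {urn: {route index: removed keys}})."""
    cleaned, report = copy.deepcopy(export), {}
    for res in cleaned.get("deployment", {}).get("resources", []):
        if res.get("type") != ROUTE_TABLE_TYPE:
            continue  # only route tables are in scope for this issue
        hits = empty_route_fields(res)
        for i, keys in hits.items():
            for key in keys:
                del res["inputs"]["routes"][i][key]
        if hits:
            report[res.get("urn", "<no urn>")] = hits
    return cleaned, report
```

On real state the input would be the JSON from pulumi stack export, and the report is worth reviewing before the cleaned copy goes back in with pulumi stack import.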

t0yv0 commented 3 months ago

Thank you for reporting this issue so clearly and thanks for the cited workaround! I'm adding the appropriate labels. This is indeed a common theme of issues that our team will need to tackle as time permits. Adding to a tracking issue.

tombee commented 3 months ago

I've created a repository here with a minimal configuration to reproduce this issue: https://github.com/tombee/pulumi-aws-issue-3986

Interestingly I found that it's only preventing preview and up actions when I add:

opts=pulumi.ResourceOptions(ignore_changes=["routes"])

It also warns about failed validation during pulumi import of the route table:

Diagnostics:
  aws:ec2:RouteTable (pulumi-import-issue-3986-rtb):
    warning: One or more imported inputs failed to validate. This is almost certainly a bug in the `aws` provider. The import will still proceed, but you will need to edit the generated code after copying it into your program.
    warning: aws:ec2/routeTable:RouteTable resource 'pulumi-import-issue-3986-rtb' has a problem: "" is not a valid CIDR block: invalid CIDR address: . Examine values at 'pulumi-import-issue-3986-rtb.routes'.

tombee commented 3 months ago

Updated the main issue comment, since I don't believe this is a blocking issue if the trigger is only when ignore_changes=["routes"] is added, since the RouteTable resource has a built-in method of ignoring routes by simply omitting the input.

I don't know enough about how import works with pulumi-aws and the terraform bridge to know if this could be a wider issue though where the import CLI is producing a state that won't pass validation.

corymhall commented 1 month ago

I just tried to reproduce this using the latest https://github.com/pulumi/pulumi-terraform-bridge/tree/master and it looks like it has been fixed.

After the next bridge release we can pull in the new version and test it out to confirm.

t0yv0 commented 3 weeks ago

Tracking https://github.com/pulumi/pulumi-terraform-bridge/issues/2314 in the bridge.