pulumi / pulumi-awsx

AWS infrastructure best practices in component form!
https://www.pulumi.com/docs/guides/crosswalk/aws/
Apache License 2.0

Unable to re-create Vpc if cidr block changes #418

Open clstokes opened 5 years ago

clstokes commented 5 years ago

When using awsx.ec2.Vpc, if a code change causes the VPC to get re-created, then subsequent up and destroy fail.

Code

import * as awsx from "@pulumi/awsx";
import * as pulumi from "@pulumi/pulumi";

const vpc = new awsx.ec2.Vpc("web-vpc", {
    cidrBlock: new pulumi.Config().require("cidrBlock"),
    numberOfAvailabilityZones: 1,
    subnets: [{ type: "public" }],
});

Steps to reproduce

  1. pulumi config set cidrBlock 10.0.0.0/16
  2. pulumi up -y --skip-preview
  3. pulumi config set cidrBlock 172.31.0.0/16
  4. pulumi up -y --skip-preview
    1. Observe error - InvalidParameterValue: route table association rtbassoc-0dc85cf09166d123c and route table rtb-078fcbf504feb6938 belong to different networks
  5. pulumi destroy -y --skip-preview
    1. Observe error - Error deleting route: InvalidRoute.NotFound

Output

16:32:42 [aws-ts-webserver] $ pulumi config
KEY         VALUE
aws:region  us-west-2
cidrBlock   10.0.0.0/16
16:32:46 [aws-ts-webserver] $ pulumi up -y --skip-preview
Updating (dev):

     Type                                    Name                       Status
 +   pulumi:pulumi:Stack                     demo-aws-ts-webserver-dev  created
 +   └─ awsx:x:ec2:Vpc                       web-vpc                    created
 +      ├─ awsx:x:ec2:InternetGateway        web-vpc                    created
 +      │  └─ aws:ec2:InternetGateway        web-vpc                    created
 +      ├─ awsx:x:ec2:Subnet                 web-vpc-public-0           created
 +      │  ├─ aws:ec2:RouteTable             web-vpc-public-0           created
 +      │  ├─ aws:ec2:Subnet                 web-vpc-public-0           created
 +      │  ├─ aws:ec2:Route                  web-vpc-public-0-ig        created
 +      │  └─ aws:ec2:RouteTableAssociation  web-vpc-public-0           created
 +      └─ aws:ec2:Vpc                       web-vpc                    created

Resources:
    + 10 created

Duration: 13s

Permalink: https://app.pulumi.com/clstokes/demo-aws-ts-webserver/dev/updates/170
16:33:05 [aws-ts-webserver] $ pulumi config set cidrBlock 172.31.0.0/16
16:33:15 [aws-ts-webserver] $ pulumi up -y --skip-preview
Updating (dev):

     Type                                    Name                       Status                  Info
     pulumi:pulumi:Stack                     demo-aws-ts-webserver-dev  **failed**              1 error
     └─ awsx:x:ec2:Vpc                       web-vpc
 +-     ├─ aws:ec2:Vpc                       web-vpc                    replaced                [diff: ~cidrBlock]
        ├─ awsx:x:ec2:InternetGateway        web-vpc
 ~      │  └─ aws:ec2:InternetGateway        web-vpc                    updated                 [diff: ~vpcId]
        └─ awsx:x:ec2:Subnet                 web-vpc-public-0
 +-        ├─ aws:ec2:RouteTable             web-vpc-public-0           replaced                [diff: ~vpcId]
 +-        ├─ aws:ec2:Subnet                 web-vpc-public-0           replaced                [diff: ~cidrBlock,vpcId]
 ~         └─ aws:ec2:RouteTableAssociation  web-vpc-public-0           **updating failed**     [diff: ~routeTableId,subnetId]; 1 error

Diagnostics:
  pulumi:pulumi:Stack (demo-aws-ts-webserver-dev):
    error: update failed

  aws:ec2:RouteTableAssociation (web-vpc-public-0):
    error: Plan apply failed: 1 error occurred:
        * updating urn:pulumi:dev::demo-aws-ts-webserver::awsx:x:ec2:Vpc$awsx:x:ec2:Subnet$aws:ec2/routeTableAssociation:RouteTableAssociation::web-vpc-public-0: InvalidParameterValue: route table association rtbassoc-0dc85cf09166d123c and route table rtb-078fcbf504feb6938 belong to different networks
        status code: 400, request id: db52f610-5032-43d6-abb4-647f21bed8f9

Resources:
    ~ 1 updated
    +-3 replaced
    4 changes. 4 unchanged

Duration: 19s

Permalink: https://app.pulumi.com/clstokes/demo-aws-ts-webserver/dev/updates/171
16:33:37 [aws-ts-webserver] $ pulumi destroy -y --skip-preview
Destroying (dev):

     Type                              Name                       Status                  Info
     pulumi:pulumi:Stack               demo-aws-ts-webserver-dev  **failed**              1 error
 -   ├─ aws:ec2:RouteTable             web-vpc-public-0           deleted
 -   ├─ aws:ec2:Subnet                 web-vpc-public-0           deleted
 -   ├─ aws:ec2:Vpc                    web-vpc                    deleted
 -   ├─ aws:ec2:RouteTableAssociation  web-vpc-public-0           deleted
 -   └─ aws:ec2:Route                  web-vpc-public-0-ig        **deleting failed**     1 error

Diagnostics:
  pulumi:pulumi:Stack (demo-aws-ts-webserver-dev):
    error: update failed

  aws:ec2:Route (web-vpc-public-0-ig):
    error: Plan apply failed: deleting urn:pulumi:dev::demo-aws-ts-webserver::awsx:x:ec2:Vpc$awsx:x:ec2:Subnet$aws:ec2/route:Route::web-vpc-public-0-ig: Error deleting route: InvalidRoute.NotFound: no route with destination-cidr-block 0.0.0.0/0 in route table rtb-0eed5fb7755032eb1
        status code: 400, request id: 9c16f0af-fb06-44c7-86d0-4d5ec4e171cd

Resources:
    - 4 deleted

Duration: 5s

Permalink: https://app.pulumi.com/clstokes/demo-aws-ts-webserver/dev/updates/172
16:33:48 [aws-ts-webserver] $

Workaround

  1. pulumi stack export > stack.json
  2. Edit the stack.json and remove the ec2/route:Route referenced in the error.
  3. pulumi stack import < stack.json
  4. Re-run with up or destroy.

CyrusNajmabadi commented 4 years ago

Likely a dupe of: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_route.go#L444-L450

metral commented 4 years ago

Retries are set to 3 attempts in EKS CI but this does not seem to be doing the trick. Seems like the fix lives in handling this error with retries in TF: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_route.go#L444-L450

dannielshalev commented 4 years ago

I have the same issue... is it going to be fixed?