terraform-aws-modules / terraform-aws-vpc

Terraform module to create AWS VPC resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws
Apache License 2.0
2.95k stars 4.41k forks

Drift straight away after creation #1107

Closed robertalexa closed 6 days ago

robertalexa commented 1 month ago

Description

Resources showing drift straight away after initial plan and apply. Steps and further considerations provided below.

Versions

Reproduction Code [Required]

module "vpc_beta" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.9.0"

  # VPC
  name = "${var.project}-${var.environment}"
  cidr = var.vpc_cidr
  tags = local.general_tags

  # Availability zones
  azs = var.azs

  # Subnets
  private_subnets = [var.private_subnet_1_cidr]
  public_subnets  = [var.public_subnet_1_cidr]
}

Steps to reproduce the behavior:

Setup at my end is Terraform Cloud, with remote state and runs, in an isolated workspace.

And here is a copy and paste of the output of terraform plan -refresh-only

module.vpc_beta.aws_default_network_acl.this[0]: Drift detected (update)
module.vpc_beta.aws_route_table.public[0]: Drift detected (update)
module.vpc_beta.aws_default_route_table.default[0]: Drift detected (update)

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # module.vpc_beta.aws_default_network_acl.this[0] has changed
  ~ resource "aws_default_network_acl" "this" {
        id                     = "acl-0b93850e988a82d52"
        tags                   = {
            "Environment" = "beta"
            "ManagedBy"   = "terraform"
            "Name"        = "hav-sentry-beta-default"
            "Product"     = "none"
            "Project"     = "hav-sentry"
        }
        # (6 unchanged attributes hidden)

      - egress {
          - action          = "allow" -> null
          - from_port       = 0 -> null
          - ipv6_cidr_block = "::/0" -> null
          - protocol        = "-1" -> null
          - rule_no         = 101 -> null
          - to_port         = 0 -> null
            # (1 unchanged attribute hidden)
        }
      - egress {
          - action          = "allow" -> null
          - cidr_block      = "0.0.0.0/0" -> null
          - from_port       = 0 -> null
          - protocol        = "-1" -> null
          - rule_no         = 100 -> null
          - to_port         = 0 -> null
            # (1 unchanged attribute hidden)
        }
      + egress {
          + action          = "allow"
          + from_port       = 0
          + icmp_code       = 0
          + icmp_type       = 0
          + ipv6_cidr_block = "::/0"
          + protocol        = "-1"
          + rule_no         = 101
          + to_port         = 0
            # (1 unchanged attribute hidden)
        }
      + egress {
          + action          = "allow"
          + cidr_block      = "0.0.0.0/0"
          + from_port       = 0
          + icmp_code       = 0
          + icmp_type       = 0
          + protocol        = "-1"
          + rule_no         = 100
          + to_port         = 0
            # (1 unchanged attribute hidden)
        }

      - ingress {
          - action          = "allow" -> null
          - from_port       = 0 -> null
          - ipv6_cidr_block = "::/0" -> null
          - protocol        = "-1" -> null
          - rule_no         = 101 -> null
          - to_port         = 0 -> null
            # (1 unchanged attribute hidden)
        }
      - ingress {
          - action          = "allow" -> null
          - cidr_block      = "0.0.0.0/0" -> null
          - from_port       = 0 -> null
          - protocol        = "-1" -> null
          - rule_no         = 100 -> null
          - to_port         = 0 -> null
            # (1 unchanged attribute hidden)
        }
      + ingress {
          + action          = "allow"
          + from_port       = 0
          + icmp_code       = 0
          + icmp_type       = 0
          + ipv6_cidr_block = "::/0"
          + protocol        = "-1"
          + rule_no         = 101
          + to_port         = 0
            # (1 unchanged attribute hidden)
        }
      + ingress {
          + action          = "allow"
          + cidr_block      = "0.0.0.0/0"
          + from_port       = 0
          + icmp_code       = 0
          + icmp_type       = 0
          + protocol        = "-1"
          + rule_no         = 100
          + to_port         = 0
            # (1 unchanged attribute hidden)
        }
    }

  # module.vpc_beta.aws_default_route_table.default[0] has changed
  ~ resource "aws_default_route_table" "default" {
        id                     = "rtb-082b39f9de2ade609"
      + propagating_vgws       = []
        tags                   = {
            "Environment" = "beta"
            "ManagedBy"   = "terraform"
            "Name"        = "hav-sentry-beta-default"
            "Product"     = "none"
            "Project"     = "hav-sentry"
        }
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.vpc_beta.aws_route_table.public[0] has changed
  ~ resource "aws_route_table" "public" {
        id               = "rtb-0689df8d3283fa5a4"
      ~ route            = [
          + {
              + cidr_block                 = "0.0.0.0/0"
              + gateway_id                 = "igw-07cb0ea33c114815f"
                # (11 unchanged attributes hidden)
            },
        ]
        tags             = {
            "Environment" = "beta"
            "ManagedBy"   = "terraform"
            "Name"        = "hav-sentry-beta-public"
            "Product"     = "none"
            "Project"     = "hav-sentry"
        }
        # (5 unchanged attributes hidden)
    }

I am unsure at this point if I have misconfigured the module or if this is indeed a misbehaviour. There are certain properties that appear to be added (maybe default AWS behaviour that is not yet included in the module), as well as a whole route missing, where the IGW is connected to the public route table.

Any advice is appreciated.
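
The refresh-only output above mixes two different things that are worth separating before deciding whether anything is wrong: attributes the AWS provider now reads back with zero-valued defaults that were never in state (icmp_code, icmp_type, propagating_vgws = []), and attributes whose values genuinely differ from what was recorded at apply time (the 0.0.0.0/0 route to the internet gateway on the public route table). The quickest check is a normal terraform plan (not -refresh-only): if it reports no changes, the "Objects have changed outside of Terraform" notes are informational. The script below is an added example for this thread, not code from terraform-aws-modules/vpc or from the original poster. It reads the JSON produced by terraform show -json <planfile> for a plan written with terraform plan -out=<planfile>, cross-references each entry in resource_drift with the planned actions in resource_changes, and classifies each drifted resource. SAMPLE_PLAN is constructed by hand to mirror the three resources in the post, and the zero-value heuristic in _ZERO_VALUES is an assumption about provider normalisation, not a documented rule.

```python
"""Triage Terraform drift from `terraform show -json <planfile>` output.

Added example for this thread (not part of terraform-aws-modules/vpc or the
original post). Assumes the plan file came from a normal `terraform plan -out`
so that `resource_changes` carries the actions Terraform would actually take.
"""
import json
import sys

# Values the AWS provider commonly reads back for attributes that were never set.
# Treating "absent -> one of these" as cosmetic is an assumption, not a provider guarantee.
_ZERO_VALUES = (None, 0, "", [], {})


def _flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {"egress[0].icmp_code": 0, ...} for attribute diffing.
    Empty containers are kept as leaves so `propagating_vgws = []` shows up as a change."""
    out = {}
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            out.update(_flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list) and obj:
        for idx, value in enumerate(obj):
            out.update(_flatten(value, f"{prefix}[{idx}]"))
    else:
        out[prefix] = obj
    return out


def diff_attributes(before, after):
    """Split attribute-level differences into (cosmetic, material) dicts of path -> (old, new)."""
    old_attrs, new_attrs = _flatten(before or {}), _flatten(after or {})
    cosmetic, material = {}, {}
    for path in sorted(set(old_attrs) | set(new_attrs)):
        old, new = old_attrs.get(path), new_attrs.get(path)
        if path in old_attrs and path in new_attrs and old == new:
            continue
        # Absent in state, now read back as a zero default: provider normalisation.
        if path not in old_attrs and new in _ZERO_VALUES:
            cosmetic[path] = (old, new)
        else:
            material[path] = (old, new)
    return cosmetic, material


def triage(plan):
    """Classify every resource in `resource_drift`:
    actionable - Terraform plans to change it on apply
    review     - state refreshed with real attribute changes, but nothing is planned
    cosmetic   - only zero-valued defaults appeared"""
    planned = {rc["address"]: rc["change"]["actions"] for rc in plan.get("resource_changes", [])}
    report = {}
    for drift in plan.get("resource_drift", []):
        address = drift["address"]
        change = drift["change"]
        cosmetic, material = diff_attributes(change.get("before"), change.get("after"))
        actions = planned.get(address, ["no-op"])
        if actions != ["no-op"]:
            verdict = "actionable"
        elif material:
            verdict = "review"
        else:
            verdict = "cosmetic"
        report[address] = {"verdict": verdict, "actions": actions,
                           "cosmetic": cosmetic, "material": material}
    return report


# Constructed sample mirroring the three drifted resources in the post (abbreviated attributes).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_drift": [
        {"address": "module.vpc_beta.aws_default_route_table.default[0]",
         "change": {"actions": ["update"],
                    "before": {"id": "rtb-082b39f9de2ade609", "route": []},
                    "after": {"id": "rtb-082b39f9de2ade609", "route": [], "propagating_vgws": []}}},
        {"address": "module.vpc_beta.aws_route_table.public[0]",
         "change": {"actions": ["update"],
                    "before": {"id": "rtb-0689df8d3283fa5a4", "route": []},
                    "after": {"id": "rtb-0689df8d3283fa5a4",
                              "route": [{"cidr_block": "0.0.0.0/0", "gateway_id": "igw-07cb0ea33c114815f"}]}}},
        {"address": "module.vpc_beta.aws_default_network_acl.this[0]",
         "change": {"actions": ["update"],
                    "before": {"egress": [{"action": "allow", "rule_no": 100, "protocol": "-1",
                                           "cidr_block": "0.0.0.0/0"}]},
                    "after": {"egress": [{"action": "allow", "rule_no": 100, "protocol": "-1",
                                          "cidr_block": "0.0.0.0/0", "icmp_code": 0, "icmp_type": 0}]}}},
    ],
    "resource_changes": [
        {"address": "module.vpc_beta.aws_default_route_table.default[0]", "change": {"actions": ["no-op"]}},
        {"address": "module.vpc_beta.aws_route_table.public[0]", "change": {"actions": ["no-op"]}},
        {"address": "module.vpc_beta.aws_default_network_acl.this[0]", "change": {"actions": ["no-op"]}},
    ],
}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, info in triage(plan).items():
        print(f"{info['verdict']:10} {address}  planned={info['actions']}")
        for path, (old, new) in info["material"].items():
            print(f"           {path}: {old!r} -> {new!r}")
```

Run it as python triage_drift.py plan.json, or with no argument to see the constructed sample classified. A review verdict on the public route table whose only material change is a new 0.0.0.0/0 route to an internet gateway is what you would expect for a public subnet: the module attaches that route through a separate aws_route resource, so the route table's computed route attribute is only populated when state is next refreshed. The same attribute appearing on a private route table, or a NACL rule whose action or cidr_block changed rather than gained a zero default, is the kind of drift worth chasing down.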

github-actions[bot] commented 2 weeks ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 6 days ago

This issue was automatically closed because of stale in 10 days