terraform-aws-modules / terraform-aws-vpn-gateway

Terraform module to create AWS VPN gateway resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/vpn-gateway/aws
Apache License 2.0

VPN Connection Preshared forces new resource each run #18

Closed adamthomason closed 2 years ago

adamthomason commented 5 years ago

module.vpn_gateway.aws_vpn_connection.preshared attempts to compute a new ID each run, and also forces a new resource based on pre-shared keys. Is this expected behaviour? The state object looks perfectly fine to me.

miguelaferreira commented 5 years ago

Hi @adamthomason. Thanks for reporting this and apologies for the late reply. I don't think this is expected behaviour. Example complete-vpn-gateway-with-static-routes that uses pre-shared keys and tunnels details should cover this case.

I just ran a plan-apply-plan cycle on that example and in the first plan-apply terraform offers to create 28 resources:

(...)

Plan: 28 to add, 0 to change, 0 to destroy.

(...)

Apply complete! Resources: 28 added, 0 changed, 0 destroyed.

Outputs:

vpn_connection_id = vpn-0c9d44d432710088c
vpn_connection_tunnel1_address = 34.251.115.132
vpn_connection_tunnel1_cgw_inside_address = 169.254.33.102
vpn_connection_tunnel1_vgw_inside_address = 169.254.33.101
vpn_connection_tunnel2_address = 63.34.56.91
vpn_connection_tunnel2_cgw_inside_address = 169.254.33.90
vpn_connection_tunnel2_vgw_inside_address = 169.254.33.89

On the second plan terraform offers to replace 3 resources:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.vpn_gateway.aws_vpn_connection.tunnel_preshared[0] must be replaced
-/+ resource "aws_vpn_connection" "tunnel_preshared" {
      ~ customer_gateway_configuration = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<vpn_connection id=\"vpn-0c9d44d432710088c\">\n  <customer_gateway_id>cgw-05a8696354f104dde</customer_gateway_id>\n  <vpn_gateway_id>vgw-0cd65a4a426062da6</vpn_gateway_id>\n  <vpn_connection_type>ipsec.1</vpn_connection_type>\n  <vpn_connection_attributes>NoBGPVPNConnection</vpn_connection_attributes>\n  <ipsec_tunnel>\n    <customer_gateway>\n      <tunnel_outside_address>\n        <ip_address>172.83.124.11</ip_address>\n      </tunnel_outside_address>\n      <tunnel_inside_address>\n        <ip_address>169.254.33.102</ip_address>\n        <network_mask>255.255.255.252</network_mask>\n        <network_cidr>30</network_cidr>\n      </tunnel_inside_address>\n    </customer_gateway>\n    <vpn_gateway>\n      <tunnel_outside_address>\n        <ip_address>34.251.115.132</ip_address>\n      </tunnel_outside_address>\n      <tunnel_inside_address>\n        <ip_address>169.254.33.101</ip_address>\n        <network_mask>255.255.255.252</network_mask>\n        <network_cidr>30</network_cidr>\n      </tunnel_inside_address>\n    </vpn_gateway>\n    <ike>\n      <authentication_protocol>sha1</authentication_protocol>\n      <encryption_protocol>aes-128-cbc</encryption_protocol>\n      <lifetime>28800</lifetime>\n      <perfect_forward_secrecy>group2</perfect_forward_secrecy>\n      <mode>main</mode>\n      <pre_shared_key>abcdefghijklmn1234567890</pre_shared_key>\n    </ike>\n    <ipsec>\n      <protocol>esp</protocol>\n      <authentication_protocol>hmac-sha1-96</authentication_protocol>\n      <encryption_protocol>aes-128-cbc</encryption_protocol>\n      <lifetime>3600</lifetime>\n      <perfect_forward_secrecy>group2</perfect_forward_secrecy>\n      <mode>tunnel</mode>\n      <clear_df_bit>true</clear_df_bit>\n      <fragmentation_before_encryption>true</fragmentation_before_encryption>\n      <tcp_mss_adjustment>1379</tcp_mss_adjustment>\n      <dead_peer_detection>\n        <interval>10</interval>\n        <retries>3</retries>\n      </dead_peer_detection>\n    </ipsec>\n  </ipsec_tunnel>\n  <ipsec_tunnel>\n    <customer_gateway>\n      <tunnel_outside_address>\n        <ip_address>172.83.124.11</ip_address>\n      </tunnel_outside_address>\n      <tunnel_inside_address>\n        <ip_address>169.254.33.90</ip_address>\n        <network_mask>255.255.255.252</network_mask>\n        <network_cidr>30</network_cidr>\n      </tunnel_inside_address>\n    </customer_gateway>\n    <vpn_gateway>\n      <tunnel_outside_address>\n        <ip_address>63.34.56.91</ip_address>\n      </tunnel_outside_address>\n      <tunnel_inside_address>\n        <ip_address>169.254.33.89</ip_address>\n        <network_mask>255.255.255.252</network_mask>\n        <network_cidr>30</network_cidr>\n      </tunnel_inside_address>\n    </vpn_gateway>\n    <ike>\n      <authentication_protocol>sha1</authentication_protocol>\n      <encryption_protocol>aes-128-cbc</encryption_protocol>\n      <lifetime>28800</lifetime>\n      <perfect_forward_secrecy>group2</perfect_forward_secrecy>\n      <mode>main</mode>\n      <pre_shared_key>1234567890abcdefghijklmn</pre_shared_key>\n    </ike>\n    <ipsec>\n      <protocol>esp</protocol>\n      <authentication_protocol>hmac-sha1-96</authentication_protocol>\n      <encryption_protocol>aes-128-cbc</encryption_protocol>\n      <lifetime>3600</lifetime>\n      <perfect_forward_secrecy>group2</perfect_forward_secrecy>\n      <mode>tunnel</mode>\n      <clear_df_bit>true</clear_df_bit>\n      <fragmentation_before_encryption>true</fragmentation_before_encryption>\n      <tcp_mss_adjustment>1379</tcp_mss_adjustment>\n      <dead_peer_detection>\n        <interval>10</interval>\n        <retries>3</retries>\n      </dead_peer_detection>\n    </ipsec>\n  </ipsec_tunnel>\n</vpn_connection>" -> (known after apply)
        customer_gateway_id            = "cgw-05a8696354f104dde"
      ~ id                             = "vpn-0c9d44d432710088c" -> (known after apply)
      ~ routes                         = [
          - {
              - destination_cidr_block = "10.100.0.1/32"
              - source                 = ""
              - state                  = "available"
            },
          - {
              - destination_cidr_block = "10.200.0.1/32"
              - source                 = ""
              - state                  = "available"
            },
        ] -> (known after apply)
        static_routes_only             = true
        tags                           = {
            "Name" = "VPN Connection between VPC vpc-0cc1c0738d8faab4c and Customer Gateway cgw-05a8696354f104dde"
        }
      + transit_gateway_attachment_id  = (known after apply)
      ~ tunnel1_address                = "34.251.115.132" -> (known after apply)
      + tunnel1_bgp_asn                = (known after apply)
      ~ tunnel1_bgp_holdtime           = 0 -> (known after apply)
      ~ tunnel1_cgw_inside_address     = "169.254.33.102" -> (known after apply)
        tunnel1_inside_cidr            = "169.254.33.88/30"
      ~ tunnel1_preshared_key          = (sensitive value)
      ~ tunnel1_vgw_inside_address     = "169.254.33.101" -> (known after apply)
      ~ tunnel2_address                = "63.34.56.91" -> (known after apply)
      + tunnel2_bgp_asn                = (known after apply)
      ~ tunnel2_bgp_holdtime           = 0 -> (known after apply)
      ~ tunnel2_cgw_inside_address     = "169.254.33.90" -> (known after apply)
        tunnel2_inside_cidr            = "169.254.33.100/30"
      ~ tunnel2_preshared_key          = (sensitive value)
      ~ tunnel2_vgw_inside_address     = "169.254.33.89" -> (known after apply)
        type                           = "ipsec.1"
      ~ vgw_telemetry                  = [
          - {
              - accepted_route_count = 2
              - last_status_change   = "2019-07-01 07:54:38 +0000 UTC"
              - outside_ip_address   = "63.34.56.91"
              - status               = "DOWN"
              - status_message       = ""
            },
          - {
              - accepted_route_count = 2
              - last_status_change   = "2019-07-01 07:57:26 +0000 UTC"
              - outside_ip_address   = "34.251.115.132"
              - status               = "DOWN"
              - status_message       = ""
            },
        ] -> (known after apply)
        vpn_gateway_id                 = "vgw-0cd65a4a426062da6"
    }

  # module.vpn_gateway.aws_vpn_connection_route.default[0] must be replaced
-/+ resource "aws_vpn_connection_route" "default" {
        destination_cidr_block = "10.100.0.1/32"
      ~ id                     = "10.100.0.1/32:vpn-0c9d44d432710088c" -> (known after apply)
      ~ vpn_connection_id      = "vpn-0c9d44d432710088c" -> (known after apply) # forces replacement
    }

  # module.vpn_gateway.aws_vpn_connection_route.default[1] must be replaced
-/+ resource "aws_vpn_connection_route" "default" {
        destination_cidr_block = "10.200.0.1/32"
      ~ id                     = "10.200.0.1/32:vpn-0c9d44d432710088c" -> (known after apply)
      ~ vpn_connection_id      = "vpn-0c9d44d432710088c" -> (known after apply) # forces replacement
    }

Plan: 3 to add, 0 to change, 3 to destroy.

This seems to reproduce what you are experiencing. I will look into it.

miguelaferreira commented 5 years ago

It seems that terraform wants to re-create aws_vpn_connection.tunnel_preshared without any change that "# forces replacement". I've run the plan again targeting that VPN connection alone and terraform still wants to re-create it without any attribute that forces a re-create having changed.

$  terraform plan -target  module.vpn_gateway.aws_vpn_connection.tunnel_preshared

(...)

Terraform will perform the following actions:

  # module.vpn_gateway.aws_vpn_connection.tunnel_preshared[0] must be replaced
-/+ resource "aws_vpn_connection" "tunnel_preshared" {
      ~ customer_gateway_configuration = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<vpn_connection id=\"vpn-0c9d44d432710088c\">\n  <customer_gateway_id>cgw-05a8696354f104dde</customer_gateway_id>\n  <vpn_gateway_id>vgw-0cd65a4a426062da6</vpn_gateway_id>\n  <vpn_connection_type>ipsec.1</vpn_connection_type>\n  <vpn_connection_attributes>NoBGPVPNConnection</vpn_connection_attributes>\n  <ipsec_tunnel>\n    <customer_gateway>\n      <tunnel_outside_address>\n        <ip_address>172.83.124.11</ip_address>\n      </tunnel_outside_address>\n      <tunnel_inside_address>\n        <ip_address>169.254.33.102</ip_address>\n        <network_mask>255.255.255.252</network_mask>\n        <network_cidr>30</network_cidr>\n      </tunnel_inside_address>\n    </customer_gateway>\n    <vpn_gateway>\n      <tunnel_outside_address>\n        <ip_address>34.251.115.132</ip_address>\n      </tunnel_outside_address>\n      <tunnel_inside_address>\n        <ip_address>169.254.33.101</ip_address>\n        <network_mask>255.255.255.252</network_mask>\n        <network_cidr>30</network_cidr>\n      </tunnel_inside_address>\n    </vpn_gateway>\n    <ike>\n      <authentication_protocol>sha1</authentication_protocol>\n      <encryption_protocol>aes-128-cbc</encryption_protocol>\n      <lifetime>28800</lifetime>\n      <perfect_forward_secrecy>group2</perfect_forward_secrecy>\n      <mode>main</mode>\n      <pre_shared_key>abcdefghijklmn1234567890</pre_shared_key>\n    </ike>\n    <ipsec>\n      <protocol>esp</protocol>\n      <authentication_protocol>hmac-sha1-96</authentication_protocol>\n      <encryption_protocol>aes-128-cbc</encryption_protocol>\n      <lifetime>3600</lifetime>\n      <perfect_forward_secrecy>group2</perfect_forward_secrecy>\n      <mode>tunnel</mode>\n      <clear_df_bit>true</clear_df_bit>\n      <fragmentation_before_encryption>true</fragmentation_before_encryption>\n      <tcp_mss_adjustment>1379</tcp_mss_adjustment>\n      <dead_peer_detection>\n        <interval>10</interval>\n        <retries>3</retries>\n      </dead_peer_detection>\n    </ipsec>\n  </ipsec_tunnel>\n  <ipsec_tunnel>\n    <customer_gateway>\n      <tunnel_outside_address>\n        <ip_address>172.83.124.11</ip_address>\n      </tunnel_outside_address>\n      <tunnel_inside_address>\n        <ip_address>169.254.33.90</ip_address>\n        <network_mask>255.255.255.252</network_mask>\n        <network_cidr>30</network_cidr>\n      </tunnel_inside_address>\n    </customer_gateway>\n    <vpn_gateway>\n      <tunnel_outside_address>\n        <ip_address>63.34.56.91</ip_address>\n      </tunnel_outside_address>\n      <tunnel_inside_address>\n        <ip_address>169.254.33.89</ip_address>\n        <network_mask>255.255.255.252</network_mask>\n        <network_cidr>30</network_cidr>\n      </tunnel_inside_address>\n    </vpn_gateway>\n    <ike>\n      <authentication_protocol>sha1</authentication_protocol>\n      <encryption_protocol>aes-128-cbc</encryption_protocol>\n      <lifetime>28800</lifetime>\n      <perfect_forward_secrecy>group2</perfect_forward_secrecy>\n      <mode>main</mode>\n      <pre_shared_key>1234567890abcdefghijklmn</pre_shared_key>\n    </ike>\n    <ipsec>\n      <protocol>esp</protocol>\n      <authentication_protocol>hmac-sha1-96</authentication_protocol>\n      <encryption_protocol>aes-128-cbc</encryption_protocol>\n      <lifetime>3600</lifetime>\n      <perfect_forward_secrecy>group2</perfect_forward_secrecy>\n      <mode>tunnel</mode>\n      <clear_df_bit>true</clear_df_bit>\n      <fragmentation_before_encryption>true</fragmentation_before_encryption>\n      <tcp_mss_adjustment>1379</tcp_mss_adjustment>\n      <dead_peer_detection>\n        <interval>10</interval>\n        <retries>3</retries>\n      </dead_peer_detection>\n    </ipsec>\n  </ipsec_tunnel>\n</vpn_connection>" -> (known after apply)
        customer_gateway_id            = "cgw-05a8696354f104dde"
      ~ id                             = "vpn-0c9d44d432710088c" -> (known after apply)
      ~ routes                         = [
          - {
              - destination_cidr_block = "10.100.0.1/32"
              - source                 = ""
              - state                  = "available"
            },
          - {
              - destination_cidr_block = "10.200.0.1/32"
              - source                 = ""
              - state                  = "available"
            },
        ] -> (known after apply)
        static_routes_only             = true
        tags                           = {
            "Name" = "VPN Connection between VPC vpc-0cc1c0738d8faab4c and Customer Gateway cgw-05a8696354f104dde"
        }
      + transit_gateway_attachment_id  = (known after apply)
      ~ tunnel1_address                = "34.251.115.132" -> (known after apply)
      + tunnel1_bgp_asn                = (known after apply)
      ~ tunnel1_bgp_holdtime           = 0 -> (known after apply)
      ~ tunnel1_cgw_inside_address     = "169.254.33.102" -> (known after apply)
        tunnel1_inside_cidr            = "169.254.33.88/30"
      ~ tunnel1_preshared_key          = (sensitive value)
      ~ tunnel1_vgw_inside_address     = "169.254.33.101" -> (known after apply)
      ~ tunnel2_address                = "63.34.56.91" -> (known after apply)
      + tunnel2_bgp_asn                = (known after apply)
      ~ tunnel2_bgp_holdtime           = 0 -> (known after apply)
      ~ tunnel2_cgw_inside_address     = "169.254.33.90" -> (known after apply)
        tunnel2_inside_cidr            = "169.254.33.100/30"
      ~ tunnel2_preshared_key          = (sensitive value)
      ~ tunnel2_vgw_inside_address     = "169.254.33.89" -> (known after apply)
        type                           = "ipsec.1"
      ~ vgw_telemetry                  = [
          - {
              - accepted_route_count = 2
              - last_status_change   = "2019-07-01 07:54:38 +0000 UTC"
              - outside_ip_address   = "63.34.56.91"
              - status               = "DOWN"
              - status_message       = ""
            },
          - {
              - accepted_route_count = 2
              - last_status_change   = "2019-07-01 07:57:26 +0000 UTC"
              - outside_ip_address   = "34.251.115.132"
              - status               = "DOWN"
              - status_message       = ""
            },
        ] -> (known after apply)
        vpn_gateway_id                 = "vgw-0cd65a4a426062da6"
    }

Plan: 1 to add, 0 to change, 1 to destroy.

I ran out of clues where to look at. @antonbabenko can you spot anything here that could explain this?

Alien2150 commented 5 years ago

Having the same issue. Is there a workaround for now? Update: Removing pre-shared keys after the first run helped me.

miguelaferreira commented 5 years ago

@Alien2150 Sorry for the delay, vacation got in the way. I wasn't able to figure anything out before you added your update, I will try it and if it also helps with our test, I will add it to the README as a known workaround. Thanks!

Alien2150 commented 5 years ago

@miguelaferreira I assume that the API does not give back the shared key and therefore is null or not set. Maybe it's a starting point. Could not figure out where this is checked in the code.

miguelaferreira commented 5 years ago

I cannot seem to reproduce the issue with terraform v0.12.5, aws provider v2.21.1 and module version from master. @adamthomason, @Alien2150 could you please try it out with those versions?

Alien2150 commented 5 years ago

But converting to 0.12.x is a bigger step for me. I will see if I can switch to that later. I am using 0.11.X atm.

miguelaferreira commented 5 years ago

I'll try to reproduce with terraform v0.11.14 and version v1.6.1 of the module.

miguelaferreira commented 5 years ago

@Alien2150 I can reproduce the issue with terraform v0.11.14 so I will try your proposed workaround.

Having the same issue. Is there a workaround for now? Update: Removing pre-shared keys after the first run helped me.

Do you mean removing the pre-shared keys from the terraform state?

Alien2150 commented 5 years ago

@maartenvanderhoef removing it from the terraform file

miguelaferreira commented 5 years ago

I've tried to plan & apply twice and that seems to fix the issue (with terraform v0.11.14 and module version v1.6.1).

@Alien2150 I assume that by terraform file you mean the terraform state file. In which case that would mean letting terraform recreate the keys, and that is the same thing as running plan & apply twice.

I've created a troubleshooting gist here: https://gist.github.com/miguelaferreira/59a32bede686e569c190a4e11c0e4851

If you could please try it out and let me know if running plan & apply twice fixes the issue for you that would be great.

maartenvanderhoef commented 5 years ago

@Alien2150 Good Morning, what have I done to be in this thread ?

miguelaferreira commented 5 years ago

I think you were mentioned by mistake @maartenvanderhoef, but welcome anyway :)

Alien2150 commented 5 years ago

@maartenvanderhoef Sorry ❤️. Did not properly check who I linked. Welcome to this thread :-). @miguelaferreira will reread it. But might indicate the problem. So you are saying I had something else in my terraform state. So when I would re-add the preshared key atm it should not recreate it. Is that the take-away?

miguelaferreira commented 5 years ago

I don't think this is something in your particular state @Alien2150, because @adamthomason and I experienced the same problem. I even experienced it with a fresh infra and state using the example I mentioned.

My best guess is that at the first plan & apply terraform produces a state that is not as it expects it to be. Then at the second plan & apply terraform picks up on the difference and proposes to change the state (and the infra). Once it sets the state (and infra) the second time, terraform won't propose any further changes unless the code or the infra change meanwhile.

I've seen many examples of this type of "inconsistency" in the state when lists and maps are used because terraform has a hard time tracking changes in the order of these collections, for example.

antonbabenko commented 5 years ago

@miguelaferreira Can this issue be closed now since v1.7.0 has been released (ref #25)?

miguelaferreira commented 5 years ago

Yes I would say this can be closed. Thanks @antonbabenko

bugok commented 5 years ago

Just hit the same issue. (Running terraform version 0.11.4, with version 1.7.0 of the module)

Running apply three times still yields changes.

I see that I'm getting changes in vpn_gateway.aws_vpn_connection.tunnel_preshared Specifically, the pre-shared keys show as changed (though they haven't changed). Also, the id field shows that is needs to be changed, but I assume this is because changing the pre-shared keys would require a new resource.

miguelaferreira commented 5 years ago

@bugok could you please try again with terraform v0.11.14? I was able to reproduce this issue with that version, but after the second plan + apply there were no more changes.

bugok commented 5 years ago

Sorry, I had a typo. I meant 0.11.14.

Edit: This issue reproduces for me when using terraform v0.11.14 and module version v1.7.0.

Not sure, but maybe is because I'm chaining modules. I have a chain of three modules (one module which references another, which references another).

bugok commented 5 years ago

Maybe the issue isn't with this specific module, but with the terraform resource? https://github.com/terraform-providers/terraform-provider-aws/issues/3359

miguelaferreira commented 5 years ago

It seems everyone having the issue with the resource is also running terraform < 0.11.14. With the exception of one person that reports having the same issue with terraform v0.12.

bugok commented 5 years ago

@miguelaferreira: I think that it makes sense to keep this issue closed. I don't think that it's in the scope of this module to fix the problem with that resource.

miguelaferreira commented 5 years ago

I agree @bugok. Thanks for reporting and please let everyone know if you ever find out why it's not working for you. I'll be happy to try and reproduce your setup.

cdaniluk commented 5 years ago

I have the same problem using tf 1.12.10. I'm fairly certain @bugok is right on the cause of this though.

bugok commented 5 years ago

Currently, the way I decided to work around this is:

The return value is an XML document that can be parsed, and from that the pre-shared keys can be retrieved.

I'm doing this as my high level goal is to know which pre-shared keys I'm using. If there was a way to retrieve that using terraform alone, I would have done it. I remember seeing an issue about defining an aws_vpn_connection data source, but I can't find it now...

It's not pretty, but it works.
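The parsing step described in the comment above, written out as an added example that is not bugok's code nor part of this module. It reads the customer_gateway_configuration XML that aws_vpn_connection exposes (the document shown in the plan output earlier in this thread), pulls the pre-shared key of each tunnel, and compares those keys with the ones held in `terraform show -json` state, so a "changed" pre-shared key in a plan can be told apart from real drift. The XML sample and the state JSON below are constructed placeholders; the `terraform show -json` layout (values.root_module.resources / child_modules) is the one Terraform 0.12+ documents.

```python
# Added example: extract per-tunnel pre-shared keys from the
# customer_gateway_configuration XML and check them against state.
import hmac
import json
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <vpn_connection> document in the plan
# output above. IDs, addresses and keys are placeholders, not real values.
SAMPLE_CGW_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-0000000000example">
  <customer_gateway_id>cgw-0000000000example</customer_gateway_id>
  <vpn_gateway_id>vgw-0000000000example</vpn_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address>
    </vpn_gateway>
    <ike><pre_shared_key>examplekeytunnel1</pre_shared_key></ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.11</ip_address></tunnel_outside_address>
    </vpn_gateway>
    <ike><pre_shared_key>examplekeytunnel2</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>
"""

# Constructed stand-in for `terraform show -json` output, reduced to the
# fields this check needs. The module address mirrors the one in the thread.
SAMPLE_SHOW_JSON = json.loads(json.dumps({
    "format_version": "0.1",
    "values": {"root_module": {"resources": [], "child_modules": [{
        "address": "module.vpn_gateway",
        "resources": [{
            "address": "module.vpn_gateway.aws_vpn_connection.tunnel_preshared[0]",
            "type": "aws_vpn_connection",
            "values": {
                "customer_gateway_configuration": SAMPLE_CGW_CONFIG,
                "tunnel1_preshared_key": "examplekeytunnel1",
                "tunnel2_preshared_key": "examplekeytunnel2",
            },
        }],
    }]}},
}))


def extract_tunnel_keys(cgw_config_xml):
    """Return [(vgw_outside_ip, pre_shared_key), ...] per <ipsec_tunnel>,
    in document order: AWS lists tunnel1 first, then tunnel2."""
    root = ET.fromstring(cgw_config_xml)
    tunnels = []
    for tunnel in root.findall("ipsec_tunnel"):
        ip = tunnel.findtext("vpn_gateway/tunnel_outside_address/ip_address")
        psk = tunnel.findtext("ike/pre_shared_key")
        if ip is None or psk is None:
            raise ValueError("ipsec_tunnel lacks outside address or pre_shared_key")
        tunnels.append((ip, psk))
    return tunnels


def keys_match(cgw_config_xml, tunnel1_psk, tunnel2_psk):
    """True when the keys AWS reports equal the keys Terraform holds.
    A missing key on the Terraform side (None) never matches; comparison
    is constant-time so the check itself leaks nothing about the keys."""
    tunnels = extract_tunnel_keys(cgw_config_xml)
    if len(tunnels) != 2:
        raise ValueError("expected two tunnels, got %d" % len(tunnels))
    expected = (tunnel1_psk, tunnel2_psk)
    return all(
        psk is not None and hmac.compare_digest(reported.encode(), psk.encode())
        for (_, reported), psk in zip(tunnels, expected)
    )


def iter_resources(module):
    """Walk one module node of `terraform show -json` output recursively."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_state(show_json):
    """Map each aws_vpn_connection address in state to whether its stored
    pre-shared keys agree with what AWS reports in the gateway config."""
    results = {}
    for res in iter_resources(show_json["values"]["root_module"]):
        if res.get("type") != "aws_vpn_connection":
            continue
        vals = res["values"]
        results[res["address"]] = keys_match(
            vals["customer_gateway_configuration"],
            vals.get("tunnel1_preshared_key"),
            vals.get("tunnel2_preshared_key"),
        )
    return results
```

On a real workspace, feed `json.load()` of `terraform show -json` into `check_state`; an address mapped to False is genuine key drift, while True alongside a plan that still wants to replace the connection points at the provider diff behaviour discussed in this thread.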

antonbabenko commented 4 years ago

Having to work with many VPN connections now I see this issue is still present sometimes with latest AWS provider and Terraform.

There is an open issue in Terraform AWS provider - https://github.com/terraform-providers/terraform-provider-aws/issues/3359 .

Let's have this issue open in case someone has an idea for the fix we can put in this module while the provider is not fixed.

maartenschalekamp commented 4 years ago

I ran into the same issue where I have specified the preshared_keys on initial creation. I however didn't want to re-create the tunnel with no preshared_key as the tunnel is already in use. So what I did was to remove the state for aws_vpn_connection.preshared[0] from the state file, removed the preshared key from my tf config and imported the VPN into the state.

Removing from state: terraform state rm module.vpn_gateway.aws_vpn_connection.preshared[0]

Importing it again with: terraform import module.vpn_gateway.aws_vpn_connection.default[0] vpn-000aaaabbbcccddd

The import however failed with

Error: Invalid template interpolation value

  on .terraform/modules/vpn_gateway/terraform-aws-vpn-gateway-2.5.0/main.tf line 13, in locals:
  13:   connection_identifier = var.connect_to_transit_gateway ? "TGW ${var.transit_gateway_id}" : "VPC ${var.vpc_id}"
    |----------------
    | var.vpc_id is null

I then manually modified the default value for vpc_id in the file in error above from null to empty string ""

Then did the import again and it worked like a charm. Hacky but at least I didn't need to recreate the resource.

Using versions: terraform-provider-aws_v2.61.0_x4 terraform-aws-vpn-gateway-2.5.0

omahonyb commented 3 years ago

Then did the import again and it worked like a charm. Hacky but atleast I didnt need to recreate the resource.

I did something similar for importing a previously in use VPN I couldn't recreate due to it being in use.

My issue here atm is a different VPN btw. The issue is that if the VPN was originally created without a PSK [was used to actually get the endpoint IPs so I could give them to someone else], and I then try to add a PSK in TF, it wants to recreate my VPN, which I can't allow. Is there any way to do this via code, other than adding it manually and then hacking the import as above?

B

EDIT: TF 12.31, Provider 3.27, gateway repo master branch

omahonyb commented 3 years ago

This actually doesn't seem to work. Import works successfully with the hack above, however it seems to want to remove all the tunnel options:

      ~ tunnel1_phase1_dh_group_numbers      = [
          - 2,
          - 14,
          - 15,
          - 16,
          - 17,
          - 18,
          - 19,
          - 20,
          - 21,
          - 22,
          - 23,
          - 24,
        ]
      ~ tunnel1_phase1_encryption_algorithms = [
          - "AES128",
          - "AES128-GCM-16",
          - "AES256",
          - "AES256-GCM-16",
        ]
      ~ tunnel1_phase1_integrity_algorithms  = [
          - "SHA1",
          - "SHA2-256",
          - "SHA2-384",
          - "SHA2-512",
        ]
        tunnel1_phase1_lifetime_seconds      = 0
      ~ tunnel1_phase2_dh_group_numbers      = [
          - 2,
          - 5,
          - 14,
          - 15,
          - 16,
          - 17,
          - 18,
          - 19,
          - 20,
          - 21,
          - 22,
          - 23,
          - 24,
        ]
      ~ tunnel1_phase2_encryption_algorithms = [
          - "AES128",
          - "AES128-GCM-16",
          - "AES256",
          - "AES256-GCM-16",
        ]
      ~ tunnel1_phase2_integrity_algorithms  = [
          - "SHA1",
          - "SHA2-256",
          - "SHA2-384",
          - "SHA2-512",
        ]

This then aborts with: module.vpn.module.vpn_gateway.aws_vpn_connection.default[0]: Modifying... [id=vpn-XXXX]

Error: Error modifying vpn tunnel options: InvalidRequest: The request received was invalid. status code: 400, request id: 7e33fcfc-19ed-4bc4-abd5-347ed61255f3

[I am assuming this is removing all to reset to default, but not actually doing it]

omahonyb commented 3 years ago

I managed to get around this with a big ugly dirty block of all the defaults.


  tunnel1_phase1_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  tunnel1_phase1_encryption_algorithms = ["AES128", "AES128-GCM-16", "AES256", "AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
  tunnel1_phase2_dh_group_numbers      = [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  tunnel1_phase2_encryption_algorithms = ["AES128", "AES128-GCM-16", "AES256", "AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]

  tunnel2_phase1_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  tunnel2_phase1_encryption_algorithms = ["AES128", "AES128-GCM-16", "AES256", "AES256-GCM-16"]
  tunnel2_phase1_integrity_algorithms  = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
  tunnel2_phase2_dh_group_numbers      = [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  tunnel2_phase2_encryption_algorithms = ["AES128", "AES128-GCM-16", "AES256", "AES256-GCM-16"]
  tunnel2_phase2_integrity_algorithms  = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 2 years ago

This issue was automatically closed because of stale in 10 days

fabioformosa commented 2 years ago

I managed to get around this with a big ugly dirty block of all the defaults.

  tunnel1_phase1_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  tunnel1_phase1_encryption_algorithms = ["AES128", "AES128-GCM-16", "AES256", "AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
  tunnel1_phase2_dh_group_numbers      = [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  tunnel1_phase2_encryption_algorithms = ["AES128", "AES128-GCM-16", "AES256", "AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]

  tunnel2_phase1_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  tunnel2_phase1_encryption_algorithms = ["AES128", "AES128-GCM-16", "AES256", "AES256-GCM-16"]
  tunnel2_phase1_integrity_algorithms  = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
  tunnel2_phase2_dh_group_numbers      = [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
  tunnel2_phase2_encryption_algorithms = ["AES128", "AES128-GCM-16", "AES256", "AES256-GCM-16"]
  tunnel2_phase2_integrity_algorithms  = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]

The same. The workaround works, thanks. For the team: a more stable solution would be better.

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.