Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

awscc_ec2_ipam_pool - update to args has unexpected force new #1139

Closed
GlennChia opened this issue Aug 12, 2023 · 10 comments · Fixed by #1712
Closed

awscc_ec2_ipam_pool - update to args has unexpected force new #1139

GlennChia opened this issue Aug 12, 2023 · 10 comments · Fixed by #1712
Labels
bug service/ec2

Comments

@GlennChia
Copy link
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

  • awscc_ec2_ipam_pool

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

First apply to create the resource works

data "aws_region" "current" {}

resource "awscc_ec2_ipam" "example" {
  operating_regions = [
    {
      region_name = data.aws_region.current.name
    }
  ]
}
resource "awscc_ec2_ipam_pool" "example" {
  address_family = "ipv4"
  description    = "example pool"
  ipam_scope_id  = awscc_ec2_ipam.example.private_default_scope_id
  locale         = data.aws_region.current.name
}

Second apply that just updates the description forces a new resources unexpectedly. This affects other argument updates of the pool as well

data "aws_region" "current" {}

resource "awscc_ec2_ipam" "example" {
  operating_regions = [
    {
      region_name = data.aws_region.current.name
    }
  ]
}
resource "awscc_ec2_ipam_pool" "example" {
  address_family = "ipv4"
  description    = "example pool update"
  ipam_scope_id  = awscc_ec2_ipam.example.private_default_scope_id
  locale         = data.aws_region.current.name
}

Debug Output

Panic Output

Expected Behavior

Expect an in-place update of the IPAM Pool without recreation

Actual Behavior

Forces a new IPAM Pool to be created. With the following snippet:

data.aws_region.current: Reading...
data.aws_region.current: Read complete after 0s [id=ap-southeast-1]
awscc_ec2_ipam.example: Refreshing state... [id=ipam-example]
awscc_ec2_ipam_pool.example: Refreshing state... [id=ipam-pool-example]

Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # awscc_ec2_ipam_pool.example must be replaced
-/+ resource "awscc_ec2_ipam_pool" "example" {
      + allocation_default_netmask_length = (known after apply)
      + allocation_max_netmask_length     = (known after apply)
      + allocation_min_netmask_length     = (known after apply)
      + allocation_resource_tags          = (known after apply)
      ~ arn                               = "arn:aws:ec2::111122223333:ipam-pool/ipam-pool-example" -> (known after apply)
      ~ auto_import                       = false -> (known after apply)
      + aws_service                       = (known after apply) # forces replacement
      ~ description                       = "example pool" -> "example pool update"
      ~ id                                = "ipam-pool-example" -> (known after apply)
      ~ ipam_arn                          = "arn:aws:ec2::111122223333:ipam/ipam-example" -> (known after apply)
      ~ ipam_pool_id                      = "ipam-pool-example" -> (known after apply)
      ~ ipam_scope_arn                    = "arn:aws:ec2::111122223333:ipam-scope/ipam-scope-example" -> (known after apply)
      ~ ipam_scope_type                   = "private" -> (known after apply)
      ~ pool_depth                        = 1 -> (known after apply)
      + provisioned_cidrs                 = (known after apply)
      + public_ip_source                  = (known after apply) # forces replacement
      + publicly_advertisable             = (known after apply) # forces replacement
      + source_ipam_pool_id               = (known after apply) # forces replacement
      ~ state                             = "create-complete" -> (known after apply)
      ~ state_message                     = "None" -> (known after apply)
      + tags                              = (known after apply)
        # (3 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Steps to Reproduce

  1. terraform apply with the following block
data "aws_region" "current" {}

resource "awscc_ec2_ipam" "example" {
  operating_regions = [
    {
      region_name = data.aws_region.current.name
    }
  ]
}
resource "awscc_ec2_ipam_pool" "example" {
  address_family = "ipv4"
  description    = "example pool"
  ipam_scope_id  = awscc_ec2_ipam.example.private_default_scope_id
  locale         = data.aws_region.current.name
}
  1. Run terraform apply again with the following config that just updates the description forces a new resources unexpectedly. This affects other argument updates of the pool as well
data "aws_region" "current" {}

resource "awscc_ec2_ipam" "example" {
  operating_regions = [
    {
      region_name = data.aws_region.current.name
    }
  ]
}
resource "awscc_ec2_ipam_pool" "example" {
  address_family = "ipv4"
  description    = "example pool update"
  ipam_scope_id  = awscc_ec2_ipam.example.private_default_scope_id
  locale         = data.aws_region.current.name
}

Important Factoids

References
@wellsiau-aws
Copy link
Collaborator

TF DEBUG output shows that the only detected changes are for tf_attribute_path=description:

@module=sdk.framework tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=b0f34296-ded1-42e8-f685-f95bca6fe3de tf_resource_type=awscc_ec2_ipam_pool tf_attribute_path=description tf_rpc=PlanResourceChange timestamp=2023-09-11T16:46:38.496-0700

@wellsiau-aws
Copy link
Collaborator

IPAM Pool create only properties

    "createOnlyProperties": [
        "/properties/IpamScopeId",
        "/properties/SourceIpamPoolId",
        "/properties/Locale",
        "/properties/AddressFamily",
        "/properties/PubliclyAdvertisable",
        "/properties/PublicIpSource",
        "/properties/AwsService",
        "/properties/SourceResource"
    ],

@wellsiau-aws
Copy link
Collaborator

Terraform plan shows force replacement for these createOnlyProperties:

  # awscc_ec2_ipam_pool.example must be replaced
-/+ resource "awscc_ec2_ipam_pool" "example" {
      + allocation_default_netmask_length = (known after apply)
      + allocation_max_netmask_length     = (known after apply)
      + allocation_min_netmask_length     = (known after apply)
      + allocation_resource_tags          = (known after apply)
      ~ arn                               = "arn:aws:ec2::204034886740:ipam-pool/ipam-pool-0503a8371a95ab7d3" -> (known after apply)
      ~ auto_import                       = false -> (known after apply)
      + aws_service                       = (known after apply) # forces replacement
      ~ description                       = "example pool" -> "example pool longer"
      ~ id                                = "ipam-pool-0503a8371a95ab7d3" -> (known after apply)
      ~ ipam_arn                          = "arn:aws:ec2::204034886740:ipam/ipam-07f64eb9d3be41299" -> (known after apply)
      ~ ipam_pool_id                      = "ipam-pool-0503a8371a95ab7d3" -> (known after apply)
      ~ ipam_scope_arn                    = "arn:aws:ec2::204034886740:ipam-scope/ipam-scope-00e0e4271731e525b" -> (known after apply)
      ~ ipam_scope_type                   = "private" -> (known after apply)
      ~ pool_depth                        = 1 -> (known after apply)
      + provisioned_cidrs                 = (known after apply)
      + public_ip_source                  = (known after apply) # forces replacement
      + publicly_advertisable             = (known after apply) # forces replacement
      + source_ipam_pool_id               = (known after apply) # forces replacement
      + source_resource                   = (known after apply) # forces replacement
      ~ state                             = "create-complete" -> (known after apply)
      ~ state_message                     = "None" -> (known after apply)
      + tags                              = (known after apply)
        # (3 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

@wellsiau-aws
Copy link
Collaborator

These attributes are stored as null in the Terraform state file

    {
      "mode": "managed",
      "type": "awscc_ec2_ipam_pool",
      "name": "example",
      "provider": "provider[\"registry.terraform.io/hashicorp/awscc\"]",
      "instances": [
        {
          "schema_version": 1,
          "attributes": {
            "address_family": "ipv4",
            "allocation_default_netmask_length": null,
            "allocation_max_netmask_length": null,
            "allocation_min_netmask_length": null,
            "allocation_resource_tags": null,
            "arn": "arn:aws:ec2::204034886740:ipam-pool/ipam-pool-0503a8371a95ab7d3",
            "auto_import": false,
            "aws_service": null, # forces replacement
            "description": "example pool",
            "id": "ipam-pool-0503a8371a95ab7d3",
            "ipam_arn": "arn:aws:ec2::204034886740:ipam/ipam-07f64eb9d3be41299",
            "ipam_pool_id": "ipam-pool-0503a8371a95ab7d3",
            "ipam_scope_arn": "arn:aws:ec2::204034886740:ipam-scope/ipam-scope-00e0e4271731e525b",
            "ipam_scope_id": "ipam-scope-00e0e4271731e525b",
            "ipam_scope_type": "private",
            "locale": "us-east-1",
            "pool_depth": 1,
            "provisioned_cidrs": null,
            "public_ip_source": null, # forces replacement
            "publicly_advertisable": null, # forces replacement
            "source_ipam_pool_id": null, # forces replacement
            "source_resource": null, # forces replacement
            "state": "create-complete",
            "state_message": "None",
            "tags": null
          },
          "sensitive_attributes": [],
          "dependencies": [
            "awscc_ec2_ipam.example",
            "data.aws_region.current"
          ]
        }
      ]
    }

@wellsiau-aws wellsiau-aws mentioned this issue Mar 28, 2024
Closed
@wellsiau-aws
Copy link
Collaborator

GetResource using CCAPI confirms that these attributes are not included in the response:

  • aws_service
  • public_ip_source
  • publicly_advertisable
  • source_ipam_pool_id
  • source_resource

See below for the output:

aws cloudcontrol get-resource --type-name AWS::EC2::IPAMPool --identifier ipam-pool-0503a8371a95ab7d3 --region us-east-1 | jq -r ".ResourceDescription.Properties" | jq "."

{
  "Locale": "us-east-1",
  "Description": "example pool",
  "IpamPoolId": "ipam-pool-0503a8371a95ab7d3",
  "IpamArn": "arn:aws:ec2::204034886740:ipam/ipam-07f64eb9d3be41299",
  "IpamScopeArn": "arn:aws:ec2::204034886740:ipam-scope/ipam-scope-00e0e4271731e525b",
  "IpamScopeType": "private",
  "IpamScopeId": "ipam-scope-00e0e4271731e525b",
  "ProvisionedCidrs": [],
  "PoolDepth": 1,
  "State": "create-complete",
  "AutoImport": false,
  "AddressFamily": "ipv4",
  "Arn": "arn:aws:ec2::204034886740:ipam-pool/ipam-pool-0503a8371a95ab7d3",
  "StateMessage": "None",
  "Tags": []
}

@wellsiau-aws
Copy link
Collaborator

I suspect the plan modifiers couldn't distinguish null value in Terraform state file versus no attributes on CCAPI GetResource response.

@wellsiau-aws wellsiau-aws mentioned this issue Apr 10, 2024
Closed
@wellsiau-aws wellsiau-aws mentioned this issue Apr 18, 2024
Closed
@wellsiau-aws wellsiau-aws mentioned this issue Apr 26, 2024
Closed
@BondAnthony BondAnthony mentioned this issue Apr 29, 2024
Closed
This was referenced May 7, 2024
Open
Closed
@ewbankkit
Copy link
Contributor

ewbankkit commented May 15, 2024
edited
Loading

It looks like we are falling foul of this behavior.

For example with aws_service, the planned value is unknown and the state value is null, so stringplanmodifier.RequiresReplace() returns true.

@wellsiau-aws
Copy link
Collaborator

@ewbankkit , with the lack of default values available on the schema, does this mean we need a custom plan modifiers?

@ewbankkit
Copy link
Contributor

@wellsiau-aws I think using RequiresReplaceIfConfigured instead of RequiresReplace for the Optional+Computed attributes should work.

@wellsiau-aws
Copy link
Collaborator

you are right, I just tested this behavior on my local build for awscc_qbusiness_application

After I overcome this problem, I found a new behavior which I will describe on separate issue.

@ewbankkit ewbankkit mentioned this issue May 15, 2024
Merged
@wellsiau-aws wellsiau-aws mentioned this issue May 15, 2024
Closed
@quixoticmonk quixoticmonk mentioned this issue Jun 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug service/ec2
Projects
None yet
Milestone
No milestone
4 participants
@ewbankkit @GlennChia @justinretzolk @wellsiau-aws