_This issue was originally opened by @davehodgson as hashicorp/terraform#5037. It was migrated here as part of the provider split. The original body of the issue is below._
As part of a script to create an environment, I create a route table and associate it to 3 subnets
```hcl
resource "aws_route_table" "internet_access" {
  vpc_id = "${aws_vpc.main-vpc.id}"

  tags {
    Name        = "${var.customer_prefix}-internet-access-routetable"
    Description = "${var.aws_label}"
  }

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.internet_gw.id}"
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = "${aws_subnet.private_subnet.id}"
  route_table_id = "${aws_route_table.internet_access.id}"
}
```
This has to happen initially because I want to be able to configure them using remote provisioners and it seems to fail to connect if they don't have access to an internet gateway.
At the end of the script I have a NULL resource which then uses Amazon tools from a Linux box to change the routing table association:
```
AWS_ACCESS_KEY_ID=${var.access_key} AWS_SECRET_ACCESS_KEY=${var.secret_key} aws ec2 replace-route-table-association --association-id ${aws_route_table_association.mgmt.id} --region ${var.aws_region} --route-table-id ${aws_route_table.main.id}
```
It all works fine, but when I then re-run terraform apply, naturally the refresh picks up that the association has changed and tries to re-associate the first routing table. It then fails with the error below:
```
* aws_route_table_association.private: Resource.AlreadyAssociated: the specified association for route table rtb-42f40226 conflicts with an existing association status code: 400, request id:
```
This happens because my script doesn't update the association id in the terraform.state file.
I'm not sure how best to achieve what I am looking to do here - essentially using a temporary routing table association to give the machines internet access while terraform configures them using remote-exec and then change the association to one that hasn't got internet access.
Any ideas? The only one I have is to catch the association id returned by the command line and update the terraform state file in my script, but that scares me a little bit.
As a feature suggestion, it would be handy for the aws_route_table_association to work if the association is different to what it expects. For example, if someone had manually changed the association in the AWS console, this would also fail. Perhaps if it fails, it could pull the existing association ID and then call replace-route-table-association instead of AssociateRouteTable, which it seems to do now.
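The decision the feature suggestion above describes (look up the subnet's existing association, then choose between associate and replace) can be sketched as follows. This is an added example, not part of the original issue or the provider's code; the sample data and all IDs in it are constructed, and the helper names are hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables --output json`
# (all IDs are made up for illustration).
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
   "Associations": [
     {"RouteTableAssociationId": "rtbassoc-aaa", "SubnetId": "subnet-a", "Main": false}]},
  {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
   "Associations": [
     {"RouteTableAssociationId": "rtbassoc-main", "Main": true}]}
]}
""")

def current_association(route_tables, subnet_id):
    """Return (association_id, route_table_id) for the subnet's explicit association, or None."""
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id and not assoc.get("Main", False):
                return assoc["RouteTableAssociationId"], rt["RouteTableId"]
    return None

def plan_association(route_tables, subnet_id, wanted_rtb):
    """Pick the EC2 call that moves subnet_id onto wanted_rtb given its current state."""
    found = current_association(route_tables, subnet_id)
    if found is None:
        # Subnet only falls back to the main table: a plain associate is enough.
        return ["aws", "ec2", "associate-route-table",
                "--subnet-id", subnet_id, "--route-table-id", wanted_rtb]
    assoc_id, current_rtb = found
    if current_rtb == wanted_rtb:
        return []  # already in the desired state, nothing to call
    # An explicit association exists: associating again is what the thread
    # reports as Resource.AlreadyAssociated, so replace it instead.
    return ["aws", "ec2", "replace-route-table-association",
            "--association-id", assoc_id, "--route-table-id", wanted_rtb]

if __name__ == "__main__":
    tables = SAMPLE["RouteTables"]
    for subnet in ("subnet-a", "subnet-b"):
        cmd = plan_association(tables, subnet, "rtb-private")
        print(subnet, " ".join(cmd) or "no change")
```

Note that replace-route-table-association returns a new association ID, so the ID recorded in Terraform state is stale after a replace done outside Terraform.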
_This comment was originally opened by @mwarkentin as https://github.com/hashicorp/terraform/issues/5037#issuecomment-265798064. It was migrated here as part of the provider split. The original comment is below._
We seem to be hitting this as well.
_This comment was originally opened by @awilkins as https://github.com/hashicorp/terraform/issues/5037#issuecomment-280025071. It was migrated here as part of the provider split. The original comment is below._
Also hitting this case.
Seems to be occurring when an existing explicit aws_route_table_association is destroyed and the subnet falls back to the main route table.
Re-applying subsequently works. Is it that the destroy for the prior association is falsely reporting completion?
Hello
Same issue faced here:
I'm trying to associate a previously created subnet with a newly created route table. It fails at apply phase with v0.10.4 and v0.10.6.
```
* module.shared-tools.aws_route_table_association.rtb[1]: 1 error(s) occurred:
* aws_route_table_association.rtb.1: Resource.AlreadyAssociated: the specified association for route table rtb-9xxa4af0 conflicts with an existing association
status code: 400, request id: 654431da-0433-4f6f-9fb8-88b320732631
```
Sample code:
```hcl
# identifies the shared-tools subnets, already explicitly associated with another rtb
data "aws_subnet_ids" "shared-tools" {
  tags {
    purpose    = "shared-tools"
    managed-by = "terraform"
  }
}

# new rtb
resource "aws_route_table" "rtb" {
  vpc_id = "${data.aws_vpc.x.id}"
}

# attach this route to the zone subnets
resource "aws_route_table_association" "rtb" {
  count          = "${length(data.aws_subnet_ids.shared-tools.ids)}" // iterate on all subnets
  subnet_id      = "${data.aws_subnet_ids.shared-tools.ids[count.index]}"
  route_table_id = "${aws_route_table.rtb.id}"
}
```
Any idea on how to work around this issue?
Thanks for your help
I just ran into this also. I worked around it by:

1. `aws ec2 replace-route-table-association --association-id rtbassoc-12345678 --route-table-id rtb-12345678`
2. `terraform apply`
3. Terraform will re-apply the same association and succeed. Nothing will change in this step except for the association being captured in the state.

I ran into the same issue. That is a workaround, but it's supposed to make the new association, right?
Experiencing the same problem. Manually doing the subnet associations and then running apply again does not seem to work for me. I am using terraform v0.11.10
@sidprak @RuBiCK @andrewhart098 @Florent-A @awilkins @mwarkentin @davehodgson I submitted PR #6999 to allow replacement of a subnet's existing route table association. To help the maintainers prioritize, please visit the PR and 👍 or leave a comment with your thoughts!
@andrewhart098 this doesn't work for me, either. I'll try to look at what the PR actually does and try to figure it out. I'll share my results if I can produce anything useful :-)
@YakDriver Thank you :-)
I solved my issue. I've had circular associations so replacing did not actually work.
```
$ aws ec2 describe-route-tables --filters "Name=route-table-id,Values=rtb-0eeb23139fac403a5"
ROUTETABLES 397794470468 rtb-0eeb23139fac403a5 vpc-01f45574c74eb8ac1
ASSOCIATIONS False rtbassoc-064611555f45f4ace rtb-0eeb23139fac403a5 subnet-046b73ff13c54ef04
ASSOCIATIONS False rtbassoc-030af166ccd8a8851 rtb-0eeb23139fac403a5 subnet-04915d7ff586db40d
ROUTES 10.4.0.0/16 local CreateRouteTable active
ROUTES 0.0.0.0/0 nat-03f839a190a2f3e9f CreateRoute active
```
When trying to delete, I got:
```
An error occurred (DependencyViolation) when calling the DeleteRouteTable operation: The routeTable 'rtb-0eeb23139fac403a5' has dependencies and cannot be deleted.
```
So I had to first dissociate at least one route (and then either replace the association or delete it completely).
```
$ aws ec2 disassociate-route-table --association-id rtbassoc-064611555f45f4ace
$ aws ec2 disassociate-route-table --association-id rtbassoc-030af166ccd8a8851
$ aws ec2 delete-route-table --route-table-id rtb-0eeb89739fac403a5
```
The `aws_route_table_association` resource has been updated to support resource import as well as allow `subnet_id` updates in-place via replacement. This will release in version 2.22.0 of the Terraform AWS Provider, tomorrow. 👍 Thanks to @YakDriver for the implementation.
This has been released in version 2.22.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!