Terraform-provider-aws: AWS: default network ACL keeps being "changed" at each run, but no change actually happens (which is good)
_This issue was originally opened by @FlorinAndrei as hashicorp/terraform#9824. It was migrated here as part of the provider split. The original body of the issue is below._
Terraform Version
Terraform v0.7.8
Affected Resource(s)
- aws_default_network_acl
Terraform Configuration Files
The VPC module:
variable "name" { default = "vpc" }
variable "cidr" { }
resource "aws_vpc" "vpc" {
cidr_block = "${var.cidr}"
enable_dns_support = true
enable_dns_hostnames = true
tags { Name = "${var.name}" }
lifecycle { create_before_destroy = true }
}
output "vpc_id" { value = "${aws_vpc.vpc.id}" }
output "vpc_cidr" { value = "${aws_vpc.vpc.cidr_block}" }
output "default_network_acl_id" { value = "${aws_vpc.vpc.default_network_acl_id}" }
The network module that uses vpc (inspired by the terraform best practices repo):
module "vpc" {
source = "./vpc"
name = "${var.name}"
cidr = "${var.vpc_cidr}"
}
resource "aws_default_network_acl" "default" {
default_network_acl_id = "${module.vpc.default_network_acl_id}"
ingress {
protocol = "-1"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
egress {
protocol = "-1"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
tags { Name = "${var.name}-default" }
}
Debug Output
https://gist.github.com/FlorinAndrei/ed03b78d8db47a1d672c4150af482f5f
Expected Behavior
Nothing. I made no changes to the templates. Just repeat-running "terraform plan" and "terraform apply".
Actual Behavior
"Nothing". :)
It claims to change the default ACL, but nothing is changed (which is good). But it should really not claim to make any change.
That ACL remains default, and it remains associated with all subnets.
Steps to Reproduce
terraform plan -out=planterraform apply plan
hashibot
All 9 comments
this is still a problem in latest
wernerb
on 24 Nov 2017
Just ran into the same problem. Is there a workaround?
CumpsD
on 16 Dec 2017
Any update on this issue?
$ terraform --version
Terraform v0.11.7
+ provider.aws v1.17.0
+ provider.template v1.0.0
heldersepu
on 2 Jul 2018
What terraform plan differences are being shown? The original gist no longer opens.
bflad
on 2 Jul 2018
Hey @bflad, here is what I get on the plan:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
~ aws_default_network_acl.default
subnet_ids.#: "1" => "0"
subnet_ids.3191101402: "subnet-068702c6e85dd3657" => ""
Plan: 0 to add, 1 to change, 0 to destroy.
Here is my code to reproduce the issue:
https://github.com/heldersepu/hs-scripts/blob/master/TerraForm/vpc.tf
heldersepu
on 2 Jul 2018
Managed to work around this bug by adding:
lifecycle {
ignore_changes = ["subnet_ids"]
}
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
![github-actions[bot] picture](https://avatars2.githubusercontent.com/in/15368?v=4&s=40)
github-actions[bot]
on 24 Jun 2020
I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 24 Aug 2020
Related issues
hashibot
ยท
3Comments
gothrek22
ยท
3Comments
hazmeister
ยท
3Comments
reedloden
ยท
3Comments
hashibot
ยท
3Comments
Most helpful comment
Managed to work around this bug by adding: