_This issue was originally opened by @singhsurjeet as hashicorp/terraform#15711. It was migrated here as a result of the provider split. The original body of the issue is below._
I am expecting that I should be able to add multiple entries of static routes to the terraform resource aws_vpn_connection_route. However, the destination_cidr_block doesn't allow adding a list and expects a single value (as also seen in the screenshot during the terraform plan).
_Actual:_

```hcl
resource "aws_vpn_connection_route" "office" {
  destination_cidr_block = "10.0.0.0/16"
  vpn_connection_id      = "${aws_vpn_connection.main.id}"
}
```

_Expectation:_

```hcl
resource "aws_vpn_connection_route" "office" {
  destination_cidr_block = ["10.0.0.0/16", "10.2.0.0/16"]
  vpn_connection_id      = "${aws_vpn_connection.main.id}"
}
```

I should be able to add multiple routes as this is doable through the AWS console (seen below).

@singhsurjeet, you can add multiple aws_vpn_connection_route resources, each with its own destination. Given that you have a variable called "static_routes" with a list with all the destination CIDRs, you can do the following:

```hcl
resource "aws_vpn_connection_route" "vpn_route" {
  count                  = "${length(var.static_routes)}"
  destination_cidr_block = "${var.static_routes[count.index]}"
  vpn_connection_id      = "${aws_vpn_connection.vpn_conn.id}"
}
```
This behavior corresponds with the aws_route resource.
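A complete, stand-alone configuration for the one-route-per-resource pattern described in the comment above, added here as an example and not taken from the issue thread or the provider's own code. It goes a step beyond the count form by keying each route on its CIDR with for_each (Terraform 0.13 or later), so removing one entry from the list does not shift indices and force Terraform to destroy and recreate the routes that followed it, and it rejects malformed CIDRs at plan time. The variable names, the sample CIDRs and the placeholder VPN connection ID are assumptions.

```hcl
# Added example (not from the issue thread). Requires Terraform >= 0.13 for
# for_each on resources and variable validation blocks.
terraform {
  required_version = ">= 0.13"
}

variable "static_routes" {
  description = "Destination CIDR blocks to route over the Site-to-Site VPN (sample values)"
  type        = list(string)
  default     = ["10.0.0.0/16", "10.2.0.0/16", "192.168.10.0/24"]

  # Fail at plan time if any entry is not a valid IPv4 CIDR; a typo here would
  # otherwise only surface as an API error during apply.
  validation {
    condition     = alltrue([for c in var.static_routes : can(cidrnetmask(c))])
    error_message = "Every entry in static_routes must be a valid IPv4 CIDR block."
  }
}

variable "vpn_connection_id" {
  description = "ID of an existing aws_vpn_connection (placeholder, not a real ID)"
  type        = string
  default     = "vpn-PLACEHOLDER0000000"
}

# One resource instance per CIDR, addressed as
# aws_vpn_connection_route.office["10.0.0.0/16"] etc. toset() also drops
# duplicate entries, which AWS would reject as conflicting routes.
resource "aws_vpn_connection_route" "office" {
  for_each = toset(var.static_routes)

  destination_cidr_block = each.value
  vpn_connection_id      = var.vpn_connection_id
}

# Lists the routes Terraform manages, handy for diffing against what is
# visible in the console.
output "vpn_static_routes" {
  value = sort([for r in aws_vpn_connection_route.office : r.destination_cidr_block])
}
```

With this layout the `terraform plan` for adding or dropping a single CIDR touches exactly one route instance, and any route added by hand in the console shows up as drift rather than being silently overwritten, which is the situation the later comments in this thread describe.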
@sfrode, thanks. Yeah, this worked, but is this the proposed solution to this problem?
@singhsurjeet, I can't speak for the creator/maintainer of these resources, but as both are in the singular, it makes sense that they only support one route per resource definition. It also has certain benefits as each route resource can be managed independently. And, as I stated in the comment above, this behavior mirrors the aws_route resource.
Hi @singhsurjeet, thanks for raising this issue.
@sfrode is right, this is the preferred way to do it. For various reasons (ability to use count and interpolation is one of them) we prefer to have granular resources rather than managing multiple things via the same resource.
We had to learn this the hard way in the past with aws_security_group which allows you to manage rules inline + via aws_security_group_rule (as a standalone resource).
Because of resources being independent of each other (which is a good thing for most of the time) there's no way for Terraform to figure out which one is the source of truth. This keeps confusing many people that keep reporting issues about this and we don't want to get into the same situation here.
There are plans for eventually introducing the concept of nested resources, which might give us the benefit of both approaches, but I can't share any timelines or guarantees around this.
I agree with the preferred way of using terraform, but I have a situation where I have multiple datacenters with multiple subnets at each DC behind a single physical router, and my AWS VPN route tables have close to 50+ static routes added to them. How can I make this happen with terraform? Also, when granularity comes into the picture, and if it's a fin-tech, we also need to be very specific about outbound and inbound traffic; we need to code the exact source and destination IP/URL.
Do we have any workaround for this condition? I am stuck here, as the terraform state restores to the default entry every time we run terraform apply and manual updates are lost.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!