Terraform-provider-aws: Disassociating EIP when adding tags

Created on 12 Jan 2018  ·  9 Comments  ·  Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.11.1

  • provider.aws v1.7.0
  • provider.null v1.0.0
  • provider.template v1.0.0

Affected Resource(s)

  • aws_eip

Terraform Configuration Files

resource "aws_eip" "nat-az-0" {
  vpc = true

  tags {
    Name        = "example"
  }
}

resource "aws_nat_gateway" "az-0" {
  allocation_id = "${aws_eip.nat-az-0.id}"
  subnet_id     = "${aws_subnet.dmz-az-0.id}"
}

Debug Output

https://gist.github.com/williamlord/3618c58363da6a1383f4206b76ce047d

Expected Behavior

Add tags.

Actual Behavior

Attempted to disassociate EIP, AWS returned 400 Bad Request.

Steps to Reproduce

  1. Create EIP without tags and NAT Gateway.
  2. Add tags.

References

Attempting to use after https://github.com/terraform-providers/terraform-provider-aws/pull/2768.

bug service/ec2

All 9 comments

@williamlord thank you very much for submitting this bug and sorry for the trouble. Previously aws_eip only updated on association updates, so there was logic in place to always disassociate (if previously associated) on update. This functionality was not taken into account with the introduction of tags. I have submitted a bugfix PR to address this: #2975
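The update behaviour this comment describes, as a simplified Go model (an added example, not the provider's code and not the change in #2975). The `change` type, both update functions and the association ID are constructed for illustration; the attribute names are `aws_eip` arguments and the strings are EC2 API actions.

```go
package main

import "fmt"

// change is a constructed stand-in for a resource diff: the set of
// attribute names that differ between state and configuration.
type change map[string]bool

func (c change) has(keys ...string) bool {
	for _, k := range keys {
		if c[k] {
			return true
		}
	}
	return false
}

// assocKeys are the aws_eip arguments that decide what the address is attached to.
var assocKeys = []string{"instance", "network_interface", "associate_with_private_ip"}

// finish appends the calls both variants share after the disassociate decision.
func finish(calls []string, c change) []string {
	if c.has(assocKeys...) {
		calls = append(calls, "AssociateAddress")
	}
	if c.has("tags") {
		calls = append(calls, "CreateTags")
	}
	return calls
}

// updateBefore: any update of an already-associated EIP disassociates first,
// because an update used to imply an association change.
func updateBefore(c change, associationID string) []string {
	var calls []string
	if associationID != "" {
		calls = append(calls, "DisassociateAddress")
	}
	return finish(calls, c)
}

// updateAfter: disassociate only when an association attribute changed,
// so a tags-only diff never touches the existing association.
func updateAfter(c change, associationID string) []string {
	var calls []string
	if associationID != "" && c.has(assocKeys...) {
		calls = append(calls, "DisassociateAddress")
	}
	return finish(calls, c)
}

func main() {
	tagsOnly := change{"tags": true}
	fmt.Println("before:", updateBefore(tagsOnly, "eipassoc-EXAMPLE"))
	fmt.Println("after: ", updateAfter(tagsOnly, "eipassoc-EXAMPLE"))
}
```

The same comparison works as a regression check: for a tags-only diff, the recorded call list should contain no association actions.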

I just replicated this too. Damn, I was so excited to be able to tag my EIPs, I downloaded 1.7.0 right away 😄

Thank you @bflad for adding the tag support, and for fixing this bug so quickly. Hopefully 1.7.1 will be soon! 👏

Terraform will perform the following actions:

  ~ module.nlb.aws_eip.subnet[0]
      tags.%:    "0" => "1"
      tags.Name: "" => "This doesn't work sad face"
* module.prod_nlb.aws_eip.subnet[0]: 1 error(s) occurred:

* aws_eip.subnet.0: AuthFailure: You do not have permission to access the specified resource.
        status code: 400, request id: 1234567-7932-4fc1-9d53-b6a87316abce
2018-01-12T15:21:22.580-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: Action=DisassociateAddress&AssociationId=eipassoc-8219b2a3&Version=2016-11-15
2018-01-12T15:21:22.580-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: -----------------------------------------------------
  tags.Name: "This works" => ""
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: 2018/01/12 15:21:22 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DisassociateAddress Details:
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: ---[ RESPONSE ]--------------------------------------
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: HTTP/1.1 400 Bad Request
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: Connection: close
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: Transfer-Encoding: chunked
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: Date: Fri, 12 Jan 2018 20:21:25 GMT
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: Server: AmazonEC2
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4:
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4:
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: -----------------------------------------------------
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: 2018/01/12 15:21:22 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: <Response><Errors><Error><Code>AuthFailure</Code><Message>You do not have permission to access the specified resource.</Message></Error></Errors><RequestID>1234567-7932-4fc1-9d53-b6a87316abce</RequestID></Response>
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4: 2018/01/12 15:21:22 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/DisassociateAddress failed, not retrying, error AuthFailure: You do not have permission to access the specified resource.
2018-01-12T15:21:22.781-0500 [DEBUG] plugin.terraform-provider-aws_v1.7.0_x4:   status code: 400, request id: 1234567-7932-4fc1-9d53-b6a87316abce
2018/01/12 15:21:22 [TRACE] root.prod_nlb: eval: *terraform.EvalWriteState
2018/01/12 15:21:22 [TRACE] root.prod_nlb: eval: *terraform.EvalApplyProvisioners
2018/01/12 15:21:22 [TRACE] root.prod_nlb: eval: *terraform.EvalIf
2018/01/12 15:21:22 [TRACE] root.prod_nlb: eval: *terraform.EvalWriteState
2018/01/12 15:21:22 [TRACE] root.prod_nlb: eval: *terraform.EvalWriteDiff
2018/01/12 15:21:22 [TRACE] root.prod_nlb: eval: *terraform.EvalApplyPost
2018/01/12 15:21:22 [ERROR] root.prod_nlb: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

The fix has been merged into master (available if you want to build it yourself now) and will be released later this week in v1.7.1. Sorry again for the trouble.

Perfect thank you, no worries.

This has been released in terraform-provider-aws version 1.7.1. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I can replicate this problem with "provider.aws v1.9.0". Is it a regression then?

I'm also receiving this error trying to create an aws_eip resource with tags using aws provider version 1.7:

resource "aws_eip" "nat" {
  vpc = true
  tags {
    Application = "${var.application_name}"
    Project = "${var.project_name}"
    Environment = "${terraform.workspace}"
  }
}

* module.vpc.aws_eip.nat: 1 error(s) occurred:

* aws_eip.nat: AuthFailure: You do not have permission to access the specified resource.
    status code: 400, request id: e5e99cf2-9b11-4fc4-8eb5-7f4881d34d5a

I removed the tags from the aws_eip resource and it worked.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
