Terraform-provider-aws: Terraform import aws_vpn_connection does not get tunnel1/2_inside_cidr

Created on 1 Jun 2018 · 4 Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @repl-nealalberda as hashicorp/terraform#18170. It was migrated here as a result of the provider split. The original body of the issue is below._


Long time user, first time contributor, thanks for all you do! Reworking my VPN connections and forced to import aws_vpn_connection.

terraform import module.vpn_eu-west-1.aws_vpn_connection.xxxxx_wan1_vpn vpn-xxxxxxxx

module.vpn_eu-west-1.aws_vpn_connection.xxxxx_wan1_vpn: Importing from ID "vpn-xxxxxxxx"...
module.vpn_eu-west-1.aws_vpn_connection.xxxxx_wan1_vpn: Import complete!
Imported aws_vpn_connection (ID: vpn-xxxxxxxx)
module.vpn_eu-west-1.aws_vpn_connection.xxxxx_wan1_vpn: Refreshing state... (ID: vpn-xxxxxxxx)

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Releasing state lock. This may take a few moments...

Upon a plan I get (redacted some info):
-/+ module.vpn_eu-west-1.aws_vpn_connection.xxxxxxx_wan1_vpn (new resource required)
id: "vpn-xxxxxxxx" => <computed> (forces new resource)
customer_gateway_id: "cgw-xxxxxxxx" => "${aws_customer_gateway.xxxxx_wan1.id}" (forces new resource)
routes.#: "0" => <computed>
static_routes_only: "false" => "false"
tags.%: "1" => "1"
tags.Name: "xxxxx_wan1_vpn" => "xxxxx_wan1_vpn"
tunnel1_address: "x.x.x.x" => <computed>
tunnel1_bgp_asn: "12345" => <computed>
tunnel1_bgp_holdtime: "30" => <computed>
tunnel1_cgw_inside_address: "169.254.6.6" => <computed>
tunnel1_inside_cidr: "" => "169.254.6.6/30" (forces new resource)
tunnel1_vgw_inside_address: "169.254.6.5" => <computed>
tunnel2_address: "y.y.y.y" => <computed>
tunnel2_bgp_asn: "12345" => <computed>
tunnel2_bgp_holdtime: "30" => <computed>
tunnel2_cgw_inside_address: "169.254.6.10" => <computed>
tunnel2_inside_cidr: "" => "169.254.6.10/30" (forces new resource)
tunnel2_vgw_inside_address: "169.254.6.9" => <computed>
type: "ipsec.1" => "ipsec.1"
vgw_telemetry.#: "2" => <computed>
vpn_gateway_id: "vgw-zzzzzz" => "${aws_vpn_gateway.vpn_gateway_zzzz.id}" (forces new resource)

If I terraform state pull, amend the state file in the appropriate spots with:
"tunnel1_inside_cidr": "169.254.6.6/30",
"tunnel2_inside_cidr": "169.254.6.10/30",
and terraform state push then no new resource is attempted.

Terraform Version

terraform -v

Terraform v0.11.7

+ provider.aws v1.21.0
...

Terraform Configuration Files

resource "aws_vpn_connection" "xxxxxx_wan1_vpn" {
  vpn_gateway_id      = "${aws_vpn_gateway.vpn_gateway_zzzzz.id}"
  customer_gateway_id = "${aws_customer_gateway.xxxxxx_wan1.id}"
  type                = "ipsec.1"
  tunnel1_inside_cidr = "${var.mytun1}"
  tunnel2_inside_cidr = "${var.mytun2}"
  static_routes_only  = false

  tags {
    Name = "xxxxxx_wan1_vpn"
  }
}

Debug Output

Crash Output

Expected Behavior

Actual Behavior

Steps to Reproduce

Additional Context

References

bug service/ec2
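
The pull/amend/push workaround from the issue body, as an added example that is not part of the original issue or the provider's code: a Python helper that fills only the empty `tunnel1_inside_cidr`/`tunnel2_inside_cidr` attributes of one resource in a pulled state and rejects any value that is not a /30 inside 169.254.0.0/16. The version 3 state layout, the resource key `aws_vpn_connection.wan1_vpn`, the sample state and the serial bump are assumptions.

```python
import copy
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
FIELDS = ("tunnel1_inside_cidr", "tunnel2_inside_cidr")

# Constructed sample shaped like a Terraform 0.11 (format version 3) state.
SAMPLE_STATE = {
    "version": 3, "terraform_version": "0.11.7", "serial": 7,
    "lineage": "constructed-example",
    "modules": [{"path": ["root", "vpn_eu-west-1"], "outputs": {}, "resources": {
        "aws_vpn_connection.wan1_vpn": {"type": "aws_vpn_connection", "primary": {
            "id": "vpn-xxxxxxxx", "attributes": {
                "tunnel1_cgw_inside_address": "169.254.6.6", "tunnel1_inside_cidr": "",
                "tunnel2_cgw_inside_address": "169.254.6.10", "tunnel2_inside_cidr": "",
            }}}}}],
}

def patch_vpn_state(state, module_path, resource_key, cidrs):
    """Fill empty tunnelN_inside_cidr attributes; return how many were set."""
    if state.get("version") != 3:
        raise ValueError("expected state format version 3")
    for name, value in cidrs.items():
        net = ipaddress.ip_interface(value).network  # tolerates host bits, as in the report
        if (name not in FIELDS or net.version != 4 or net.prefixlen != 30
                or not net.subnet_of(LINK_LOCAL)):
            raise ValueError(f"{name}={value!r}: expected a /30 inside 169.254.0.0/16")
    changed = 0
    for module in state["modules"]:
        resource = module["resources"].get(resource_key)
        if module["path"] != module_path or resource is None:
            continue
        if resource["type"] != "aws_vpn_connection":
            raise ValueError(f"{resource_key} is not an aws_vpn_connection")
        attrs = resource["primary"]["attributes"]
        for name, value in cidrs.items():
            if attrs.get(name, "") == "":  # only fill what the import left empty
                attrs[name] = value
                changed += 1
    if changed:
        state["serial"] += 1  # assumption: bump serial so the push is seen as newer
    return changed

if __name__ == "__main__":
    state = copy.deepcopy(SAMPLE_STATE)  # in practice: json.load() of the pulled file
    wanted = {"tunnel1_inside_cidr": "169.254.6.6/30",
              "tunnel2_inside_cidr": "169.254.6.10/30"}
    count = patch_vpn_state(state, ["root", "vpn_eu-west-1"],
                            "aws_vpn_connection.wan1_vpn", wanted)
    print(f"{count} attribute(s) set, serial now {state['serial']}")
```

Keep the unmodified pulled file as a backup before `terraform state push`. The state of an `aws_vpn_connection` includes the tunnel pre-shared keys, so handle both copies as secrets.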

All 4 comments

@radeksimko we are running into this right now, is there a workaround or a patch for this that we can try?

@sh4d0wz - the workaround is mentioned in the bug report (pull state, amend state file and plan/apply). Hopefully someone is able to fix this in the import of aws_vpn_connection?

This looks fixed now with

Terraform v0.12.28
+ provider.aws v2.66.0

Hi, unfortunately, I just did a new import with 0.12.28 (start rm before).
The field is not empty, but instead of tunnel1_inside_cidr -> we can see the mask length (probably the end of the 169.254.49.52/30 CIDR)

169.254.49.53
255.255.255.252
30

Terraform v0.12.28

+ provider.aws v2.69.0