Terraform-provider-aws: Terraform aws_waf_ipset is not comparing ipv6 addresses correctly and it is causing drift on every plan

Created on 16 Sep 2018 · 4 Comments · Source: hashicorp/terraform-provider-aws


Terraform Version

terraform -v
Terraform v0.11.8
+ provider.aws v1.36.0

Affected Resource(s)

  • aws_waf_ipset

Terraform Configuration Files

provider "aws" {
  region = "us-east-1"
}

resource "aws_waf_ipset" "ipset" {
  name = "test-ipset"

  ip_set_descriptors = [
    {
      type  = "IPV4"
      value = "192.0.7.0/24"
    },
    {
      value = "2600:123:1020:2111::/64"
      type  = "IPV6"
    },
    {
      value = "2600:123:1020:2881::/64"
      type  = "IPV6"
    },
  ]
}

Debug Output

Not needed, as it can be easily reproduced.

Panic Output

Expected Behavior

The second run of terraform plan (after terraform apply) should show no difference. Instead it shows a difference every time.

Actual Behavior

Terraform is creating plans on every run. The only difference is the format of the IPv6 address (full vs. compact), which indicates that IPv6 addresses are not compared correctly:

$ terraform apply
aws_waf_ipset.ipset: Refreshing state... (ID: 914d0092-1b68-4996-b63b-13e01318ff1b)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_waf_ipset.ipset
      ip_set_descriptors.2937190556.type:  "" => "IPV6"
      ip_set_descriptors.2937190556.value: "" => "2600:123:1020:2881::/64"
      ip_set_descriptors.3390743040.type:  "IPV6" => ""
      ip_set_descriptors.3390743040.value: "2600:0123:1020:2881:0000:0000:0000:0000/64" => ""
      ip_set_descriptors.3558925536.type:  "IPV6" => ""
      ip_set_descriptors.3558925536.value: "2600:0123:1020:2111:0000:0000:0000:0000/64" => ""
      ip_set_descriptors.4037960608.type:  "IPV4" => "IPV4"
      ip_set_descriptors.4037960608.value: "192.0.7.0/24" => "192.0.7.0/24"
      ip_set_descriptors.486364652.type:   "" => "IPV6"
      ip_set_descriptors.486364652.value:  "" => "2600:123:1020:2111::/64"

Steps to Reproduce

  1. terraform apply
  2. terraform apply
  3. terraform apply
    [...]

Important Factoids

Should be reproducible on any account. If I am using the full format of the IP address, Terraform works as expected.

References

https://tools.ietf.org/html/rfc1884#page-4

Labels: bug, service/waf

All 4 comments

In fact the same applies to IPv4 addresses if written with a leading 0, e.g. 10.0.1.01

@bflad I'm looking into this, and the only way I found to solve this is overriding the Set SchemaSetFunc to normalise the unique ID of the ip_set_descriptor. Is this the right solution to fix this, and won't this cause a breaking change?

I looked into overriding SchemaDiffSuppressFunc but couldn't get it to work, probably because of the schema.TypeSet.
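As an added example that is not part of this thread or the provider's code, a Go sketch of the normalisation the comment above describes: the set key is derived from a canonical spelling of the CIDR, so the compact form in the configuration and the expanded form AWS returns become one set element. descriptorHash is a hypothetical stand-in for a SchemaSetFunc, and hashing with crc32 is an assumption about how the set key is built; the leading-zero IPv4 case from the thread is refused rather than reinterpreted.

```go
package main

import (
	"fmt"
	"hash/crc32"
	"net"
	"strings"
)

// normalizeCIDR rewrites a CIDR block into the spelling the AWS WAF API hands
// back: IPv4 without leading zeros, IPv6 expanded to eight zero-padded groups.
// IPv4 octets with a leading zero (10.0.1.01) are refused rather than guessed
// at, since parsers disagree on whether "01" is octal or decimal.
func normalizeCIDR(cidr string) (string, error) {
	addr := strings.SplitN(cidr, "/", 2)[0]
	if !strings.Contains(addr, ":") {
		for _, oct := range strings.Split(addr, ".") {
			if len(oct) > 1 && oct[0] == '0' {
				return "", fmt.Errorf("ambiguous leading zero in %q", cidr)
			}
		}
	}
	ip, ipNet, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", err
	}
	ones, bits := ipNet.Mask.Size()
	if bits == 32 {
		return fmt.Sprintf("%s/%d", ip.To4(), ones), nil
	}
	ip16 := ip.To16()
	groups := make([]string, 8)
	for i := range groups {
		groups[i] = fmt.Sprintf("%02x%02x", ip16[2*i], ip16[2*i+1])
	}
	return fmt.Sprintf("%s/%d", strings.Join(groups, ":"), ones), nil
}

// descriptorHash stands in for a custom SchemaSetFunc (hypothetical, not the
// provider's code). Hashing the normalized value makes the compact and the
// expanded spelling of one block the same set element, so no diff is planned.
func descriptorHash(ipType, value string) (int, error) {
	norm, err := normalizeCIDR(value)
	if err != nil {
		return 0, err
	}
	return int(crc32.ChecksumIEEE([]byte(ipType + "-" + norm))), nil
}
```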

We are seeing the exact same thing. Pretty annoying but not a blocker for us.

There is a workaround:
Write every CIDR block as AWS outputs them:

  • For IPv4 CIDR blocks: write NO preceding 0 (e.g. 10.0.1.1 instead of 10.0.1.01, to quote @samm-git)
  • For IPv6 CIDR blocks: write EVERY preceding and succeeding 0 (e.g. 2600:0123:1020:2881:0000:0000:0000:0000 instead of 2600:123:1020:2881, to quote O.P.)