Terraform-provider-aws: aws_dx_gateway_association_proposal recreated

Created on 2 Jul 2019 · 12Comments · Source: hashicorp/terraform-provider-aws

Terraform bug

It happens when associating a virtual private gateway with a direct connect gateway in a separate account (See AWS doc). There is a terraform resource for the proposal. But this resource is not permanent, so terraform will try to recreate it.

Terraform Version

terraform 0.11.10
terraform-provider-aws 2.12.0

Affected Resource(s)

aws_dx_gateway_association_proposal
aws_dx_gateway_association

Terraform Configuration Files

resource "aws_dx_gateway_association_proposal" "dcgw_association_proposal" {
  depends_on                  = ["aws_vpn_gateway_attachment.vpn_attachment"]
  dx_gateway_id               = "${local.dcgw_id}"
  dx_gateway_owner_account_id = "${local.shared_services_account_id}"
  associated_gateway_id       = "${aws_vpn_gateway.vpn_gw.id}"
}

resource "aws_dx_gateway_association" "dcgw_association" {
  provider = "aws.shared_services"

  proposal_id                         = "${aws_dx_gateway_association_proposal.dcgw_association_proposal.id}"
  dx_gateway_id                       = "${local.dcgw_id}"
  associated_gateway_owner_account_id = "${local.account_id}"

  timeouts {
    delete = "30m"
    create = "30m"
  }
}

Expected Behavior

Apply: create proposal, associate in other account, networks are connected
Any apply after that: No change

Actual Behavior

Apply: create proposal, associate in other account
Apply immediately: No change
Apply after a few days once the proposal has been removed by AWS: create proposal, force recreation of association, networks are disconnected for up to 20min -> DOWNTIME

Steps to Reproduce

terraform apply
Wait for a few days or delete the proposal (Example)
terraform plan: shows creation of the proposal and recreation of the association

Important Factoids

Raised a support case with AWS to understand the behaviour. Here is the response:

I relayed the same question to the service team and they have informed me that the proposal will be available as long as the "accepter" has not accepted the proposal. Once the proposal is accepted, it will disappear after some time. There is no defined time duration as to how long the proposal is available after acceptance through CLI. As we use a distributed and eventual consistency model, I would highly recommend you to not use the time the proposal remains in the CLI output after acceptance to make any design, architectural, or application decisions.

bug servicdirectconnect

Source

saliceti

👍22

Most helpful comment

I've just run into this problem as well. I tend to agree with @saliceti - this resource should be fixed or removed, as this bug is not obvious and has the potential to cause outages.

josephschadlick on 16 Aug 2019

👍7

All 12 comments

A solution here may be to modify the behavior of the aws_dx_gateway_association.proposal_id attribute so that on update if the new proposal was for the same Direct Connect gateway/associated gateway pair that no new association is created.
Maybe even allow the new value to be empty on update.
I think this could be achieved via a CustomizeDiffFunc.

ewbankkit on 4 Jul 2019

👍1

@saliceti How urgent is this to address? Thanks.

ewbankkit on 26 Jul 2019

We stopped using this resource and replaced it with boto code triggered by a provisionner.
It’s ugly but it works. So it’s not urgent anymore. Thanks.

saliceti on 27 Jul 2019

To be honest this resource is not useful in the current state. If no plan is made to fix it soon it should be removed in the meantime.

saliceti on 28 Jul 2019

👍6

I've just run into this problem as well. I tend to agree with @saliceti - this resource should be fixed or removed, as this bug is not obvious and has the potential to cause outages.

josephschadlick on 16 Aug 2019

👍7

Just ran into this issue too. Terraform created a new proposal and detached the VPC from the Direct Connect Gateway.

acarrasquillo on 16 Aug 2019

I have also ran into this issue. It should be fixed as soon as possible. Anywork around for now?

SureshGoli123 on 3 Feb 2020

We're also seeing this issue, we would prefer to avoid any messy work arounds obviously :)

huddy on 17 Feb 2020

Looking at this some more the possibility I see is to change ForceNew to false for the proposal_id attribute of the aws_dx_gateway_association.
This would mean that once a DX Gateway Association has been created, any change to the proposal_id would trigger a recreation of the resource.

ewbankkit on 19 Mar 2020

👍2

Same issue for me using the latest terraform version 0.12.24. Basically aws_dx_gateway_association_proposal removed by AWS itself within 1-3 days, so the actual id of the resource is no longer in AWS, which forces new creation.
Lifecycle ignore_changes is not helping either. The resource is literally unusable. Any estimates on the fix?

sporokh on 31 Mar 2020

👍3

I'm experiencing the same issue with terraform version 0.12.24. We need a fix ASAP, this is causing downtime if we need to add or change any resoucres.

hhh0505 on 1 Apr 2020

👍4

Encountered this too, going to omit until fixed.

piyat on 15 Jun 2020

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Using security_groups instead of the correct vpc_security_group_ids on an instance within VPC results in instance recreation on each apply

andywirv · 3Comments

Terraform support for Alexa Smart Home Lambda trigger

joelittlejohn · 3Comments

aws_elasticsearch_domain: vpc_options - subnet_ids asks for list but can only be a single value.

ccslamstack · 3Comments

tainting an ecs service and running terraform apply receives Creation of service was not idempotent

hashibot · 3Comments

aws_cloudfront_distribution - "Only one viewer certificate change may be in progress at a time"

hashibot · 3Comments