Terraform: AWS Terraform does not handle the case of a non-existing ACL defined in the state

Created on 1 Mar 2016  ·  10 Comments  ·  Source: hashicorp/terraform

Summary

If the terraform state refers to an ACL and rules that do not exist on AWS, terraform will not be able to refresh and will fail when applying or destroying the definitions.

Issue details

Today I hit a RequestLimitExceeded error while destroying some objects including ACLs:

Error applying plan:

3 error(s) occurred:

* aws_network_acl.cell: RequestLimitExceeded: Request limit exceeded.
    status code: 503, request id: 
* aws_subnet.cf.1: Error deleting subnet: RequestLimitExceeded: Request limit exceeded.
    status code: 503, request id: 
* aws_subnet.cf.0: Error deleting subnet: RequestLimitExceeded: Request limit exceeded.
    status code: 503, request id: 

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

That is fine, you can rerun terraform, but the next run failed because the ACL was actually deleted and the state change was not reflected in the state:

Error refreshing state: 6 error(s) occurred:

* aws_network_acl.cf: InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-925cbcf6' does not exist
    status code: 400, request id: 
* aws_network_acl_rule.100_internet_cell_out: Expected to find one Network ACL, got: []*ec2.NetworkAcl(nil)
* aws_network_acl_rule.110_router_cell_in: Expected to find one Network ACL, got: []*ec2.NetworkAcl(nil)
* aws_network_acl_rule.90_local_in: Expected to find one Network ACL, got: []*ec2.NetworkAcl(nil)
* aws_network_acl_rule.100_internet_cell_in: Expected to find one Network ACL, got: []*ec2.NetworkAcl(nil)
* aws_network_acl_rule.101_internet_cell_in: Expected to find one Network ACL, got: []*ec2.NetworkAcl(nil)

Workaround

So far, I think the only solution I found is to manually edit the .tfstate to delete the missing ACLs and rules.

Expected behaviour

Terraform should detect that the ACL is missing during refresh. If it is an apply operation, try to create a new ACL, if it is a destroy, carry on.

Labels: bug, provider/aws

All 10 comments

Hi @keymon! Thanks for reporting this. I agree this is a bug in the AWS provider, and refresh should detect the missing ACLs. We'll get this fixed up.

Hey all – sorry for the trouble, this is patched in #6021

I am experiencing this exact issue. What version was this supposed to have been fixed in?

I'm running 0.7.9, and this was marked as merged back in April. Best guess is that it was fixed in late version 6.x, and that this is either a different issue or a regression.

Edit: I'm seeing the same error.

I'm seeing the same error too -> Terraform v0.8.1

yep, also seeing the same error in Terraform v0.8.4

also seeing the same error in Terraform v0.8.5

@catsby any news? Do you prefer if we open a new issue?

and v0.8.6

@catsby GH-6021 I believe fixes things when using an aws_network_acl resource. In this case, it's the aws_network_acl_rule that is failing (even on refresh)
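What the "Expected behaviour" section of the report and the comment above about aws_network_acl_rule amount to, as an added Go example that is not Terraform's or the AWS provider's own code: a refresh (read) step that treats an InvalidNetworkAclID.NotFound error or an empty DescribeNetworkAcls result as "deleted outside Terraform" and clears the resource from state, while any other error (the RequestLimitExceeded in the report, for instance) still fails the refresh, and a rule read that goes through its parent ACL so a missing ACL drops its rules too. The awsError, networkACL, describeFn, resourceState types and fakeDescribe are constructed stand-ins for the SDK and schema types, not the provider's real API.

```go
package main

// Constructed stand-ins for the SDK types the provider touches: awserr.Error,
// ec2.NetworkAcl, and a DescribeNetworkAcls call filtered by one ACL ID.
type awsError struct{ Code, Msg string }

func (e awsError) Error() string { return e.Code + ": " + e.Msg }

type networkACL struct{ ID string }
type describeFn func(aclID string) ([]networkACL, error)

// resourceState models the ID schema.ResourceData records in the state file;
// clearing it marks the resource as gone (apply recreates it, destroy skips it).
type resourceState struct{ ID string }

// readNetworkACL is the refresh step. A NotFound error or an empty result
// ("[]*ec2.NetworkAcl(nil)" in the issue) drops the resource from state
// instead of aborting refresh; any other error, such as throttling, propagates.
func readNetworkACL(d *resourceState, describe describeFn) error {
	acls, err := describe(d.ID)
	if ae, ok := err.(awsError); ok && ae.Code == "InvalidNetworkAclID.NotFound" {
		d.ID = ""
		return nil
	}
	if err != nil {
		return err
	}
	if len(acls) == 0 {
		d.ID = ""
	}
	return nil
}

// readNetworkACLRule refreshes a rule via its parent ACL: no ACL, no rule.
func readNetworkACLRule(d *resourceState, aclID string, describe describeFn) error {
	parent := &resourceState{ID: aclID}
	if err := readNetworkACL(parent, describe); err != nil {
		return err
	}
	if parent.ID == "" {
		d.ID = ""
	}
	return nil
}

// fakeDescribe is constructed sample data: the ACL ID from the issue is gone,
// any other ID is reported as existing.
func fakeDescribe(aclID string) ([]networkACL, error) {
	if aclID == "acl-925cbcf6" {
		return nil, awsError{"InvalidNetworkAclID.NotFound", "The networkAcl ID '" + aclID + "' does not exist"}
	}
	return []networkACL{{ID: aclID}}, nil
}
```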

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
