Terraform: AWS: default network ACL keeps being "changed" at each run, but no change actually happens (which is good)

Created on 3 Nov 2016 · 5 Comments · Source: hashicorp/terraform

Terraform Version

Terraform v0.7.8

Affected Resource(s)

  • aws_default_network_acl

Terraform Configuration Files

The VPC module:

variable "name" { default = "vpc" }
variable "cidr" { }

resource "aws_vpc" "vpc" {
  cidr_block           = "${var.cidr}"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags      { Name = "${var.name}" }
  lifecycle { create_before_destroy = true }
}

output "vpc_id"   { value = "${aws_vpc.vpc.id}" }
output "vpc_cidr" { value = "${aws_vpc.vpc.cidr_block}" }
output "default_network_acl_id" { value = "${aws_vpc.vpc.default_network_acl_id}" }

The network module that uses vpc (inspired by the terraform best practices repo):

module "vpc" {
  source = "./vpc"
  name = "${var.name}"
  cidr = "${var.vpc_cidr}"
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${module.vpc.default_network_acl_id}"

  ingress {
    protocol   = "-1"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = "-1"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags { Name = "${var.name}-default" }
}

Debug Output

https://gist.github.com/FlorinAndrei/ed03b78d8db47a1d672c4150af482f5f

Expected Behavior

Nothing. I made no changes to the templates. Just repeat-running "terraform plan" and "terraform apply".

Actual Behavior

"Nothing". :)

It claims to change the default ACL, but nothing is changed (which is good). But it should really not claim to make any change.

That ACL remains default, and it remains associated with all subnets.

Steps to Reproduce

  1. terraform plan -out=plan
  2. terraform apply plan

All 5 comments

Hey @FlorinAndrei – are there any Subnets defined in the configuration you're using? You cannot actually delete subnets from the default network acl; they have to be reassigned to a different ACL. If there is no other ACL, then any subnets belong to the default network ACL. If that's the case, then this is expected behavior.

It looks like those subnets exist but are not explicitly assigned to any other network acl, which explains why this is happening.

Yes, there are several subnets spread across multiple AZs. There is no ACL other than the default. Here are all the files (except for actual variable values):

https://dl.dropboxusercontent.com/u/29966/terraform/tf-2016110300.zip

The behavior here is counterintuitive and misleading. This is the steady state. The whole environment has been created. No changes are being made to the TF templates. That being the case, when running terraform plan; terraform apply the expectation is that no item would be changed.

And yet you get the warning that an ACL is about to "change". You run apply, and then when you verify the infrastructure, you find out that the ACL actually looks the same as before.

If the final state after terraform apply is the same as the state before, then Terraform should not claim to make changes. More importantly, if the initial and final state are the same, this should not be achieved by destroying an item and then re-creating it exactly the same. This is fundamental to any infrastructure and configuration management tools (Ansible, etc), not just Terraform. Try and look at it from the perspective of the user.

Same problem here (on 0.9).

Still happening on --version 0.11.7

Managed to work around this bug by adding:

  lifecycle {
    ignore_changes = ["subnet_ids"]
  }
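An added example (not from the issue or the Terraform repository) that takes the opposite approach to the workaround above: declare the subnet associations so the planned value matches what AWS reports back. The `azs` variable, the `aws_subnet` resource and the `subnet_ids` argument are assumptions not present in the original configuration.

```hcl
# Added example: pin the default ACL's subnet associations explicitly so the
# plan is a real no-op instead of a perpetual "change".
# Assumed (not on the page): var.azs, the aws_subnet resource below and the
# subnet_ids argument of aws_default_network_acl.

variable "azs" { type = "list" }

resource "aws_subnet" "private" {
  count             = "${length(var.azs)}"
  vpc_id            = "${module.vpc.vpc_id}"
  cidr_block        = "${cidrsubnet(module.vpc.vpc_cidr, 8, count.index)}"
  availability_zone = "${element(var.azs, count.index)}"
  tags { Name = "${var.name}-private-${count.index}" }
}

resource "aws_default_network_acl" "default" {
  default_network_acl_id = "${module.vpc.default_network_acl_id}"

  # AWS reports every subnet that is not attached to another ACL as belonging
  # to this one. Listing all of them here removes the diff without hiding the
  # attribute, unlike `ignore_changes = ["subnet_ids"]`, so a subnet that is
  # later moved onto this allow-all ACL outside Terraform still shows as drift.
  subnet_ids = ["${aws_subnet.private.*.id}"]

  ingress {
    protocol   = "-1"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = "-1"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags { Name = "${var.name}-default" }
}
```

Any subnet in the VPC that is on the default ACL but missing from `subnet_ids` will still produce a diff, so the list has to cover all of them.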

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
