Terraform: Unable to create aws_route with destination_ipv6_cidr_block attribute

Created on 5 Apr 2017 · 8 Comments · Source: hashicorp/terraform

Terraform Version

0.9.2

Affected Resource(s)

  • aws_route

Terraform Configuration Files

main.tf:

~~~
provider "aws" {
  region = "eu-west-1"
}

# A VPC with IPv6 enabled
resource "aws_vpc" "vpc" {
  cidr_block                       = "10.0.0.0/16"
  instance_tenancy                 = "default"
  assign_generated_ipv6_cidr_block = true
}

resource "aws_internet_gateway" "gw" {
  vpc_id = "${aws_vpc.vpc.id}"
}

# A test subnet
resource "aws_subnet" "sn" {
  vpc_id            = "${aws_vpc.vpc.id}"
  cidr_block        = "10.0.0.0/20"
  availability_zone = "eu-west-1a"
}

# Works as expected
resource "aws_route" "ipv4-outbound" {
  route_table_id         = "${aws_vpc.vpc.main_route_table_id}"
  gateway_id             = "${aws_internet_gateway.gw.id}"
  destination_cidr_block = "0.0.0.0/0"
}

# NOTE: Fails to create!
resource "aws_route" "ipv6-outbound" {
  route_table_id              = "${aws_vpc.vpc.main_route_table_id}"
  gateway_id                  = "${aws_internet_gateway.gw.id}"
  destination_ipv6_cidr_block = "::/0"
}
~~~

Expected Behaviour

IPv6 outbound route is added to the default route table for the vpc called "vpc"

Actual behaviour

Terraform fails to add the IPv6 route, and returns the below error.

In particular, it prints "The request must contain the parameter destinationCidrBlock or destinationIpv6CidrBlock" even though destination_ipv6_cidr_block is specified (as in the docs).

~~~
Error applying plan:

1 error(s) occurred:

* aws_route.ipv6-outbound: 1 error(s) occurred:

* aws_route.ipv6-outbound: Error creating route: MissingParameter: The request must contain the parameter destinationCidrBlock or destinationIpv6CidrBlock
    status code: 400, request id: <REMOVED>
~~~

Steps to reproduce

~~~
terraform apply
~~~


All 8 comments

Hi @statusfailed

I have just looked into this and I am afraid to say it isn't actually a bug. Basically, when using IPv6, you need a different type of Internet Gateway - Egress only Internet Gateway

Therefore, the config for ipv6_outbound should look as follows:

~~~
resource "aws_egress_only_internet_gateway" "ipv6_igw" {
  vpc_id = "${aws_vpc.vpc.id}"
}

resource "aws_route" "ipv6-outbound" {
  route_table_id              = "${aws_vpc.vpc.main_route_table_id}"
  egress_only_gateway_id      = "${aws_egress_only_internet_gateway.ipv6_igw.id}"
  destination_ipv6_cidr_block = "::/0"
}
~~~

This then works as expected - I have just pushed a documentation change

Let me know if this doesn't work for you

Paul

@stack72

egress_only_gateway passes egress traffic only. Ingress traffic is blocked.

If we want to get ingress access via IPv6, we still need to route to the regular Internet Gateway instead of the Egress only Internet Gateway.

I think the main issue is that Terraform does not post the destination_ipv6_cidr_block with gateway_id.
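
The gateway distinction raised in this thread, as an added example (not code from the issue or from Terraform): a Python check that classifies every `aws_route` for the IPv6 default route by its target, because a route to a regular internet gateway also lets inbound IPv6 reach the subnet while an egress-only gateway does not. It assumes state JSON in the `terraform show -json` layout of Terraform releases newer than the 0.9.x discussed here; the sample state and the `igw-0example` / `eigw-0example` IDs are constructed.

```python
import ipaddress
import json

# Constructed sample in the `terraform show -json` state layout (not from the thread).
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {
  "resources": [
    {"address": "aws_route.ipv4-outbound", "type": "aws_route",
     "values": {"destination_cidr_block": "0.0.0.0/0", "gateway_id": "igw-0example"}},
    {"address": "aws_route.ipv6-outbound", "type": "aws_route",
     "values": {"destination_ipv6_cidr_block": "::/0", "gateway_id": "igw-0example"}}],
  "child_modules": [{"resources": [
    {"address": "module.private.aws_route.ipv6-egress", "type": "aws_route",
     "values": {"destination_ipv6_cidr_block": "::0/0", "gateway_id": "",
                "egress_only_gateway_id": "eigw-0example"}}]}]
}}}
""")

def is_ipv6_default(cidr):
    """True if cidr parses to the IPv6 default route, however it is spelled."""
    try:
        return ipaddress.ip_network(cidr, strict=False) == ipaddress.IPv6Network("::/0")
    except (ValueError, TypeError):
        return False  # attribute missing or not a valid CIDR

def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def classify_ipv6_default_routes(state):
    """Map each aws_route for ::/0 to 'bidirectional', 'egress-only' or 'other'."""
    findings = {}
    for res in iter_resources(state.get("values", {}).get("root_module", {})):
        vals = res.get("values") or {}
        dest = vals.get("destination_ipv6_cidr_block")
        if res.get("type") != "aws_route" or not is_ipv6_default(dest):
            continue
        kind = "other"              # some other target type
        if vals.get("egress_only_gateway_id"):
            kind = "egress-only"    # outbound only, inbound IPv6 is blocked
        elif (vals.get("gateway_id") or "").startswith("igw-"):
            kind = "bidirectional"  # inbound IPv6 can reach the subnet
        findings[res["address"]] = kind
    return findings

if __name__ == "__main__":
    print(classify_ipv6_default_routes(SAMPLE_STATE))
```

Routes reported as `bidirectional` are the ones whose subnets depend on security groups and network ACLs alone to filter inbound IPv6.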

@stack72 I confirm we need the gateway_id set to the VPC internet gateway to have IPv6 ingress access. So it's a bug.

@stack72 I can get this to work in the AWS console without using an egress only internet gateway, so I think this should be reopened

works in AWS console, does not work with terraform

This is still an issue with v0.9.5

Hi @statusfailed

Please can you retry this with Terraform 0.9.6? I believe I fixed the issue in that release.

Thanks

Paul

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
