Terraform: Terraform apply fails on subnet dependency

Created on 27 Jun 2017  ยท  12Comments  ยท  Source: hashicorp/terraform

Terraform Version

0.9.8

Affected Resource(s)

  • aws_network_acl

Terraform Configuration Files

resource "aws_subnet" "private" {
  vpc_id            = "${var.vpc_id}"
  cidr_block        = "172.31.0.0/20"
  availability_zone = "ap-south-1a"

  tags {
    Name         = "private-subnet-1"
    role         = "k8s"
    az           = "ap-south-1a"
    environment  = "qa"
  }
}

data "aws_subnet" "k8s" {
  vpc_id = "${var.vpc_id}"

  filter {
    name   = "tag:role"
    values = ["k8s"]
  }

  filter {
    name   = "tag:az"
    values = ["ap-south-1a"]
  }

  filter {
    name   = "tag:environment"
    values = ["qa"]
  }

  //depends_on = ["aws_subnet.private"]
}

resource "aws_network_acl" "k8s" {
  vpc_id     = "${var.vpc_id}"
  subnet_ids = ["${data.aws_subnet.k8s.*.id}"]

  ingress {
    from_port  = 80
    to_port    = 80
    rule_no    = 100
    action     = "allow"
    protocol   = "udp"
    cidr_block = "0.0.0.0/0"
  }

  egress {
    from_port  = 80
    to_port    = 80
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = "0.0.0.0/0"
  }

  depends_on = ["aws_subnet.private"]
}

Debug Output

https://gist.github.com/SanchitBansal/ed0b7eb3ec3f4f94eba4a0e481bd2190

Panic Output

https://gist.github.com/SanchitBansal/e02526d1d19992d206bf7da59cb49f26

Expected Behavior

creation of private subnet and ACL.

Actual Behavior

On first execution of resources, private subnet was created successfully but got error in datasource that no matching subnet was found, then I executed it again and everything got created fine. After spending few minutes on error, I analysed that datasource execution is happening earlier than subnet creation because of which it failed to find subnet. Then I added private subnet as dependency in datasource which resulted in giving me error saying bug in terraform

Steps to Reproduce

  1. terraform apply
  2. terraform apply
  3. Uncomment dependency in datasource
  4. terraform apply
bug core
Source
picture SanchitBansal

All 12 comments

One solution could be to destroy everything and create fresh infra with pre defined dependency in datasource, it works fine. But as I already have my applications running so not feasible to destroy them. Please help me to resolve this.

SanchitBansal picture SanchitBansal on 27 Jun 2017

Hi @SanchitBansal,

I think you have something else going on here that's not represented by your example.

Like you mentioned, the data source is loaded early on, during refresh, and that is going to fail if the subnet doesn't exist. This means that the plan would have failed and nothing would have been applied.

I see in the output that the some of this is in a module; can you share how that is structured?

jbardin picture jbardin on 28 Jun 2017

that's the problem, it doesn't give error while plan. And on terraform apply, it even creates the resources and give error for just data source. That's why on reapplying, it creates that as well.

SanchitBansal picture SanchitBansal on 28 Jun 2017
👍1

Sorry, what I'm saying is that this example as presented _will_ give an error on plan, and prevent anything from applying. I'm trying to determine what might be different in your environment that allows it to partially apply.

jbardin picture jbardin on 28 Jun 2017

ok, actually I am creating lot of other things too like vpc, public subnets, other private subnets, nat gateways, route53 etc. And the concern here is it does not actually fails on pre load of data source which was expected.

SanchitBansal picture SanchitBansal on 28 Jun 2017

@jbardin for your more clarification, I have added actual console logs of vpc, private subnet creation.
https://gist.github.com/SanchitBansal/d49077e7450fd0c742bb67ad7d7a10a6
here you can clearly see that it didn't give me error while planning, but actually created vpc, private subnet, route tables and then gave error. It is very strange behaviour.

SanchitBansal picture SanchitBansal on 28 Jun 2017

OK, so it looks like you have multiple modules involved here too. I'll see if I can piece together a reproduction case from that output.

jbardin picture jbardin on 29 Jun 2017

@jbardin did you get time to look into it. If you need anything from me then let me know. I can share complete modules too if required.

SanchitBansal picture SanchitBansal on 4 Jul 2017

@SanchitBansal - sorry for the slow response here. I'll hopefully get to take a stab at this this week. I'll let you know if I need more info, but as always, if you have a minimal reproduction that runs from scratch it's always appreciated!

Thanks!

jbardin picture jbardin on 5 Jul 2017

I have a similar issue ... in a infra module i create base infrastructure (vpc etc) and use another module to wrap creating new subnets and adding routing. The subnet module uses a data.aws_vpc to grab the vpc id rather than passing variables but unfortunately is fails on start due to it not finding the VPC yet

module.master.data.aws_vpc.selected: data.aws_vpc.selected: no matching VPC found

module "compute" {
  source         = "git::<source>"

  name           = "compute"
  environment    = "${var.environment}"
  tables         = "${module.infra.zone_rt_id}"
  zones          = [ "${data.aws_availability_zones.selected.names}" ]
  network_offset = 100
  tags         = {
    Role = "compute"
  }
}

I assumed because of reference to module.infra.zone_rt_id there would be an implied dependencies :-( ... I have to comment out everything other than infra before i can build. Even using a target doesn't work due to the counts 

[test@terraform] (master) $ plan -target module.infra
....
* module.infra.aws_eip.nat_ips: aws_eip.nat_ips: value of 'count' cannot be computed
* module.infra.aws_subnet.elb_subnets: aws_subnet.elb_subnets: value of 'count' cannot be computed
* module.infra.aws_subnet.nat_subnets: aws_subnet.nat_subnets: value of 'count' cannot be computed

using version: v0.9.11

gambol99 picture gambol99 on 14 Jul 2017
👍1

@SanchitBansal: it looks like the diff mismatch error has since been taken care of. This config will still have issue with the depends_on in the data source (which we're tracking in #11806), but you shouldn't be able to get into the broken state any longer.

jbardin picture jbardin on 16 Nov 2017

I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

hashibot[bot] picture hashibot[bot] on 6 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

cpoole picture cpoole  ยท  3Comments
rjinski picture rjinski  ยท  3Comments
Seraf picture Seraf  ยท  3Comments
zeninfinity picture zeninfinity  ยท  3Comments
thebenwaters picture thebenwaters  ยท  3Comments