Existing AWS routing table configuration is always being registered as a change

[dictvm]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8
provider.aws v1.33.0

Affected Resource(s)

• aws_route_table

Terraform Configuration Files

resource "aws_route_table" "prod_private" {
  vpc_id = "${aws_vpc.ivx.id}"
  count  = 3

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = "${element(aws_nat_gateway.prod_gw.*.id, count.index)}"
  }

  route {
    cidr_block = "${var.site1_local_cidr}"
    gateway_id = "${aws_vpn_gateway.vpn_gateway.id}"
  }

  route {
    cidr_block = "${var.site2_local_cidr}"
    gateway_id = "${aws_vpn_gateway.vpn_gateway.id}"
  }

  route {
    cidr_block = "${var.site3_local_cidr}"
    gateway_id = "${aws_vpn_gateway.vpn_gateway.id}"
  }

  route {
    cidr_block = "${data.terraform_remote_state.us-tf.ivx_vpc_cidr}"
    gateway_id = "${aws_vpc_peering_connection.us_west_1.id}"
  }

  tags {
    Name = "prod_private_${count.index}"
  }
}

Debug Output

Panic Output

No panic occured.

Expected Behavior

Once the changes have been applied by Terraform, creating a new plan shouldn't show any changes to the state.

Actual Behavior

Everytime a plan is being created, the routing table is being modified, even though no new changes have been made to underlying terraform resources.

Steps to Reproduce

Have an existing AWS VPC Routing Table. Modify the table to resemble the changes from the pasted hcl-snippet.

1. terraform plan -out prod_routing.plan
2. terraform apply -f prod_routing.plan
3. Create a new plan: terraform plan -out prod_routing.plan

Important Factoids

References

[YakDriver]

This is due to issue #5631 and related to #5657.

[bflad]

Hi @dictvm 👋 Sorry you're running into trouble here. Can you please provide the terraform plan output you are seeing after terraform apply?

[dictvm]

@bflad sure, of course: https://gist.github.com/dictvm/334f1e4d8f3d889d2a46a40b571cd59a

[bflad]

According to the terraform plan difference, the EC2 API is returning the peering connection in the vpc_peering_connection_id attribute. If you're unfamiliar with TypeSet output its okay 😄 its confusing sometimes:

• The middle numbers (3429374882/3640882208) on the left side represent a hash of the "configuration block"
• The left value of the arrow is output from the API
• The right value of the arrow is your configuration

      route.3429374882.cidr_block:                "" => "172.22.0.0/16"
...
      route.3429374882.gateway_id:                "" => "pcx-0159fe9306c5b60b8"
...
      route.3640882208.cidr_block:                "172.22.0.0/16" => ""
...
      route.3640882208.vpc_peering_connection_id: "pcx-0159fe9306c5b60b8" => ""

If you adjust this configuration (assuming that's where the pcx-0159fe9306c5b60b8 is coming from):

  route {
    cidr_block = "${data.terraform_remote_state.us-tf.ivx_vpc_cidr}"
    gateway_id = "${aws_vpc_peering_connection.us_west_1.id}"
  }

To the below, the difference should go away:

  route {
    cidr_block = "${data.terraform_remote_state.us-tf.ivx_vpc_cidr}"
    vpc_peering_connection_id = "${aws_vpc_peering_connection.us_west_1.id}"
  }

Let us know, thanks!

[dictvm]

Hey @bflad, thanks for the proposed solution. I was on vacation until today and now I verified that it works as intended. Thank you for the explanation as well. 👍

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!