`router_interface` and `router_peer` are not deleted #1831

Closed
prolane opened this issue Jul 31, 2018 · 1 comment

prolane commented Jul 31, 2018

Hi there,

When using a cloud router for VPN between on-prem and GCP combined with dynamic routes (BGP), there is an issue when changing an attribute in the Terraform configuration for either the router_interface or the router_peer. It's actually not possible to change an attribute for one of these two resources.

When you change an attribute, Terraform will want to recreate the resource. This is fine so far, and when doing terraform apply you see output that's saying it is deleting the resource. However, in reality the resource is not deleted at all. You can check/see this either using the web UI or the gcloud CLI.

Describing the cloud router will show you the interface and the bgp-peer are still there.

gcloud compute routers describe <cloud router name>

Since the resources are still there, Terraform runs into an error in the next step when trying to recreate the resource. It will complain there is already a router_peer with that name. Which is true, because Terraform did not really delete the resource.

Terraform Version

terraform -v
Terraform v0.11.7
+ provider.google v1.16.2
+ provider.template v1.0.0

Affected Resource(s)

  • google_compute_router_interface
  • google_compute_router_peer

Terraform Configuration Files

// Cloud Router for the VPN
resource "google_compute_router" "cloud-router-vpn-nl-dc" {
  description = "Cloud router for VPN to NL DC using BGP"
  name        = "cloud-router-vpn-nl-dc"
  network     = "${google_compute_network.shared-vpc-network.name}"
  region      = "europe-west4"

  bgp {
    asn            = 65002
    advertise_mode = "DEFAULT"
  }
}

// Create VPN to on-prem
resource "google_compute_vpn_gateway" "vpn-nl-dc" {
  description = "VPN from GCP  Shared VPC to NL DC"
  name        = "vpn-nl-dc"
  network     = "${google_compute_network.shared-vpc-network.self_link}"
  region      = "europe-west4"
}

resource "google_compute_address" "gcp-vpn-gw-eu-west4" {
  description = "GCP VPN GW in europe-west-4"
  name        = "gcp-vpn-gw-eu-west4"
  region      = "europe-west4"
}

resource "google_compute_forwarding_rule" "vpn-nl-dc-rule-esp" {
  name        = "vpn-nl-dc-rule-esp"
  region      = "europe-west4"
  ip_protocol = "ESP"
  ip_address  = "${google_compute_address.gcp-vpn-gw-eu-west4.address}"
  target      = "${google_compute_vpn_gateway.vpn-nl-dc.self_link}"
}

resource "google_compute_forwarding_rule" "vpn-nl-dc-rule-udp500" {
  name        = "vpn-nl-dc-rule-udp500"
  region      = "europe-west4"
  ip_protocol = "UDP"
  port_range  = "500"
  ip_address  = "${google_compute_address.gcp-vpn-gw-eu-west4.address}"
  target      = "${google_compute_vpn_gateway.vpn-nl-dc.self_link}"
}

resource "google_compute_forwarding_rule" "vpn-nl-dc-rule-udp4500" {
  name        = "vpn-nl-dc-rule-udp4500"
  region      = "europe-west4"
  ip_protocol = "UDP"
  port_range  = "4500"
  ip_address  = "${google_compute_address.gcp-vpn-gw-eu-west4.address}"
  target      = "${google_compute_vpn_gateway.vpn-nl-dc.self_link}"
}

resource "google_compute_vpn_tunnel" "vpn-nl-dc-tunnel-1" {
  description        = "VPN tunnel to NL DC using BGP"
  name               = "vpn-nl-dc-tunnel-1"
  region             = "europe-west4"
  peer_ip            = "<IP>"
  shared_secret      = "<shared_secret>"
  target_vpn_gateway = "${google_compute_vpn_gateway.vpn-nl-dc.self_link}"
  router             = "${google_compute_router.cloud-router-vpn-nl-dc.name}"

  depends_on = [
    "google_compute_forwarding_rule.vpn-nl-dc-rule-esp",
    "google_compute_forwarding_rule.vpn-nl-dc-rule-udp500",
    "google_compute_forwarding_rule.vpn-nl-dc-rule-udp4500",
  ]
}

resource "google_compute_router_interface" "if-bgp-vpn-nl-dc" {
  name       = "if-bgp-vpn-nl-dc"
  router     = "${google_compute_router.cloud-router-vpn-nl-dc.name}"
  region     = "${google_compute_router.cloud-router-vpn-nl-dc.region}"
  ip_range   = "169.254.0.22/30"
  vpn_tunnel = "${google_compute_vpn_tunnel.vpn-nl-dc-tunnel-1.name}"
}

resource "google_compute_router_peer" "bgp-vpn-nl-dc" {
  name                      = "bgp-vpn-nl-dc"
  router                    = "${google_compute_router.cloud-router-vpn-nl-dc.name}"
  region                    = "${google_compute_router.cloud-router-vpn-nl-dc.region}"
  peer_ip_address           = "169.254.0.21"
  peer_asn                  = 65001
  advertised_route_priority = 100
  interface                 = "${google_compute_router_interface.if-bgp-vpn-nl-dc.name}"
}

Debug Output

Terraform will perform the following actions:

-/+ google_compute_router_peer.bgp-vpn-nl-dc (new resource required)
     id:                        "europe-west4/cloud-router-vpn-nl-dc/bgp-vpn-nl-dc" => <computed> (forces new resource)
     advertised_route_priority: "100" => "200" (forces new resource)
     interface:                 "if-bgp-vpn-nl-dc" => "if-bgp-vpn-nl-dc"
     ip_address:                "169.254.0.22" => <computed>
     name:                      "bgp-vpn-nl-dc" => "bgp-vpn-nl-dc"
     peer_asn:                  "65001" => "65001"
     peer_ip_address:           "169.254.0.21" => "169.254.0.21"
     project:                   "project-id" => <computed>
     region:                    "europe-west4" => "europe-west4"
     router:                    "cloud-router-vpn-nl-dc" => "cloud-router-vpn-nl-dc"


Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
 Terraform will perform the actions described above.
 Only 'yes' will be accepted to approve.

 Enter a value: yes

google_compute_router_peer.bgp-vpn-nl-dc: Destroying... (ID: europe-west4/cloud-router-vpn-nl-dc/bgp-vpn-nl-dc)
google_compute_router_peer.bgp-vpn-nl-dc: Still destroying... (ID: europe-west4/cloud-router-vpn-nl-dc/bgp-vpn-nl-dc, 10s elapsed)
google_compute_router_peer.bgp-vpn-nl-dc: Destruction complete after 12s
google_compute_router_peer.bgp-vpn-nl-dc: Creating...
 advertised_route_priority: "" => "200"
 interface:                 "" => "if-bgp-vpn-nl-dc"
 ip_address:                "" => "<computed>"
 name:                      "" => "bgp-vpn-nl-dc"
 peer_asn:                  "" => "65001"
 peer_ip_address:           "" => "169.254.0.21"
 project:                   "" => "<computed>"
 region:                    "" => "europe-west4"
 router:                    "" => "cloud-router-vpn-nl-dc"

Error: Error applying plan:

1 error(s) occurred:

* google_compute_router_peer.bgp-vpn-nl-dc: 1 error(s) occurred:

* google_compute_router_peer.bgp-vpn-nl-dc: Router cloud-router-vpn-nl-dc has peer bgp-vpn-nl-dc already

Expected Behavior

google_compute_router_peer or google_compute_router_interface should first be deleted before the new updated resources can be created.

Actual Behavior

Terraform says it deleted the resource, but in reality it was not deleted. Therefore Terraform is not able to create the new updated resource.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Make sure you have the cloud router including router-if and router-peer deployed.
  2. Change the advertised_route_priority from 100 to 200.
  3. terraform apply
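
The check described in the report, as an added example that is not part of the original issue or the provider's code: it reads the router children Terraform says it is destroying from the apply output and looks them up in the output of `gcloud compute routers describe <cloud router name> --format=json`. The describe JSON below is a constructed sample, and the function names are this example's own.

```python
import json
import re

# Terraform 0.11 apply line, e.g.
# google_compute_router_peer.x: Destroying... (ID: region/router/name)
DESTROY_RE = re.compile(
    r"^google_compute_router_(peer|interface)\.\S+: Destroying\.\.\. "
    r"\(ID: ([^/]+)/([^/]+)/([^)\s,]+)\)"
)
# Field of the Compute API Router resource that lists each child kind.
CHILD_FIELD = {"peer": "bgpPeers", "interface": "interfaces"}

# Apply output taken from the issue above.
APPLY_LOG = """\
google_compute_router_peer.bgp-vpn-nl-dc: Destroying... (ID: europe-west4/cloud-router-vpn-nl-dc/bgp-vpn-nl-dc)
google_compute_router_peer.bgp-vpn-nl-dc: Still destroying... (ID: europe-west4/cloud-router-vpn-nl-dc/bgp-vpn-nl-dc, 10s elapsed)
google_compute_router_peer.bgp-vpn-nl-dc: Destruction complete after 12s
"""

# Constructed sample of `gcloud compute routers describe ... --format=json`,
# trimmed to the fields used here; not captured from a real project.
ROUTER_JSON = """\
{"name": "cloud-router-vpn-nl-dc",
 "interfaces": [{"name": "if-bgp-vpn-nl-dc", "ipRange": "169.254.0.22/30"}],
 "bgpPeers": [{"name": "bgp-vpn-nl-dc", "interfaceName": "if-bgp-vpn-nl-dc",
               "peerIpAddress": "169.254.0.21", "peerAsn": 65001}]}
"""


def destroyed_children(apply_log):
    """Return (kind, region, router, name) for each destroy Terraform started."""
    matches = (DESTROY_RE.match(line.strip()) for line in apply_log.splitlines())
    return [m.groups() for m in matches if m]


def still_present(apply_log, routers):
    """routers maps (region, router name) to the parsed describe output."""
    stale = []
    for kind, region, router, name in destroyed_children(apply_log):
        children = routers.get((region, router), {}).get(CHILD_FIELD[kind], [])
        if any(child.get("name") == name for child in children):
            stale.append((kind, router, name))
    return stale


if __name__ == "__main__":
    routers = {("europe-west4", "cloud-router-vpn-nl-dc"): json.loads(ROUTER_JSON)}
    for kind, router, name in still_present(APPLY_LOG, routers):
        print(f"{kind} {name} still exists on router {router}")
```

A non-empty result after an apply that reported `Destruction complete` is the mismatch between Terraform's view and the router's actual configuration that this issue describes.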

ghost commented Nov 17, 2018

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 17, 2018
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-router labels Jan 15, 2025