Unnecessary vpc/subnet recreation planned when modifying ipv6 settings

[philipl]

Using the AWS API or Console, it is possible to add and remove ipv6 cidr block associations from vpcs and subnets without recreating them. However, terraform insists that recreation is required, which is obviously highly disruptive.

Additionally, if you experiment in the console with toggling IPv6 (so you turn it on and then turn it off), terraform will think that it is still on and say it must do a re-creation to turn it off (even though it is off). This effectively leads to a situation where you cannot actually turn IPv6 off on a vpc or subnet because terraform will demand to recreate.

Additionally, to turn IPv6 on without re-creation, you must turn it on using the API or console and then terraform will see that the state is consistent and not force re-creation.

For example:

-/+ module.networking.aws_subnet.private_subnet.1
    assign_ipv6_address_on_creation: "false" => "false"
    availability_zone:               "us-west-2b" => "us-west-2b"
    cidr_block:                      "10.6.128.0/18" => "10.6.128.0/18"
    ipv6_cidr_block:                 "2600:1f14:917:700::/64" => "" (forces new resource)
    ipv6_cidr_block_association_id:  "subnet-cidr-assoc-722fcb1b" => "<computed>"
    map_public_ip_on_launch:         "false" => "false"
    tags.%:                          "1" => "1"
    tags.Name:                       "thunderhead-dev.internal.us-west-2b" => "thunderhead-dev.internal.us-west-2b"
    vpc_id:                          "vpc-3e61cd5a" => "vpc-3e61cd5a"

Terraform Version

0.9.2

Affected Resource(s)

• aws_vpc
• aws_subnet

Terraform Configuration Files

resource "aws_vpc" "vpc" {
    cidr_block = "${var.vpc_cidr}"
    instance_tenancy = "default"

    enable_dns_hostnames = true
    enable_dns_support = true

    assign_generated_ipv6_cidr_block = "${var.use_ipv6}"
    lifecycle {
        prevent_destroy = true
    }

    tags {
        Name = "${var.vpc_name}"
    }
}

# Public Subnets
resource "aws_subnet" "public_subnet" {
    count = "${var.public_subnets_count}"

    vpc_id = "${aws_vpc.vpc.id}"

    cidr_block = "${element(split(",", var.public_subnets), count.index)}"
    ipv6_cidr_block = "${var.use_ipv6 == 0 ? "" :
                         cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, count.index)}"

    availability_zone = "${element(split(",", var.availability_zones), count.index)}"

    map_public_ip_on_launch = "${var.public_subnet_map_public_ip_on_launch}"
    assign_ipv6_address_on_creation = "${var.use_ipv6}"                                                                              

    tags {
        Name = "${format("%s.external.%s", var.vpc_name, element(split(",", var.availability_zones), count.index) )}"
    }
}

Expected Behavior

Terraform should be able to add/remove ipv6 cidr blocks from VPCs and Subnets without recreating them.

Actual Behavior

Terraform says it must recreate the vpc or subnet to add/remove ipv6 cidr blocks

Steps to Reproduce

1. terraform plan

Important Factoids

[stack72]

Hi @philipl

Terraform can now, as of 0.9.3, enable / disable IPv6 from aws_vpc. The only actions available on a subnet to modify are map_public_ip_on_launch and assign_ipv6_address_on_creation so any changes to IPv6 CIDR block will definitely need a subnet recreation

Please let me know if this isn't the case for you

Thanks

Paul

[philipl]

I'm glad this works for VPCs now, but you can use the '(dis)associate-subnet-cidr-block' to add/remove an ipv6 block from an existing subnet. So it is possible.

[stack72]

You are 100% correct - reopening and will work on this today :)

[stack72]

Hi @philipl

Just sent a PR that fixes this :)

Paul

[philipl]

Cheers!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.