VPCLink creation issues (NLB is already associated with another VPC Endpoint Service)

[Brother-Andy]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.21
aws provider version 2.54.0

Affected Resource(s)

aws_api_gateway_vpc_link

Terraform Configuration Files

resource "aws_api_gateway_vpc_link" "main" {
  name        = "vpclink-myconnector"
  target_arns = [aws_lb.example.arn]
}

Expected Behavior

I have a load balancer that has already been attached to the vpclink.
I want to provision a new vpclink resource with the same balancer.
Terraform should fail with the appropriate error and write vpclink resource to the state file (since it has been provisioned but failed to start).
terraform destroy command should remove failed vpclink

Actual Behavior

When I try to attach NLB to the new VPCLink using terraform I receive an error:

Error: Error waiting for APIGateway Vpc Link status to be "AVAILABLE": unexpected state 'FAILED', wanted target 'AVAILABLE'. last error: %!s(<nil>)

  on main.tf line 17, in resource "aws_api_gateway_vpc_link" "main":
  17: resource "aws_api_gateway_vpc_link" "main" {

In fact API Gateway console returns a more convenient error:
VPC link creation failed
NLB is already associated with another VPC Endpoint Service.

When I execute terraform destroy, it does not remove failed VPCLink resource since information about its provisioning wasn't added to the state file (I guess because of error).

Steps to Reproduce

1. Create vpclink A and attach a balancer to it.
2. Create vpclink B and attach the same balancer to it (terraform apply).
3. Receive an error.
4. Execute terraform destroy
5. Check console and make sure that failed vpclink is still there.

[ewbankkit]

My guess is that it's the d.SetId("") here that is at fault:

terraform-provider-aws/aws/resource_aws_api_gateway_vpc_link.go

Lines 71 to 83 in 41561e8

	stateConf := &resource.StateChangeConf{
	Pending: []string{apigateway.VpcLinkStatusPending},
	Target: []string{apigateway.VpcLinkStatusAvailable},
	Refresh: apigatewayVpcLinkRefreshStatusFunc(conn, *resp.Id),
	Timeout: 8 * time.Minute,
	MinTimeout: 3 * time.Second,
	}
	_, err = stateConf.WaitForState()
	if err != nil {
	d.SetId("")
	return fmt.Errorf("Error waiting for APIGateway Vpc Link status to be \"%s\": %s", apigateway.VpcLinkStatusAvailable, err)
	}

The VPC link has been created but does not reach the Available state because of the stated error but we are unsetting the ID of the create resource which means it isn't stored to the state file.

[trahloff-deloitte]

+1 @ewbankkit's suspicion.

This also leads to Terraform creating a new (failing) VPC Link for each apply because the created VPC Link is not persisted into the state.

[ghost]

This has been released in version 3.34.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!