bug: route_table reports Amazon FSx for NetApp ONTAP service routes and tag as configuration change

[awsaxeman]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.8
aws v3.62.0

Affected Resource(s)

• aws_route_table

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_route_table" "PrivateRT" {    
    vpc_id = var.vpc
    route {
    cidr_block = "0.0.0.0/0"             
    nat_gateway_id = aws_nat_gateway.NATgw.id
    }
 }

resource "aws_fsx_ontap_file_system" "fsxontap" {
    storage_capacity    = 1024
    subnet_ids          = [var.privatesubnet_1, var.privatesubnet_2]
    deployment_type     = "MULTI_AZ_1"
    throughput_capacity = 512
    preferred_subnet_id = var.privatesubnet_1
    route_table_ids = [aws_route_table.PrivateRT.id]
}

Expected Behavior

When running a terraform plan after deploying an aws_fsx_ontap_file_system resource and specifying a terraform managed route_table the output should be "No changes. Your infrastructure matches the configuration."

Actual Behavior

FSx route that is managed by the Amazon FSx for NetApp ONTAP in route table and FSX tag shows as changed.

"aws_route_table.PrivateRT will be updated in-place"
~ resource "aws_route_table" "PrivateRT" {
~ route = [
~ tags = {
~ tags_all = {

"Plan: 0 to add, 1 to change, 0 to destroy."

Steps to Reproduce

1. terraform apply
2. terraform plan

References

• Feature Request: Amazon FSx for NetApp ONTAP #20778

[awsaxeman]

Working on it

[ewbankkit]

 % terraform plan
...
  # aws_route_table.test has been changed
  ~ resource "aws_route_table" "test" {
        id               = "rtb-057a228c2dd86416e"
      ~ route            = [
          + {
              + carrier_gateway_id         = ""
              + cidr_block                 = "198.19.255.23/32"
              + destination_prefix_list_id = ""
              + egress_only_gateway_id     = ""
              + gateway_id                 = ""
              + instance_id                = ""
              + ipv6_cidr_block            = ""
              + local_gateway_id           = ""
              + nat_gateway_id             = ""
              + network_interface_id       = "eni-0993c2d317e67588a"
              + transit_gateway_id         = ""
              + vpc_endpoint_id            = ""
              + vpc_peering_connection_id  = ""
            },
            # (1 unchanged element hidden)
        ]
      ~ tags             = {
          + "AmazonFSx" = "ManagedByAmazonFSx"
            # (1 unchanged element hidden)
        }
      ~ tags_all         = {
          + "AmazonFSx" = "ManagedByAmazonFSx"
            # (1 unchanged element hidden)
        }
        # (4 unchanged attributes hidden)
    }
...

[ewbankkit]

provider "aws" {
  ignore_tags {
    keys = ["AmazonFSx"]
  }
}

will fix the tags diff.

[ewbankkit]

To address the route diff you could use a separate aws_route resource for the NAT Gateway route (and have no routes specified in aws_route_table).

[awsaxeman]

Thanks @ewbankkit, I think the trouble is we can't guarantee how a customer may have their network definitions setup in terraform. The provided config is just one easy example but the customer could have many different network configurations and whoever is managing the network configuration may or may not be aware of the FSx configuration. It may be two different teams managing FSx and the network definition.

[ewbankkit]

I ran a Whois on that address range - https://search.arin.net/rdap/?query=198.19.255.23%2F32 - and:

Addresses starting with "198.18." or "198.19." are set aside for use in isolated laboratory networks used for benchmarking and performance testing. They should never appear on the Internet and if you see Internet traffic using these addresses, they are being used without permission.

[awsaxeman]

These are used internally, not over the internet.

[github-actions]

This functionality has been released in v3.64.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.