
aws_vpn_connection - inside_tunnel_cidr swapped between tunnel interfaces #5809

Closed
ppieprzycki opened this issue Sep 7, 2018 · 5 comments · Fixed by #19077
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

@ppieprzycki
Terraform Version

Terraform v0.11.8

  • provider.aws v1.35.0

Affected Resource(s)

"aws_vpn_connection"

Terraform Configuration Files

We create the resource by using a module:

```
module "vpn_gateway_main" {
  source                = "../terraform-aws-vpn-gateway.git"
  create_vpn_connection = "${var.create_vpn ? 1 : 0}"

  vpn_gateway_id      = "${module.vpc.vgw_id}"
  customer_gateway_id = "${local.vpn_main_cgw_id}"

  tunnel1_inside_cidr           = "${local.vpn1_tunnel1_cidr}"
  tunnel2_inside_cidr           = "${local.vpn1_tunnel2_cidr}"
  vpc_id                        = "${module.vpc.vpc_id}"
  create_vpn_gateway_attachment = false
}
```

From the module, the resource is created as follows
(https://github.com/terraform-aws-modules/terraform-aws-vpn-gateway/blob/master/main.tf):

```
resource "aws_vpn_connection" "tunnel" {
  count = "${var.create_vpn_connection && length(var.tunnel1_inside_cidr) > 0 && length(var.tunnel2_inside_cidr) > 0 && length(var.tunnel1_preshared_key) == 0 && length(var.tunnel2_preshared_key) == 0 ? 1 : 0}"

  vpn_gateway_id      = "${var.vpn_gateway_id}"
  customer_gateway_id = "${var.customer_gateway_id}"
  type                = "ipsec.1"

  static_routes_only = "${var.vpn_connection_static_routes_only}"

  tunnel1_inside_cidr = "${var.tunnel1_inside_cidr}"
  tunnel2_inside_cidr = "${var.tunnel2_inside_cidr}"

  tags = "${merge(
    map(
      "Name", "VPN Connection between VPC ${var.vpc_id} and Customer Gateway ${var.customer_gateway_id}"
    ),
    var.tags
  )}"
}
```

Debug Output

```
#terraform apply

module.account_vpc1.module.vpn_gateway_main.aws_vpn_connection.tunnel: Creating...
  customer_gateway_configuration: "" => "<computed>"
  customer_gateway_id:            "" => "cgw-07eb19a67ffa83222"
  routes.#:                       "" => "<computed>"
  static_routes_only:             "" => "false"
  tags.%:                         "" => "1"
  tags.Name:                      "" => "VPN Connection between VPC vpc-070021af585778888 and Customer Gateway cgw-07eb19a67ffa83222"
  tunnel1_address:                "" => "<computed>"
  tunnel1_bgp_asn:                "" => "<computed>"
  tunnel1_bgp_holdtime:           "" => "<computed>"
  tunnel1_cgw_inside_address:     "" => "<computed>"
  tunnel1_inside_cidr:            "" => "169.254.10.0/30"
  tunnel1_preshared_key:          "<sensitive>" => "<sensitive>"
  tunnel1_vgw_inside_address:     "" => "<computed>"
  tunnel2_address:                "" => "<computed>"
  tunnel2_bgp_asn:                "" => "<computed>"
  tunnel2_bgp_holdtime:           "" => "<computed>"
  tunnel2_cgw_inside_address:     "" => "<computed>"
  tunnel2_inside_cidr:            "" => "169.254.10.4/30"
  tunnel2_preshared_key:          "<sensitive>" => "<sensitive>"
  tunnel2_vgw_inside_address:     "" => "<computed>"
  type:                           "" => "ipsec.1"
  vgw_telemetry.#:                "" => "<computed>"
  vpn_gateway_id:                 "" => "vgw-024f5f47d937a4adb"

module.account_vpc1.module.vpn_gateway_secondary.aws_vpn_connection.tunnel: Creating...
  customer_gateway_configuration: "" => "<computed>"
  customer_gateway_id:            "" => "cgw-0f5f408a10dda83111"
  routes.#:                       "" => "<computed>"
  static_routes_only:             "" => "false"
  tags.%:                         "" => "1"
  tags.Name:                      "" => "VPN Connection between VPC vpc-070021af585778888 and Customer Gateway cgw-0f5f408a10dda83111"
  tunnel1_address:                "" => "<computed>"
  tunnel1_bgp_asn:                "" => "<computed>"
  tunnel1_bgp_holdtime:           "" => "<computed>"
  tunnel1_cgw_inside_address:     "" => "<computed>"
  tunnel1_inside_cidr:            "" => "169.254.10.8/30"
  tunnel1_preshared_key:          "<sensitive>" => "<sensitive>"
  tunnel1_vgw_inside_address:     "" => "<computed>"
  tunnel2_address:                "" => "<computed>"
  tunnel2_bgp_asn:                "" => "<computed>"
  tunnel2_bgp_holdtime:           "" => "<computed>"
  tunnel2_cgw_inside_address:     "" => "<computed>"
  tunnel2_inside_cidr:            "" => "169.254.10.12/30"
  tunnel2_preshared_key:          "<sensitive>" => "<sensitive>"
  tunnel2_vgw_inside_address:     "" => "<computed>"
  type:                           "" => "ipsec.1"
  vgw_telemetry.#:                "" => "<computed>"
  vpn_gateway_id:                 "" => "vgw-024f5f47d937a4adb"
```

Panic Output

```
#terraform state show module.account_vpc1.module.vpn_gateway_main.aws_vpn_connection.tunnel

VPN connection 1
customer_gateway_id                           = cgw-07eb19a67ffa83222
routes.#                                      = 0
static_routes_only                            = false
tags.%                                        = 1
tags.Name                                     = VPN Connection between VPC vpc-070021af58578888 and Customer Gateway cgw-07eb19a67ffa83222
tunnel1_address                               = 18.184.98.78
tunnel1_bgp_asn                               = 64512
tunnel1_bgp_holdtime                          = 30
tunnel1_cgw_inside_address                    = 169.254.10.6
tunnel1_inside_cidr                           = 169.254.10.0/30
tunnel1_preshared_key                         = password
tunnel1_vgw_inside_address                    = 169.254.10.5
tunnel2_address                               = 35.158.222.155
tunnel2_bgp_asn                               = 64512
tunnel2_bgp_holdtime                          = 30
tunnel2_cgw_inside_address                    = 169.254.10.2
tunnel2_inside_cidr                           = 169.254.10.4/30
tunnel2_preshared_key                         = password
tunnel2_vgw_inside_address                    = 169.254.10.1
```

```
#terraform state show module.account_vpc1.module.vpn_gateway_secondary.aws_vpn_connection.tunnel

customer_gateway_id                           = cgw-0f5f408a10dda8111
routes.#                                      = 0
static_routes_only                            = false
tags.%                                        = 1
tags.Name                                     = VPN Connection between VPC vpc-070021af585778888 and Customer Gateway cgw-0f5f408a10dda8111
tunnel1_address                               = 18.196.49.49
tunnel1_bgp_asn                               = 64512
tunnel1_bgp_holdtime                          = 30
tunnel1_cgw_inside_address                    = 169.254.10.10
tunnel1_inside_cidr                           = 169.254.10.8/30
tunnel1_preshared_key                         = password
tunnel1_vgw_inside_address                    = 169.254.10.9
tunnel2_address                               = 35.158.82.179
tunnel2_bgp_asn                               = 64512
tunnel2_bgp_holdtime                          = 30
tunnel2_cgw_inside_address                    = 169.254.10.14
tunnel2_inside_cidr                           = 169.254.10.12/30
tunnel2_preshared_key                         = password
tunnel2_vgw_inside_address                    = 169.254.10.13
type                                          = ipsec.1
```

Expected Behavior

We created two VPN connections, called "main" and "secondary" in the output, to separate customer gateways. Both IPsec connections have two tunnels inside.
To prevent conflicts we manually assign the CIDR inside each tunnel.

The first IPsec connection has:
Connection "main":
tunnel1_cidr: 169.254.10.0/30
tunnel2_cidr: 169.254.10.4/30

Connection "secondary":
tunnel1_cidr: 169.254.8.0/30
tunnel2_cidr: 169.254.12.4/30

Actual Behavior

From time to time I can see that IP addresses are swapped between tunnel interfaces within a single connection.
It doesn't occur every time, but quite often.

As we can see in the terraform state show output, we have the problem in the first connection.
We assigned CIDR 169.254.10.0/30, and it is visible while we are creating the resource, but at the end we obtain the addresses for the second interface:

```
tunnel1_cgw_inside_address = 169.254.10.6
tunnel1_inside_cidr = 169.254.10.0/30
tunnel1_vgw_inside_address = 169.254.10.5

tunnel2_cgw_inside_address = 169.254.10.2
tunnel2_inside_cidr = 169.254.10.4/30
tunnel2_vgw_inside_address = 169.254.10.1
```

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@ppieprzycki ppieprzycki changed the title aws_vpn_connection aws_vpn_connection - inside_tunnel_cidr swapped between tunnel interfaces Sep 7, 2018
@bflad bflad added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. labels Sep 26, 2018
selslack commented Dec 2, 2019

Can this be looked at by anybody?

selslack commented Dec 3, 2019

The root cause, from my understanding, is that cgw_inside_address and vgw_inside_address are being sourced from customer_gateway_configuration XML while inside_cidr is sourced from the input.

Please correct me if I'm wrong.

@bflad bflad self-assigned this Apr 23, 2021
bflad added a commit that referenced this issue Apr 23, 2021
…_*` ordering when `tunnel1_inside_cidr`, `tunnel1_inside_ipv6_cidr`, or `tunnel1_preshared_key` is configured

Reference: #396
Reference: #3359
Reference: #4728
Reference: #5809
Reference: #11293

Previously (race condition of automatically assigned outside IP addresses):

```
=== CONT  TestAccAWSVpnConnection_tunnelOptions
resource_aws_vpn_connection_test.go:210: Step 15/15 error: Check failed: Check 4/6 error: aws_vpn_connection.test: Attribute 'tunnel1_preshared_key' expected "12345678", got "abcdefgh"
--- FAIL: TestAccAWSVpnConnection_tunnelOptions (738.28s)
```

Output from acceptance testing:

```
--- PASS: TestAccAWSVpnConnection_Tunnel1PresharedKey (251.02s)
--- PASS: TestAccAWSVpnConnection_withoutStaticRoutes (263.77s)
--- PASS: TestAccAWSVpnConnection_Tunnel1InsideCidr (335.14s)
--- PASS: TestAccAWSVpnConnection_tunnelOptions (342.30s)
--- PASS: TestAccAWSVpnConnection_disappears (388.07s)
--- PASS: TestAccAWSVpnConnection_tags (445.29s)
--- PASS: TestAccAWSVpnConnection_basic (797.33s)
--- PASS: TestAccAWSVpnConnection_withIpv6 (1235.35s)
--- PASS: TestAccAWSVpnConnection_TransitGatewayID (1235.72s)
--- PASS: TestAccAWSVpnConnection_withEnableAcceleration (1352.28s)
--- PASS: TestAccAWSVpnConnection_Tunnel1InsideIpv6Cidr (1595.79s)
```
bflad added a commit that referenced this issue Apr 23, 2021
…_*` ordering when `tunnel1_inside_cidr`, `tunnel1_inside_ipv6_cidr`, or `tunnel1_preshared_key` is configured (#19077)

* resource/aws_vpn_connection: Prevent flipped `tunnel1_*` and `tunnel2_*` ordering when `tunnel1_inside_cidr`, `tunnel1_inside_ipv6_cidr`, or `tunnel1_preshared_key` is configured

Reference: #396
Reference: #3359
Reference: #4728
Reference: #5809
Reference: #11293

Previously (race condition of automatically assigned outside IP addresses):

```
=== CONT  TestAccAWSVpnConnection_tunnelOptions
resource_aws_vpn_connection_test.go:210: Step 15/15 error: Check failed: Check 4/6 error: aws_vpn_connection.test: Attribute 'tunnel1_preshared_key' expected "12345678", got "abcdefgh"
--- FAIL: TestAccAWSVpnConnection_tunnelOptions (738.28s)
```

Output from acceptance testing:

```
--- PASS: TestAccAWSVpnConnection_Tunnel1PresharedKey (251.02s)
--- PASS: TestAccAWSVpnConnection_withoutStaticRoutes (263.77s)
--- PASS: TestAccAWSVpnConnection_Tunnel1InsideCidr (335.14s)
--- PASS: TestAccAWSVpnConnection_tunnelOptions (342.30s)
--- PASS: TestAccAWSVpnConnection_disappears (388.07s)
--- PASS: TestAccAWSVpnConnection_tags (445.29s)
--- PASS: TestAccAWSVpnConnection_basic (797.33s)
--- PASS: TestAccAWSVpnConnection_withIpv6 (1235.35s)
--- PASS: TestAccAWSVpnConnection_TransitGatewayID (1235.72s)
--- PASS: TestAccAWSVpnConnection_withEnableAcceleration (1352.28s)
--- PASS: TestAccAWSVpnConnection_Tunnel1InsideIpv6Cidr (1595.79s)
```

* tests/resource/aws_vpn_connection: Add nosemgrep comment for errant situation

* resource/aws_vpn_connection: Fix comment typo
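As an added illustration (not code from the provider, the module, or anyone on this thread) of the root cause selslack describes above, that cgw_inside_address and vgw_inside_address come from the customer_gateway_configuration XML while inside_cidr echoes the input, and of the ordering fix the commit above names: a small Go program that parses a constructed sample of that XML, shows that taking tunnel1 from document position yields inside addresses outside the configured tunnel1_inside_cidr, and instead keys the ordering on the configured CIDR. The XML element names, the sample document and the function names (parseTunnels, consistent, byConfiguredCIDR) are assumptions made for this example; the addresses are the ones from the issue's debug output.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net"
)

// Minimal structs for the parts of the customer_gateway_configuration XML read here;
// the element names follow the shape of that document as assumed for this example.
type address struct {
	IPAddress   string `xml:"ip_address"`
	NetworkCIDR int    `xml:"network_cidr"` // only present on tunnel_inside_address
}
type endpoint struct {
	Outside address `xml:"tunnel_outside_address"`
	Inside  address `xml:"tunnel_inside_address"`
}
type ipsecTunnel struct {
	CustomerGateway endpoint `xml:"customer_gateway"`
	VPNGateway      endpoint `xml:"vpn_gateway"`
}
type vpnConnection struct {
	Tunnels []ipsecTunnel `xml:"ipsec_tunnel"`
}

// Tunnel is the flattened view that becomes the tunnelN_* attributes in state.
type Tunnel struct {
	OutsideAddress   string // tunnelN_address
	CGWInsideAddress string // tunnelN_cgw_inside_address
	VGWInsideAddress string // tunnelN_vgw_inside_address
	InsideCIDR       string // /30 block derived from the VGW inside address and network_cidr
}

// Constructed sample (addresses copied from the issue's debug output, not a real download). The
// first <ipsec_tunnel> carries the 169.254.10.4/30 addresses, the reverse of the operator's order.
const sampleCGWConfig = `<vpn_connection id="vpn-EXAMPLE"><ipsec_tunnel>
 <customer_gateway><tunnel_inside_address><ip_address>169.254.10.6</ip_address><network_cidr>30</network_cidr></tunnel_inside_address></customer_gateway>
 <vpn_gateway><tunnel_outside_address><ip_address>18.184.98.78</ip_address></tunnel_outside_address><tunnel_inside_address><ip_address>169.254.10.5</ip_address><network_cidr>30</network_cidr></tunnel_inside_address></vpn_gateway>
</ipsec_tunnel><ipsec_tunnel>
 <customer_gateway><tunnel_inside_address><ip_address>169.254.10.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address></customer_gateway>
 <vpn_gateway><tunnel_outside_address><ip_address>35.158.222.155</ip_address></tunnel_outside_address><tunnel_inside_address><ip_address>169.254.10.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address></vpn_gateway>
</ipsec_tunnel></vpn_connection>`

// parseTunnels flattens the XML into one Tunnel per <ipsec_tunnel>, in document order.
func parseTunnels(doc string) ([]Tunnel, error) {
	var conn vpnConnection
	if err := xml.Unmarshal([]byte(doc), &conn); err != nil {
		return nil, err
	}
	var out []Tunnel
	for _, t := range conn.Tunnels {
		vgw := t.VPNGateway.Inside
		_, block, err := net.ParseCIDR(fmt.Sprintf("%s/%d", vgw.IPAddress, vgw.NetworkCIDR))
		if err != nil {
			return nil, err
		}
		out = append(out, Tunnel{
			OutsideAddress:   t.VPNGateway.Outside.IPAddress,
			CGWInsideAddress: t.CustomerGateway.Inside.IPAddress,
			VGWInsideAddress: vgw.IPAddress,
			InsideCIDR:       block.String(),
		})
	}
	return out, nil
}

// inCIDR reports whether addr lies inside the cidr block.
func inCIDR(addr, cidr string) bool {
	_, block, err := net.ParseCIDR(cidr)
	ip := net.ParseIP(addr)
	return err == nil && ip != nil && block.Contains(ip)
}

// consistent: both inside addresses reported for a tunnel must fall inside the CIDR configured for it.
func consistent(t Tunnel, configuredInsideCIDR string) bool {
	return inCIDR(t.CGWInsideAddress, configuredInsideCIDR) && inCIDR(t.VGWInsideAddress, configuredInsideCIDR)
}

// byConfiguredCIDR orders the parsed tunnels by the operator's tunnel1_inside_cidr instead of by
// document position: the tunnel whose inside addresses fall in that block becomes tunnel1.
func byConfiguredCIDR(tunnels []Tunnel, tunnel1InsideCIDR string) (Tunnel, Tunnel, error) {
	if len(tunnels) != 2 {
		return Tunnel{}, Tunnel{}, fmt.Errorf("expected exactly two tunnels, got %d", len(tunnels))
	}
	for i, t := range tunnels {
		if consistent(t, tunnel1InsideCIDR) {
			return t, tunnels[1-i], nil
		}
	}
	return Tunnel{}, Tunnel{}, fmt.Errorf("no tunnel matches configured tunnel1_inside_cidr %s", tunnel1InsideCIDR)
}

func main() {
	tunnels, err := parseTunnels(sampleCGWConfig)
	if err != nil {
		panic(err)
	}
	// Document order reproduces the issue: tunnel1 gets 169.254.10.5 although tunnel1_inside_cidr is 169.254.10.0/30.
	t1, _, err := byConfiguredCIDR(tunnels, "169.254.10.0/30")
	fmt.Println("document-order tunnel1 vgw:", tunnels[0].VGWInsideAddress, "| by inside CIDR tunnel1 vgw:", t1.VGWInsideAddress, err)
}
```

consistent is also the check to apply to existing state: if tunnelN_cgw_inside_address or tunnelN_vgw_inside_address falls outside tunnelN_inside_cidr, the state is in the swapped condition this issue describes, and the tunnel options the customer gateway must be configured with belong to the other tunnel.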
@github-actions github-actions bot added this to the v3.38.0 milestone Apr 23, 2021
ghost commented Apr 30, 2021

This has been released in version 3.38.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@github-actions
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 31, 2021