Importing aws:ec2/routeTable:RouteTable produces resource with ipv6Cidr resource with empty string resulting in invalid CIDR address error

[tombee]

Update: 28 May '24

It looks as though this specific issue is triggered when using ignore_changes=["routes"] after doing pulumi import on a RouteTable resource

According to the docs, by omitting the routes input, this should then ignore route changes. I've tried this and it looks to be working okay for our use case.

For now it looks as though this isn't a blocking issue for importing Route Tables since there is a workaround, it's probably just not ideal that import is producing an invalid resource state that cannot be validated as per @tmeckel's reply: #3986 (comment)

Latest info and steps to repro are in: #3986 (comment)

---

What happened?

Not sure if this is a pulumi-aws or upstream Terraform problem!

When pulumi importing an AWS Route Table with AWS Classic (aws:ec2/routeTable:RouteTable), it appears that it also imports routes associated with the route table. The attributes on a route are set to "" if there is no value associated. I’m seeing an issue where "ipv6CidrBlock": "" then causes pulumi preview to complain that "" is not a valid CIDR block: invalid CIDR address.

When I pulumi state edit and remove the ipv6CidrBlock: "", line from the aws:ec2/routeTable:RouteTable resources the error goes away.

If I also compare a aws:ec2/routeTable:RouteTable created by pulumi up vs an imported resource via pulumi import, the fields without values are all "" in the imported version and not present in the pulumi up.

Example

pulumi import aws:ec2/routeTable:RouteTable public_rt rtb-4e616f6d69
pulumi preview

error: aws:ec2/routeTable:RouteTable resource 'public_rt' has a problem: "" is not a valid CIDR block: invalid CIDR address: . Examine values at 'public_rt.routes'.

      15       "urn": "urn:pulumi:ccoe-sandbox-usw2-tbarlow::riotvpc::aws:ec2/routeTable:RouteTable::customer_tbarlow_PublicRouteTable_10.189.130.0/28_az1",
      14       "custom": true,
      13       "id": "rtb-0845eafb29d28dbb9",
      12       "type": "aws:ec2/routeTable:RouteTable",
      11       "inputs": {
      10         "__defaults": [],
       9         "routes": [
       8           {
       7             "__defaults": [],
       6             "carrierGatewayId": "",
       5             "cidrBlock": "0.0.0.0/0",
       4             "coreNetworkArn": "",
       3             "destinationPrefixListId": "",
       2             "egressOnlyGatewayId": "",
       1             "gatewayId": "igw-09254a252d322b940",
    156              "ipv6CidrBlock": "",
       1             "localGatewayId": "",
       2             "natGatewayId": "",
       3             "networkInterfaceId": "",
       4             "transitGatewayId": "",
       5             "vpcEndpointId": "",
       6             "vpcPeeringConnectionId": ""
       7           }
       8         ],

Section of state where the empty strings are being added to route attributes:

"custom": true,
"type": "aws:ec2/routeTable:RouteTable",
"inputs": {
  "__defaults": [],
  "routes": [
    {
      "__defaults": [],
      "carrierGatewayId": "",
      "cidrBlock": "0.0.0.0/0",
      "coreNetworkArn": "",
      "destinationPrefixListId": "",
      "egressOnlyGatewayId": "",
      "gatewayId": "igw-00000000",
      "ipv6CidrBlock": "",
      "localGatewayId": "",
      "natGatewayId": "",
      "networkInterfaceId": "",
      "transitGatewayId": "",
      "vpcEndpointId": "",
      "vpcPeeringConnectionId": ""
    }
  ],

Output of pulumi about

  ❯ pulumi about
  CLI
  Version      3.116.1
  Go Version   go1.22.2
  Go Compiler  gc

  Plugins
  KIND      NAME    VERSION
  resource  aws     6.35.0
  language  python  unknown

  Host
  OS       darwin
  Version  14.3.1
  Arch     arm64

  This project is written in python: executable='.../python3' version='3.11.7'

...

Dependencies:
  NAME                        VERSION
  ansible                     9.5.1
  isort                       5.13.2
  mypy-boto3-ec2              1.34.101
  mypy-boto3-ram              1.34.0
  mypy-boto3-route53          1.34.31
  mypy-boto3-route53resolver  1.34.102
  parameterized               0.9.0
  pip                         23.3.2
  pre-commit                  3.7.1
  pytest                      8.2.0
  yamllint                    1.35.1

Additional context

Discussed this a little bit on Slack: https://pulumi-community.slack.com/archives/C84L4E3N1/p1715987354126929

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[tmeckel]

The above shown data in routes is clearly invalid, because for an optional Terraform property the property shouldn't show up at all. That's why removing the empty string "" will solve the shown error by pulumi.

https://github.com/hashicorp/terraform-provider-aws/blob/4827180fd06cbdc17b6209f9dc8f9513a0a8d4a7/internal/service/ec2/vpc_route_table.go#L91

CC: @t0yv0

[t0yv0]

Thank you for reporting this issue so clearly and thanks for the cited workaround! I'm adding the appropriate labels. This is indeed common theme of issues, our team will need to tackle as time permits. Adding to a tracking issue.

[tombee]

I've created a repository here with a minimal configuration to reproduce this issue: https://github.com/tombee/pulumi-aws-issue-3986

Interestingly I found that it's only preventing preview and up actions when I add:

opts=pulumi.ResourceOptions(ignore_changes=["routes"]

It also about failed validation during pulumi import of the route table:

Diagnostics:
  aws:ec2:RouteTable (pulumi-import-issue-3986-rtb):
    warning: One or more imported inputs failed to validate. This is almost certainly a bug in the `aws` provider. The import will still proceed, but you will need to edit the generated code after copying it into your program.
    warning: aws:ec2/routeTable:RouteTable resource 'pulumi-import-issue-3986-rtb' has a problem: "" is not a valid CIDR block: invalid CIDR address: . Examine values at 'pulumi-import-issue-3986-rtb.routes'.

[tombee]

Updated the main issue comment, since I don't believe this is a blocking issue if the trigger is only when ignore_changes=["routes"] is added, since the RouteTable resource has a built-in method of ignoring routes by simply omitting the input.

I don't know enough about how import works with pulumi-aws and the terraform bridge to know if this could be a wider issue though where the import CLI is producing a state that won't pass validation.

[corymhall]

I just tried to reproduce this using the latest https://github.com/pulumi/pulumi-terraform-bridge/tree/master and it looks like it has been fixed.

After the next bridge release we can pull in the new version and test it out to confirm.

[t0yv0]

Tracking pulumi/pulumi-terraform-bridge#2314 in the bridge.

[corymhall]

@tombee the issue should now be fixed on the latest version. I tested with your repro and it was successful.

[tombee]

Thank you @corymhall! That's great news.

…

On Wed, Sep 11, 2024 at 1:33 PM Cory Hall ***@***.***> wrote: Closed #3986 <#3986> as completed. — Reply to this email directly, view it on GitHub <#3986 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAOVJDUCE3DII4FIQH5GB3ZWA2CTAVCNFSM6AAAAABIHKCEGKVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJUGIYTKNBTGM4DOOA> . You are receiving this because you were mentioned.Message ID: ***@***.***>