
aws_vpn_connection applies tunnel2 options to tunnel1 #19079

Closed
dthvt opened this issue Apr 23, 2021 · 7 comments · Fixed by #19311
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone

Comments

@dthvt
Contributor

dthvt commented Apr 23, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v0.14.8
+ provider registry.terraform.io/hashicorp/aws v3.37.0

Your version of Terraform is out of date! The latest version
is 0.15.0. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • aws_vpn_connection

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_customer_gateway" "test" {
  bgp_asn    = 65000
  ip_address = "8.8.8.8"
  type       = "ipsec.1"
  tags = {
    Name = "dhagan-test"
  }
}

resource "aws_vpc" "test" {
  cidr_block = "10.0.0.0/16"
  tags = {
    Name = "dhagan-test"
  }
}

resource "aws_vpn_gateway" "test" {
  vpc_id = aws_vpc.test.id
  tags = {
    Name = "dhagan-test"
  }
}

resource "aws_vpn_connection" "test" {
  vpn_gateway_id      = aws_vpn_gateway.test.id
  customer_gateway_id = aws_customer_gateway.test.id
  type                = "ipsec.1"
  tunnel2_phase1_encryption_algorithms = [
    "AES128",
    "AES128-GCM-16",
    "AES256",
    "AES256-GCM-16",
  ]
  tunnel2_phase1_lifetime_seconds = 28800
  tunnel2_phase2_encryption_algorithms = [
    "AES128",
    "AES128-GCM-16",
    "AES256",
    "AES256-GCM-16",
  ]
  tunnel2_phase2_lifetime_seconds = 3600
}

Debug Output

Trace output for initial apply and a subsequent "update apply":

https://gist.github.com/dthvt/9c936a1589b1e88b38aac30391b981e3

Panic Output

Expected Behavior

Terraform should apply the tunnel2_* values to Tunnel 2 on the VPN.

Actual Behavior

Terraform applies the tunnel2_* values to Tunnel 1, which triggers resource cycling. Additionally, when tunnel1_* parameters are left at defaults (i.e. unspecified), this triggers an API error from AWS, because I don't think there's a way to set a tunnel back to default once a setting has been set. (I consider that outside the scope of this issue, since that's API behavior.)

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Important Factoids

References

@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Apr 23, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Apr 23, 2021
@bflad
Contributor

bflad commented Apr 23, 2021

Hi @dthvt 👋 Thank you for raising this and sorry you ran into trouble with this. Hopefully this can be addressed with #19077

@bflad bflad added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Apr 23, 2021
@bflad bflad self-assigned this Apr 23, 2021
@bflad
Contributor

bflad commented Apr 23, 2021

Actually given this section of configuration:

resource "aws_vpn_connection" "test" {
  vpn_gateway_id      = aws_vpn_gateway.test.id
  customer_gateway_id = aws_customer_gateway.test.id
  type                = "ipsec.1"
  tunnel2_phase1_encryption_algorithms = [
    "AES128",
    "AES128-GCM-16",
    "AES256",
    "AES256-GCM-16",
  ]
  tunnel2_phase1_lifetime_seconds = 28800
  tunnel2_phase2_encryption_algorithms = [
    "AES128",
    "AES128-GCM-16",
    "AES256",
    "AES256-GCM-16",
  ]
  tunnel2_phase2_lifetime_seconds = 3600
}

The fix mentioned would not catch this case. Tunnels are automatically assigned outside addresses and even with the proposed changes there, it would still fall back to sorting by outside address to order the tunnels. We would need to potentially look at all configuration options in this case to properly match tunnel 1 versus 2. 🙁

To workaround the problem when the above fix is in place, configuring tunnel1_inside_cidr or tunnel1_preshared_key would allow the resource to properly align the tunnels.

@dthvt
Contributor Author

dthvt commented Apr 23, 2021

Hey @bflad , thanks for the quick reply. To my amateur eye, the issue is actually this line:

vpnTunnelOutsideIPAddress := v.List()[vgwTelemetryTunIndex].(map[string]interface{})["outside_ip_address"].(string)

Calling v.List() I think is converting vgwTelemetry from a Set to a List, which is indeterminate for ordering, but then we reference the desired tunnel by an index. So the API request is getting populated with the wrong target outside IP address. Would it make sense to change vgw_telemetry to Type: schema.TypeList instead of TypeSet?

@flightlesstux

I'm still having this issue with Terraform v0.15.1 on darwin_arm64 and + provider registry.terraform.io/hashicorp/aws v3.38.0.

On the AWS site-to-site vpn,
Tunnel1 address is: 3.126.158.214
Tunnel2 address is: 18.192.169.176

output "aws_vpn_tunnel1_address" {
    value = aws_vpn_connection.this.tunnel1_address
}

output "aws_vpn_tunnel2_address" {
    value = aws_vpn_connection.this.tunnel2_address
}

There you go;

aws_vpn_tunnel1_address = "18.192.169.176"
aws_vpn_tunnel2_address = "3.126.158.214"

Preshared-keys are also having the same issue.

@ewbankkit
Contributor

@dthvt I think you are right that it's the use of the vgw_telemetry value that is causing the incorrect outside IP address to be passed to the ModifyVpnTunnelOptions API and hence the incorrect tunnel to be modified.
It seems a more reliable way of getting the correct address is to use the values returned from the previous call to DescribeVpnConnections.
I am working on fixing this (and adding acceptance tests around this functionality - we were missing such tests) as part of a set of enhancements to be merged in #19311.
You are correct that vgw_telemetry (and routes) has no need to be of TypeSet - these will be converted to TypeList as part of the upcoming v4.0.0 Terraform AWS Provider release.
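
The tunnel alignment bflad and ewbankkit describe, as an added Go example that is not code from the Terraform AWS Provider: it models the tunnel list that DescribeVpnConnections returns (a constructed struct, not the SDK type), pins a configured tunnel to an API tunnel by inside_cidr or preshared_key when either is set, falls back to ordering by outside address when neither is, and reads the outside address to hand to ModifyVpnTunnelOptions from that aligned list instead of from a set-typed attribute that was converted to a list and indexed by tunnel number. The struct and function names, inside CIDRs and pre-shared keys are constructed; the two outside addresses are the ones quoted in the thread.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"sort"
)

// tunnelOptions is a constructed model of one tunnel as DescribeVpnConnections
// reports it (named after the issue's attributes; not the AWS SDK type).
type tunnelOptions struct {
	OutsideIPAddress string
	InsideCIDR       string
	PreSharedKey     string
}

// configuredTunnel models tunnelN_inside_cidr / tunnelN_preshared_key from HCL.
// Empty fields mean "left at default", which is the case the issue hits.
type configuredTunnel struct {
	InsideCIDR   string
	PreSharedKey string
}

// sortedByOutsideAddress returns a copy of api ordered by outside IPv4 address,
// compared octet by octet (a plain string sort would put 18.x before 3.x).
func sortedByOutsideAddress(api []tunnelOptions) []tunnelOptions {
	out := append([]tunnelOptions(nil), api...)
	key := func(t tunnelOptions) []byte {
		if ip := net.ParseIP(t.OutsideIPAddress).To4(); ip != nil {
			return ip
		}
		return []byte(t.OutsideIPAddress) // unparsable input: fall back to string order
	}
	sort.SliceStable(out, func(i, j int) bool { return bytes.Compare(key(out[i]), key(out[j])) < 0 })
	return out
}

// pins reports whether cfg identifies t: a configured inside CIDR or pre-shared
// key must equal the API's value. A tunnel left at defaults pins nothing.
func pins(cfg configuredTunnel, t tunnelOptions) bool {
	return (cfg.InsideCIDR != "" && cfg.InsideCIDR == t.InsideCIDR) ||
		(cfg.PreSharedKey != "" && cfg.PreSharedKey == t.PreSharedKey)
}

// alignTunnels returns the API tunnels in (tunnel1, tunnel2) order for cfg.
// Pinned slots are matched first and the other slot takes the remaining tunnel;
// when neither slot is pinned the order falls back to outside address.
func alignTunnels(cfg [2]configuredTunnel, api []tunnelOptions) ([2]tunnelOptions, error) {
	var result [2]tunnelOptions
	if len(api) != 2 {
		return result, fmt.Errorf("expected 2 tunnels from DescribeVpnConnections, got %d", len(api))
	}
	assigned := [2]int{-1, -1} // result slot -> index into api
	var used [2]bool
	for slot, c := range cfg {
		if c.InsideCIDR == "" && c.PreSharedKey == "" {
			continue
		}
		found := -1
		for i, t := range api {
			if !used[i] && pins(c, t) {
				found = i
				break
			}
		}
		if found < 0 {
			return result, fmt.Errorf("tunnel%d: configured inside_cidr/preshared_key matches no API tunnel", slot+1)
		}
		assigned[slot], used[found] = found, true
	}
	if assigned[0] < 0 && assigned[1] < 0 {
		s := sortedByOutsideAddress(api)
		return [2]tunnelOptions{s[0], s[1]}, nil
	}
	for slot := range assigned { // give the unpinned slot whatever is left
		for i := range api {
			if assigned[slot] < 0 && !used[i] {
				assigned[slot], used[i] = i, true
			}
		}
	}
	for slot, i := range assigned {
		result[slot] = api[i]
	}
	return result, nil
}

// outsideAddressForModify is the address to pass to ModifyVpnTunnelOptions for
// tunnel 1 or 2, taken from the aligned describe result.
func outsideAddressForModify(aligned [2]tunnelOptions, tunnel int) (string, error) {
	if tunnel != 1 && tunnel != 2 {
		return "", fmt.Errorf("tunnel must be 1 or 2, got %d", tunnel)
	}
	return aligned[tunnel-1].OutsideIPAddress, nil
}

// sampleTunnels is constructed input: the two outside addresses from the thread,
// listed in the swapped order the reporter saw; CIDRs and keys are placeholders.
func sampleTunnels() []tunnelOptions {
	return []tunnelOptions{
		{OutsideIPAddress: "18.192.169.176", InsideCIDR: "169.254.11.0/30", PreSharedKey: "example-psk-b"},
		{OutsideIPAddress: "3.126.158.214", InsideCIDR: "169.254.10.0/30", PreSharedKey: "example-psk-a"},
	}
}

func main() {
	api := sampleTunnels()
	// Nothing pinned: order by outside address. Then pin tunnel 1 by inside CIDR.
	for _, cfg := range [][2]configuredTunnel{{}, {{InsideCIDR: "169.254.11.0/30"}, {}}} {
		aligned, err := alignTunnels(cfg, api)
		if err != nil {
			panic(err)
		}
		addr, _ := outsideAddressForModify(aligned, 2)
		fmt.Printf("tunnel1=%s tunnel2=%s (modify tunnel 2 at %s)\n", aligned[0].OutsideIPAddress, aligned[1].OutsideIPAddress, addr)
	}
}
```

With nothing pinned the example orders 3.126.158.214 ahead of 18.192.169.176, and with tunnel1_inside_cidr set it follows the CIDR regardless of the order the API returned; a configured value that matches no tunnel is reported as an error rather than silently falling back, since a wrong guess here is what sends tunnel 2's algorithm lists or pre-shared key to tunnel 1.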

@github-actions

This functionality has been released in v3.72.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 19, 2022
4 participants