aws_route_table_association fails if a different association already exists #5037

Closed
davehodgson opened this issue Feb 7, 2016 · 3 comments

Comments

@davehodgson

As part of a script to create an environment, I create a route table and associate it to 3 subnets:

resource "aws_route_table" "internet_access" {
  vpc_id = "${aws_vpc.main-vpc.id}"
  tags {
    Name = "${var.customer_prefix}-internet-access-routetable"
    Description = "${var.aws_label}"
  }
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.internet_gw.id}"
  }
}

resource "aws_route_table_association" "private" {
  subnet_id = "${aws_subnet.private_subnet.id}"
  route_table_id = "${aws_route_table.internet_access.id}"
}

This has to happen initially because I want to be able to configure them using remote provisioners and it seems to fail to connect if they don't have access to an internet gateway.

At the end of the script I have a NULL resource which then uses Amazon tools from a Linux box to change the routing table association:

AWS_ACCESS_KEY_ID=${var.access_key} AWS_SECRET_ACCESS_KEY=${var.secret_key} aws ec2 replace-route-table-association --association-id ${aws_route_table_association.mgmt.id} --region ${var.aws_region} --route-table-id ${aws_route_table.main.id}

It all works fine, but when I then re-run terraform apply, naturally the refresh picks up that the association has changed and tries to re-associate the first routing table. It then fails with the error below:

* aws_route_table_association.private: Resource.AlreadyAssociated: the specified association for route table rtb-42f40226 conflicts with an existing association status code: 400, request id:

This happens because my script doesn't update the association id in the terraform.state file.

I'm not sure how best to achieve what I am looking to do here - essentially using a temporary routing table association to give the machines internet access while terraform configures them using remote-exec and then changing the association to one that hasn't got internet access.

Any ideas? The only one I have is to catch the association ID returned by the command line and update the terraform state file in my script, but that scares me a little bit.

As a feature suggestion, it would be handy for the aws_route_table_association to work if the association is different to what it expects. For example, if someone had manually changed the association in the AWS console, this would also fail. Perhaps if it fails, it could pull the existing association ID and then call replace-route-table-association instead of AssociateRouteTable, which it seems to do now.
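
The fallback suggested in the post above (look up the subnet's existing association and replace it instead of calling AssociateRouteTable again), as an added example that is not part of the original issue or of Terraform's own code. `FakeEC2` is a constructed in-memory stand-in whose method names and response keys follow boto3's EC2 client; `ensure_association` and the subnet and route table IDs are hypothetical.

```python
import itertools

class FakeEC2:
    """Constructed in-memory stand-in for the three EC2 calls used below."""
    def __init__(self):
        self.assoc = {}                      # association id -> (subnet, route table)
        self._ids = itertools.count(1)

    def _new_id(self):
        return f"rtbassoc-{next(self._ids):04d}"

    def describe_route_tables(self, Filters):
        subnet = Filters[0]["Values"][0]     # only association.subnet-id is modelled
        tables = {}
        for aid, (sn, rtb) in self.assoc.items():
            if sn == subnet:
                tables.setdefault(rtb, []).append(
                    {"RouteTableAssociationId": aid, "SubnetId": sn, "RouteTableId": rtb})
        return {"RouteTables": [{"RouteTableId": r, "Associations": a}
                                for r, a in tables.items()]}

    def associate_route_table(self, SubnetId, RouteTableId):
        if any(sn == SubnetId for sn, _ in self.assoc.values()):
            raise RuntimeError("Resource.AlreadyAssociated")   # the error from the issue
        aid = self._new_id()
        self.assoc[aid] = (SubnetId, RouteTableId)
        return {"AssociationId": aid}

    def replace_route_table_association(self, AssociationId, RouteTableId):
        subnet, _ = self.assoc.pop(AssociationId)
        aid = self._new_id()
        self.assoc[aid] = (subnet, RouteTableId)
        return {"NewAssociationId": aid}


def ensure_association(ec2, subnet_id, route_table_id):
    """Return the association id that binds subnet_id to route_table_id."""
    found = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])
    for table in found["RouteTables"]:
        for a in table["Associations"]:
            if a.get("SubnetId") != subnet_id:
                continue                                     # other subnets on this table
            if a["RouteTableId"] == route_table_id:
                return a["RouteTableAssociationId"]          # already as desired
            return ec2.replace_route_table_association(      # drifted: swap in place
                AssociationId=a["RouteTableAssociationId"],
                RouteTableId=route_table_id)["NewAssociationId"]
    return ec2.associate_route_table(                        # no explicit association yet
        SubnetId=subnet_id, RouteTableId=route_table_id)["AssociationId"]
```

Because the replace call returns a new association ID, whatever tracks the association (here, the Terraform state) has to record the returned value or the next run will drift again.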

@mwarkentin
Contributor

We seem to be hitting this as well.

@awilkins

Also hitting this case.

Seems to be occurring when an existing explicit aws_route_table_association is destroyed and the subnet falls back to the main route table.

Re-applying subsequently works. Is it that the destroy for the prior association is falsely reporting completion?

@ghost

ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020