resource aws_network_interface performs undesirable sort and attempts to detach primary ip address #14366

Closed
elliott-weston-transferwise opened this issue Jul 28, 2020 · 3 comments · Fixed by #17846
Labels: enhancement (Requests to existing resources that expand the functionality or scope.), service/ec2 (Issues and PRs that pertain to the ec2 service.)

@elliott-weston-transferwise


Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.28
+ provider.aws v2.70.0

Affected Resource(s)

  • aws_network_interface

Terraform Configuration Files

Create initial eni:

resource "aws_network_interface" "eni_test1" {
  subnet_id   = var.subnet
}

resource "aws_network_interface" "eni_test2" {
  subnet_id   = var.subnet
}

Then add private_ips to the ENIs:

locals {
  private_ips_test = concat(["10.0.0.8"], ["10.0.0.6", "10.6.12.6"])
  private_ips_test2 = ["172.18.0.24", "172.18.0.18", "172.18.0.20", "172.18.0.25"]
}

resource "aws_network_interface" "eni_test1" {
  subnet_id   = var.subnet
  private_ips = local.private_ips_test
}

resource "aws_network_interface" "eni_test2" {
  subnet_id   = var.subnet
  private_ips = local.private_ips_test2
}

Expected Behavior

Terraform honours the ordering specified by the end user.

Actual Behavior

Terraform will order the private_ips lexicographically.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_network_interface.eni_test1 will be updated in-place
  ~ resource "aws_network_interface" "eni_test1" {
        id                = "removed"
        mac_address       = "removed"
        private_dns_name  = "ip-172-31-50-184.eu-central-1.compute.internal"
        private_ip        = "172.31.50.184"
      ~ private_ips       = [
          + "10.0.0.6",
          + "10.0.0.8",
          + "10.6.12.6",
          - "172.31.50.184",
        ]
        private_ips_count = 0
        security_groups   = [
            "removed",
        ]
        source_dest_check = true
        subnet_id         = "removed"
        tags              = {}
    }

  # aws_network_interface.eni_test2 will be updated in-place
  ~ resource "aws_network_interface" "eni_test2" {
        id                = "removed"
        mac_address       = "removed"
        private_dns_name  = "ip-172-31-48-102.eu-central-1.compute.internal"
        private_ip        = "172.31.48.102"
      ~ private_ips       = [
          - "172.31.48.102",
          + "172.31.48.18",
          + "172.31.49.20",
          + "172.31.50.24",
          + "172.31.50.27",
        ]
        private_ips_count = 0
        security_groups   = [
            "removed",
        ]
        source_dest_check = true
        subnet_id         = "removed"
        tags              = {}
    }

Steps to Reproduce

  1. terraform apply
  2. Add list of ips and pass into private_ips attribute
  3. terraform plan

Important Factoids

Hello HashiCorp!

The two unexpected behaviours that I am seeing:

  • The aws_network_interface resource appears to be ordering the private ips associated with the network interface lexicographically.
  • The private_ips attribute requires the first element to be the primary private ip if the ENI has already been created.

The issue is that if at least one of the private_ips is lexicographically "less" than the private ip, terraform will attempt to set one of the secondary ips as the primary ip which will result in an error similar to this:

Error: Failure to unassign Private IPs: InvalidParameterValue: Value (172.31.48.102) for parameter privateIpAddress is invalid. The primary IP address of an interface cannot be unassigned.
        status code: 400, request id: <redacted>

Therefore terraform should honour the order that is set by the end user.
Also, if the primary ip address (denoted in the attribute private_ip) must be the first element in the list, it may make sense to do this automatically if the private_ips has been passed, but the primary ip is not in the list.
I.e., concat the private_ip attribute and the private_ips attribute, placing the private_ip attribute as the first element.

@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jul 28, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 28, 2020
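
The ordering requested in the issue above, as an added Go example; it is not code from the Terraform AWS provider or from the issue author. The function names are hypothetical, and toUnassign assumes the update drops every address on the ENI that is missing from the desired list, which is the behaviour the quoted error implies. The sample addresses come from the eni_test1 plan output.

```go
package main

import (
	"fmt"
	"sort"
)

// lexSorted returns a copy sorted as plain strings, the ordering the issue reports.
func lexSorted(ips []string) []string {
	out := append([]string(nil), ips...)
	sort.Strings(out)
	return out
}

// primaryFirst keeps the caller's order, drops duplicates and puts the
// ENI's primary address at index 0, as the issue author suggests.
func primaryFirst(primary string, desired []string) []string {
	out := []string{primary}
	seen := map[string]bool{primary: true}
	for _, ip := range desired {
		if !seen[ip] {
			seen[ip] = true
			out = append(out, ip)
		}
	}
	return out
}

// toUnassign lists addresses on the ENI that are absent from the desired
// list (assumed model). EC2 rejects the call if the primary is among them.
func toUnassign(current, desired []string) []string {
	want := map[string]bool{}
	for _, ip := range desired {
		want[ip] = true
	}
	var drop []string
	for _, ip := range current {
		if !want[ip] {
			drop = append(drop, ip)
		}
	}
	return drop
}

func main() {
	primary := "172.31.50.184" // primary address in the eni_test1 plan
	desired := []string{"10.0.0.8", "10.0.0.6", "10.6.12.6"}
	fmt.Println(lexSorted(desired), toUnassign([]string{primary}, desired))
	fmt.Println(toUnassign([]string{primary}, primaryFirst(primary, desired)))
}
```

With the primary prepended, the unassign set is empty and the user's order for the secondary addresses is unchanged.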
@ag-TJNII

Just want to +1 and comment that if downstream resources iterate over the returned private_ip list then the sort wreaks havoc on the downstream resources if the IP count changes. As the sort causes IPs to change in the middle of the array it will cause TF to try and remap the changed IPs and all subsequent IPs, which is annoying at best and disruptive at worst.

@justinretzolk justinretzolk added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 22, 2021
@YakDriver YakDriver self-assigned this Jan 21, 2022
@YakDriver YakDriver added this to the Roadmap milestone Jan 21, 2022
@github-actions github-actions bot modified the milestones: Roadmap, v3.74.0 Jan 22, 2022
@github-actions

This functionality has been released in v3.74.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 17, 2022