Hidden error message if aws_vpc_ipam_pool_cidr fails #25192

Closed
nitrocode opened this issue Jun 6, 2022 · 5 comments
Labels
bug Addresses a defect in current functionality. good first issue Call to action for new contributors looking for a place to start. Smaller or straightforward issues. service/ipam Issues and PRs that pertain to the ipam service.

Comments

@nitrocode
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

⨠ terraform --version
Terraform v1.1.9
on linux_amd64

Affected Resource(s)

  • aws_vpc_ipam_pool_cidr

Terraform Configuration Files

https://github.com/aws-ia/terraform-aws-ipam/blob/main/modules/sub_pool/main.tf

resource "aws_vpc_ipam_pool" "top" {
  address_family           = "ipv4"
  auto_import              = false
  description              = "core-ue2"
  locale                   = "us-east-2"
}

resource "aws_vpc_ipam_pool_cidr" "top" {
  cidr         = "10.0.0.0/11"
  ipam_pool_id = aws_vpc_ipam_pool.top.id
}

resource "aws_vpc_ipam_pool" "sub" {
  address_family           = "ipv4"
  auto_import              = false
  description              = "core-ue2/network"
  locale                   = "us-east-2"
  source_ipam_pool_id      = aws_vpc_ipam_pool.top.id
  ipam_scope_id            = "ipam-scope-<redacted>"
}

resource "aws_vpc_ipam_pool_cidr" "sub" {
  cidr         = "10.96.0.0/12"
  ipam_pool_id = aws_vpc_ipam_pool.sub.id
}

Debug Output

│ Error: error waiting for IPAM Pool Cidr (10.96.0.0/12_ipam-pool-<redacted>) to be provision: unexpected state 'failed-provision', wanted target 'provisioned'. last error: %!s(<nil>)
│
│   with module.ipam[0].module.level_one["core-ue2"].aws_vpc_ipam_pool_cidr.sub["10.96.0.0/12"],
│   on .terraform-core/modules/ipam/modules/sub_pool/main.tf line 25, in resource "aws_vpc_ipam_pool_cidr" "sub":
│   25: resource "aws_vpc_ipam_pool_cidr" "sub" {

Panic Output

N/A

Expected Behavior

Clear error thrown during plan time check

Actual Behavior

Apply successfully or at the very least, expose the real error message

⨠ aws --profile cplive-core-gbl-network-admin ec2 allocate-ipam-pool-cidr --cidr "10.96.0.0/12" --ipam-pool-id ipam-pool-<redacted>

An error occurred (InvalidParameterValue) when calling the AllocateIpamPoolCidr operation: The allocation size is too big for the pool.

From the UI, it appears that the error happens because the cidr 10.96.0.0/12 is not within 10.0.0.0/11. This is probably something that we could calculate as a plan level check before even hitting the AWS API.

Steps to Reproduce

  1. terraform apply

Important Factoids

N/A

References

N/A
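
The plan-level containment check suggested in this report, sketched as an added example (not the provider's code): `checkSubPoolCIDR` is a hypothetical helper, and it assumes both the sub-pool CIDR and the source pool's CIDRs are already known values, as they are in the configuration above.

```go
package main

import (
	"fmt"
	"net/netip"
)

// checkSubPoolCIDR (hypothetical helper) returns nil when child lies entirely
// inside at least one of the source pool's CIDRs, and an error otherwise.
func checkSubPoolCIDR(child string, parents []string) error {
	c, err := netip.ParsePrefix(child)
	if err != nil {
		return fmt.Errorf("invalid CIDR %q: %w", child, err)
	}
	c = c.Masked() // normalise host bits, e.g. 10.96.1.0/12 -> 10.96.0.0/12
	for _, p := range parents {
		pp, err := netip.ParsePrefix(p)
		if err != nil {
			return fmt.Errorf("invalid source pool CIDR %q: %w", p, err)
		}
		pp = pp.Masked()
		// Contained: the parent prefix is no longer than the child's and the
		// parent covers the child's network address (Contains is false
		// across address families).
		if pp.Bits() <= c.Bits() && pp.Contains(c.Addr()) {
			return nil
		}
	}
	return fmt.Errorf("CIDR %s is not within any source pool CIDR %v", c, parents)
}

func main() {
	// Values from the configuration in this issue.
	fmt.Println(checkSubPoolCIDR("10.96.0.0/12", []string{"10.0.0.0/11"}))
	// Constructed value that does fit inside 10.0.0.0/11.
	fmt.Println(checkSubPoolCIDR("10.16.0.0/12", []string{"10.0.0.0/11"}))
}
```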

@nitrocode nitrocode changed the title Hidden error message if aws_vpc_ipam_pool_cidr throws an error Hidden error message if aws_vpc_ipam_pool_cidr fails Jun 6, 2022
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/ipam Issues and PRs that pertain to the ipam service. labels Jun 6, 2022
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. good first issue Call to action for new contributors looking for a place to start. Smaller or straightforward issues. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 6, 2022
@drewmullen drewmullen self-assigned this Jun 6, 2022
@drewmullen
Collaborator

Thanks for opening this up. I'll take a look and see if I can expose the true error

@drewmullen
Collaborator

drewmullen commented Jun 7, 2022

@nitrocode one thing to note is that allocate-ipam-pool-cidr is a different command than provision-ipam-pool-cidr. The resource aws_vpc_ipam_pool_cidr calls provision- so the error is likely going to be different based on the call.

That being said, the IpamPoolCidr does in fact have a FailureReason which contains a Message. It can be added to the error message. I believe early in development the errors weren't very handy so I ignored them - looks like they're useful now! 😅

type IpamPoolCidr struct {
	_ struct{} `type:"structure"`

	// Details related to why an IPAM pool CIDR failed to be provisioned.
	FailureReason *IpamPoolCidrFailureReason `locationName:"failureReason" type:"structure"`
}

type IpamPoolCidrFailureReason struct {
	_ struct{} `type:"structure"`

	// An error code related to why an IPAM pool CIDR failed to be provisioned.
	Code *string `locationName:"code" type:"string" enum:"IpamPoolCidrFailureCode"`

	// A message related to why an IPAM pool CIDR failed to be provisioned.
	Message *string `locationName:"message" type:"string"`
}

if _, err = WaitIPAMPoolCIDRAvailable(conn, id, ipamPoolCIDRCreateTimeout); err != nil {
	return fmt.Errorf("error waiting for IPAM Pool Cidr (%s) to be provision: %w", id, err)
}

The _ returned here can be changed into a variable and you can parse the information out of it and place it into the error.

This is a good beginner issue so I'm going to float it around to see if anyone wants. If not, I'll fix it in the near future
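
One way to carry out the change described in the comment above, as an added example (not the provider's code and not the fix that was merged): the two structs are local stand-ins for the SDK types quoted above, `provisionError` and `str` are hypothetical helpers, and the failure code and message are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins for the two SDK structs quoted above; only the fields
// used here are declared.
type IpamPoolCidrFailureReason struct {
	Code    *string
	Message *string
}

type IpamPoolCidr struct {
	FailureReason *IpamPoolCidrFailureReason
}

// str dereferences an optional SDK string, mapping nil to "".
func str(s *string) string {
	if s == nil {
		return ""
	}
	return *s
}

// provisionError (hypothetical helper) wraps the waiter error and, when the
// waiter also returned the pool CIDR, adds its failure code and message.
func provisionError(id string, out *IpamPoolCidr, waitErr error) error {
	if waitErr == nil {
		return nil
	}
	base := fmt.Sprintf("error waiting for IPAM Pool Cidr (%s) to be provisioned", id)
	if out != nil && out.FailureReason != nil {
		code, msg := str(out.FailureReason.Code), str(out.FailureReason.Message)
		if code != "" || msg != "" {
			return fmt.Errorf("%s: %s: %s: %w", base, code, msg, waitErr)
		}
	}
	return fmt.Errorf("%s: %w", base, waitErr)
}

func main() {
	code, msg := "sample-code", "sample failure message" // constructed values
	out := &IpamPoolCidr{FailureReason: &IpamPoolCidrFailureReason{Code: &code, Message: &msg}}
	waitErr := errors.New("unexpected state 'failed-provision', wanted target 'provisioned'")
	fmt.Println(provisionError("10.96.0.0/12_ipam-pool-example", out, waitErr))
	fmt.Println(provisionError("10.96.0.0/12_ipam-pool-example", nil, waitErr))
}
```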

@drewmullen drewmullen removed their assignment Jun 7, 2022
@meetreks
Contributor

meetreks commented Jun 7, 2022

I am looking at this issue

@drewmullen
Collaborator

closed by #25287

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 26, 2022