-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VPN Connection Tunnels incorrectly ordered #396
Comments
Not sure, but suspect the AWS Console GUI is sorting by Outside IP address. Would recommend TF does NOT do so. |
perhaps the reason is this sort-statement:
this sort is inside the code since the first version:
but why the xml from the api should be in the wrong order? |
for users who running in this issue before merging/releasing the pull-request: use the xml-output "aws_vpn_connection.<resource_name>.customer_gateway_configuration". the tunnels inside this xml are always sorted exactly like the aws console does. aditionaly it contains some more informations about the connection-parameters. https://www.terraform.io/docs/providers/aws/r/vpn_connection.html#virtual-private-gateway |
This triage bug becomes very annoying since last version of the provider v3.22.0 with PR #14740 which adds read/refresh of tunnel options. |
Configuring tunnel1/tunnel2 with differing options (DH group, etc.) will trigger a dual tunnel outage when applying due to the reordering of the tunnels in terraform. I would support ANY solution that results in consistent ordering of the tunnels, even if it doesn't match the Console. As it is now, having different tunnel configs will trigger a dual tunnel outage and full loss of connectivity during applies, which is just not acceptable in a production environment. |
I have found a workaround: because tunnel1 is always the lowest IP of the two, I just wrote a few lines to convert it to a number, and tied the assignment to this convention. You can do it in two-three lines with a simple condition. I think this could be fixed this way in the backend, also. |
Hi folks 👋 Sorry this is still causing issues. We are working on a fix now. |
…_*` ordering when `tunnel1_inside_cidr`, `tunnel1_inside_ipv6_cidr`, or `tunnel1_preshared_key` is configured Reference: #396 Reference: #3359 Reference: #4728 Reference: #5809 Reference: #11293 Previously (race condition of automatically assigned outside IP addresses): ``` === CONT TestAccAWSVpnConnection_tunnelOptions resource_aws_vpn_connection_test.go:210: Step 15/15 error: Check failed: Check 4/6 error: aws_vpn_connection.test: Attribute 'tunnel1_preshared_key' expected "12345678", got "abcdefgh" --- FAIL: TestAccAWSVpnConnection_tunnelOptions (738.28s) ``` Output from acceptance testing: ``` --- PASS: TestAccAWSVpnConnection_Tunnel1PresharedKey (251.02s) --- PASS: TestAccAWSVpnConnection_withoutStaticRoutes (263.77s) --- PASS: TestAccAWSVpnConnection_Tunnel1InsideCidr (335.14s) --- PASS: TestAccAWSVpnConnection_tunnelOptions (342.30s) --- PASS: TestAccAWSVpnConnection_disappears (388.07s) --- PASS: TestAccAWSVpnConnection_tags (445.29s) --- PASS: TestAccAWSVpnConnection_basic (797.33s) --- PASS: TestAccAWSVpnConnection_withIpv6 (1235.35s) --- PASS: TestAccAWSVpnConnection_TransitGatewayID (1235.72s) --- PASS: TestAccAWSVpnConnection_withEnableAcceleration (1352.28s) --- PASS: TestAccAWSVpnConnection_Tunnel1InsideIpv6Cidr (1595.79s) ```
…_*` ordering when `tunnel1_inside_cidr`, `tunnel1_inside_ipv6_cidr`, or `tunnel1_preshared_key` is configured (#19077) * resource/aws_vpn_connection: Prevent flipped `tunnel1_*` and `tunnel2_*` ordering when `tunnel1_inside_cidr`, `tunnel1_inside_ipv6_cidr`, or `tunnel1_preshared_key` is configured Reference: #396 Reference: #3359 Reference: #4728 Reference: #5809 Reference: #11293 Previously (race condition of automatically assigned outside IP addresses): ``` === CONT TestAccAWSVpnConnection_tunnelOptions resource_aws_vpn_connection_test.go:210: Step 15/15 error: Check failed: Check 4/6 error: aws_vpn_connection.test: Attribute 'tunnel1_preshared_key' expected "12345678", got "abcdefgh" --- FAIL: TestAccAWSVpnConnection_tunnelOptions (738.28s) ``` Output from acceptance testing: ``` --- PASS: TestAccAWSVpnConnection_Tunnel1PresharedKey (251.02s) --- PASS: TestAccAWSVpnConnection_withoutStaticRoutes (263.77s) --- PASS: TestAccAWSVpnConnection_Tunnel1InsideCidr (335.14s) --- PASS: TestAccAWSVpnConnection_tunnelOptions (342.30s) --- PASS: TestAccAWSVpnConnection_disappears (388.07s) --- PASS: TestAccAWSVpnConnection_tags (445.29s) --- PASS: TestAccAWSVpnConnection_basic (797.33s) --- PASS: TestAccAWSVpnConnection_withIpv6 (1235.35s) --- PASS: TestAccAWSVpnConnection_TransitGatewayID (1235.72s) --- PASS: TestAccAWSVpnConnection_withEnableAcceleration (1352.28s) --- PASS: TestAccAWSVpnConnection_Tunnel1InsideIpv6Cidr (1595.79s) ``` * tests/resource/aws_vpn_connection: Add nosemgrep comment for errant situation * resource/aws_vpn_connection: Fix comment typo
…_*` ordering when `tunnel1_inside_cidr`, `tunnel1_inside_ipv6_cidr`, or `tunnel1_preshared_key` is configured (#19077) * resource/aws_vpn_connection: Prevent flipped `tunnel1_*` and `tunnel2_*` ordering when `tunnel1_inside_cidr`, `tunnel1_inside_ipv6_cidr`, or `tunnel1_preshared_key` is configured Reference: #396 Reference: #3359 Reference: #4728 Reference: #5809 Reference: #11293 Previously (race condition of automatically assigned outside IP addresses): ``` === CONT TestAccAWSVpnConnection_tunnelOptions resource_aws_vpn_connection_test.go:210: Step 15/15 error: Check failed: Check 4/6 error: aws_vpn_connection.test: Attribute 'tunnel1_preshared_key' expected "12345678", got "abcdefgh" --- FAIL: TestAccAWSVpnConnection_tunnelOptions (738.28s) ``` Output from acceptance testing: ``` --- PASS: TestAccAWSVpnConnection_Tunnel1PresharedKey (251.02s) --- PASS: TestAccAWSVpnConnection_withoutStaticRoutes (263.77s) --- PASS: TestAccAWSVpnConnection_Tunnel1InsideCidr (335.14s) --- PASS: TestAccAWSVpnConnection_tunnelOptions (342.30s) --- PASS: TestAccAWSVpnConnection_disappears (388.07s) --- PASS: TestAccAWSVpnConnection_tags (445.29s) --- PASS: TestAccAWSVpnConnection_basic (797.33s) --- PASS: TestAccAWSVpnConnection_withIpv6 (1235.35s) --- PASS: TestAccAWSVpnConnection_TransitGatewayID (1235.72s) --- PASS: TestAccAWSVpnConnection_withEnableAcceleration (1352.28s) --- PASS: TestAccAWSVpnConnection_Tunnel1InsideIpv6Cidr (1595.79s) ``` * tests/resource/aws_vpn_connection: Add nosemgrep comment for errant situation * resource/aws_vpn_connection: Fix comment typo
This has been released in version 3.38.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
This issue was originally opened by @kitforbes as hashicorp/terraform#10411. It was migrated here as part of the provider split. The original body of the issue is below.
Terraform Version
Terraform v0.7.13
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
${aws_vpn_connection.edinburgh.tunnel1_address}
should output the value of Tunnel 1 in the AWS Console.Actual Behavior
It actually outputs the value of tunnel 2, and tunnel 2 outputs the value of tunnel 1. Not a critical issue by any means.
Steps to Reproduce
Create an AWS VPN connection and compare the Terraform output to actual AWS Console information in the VPC section.
The text was updated successfully, but these errors were encountered: