Handle cycles for AWS EIPs

[hashibot]

This issue was originally opened by @davidhoyt as hashicorp/terraform#4644. It was migrated here as part of the provider split. The original body of the issue is below.

---

Am attempting to setup a cross-region VPN and need to create EIPs in both regions and then use the public IPs in each when provisioning a new EC2 instance in each region. When I do so, there is a complaint about cycles and it fails. It seems that the cycle can be removed if both EIPs are created before the instances. Here's a dumbed-down example of what I am looking to do:

variable "aws-access-key" { default = "access-key-12345" }
variable "aws-secret-key" { default = "secret-key-12345" }

variable "vpc-1-aws-region" { default = "us-east-1" }
variable "vpc-1-aws-az" { default = "us-east-1a" }
variable "vpc-1-aws-subnet-id" { default = "subnet-us-east-12345" }

variable "vpc-2-aws-region" { default = "us-west-2" }
variable "vpc-2-aws-az" { default = "us-west-2a" }
variable "vpc-2-aws-subnet-id" { default = "subnet-us-west-12345" }

// Ubuntu 14.04 LTS (HVM)
variable "aws-vpn-ami" {
  default = {
    us-east-1 = "ami-d05e75b8"
    us-west-2 = "ami-5189a661"
    eu-west-1 = "ami-47a23a30"
  }
}

provider "aws" {
  region     = "${var.vpc-1-aws-region}"
  access_key = "${var.aws-access-key}"
  secret_key = "${var.aws-secret-key}"
}

provider "aws" {
  alias  = "vpc-1"
  region = "${var.vpc-1-aws-region}"
}

provider "aws" {
  alias  = "vpc-2"
  region = "${var.vpc-2-aws-region}"
}

resource "aws_eip" "vpc-1" {
  provider = "aws.vpc-1"
  lifecycle { create_before_destroy = true }
  instance = "${aws_instance.vpc-1.id}"
  vpc = true
}

resource "aws_eip" "vpc-2" {
  provider = "aws.vpc-2"
  lifecycle { create_before_destroy = true }
  instance = "${aws_instance.vpc-2.id}"
  vpc = true
}

resource "aws_instance" "vpc-1" {
  provider = "aws.vpc-1"
  instance_type = "t2.micro"

  ami = "${lookup(var.aws-vpn-ami, var.vpc-1-aws-region)}"

  lifecycle { create_before_destroy = true }

  source_dest_check = false
  availability_zone = "${var.vpc-1-aws-az}"
  subnet_id         = "${var.vpc-1-aws-subnet-id}"
  private_ip        = "10.0.0.4"

  provisioner "remote-exec" {
    inline = [
      "sudo tee /tmp/foo.conf > /dev/null <<'EOF'",
      "${aws_eip.vpc-2.public_ip}",
      "EOF"
    ]
  }
}

resource "aws_instance" "vpc-2" {
  provider = "aws.vpc-2"
  instance_type = "t2.micro"

  lifecycle { create_before_destroy = true }

  ami = "${lookup(var.aws-vpn-ami, var.vpc-2-aws-region)}"

  source_dest_check = false
  availability_zone = "${var.vpc-2-aws-az}"
  subnet_id         = "${var.vpc-2-aws-subnet-id}"
  private_ip        = "10.1.0.4"

  provisioner "remote-exec" {
    inline = [
      "sudo tee /tmp/foo.conf > /dev/null <<'EOF'",
      "${aws_eip.vpc-1.public_ip}",
      "EOF"
    ]
  }
}

I will need to later add security groups that include rules for ingress that only allow traffic from the EIP of the other region. Would love to hear alternative ways of achieving the same btw. Thanks ahead for any help!

[ewbankkit]

@davidhoyt You should try using the aws_eip_association resource. It should break the EIP <-> Instance ID cycle.

[bflad]

The correct implementation should be noted above. If the documentation (website/docs/r/eip.html.markdown) needs updates or to be clearer about this situation, we'll happily accept a pull request!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!