aws_route_table_association fails if a different association already exists #73

Closed
hashibot opened this issue Jun 13, 2017 · 12 comments · Fixed by #6999
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

@hashibot

This issue was originally opened by @davehodgson as hashicorp/terraform#5037. It was migrated here as part of the provider split. The original body of the issue is below.


As part of a script to create an environment, I create a route table and associate it to 3 subnets

resource "aws_route_table" "internet_access" {
  vpc_id = "${aws_vpc.main-vpc.id}"
  tags {
    Name = "${var.customer_prefix}-internet-access-routetable"
    Description = "${var.aws_label}"
  }   
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.internet_gw.id}"
  }
}
resource "aws_route_table_association" "private" {
     subnet_id = "${aws_subnet.private_subnet.id}"
     route_table_id = "${aws_route_table.internet_access.id}"
}

This has to happen initially because I want to be able to configure them using remote provisioners and it seems to fail to connect if they don't have access to an internet gateway.

At the end of the script I have a NULL resource which then uses Amazon tools from a Linux box to change the routing table association:

AWS_ACCESS_KEY_ID=${var.access_key} AWS_SECRET_ACCESS_KEY=${var.secret_key} aws ec2 replace-route-table-association --association-id ${aws_route_table_association.mgmt.id} --region ${var.aws_region} --route-table-id ${aws_route_table.main.id}

It all works fine, but when I then re-run terraform apply, naturally the refresh picks up that the association has changed and tries to re-associate the first routing table. It then fails with the error below:

* aws_route_table_association.private: Resource.AlreadyAssociated: the specified association for route table rtb-42f40226 conflicts with an existing association status code: 400, request id:

This happens because my script doesn't update the association id in the terraform.state file.

I'm not sure how best to achieve what I am looking to do here - essentially using a temporary routing table association to give the machines internet access while terraform configures them using remote-exec and then change the association to one that hasn't got internet access.

Any ideas? The only one I have is to catch the association ID returned by the command line and update the terraform state file in my script, but that scares me a little bit.

As a feature suggestion, it would be handy for the aws_route_table_association to work if the association is different to what it expects. For example, if someone had manually changed the association in the AWS console, this would also fail. Perhaps if it fails, it could pull the existing association ID and then call replace-route-table-association instead of AssociateRouteTable, which it seems to do now.

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@hashibot
Author

This comment was originally opened by @mwarkentin as hashicorp/terraform#5037 (comment). It was migrated here as part of the provider split. The original comment is below.


We seem to be hitting this as well.

@hashibot
Author

This comment was originally opened by @awilkins as hashicorp/terraform#5037 (comment). It was migrated here as part of the provider split. The original comment is below.


Also hitting this case.

Seems to be occurring when an existing explicit aws_route_table_association is destroyed and the subnet falls back to the main route table.

Re-applying subsequently works. Is it that the destroy for the prior association is falsely reporting completion?

@Florent-A

Hello
Same issue faced here:
I'm trying to associate a previously created subnet with a newly created route table. It fails at apply phase with v0.10.4 and v0.10.6.

* module.shared-tools.aws_route_table_association.rtb[1]: 1 error(s) occurred:
 
* aws_route_table_association.rtb.1: Resource.AlreadyAssociated: the specified association for route table rtb-9xxa4af0 conflicts with an existing association
        status code: 400, request id: 654431da-0433-4f6f-9fb8-88b320732631

Sample code

# identifies the shared-tools subnets, already explicitly associated with another rtb
data "aws_subnet_ids" "shared-tools" {
  tags {
    purpose = "shared-tools"
    managed-by = "terraform"
  }
}

# new rtb
resource "aws_route_table" "rtb" {
  vpc_id = "${data.aws_vpc.x.id}"  
}

# attach this route to the zone subnets
resource "aws_route_table_association" "rtb" {
  count = "${length(data.aws_subnet_ids.shared-tools.ids)}" //iterate on all subnets
  subnet_id = "${data.aws_subnet_ids.shared-tools.ids[count.index]}"
  route_table_id = "${aws_route_table.rtb.id}"
}

Any idea on how to workaround this issue?
Thanks for your help

@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 25, 2018
@sidprak

sidprak commented Apr 12, 2018

I just ran into this also. I worked around it by:

  1. Replace the route table association manually. Using the command line tools, this would look something like aws ec2 replace-route-table-association --association-id rtbassoc-12345678 --route-table-id rtb-12345678.
  2. Run terraform apply. Terraform will re-apply the same association and succeed. Nothing will change in this step except for the association being captured in the state.
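
The approach suggested in the original report and used in the workaround above (look up the subnet's existing association ID and call replace-route-table-association instead of associating again), as an added example that is not part of any comment in this thread or of the provider's code. The function names and every ID in the sample are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables --output json`;
# every ID below is made up for this example.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-aaaa1111", "Associations": [
    {"Main": true, "RouteTableAssociationId": "rtbassoc-main0001",
     "RouteTableId": "rtb-aaaa1111"}]},
  {"RouteTableId": "rtb-bbbb2222", "Associations": [
    {"Main": false, "RouteTableAssociationId": "rtbassoc-0001",
     "RouteTableId": "rtb-bbbb2222", "SubnetId": "subnet-0001"},
    {"Main": false, "RouteTableAssociationId": "rtbassoc-0002",
     "RouteTableId": "rtb-bbbb2222", "SubnetId": "subnet-0002"}]},
  {"RouteTableId": "rtb-cccc3333", "Associations": []}
]}
""")

def explicit_associations(described):
    """Map subnet ID -> (association ID, route table ID) for explicit associations."""
    found = {}
    for table in described.get("RouteTables", []):
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet and not assoc.get("Main", False):  # skip main/gateway entries
                found[subnet] = (assoc["RouteTableAssociationId"], table["RouteTableId"])
    return found

def plan_association(described, subnet_id, wanted_rtb):
    """Return the AWS CLI argv that moves subnet_id to wanted_rtb, or None if in place."""
    current = explicit_associations(described).get(subnet_id)
    if current is None:
        # Subnet only follows the main route table: a plain associate call succeeds.
        return ["aws", "ec2", "associate-route-table",
                "--subnet-id", subnet_id, "--route-table-id", wanted_rtb]
    assoc_id, current_rtb = current
    if current_rtb == wanted_rtb:
        return None  # already associated with the wanted table; nothing to call
    # An explicit association exists: associating again is what returns
    # Resource.AlreadyAssociated, so replace it by association ID instead.
    return ["aws", "ec2", "replace-route-table-association",
            "--association-id", assoc_id, "--route-table-id", wanted_rtb]

if __name__ == "__main__":
    for subnet, rtb in [("subnet-0001", "rtb-cccc3333"), ("subnet-0003", "rtb-cccc3333")]:
        print(subnet, plan_association(SAMPLE, subnet, rtb))
```

The sample assumes the describe output was already filtered to the subnet's VPC.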

@RuBiCK

RuBiCK commented Dec 4, 2018

I ran into the same issue. That is a workaround, but it's supposed to make the new association, right?

@quietjoy

quietjoy commented Dec 6, 2018

Experiencing the same problem. Manually doing the subnet associations and then running apply again does not seem to work for me. I am using terraform v0.11.10

@YakDriver
Member

@sidprak @RuBiCK @andrewhart098 @Florent-A @awilkins @mwarkentin @davehodgson I submitted PR #6999 to allow replacement of a subnet's existing route table association. To help the maintainers prioritize, please visit the PR and 👍 or leave a comment with your thoughts!

@yves-vogl

yves-vogl commented Jan 19, 2019

@andrewhart098 this doesn't work for me, either. I'll try to look at what the PR actually does and try to figure it out. I'll share my results if I can produce anything useful :-)

@YakDriver Thank you :-)

@yves-vogl

I solved my issue. I've had circular associations so replacing did not actually work.

$ aws ec2 describe-route-tables --filters "Name=route-table-id,Values=rtb-0eeb23139fac403a5" 
ROUTETABLES	397794470468	rtb-0eeb23139fac403a5	vpc-01f45574c74eb8ac1
ASSOCIATIONS	False	rtbassoc-064611555f45f4ace	rtb-0eeb23139fac403a5	subnet-046b73ff13c54ef04
ASSOCIATIONS	False	rtbassoc-030af166ccd8a8851	rtb-0eeb23139fac403a5	subnet-04915d7ff586db40d
ROUTES	10.4.0.0/16	local		CreateRouteTable	active
ROUTES	0.0.0.0/0		nat-03f839a190a2f3e9f	CreateRoute	active

When trying to delete, I got:

An error occurred (DependencyViolation) when calling the DeleteRouteTable operation: The routeTable 'rtb-0eeb23139fac403a5' has dependencies and cannot be deleted.

So I had to first dissociate at least one route (and then either replace the association or delete it completely).

$ aws ec2 disassociate-route-table --association-id rtbassoc-064611555f45f4ace
$ aws ec2 disassociate-route-table --association-id rtbassoc-030af166ccd8a8851
$ aws ec2 delete-route-table --route-table-id rtb-0eeb89739fac403a5

@bflad
Contributor

bflad commented Jul 31, 2019

The aws_route_table_association resource has been updated to support resource import as well as allow subnet_id updates in-place via replacement. This will release in version 2.22.0 of the Terraform AWS Provider, tomorrow. 👍 Thanks to @YakDriver for the implementation.

@ghost

ghost commented Aug 1, 2019

This has been released in version 2.22.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019