Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VPC Update Causing Cloud WAN Attachment Replacement #162

Open
Drewster727 opened this issue Oct 29, 2024 · 1 comment · May be fixed by #163
Open

VPC Update Causing Cloud WAN Attachment Replacement #162

Drewster727 opened this issue Oct 29, 2024 · 1 comment · May be fixed by #163

Comments

@Drewster727
Copy link

Drewster727 commented Oct 29, 2024

Release 4.4.3

Hello Team,

We're running into an issue on the latest version where if we make changes to the primary vpc module reference (that creates the VPC) and then create a secondary CIDR range with Cloud WAN in a separate vpc module reference, that it wants to recreate the Cloud WAN / Network Manager VPC attachment after initial apply with subsequent changes.

For example, you can use the code snippet (below in Code Snippet section) and leave off the public subnets. Terraform apply it, then add the public subnets or make some sort of small change, and all of a sudden it wants to additionally recreate the network manager vpc attachment, because it thinks the vpc_arn has changed... However, nothing else has changed that would cause the VPC ARN to change, the same VPC is being used.

Steps to reproduce:

  1. Using Code Snippet (below), comment out public subnets
  2. terraform apply
  3. Uncomment public subnets
  4. terraform apply --> this will cause the cwan attachment replacement, which should not happen

There are likely many more scenarios where a change to the main vpc module reference causes this same behavior.

Plan/Apply Output:

...
other tf changes hidden to condense the output
...
# module.vpc_cwan.aws_networkmanager_vpc_attachment.cwan[0] must be replaced
-/+ resource "aws_networkmanager_vpc_attachment" "cwan" {
      ~ arn                           = "arn:aws:networkmanager::<redacted>:attachment/attachment-<redacted>" -> (known after apply)
      ~ attachment_policy_rule_number = 0 -> (known after apply)
      ~ attachment_type               = "VPC" -> (known after apply)
      ~ core_network_arn              = "arn:aws:networkmanager::<redacted>:core-network/core-network-<redacted>" -> (known after apply)
      ~ edge_location                 = "us-east-1" -> (known after apply)
      ~ id                            = "attachment-<redacted>" -> (known after apply)
      ~ owner_account_id              = "<redacted>" -> (known after apply)
      ~ resource_arn                  = "arn:aws:ec2:us-east-1:<redacted>:vpc/vpc-<redacted>" -> (known after apply)
      + segment_name                  = (known after apply)
      ~ state                         = "AVAILABLE" -> (known after apply)
        tags                          = {
            "Name"    = "cwan-vpc_attachment"
            "segname" = "prod"
        }
      ~ vpc_arn                       = "arn:aws:ec2:us-east-1:<redacted>:vpc/vpc-<redacted>" -> (known after apply) # forces replacement
        # (3 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Code Snippet:

module "vpc" {
  source  = "aws-ia/vpc/aws"
  version = ">= 4.4.3"

  name                                 = module.name_prefix.id
  cidr_block                         = "10.0.0.1/16"
  vpc_assign_generated_ipv6_cidr_block = false
  azs                                  = ["us-east-1a", "us-east-1b", "us-east-1c"]

  subnets = {
    private = {
      name_prefix               = "private"
      netmask                      = 26
      connect_to_public_natgw = true
    }
    public = {
      name_prefix               = "public"
      netmask                     = 26
      nat_gateway_configuration = "single_az"
    }
  }
}

module "vpc_cwan" {
  source  = "aws-ia/vpc/aws"
  version = ">= 4.4.3"

  name               = "cwan"
  vpc_id             = module.vpc.vpc_attributes.id
  create_vpc         = false
  cidr_block         = "192.168.0.1/24"
  vpc_secondary_cidr = true
  azs                = ["us-east-1a", "us-east-1b", "us-east-1c"]

  core_network = {
    id  = "xyz" #redacted
    arn = "xyz" #redacted
  }
  core_network_routes = {}

  subnets = {
    core_network = {
      name_prefix            = "cwan"
      netmask                 = 26
      appliance_mode_support = true
      tags = {
        segname = "prod"
      }
    }
  }

  depends_on = [module.vpc]
}

I noticed that the aws_networkmanager_vpc_attachment resource in the code is referencing local.vpc.arn:
https://github.com/aws-ia/terraform-aws-vpc/blob/8adf507bbddb5d959fc63cb894f40afc9d9f4405/data.tf#L92C3-L92C71

vpc        = var.create_vpc ? aws_vpc.main[0] : data.aws_vpc.main[0]

It must be that the data.aws_vpc resource is signaling that the value is potentially changing.

Any thoughts on how we can avoid this? We cannot have CWAN attachments getting dropped, as it forces a manual approval on the Network Manager side to allow it to attach again and could be disruptive to connectivity while it is re-associating to the core network.

Thanks!

@Drewster727 Drewster727 linked a pull request Oct 31, 2024 that will close this issue
@pablo19sc
Copy link
Collaborator

Hi @Drewster727 thanks for your feedback! Let us check your comment and come back to you with a fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants