AWS VPC resource is recreated if the IP does not match exactly #2340

Closed
hackaugusto opened this issue Jun 14, 2015 · 5 comments · Fixed by #2514

@hackaugusto

A network block 10.01 forces the resource to be recreated where a block 10.1 does not.

I used a variable to configure the network block, based on the configuration cloudfoundry-community/terraform-aws-vpc; here is the minimum example:

```hcl
variable "aws_access_key_id" {}
variable "aws_secret_access_key" {}
variable "aws_network_block" {}

provider "aws" {
    access_key = "${var.aws_access_key_id}"
    secret_key = "${var.aws_secret_access_key}"
    region = "us-west-2"
}

resource "aws_vpc" "default" {
    cidr_block = "${var.aws_network_block}.0.0/16"
    enable_dns_hostnames = "true"
}
```
```
$ terraform plan -var 'aws_network_block=10.01'
+ aws_vpc.default
    cidr_block:                "" => "10.01.0.0/16"
    default_network_acl_id:    "" => "<computed>"
    default_security_group_id: "" => "<computed>"
    dhcp_options_id:           "" => "<computed>"
    enable_dns_hostnames:      "" => "1"
    enable_dns_support:        "" => "<computed>"
    main_route_table_id:       "" => "<computed>"

$ terraform apply -var 'aws_network_block=10.01'
aws_vpc.default: Creating...
  cidr_block:                "" => "10.01.0.0/16"
  default_network_acl_id:    "" => "<computed>"
  default_security_group_id: "" => "<computed>"
  dhcp_options_id:           "" => "<computed>"
  enable_dns_hostnames:      "" => "1"
  enable_dns_support:        "" => "<computed>"
  main_route_table_id:       "" => "<computed>"
aws_vpc.default: Creation complete

$ terraform plan -var 'aws_network_block=10.01'
Refreshing Terraform state prior to plan...
aws_vpc.default: Refreshing state... (ID: vpc-32ab3c57)

-/+ aws_vpc.default
    cidr_block:                "10.1.0.0/16" => "10.01.0.0/16" (forces new resource)
    default_network_acl_id:    "acl-c81281ad" => "<computed>"
    default_security_group_id: "sg-9209e2f6" => "<computed>"
    dhcp_options_id:           "dopt-9e48bdfb" => "<computed>"
    enable_dns_hostnames:      "true" => "1"
    enable_dns_support:        "" => "<computed>"
    main_route_table_id:       "rtb-c243dba7" => "<computed>"

$ terraform plan -var 'aws_network_block=10.1'
Refreshing Terraform state prior to plan...

aws_vpc.default: Refreshing state... (ID: vpc-32ab3c57)

No changes. Infrastructure is up-to-date. ...
```

Note: I'm using a slightly out-of-date version, v0.5.2 instead of v0.5.3

@hackaugusto hackaugusto changed the title Resource is recreated if the IP does not match exactly AWS VPC resource is recreated if the IP does not match exactly Jun 14, 2015
@radeksimko
Member

Hi @hackaugusto
(excuse maybe my lack of knowledge in the networking area)
those leading zeros in the CIDR definition, is that any standard format - i.e. is there any reason why we should support that except because AWS ignores these zeros and just replies back with the "standard" format?

@hackaugusto
Author

@radeksimko not that I'm aware of.

I opened the issue because it took me some time to realize what was going on. Every time I executed terraform it recreated everything that depended upon the vpc, the vpc itself, subnets, security groups, gateway, the instances.

@radeksimko
Member

There's an upcoming feature for field validation and we could build a validation for IP CIDRs which would effectively mean that each time you'd enter CIDR with leading zeros into a field that has this validation, Terraform would not execute anything and let you fix that first.

Does that sound like a solution?
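
A sketch of the kind of plan-time check proposed above, as an added example that is not part of the original thread and not Terraform's own validator: it accepts a CIDR only when it already matches the form the API echoes back, so a value like `10.01.0.0/16` fails before any resource is touched instead of producing a perpetual "forces new resource" diff. The function name `validateCIDR` is hypothetical, and the host-bits case goes slightly beyond the leading-zero case reported here.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// validateCIDR is a hypothetical helper, not Terraform's validator. It accepts
// a CIDR only if it is already in the canonical form the API would echo back.
func validateCIDR(s string) error {
	parts := strings.SplitN(s, "/", 2)
	if len(parts) != 2 {
		return fmt.Errorf("%q: missing /prefix", s)
	}
	// Explicit IPv4 octet check: Go 1.17+ rejects leading zeros in ParseCIDR,
	// older releases accept them, so the parser alone is not a stable gate.
	if !strings.Contains(parts[0], ":") {
		for _, octet := range strings.Split(parts[0], ".") {
			if len(octet) > 1 && octet[0] == '0' {
				return fmt.Errorf("%q: octet %q has a leading zero", s, octet)
			}
		}
	}
	_, network, err := net.ParseCIDR(s)
	if err != nil {
		return fmt.Errorf("%q: %v", s, err)
	}
	// Catches anything else that would round-trip differently, such as host
	// bits set below the prefix (10.1.2.3/16 normalizes to 10.1.0.0/16).
	if canonical := network.String(); canonical != s {
		return fmt.Errorf("%q is not canonical, expected %q", s, canonical)
	}
	return nil
}

func main() {
	// Constructed inputs; the first two are the values from the report above.
	for _, c := range []string{"10.1.0.0/16", "10.01.0.0/16", "10.1.2.3/16"} {
		if err := validateCIDR(c); err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("ok:    ", c)
	}
}
```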

@hackaugusto
Author

@radeksimko Thx for the fix!

@ghost

ghost commented May 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators May 1, 2020