[Bug]: Provider crashes when provisioning or importing IPAM CIDRs #27424

Closed
iwt-pjost opened this issue Oct 24, 2022 · 5 comments · Fixed by #27512
Labels
bug Addresses a defect in current functionality. crash Results from or addresses a Terraform crash or kernel panic. service/ipam Issues and PRs that pertain to the ipam service.

Comments

@iwt-pjost

Terraform Core Version

1.3.3

AWS Provider Version

4.35.0

Affected Resource(s)

aws_vpc_ipam_pool_cidr

Expected Behavior

I expected the pool to be created without errors

  + resource "aws_vpc_ipam_pool_cidr" "foo" {
      + cidr         = "10.10.10.10/10"
      + id           = (known after apply)
      + ipam_pool_id = "ipam-pool-bar"
    }

And here I expected the pool to be imported if it exists

terraform import "aws_vpc_ipam_pool_cidr.foo[\"10.10.10/10\"]" "10.10.10./10_ipam-pool-bar"

Actual Behavior

Output when creating the resource

Error: Plugin did not respond
│ 
│   with aws_vpc_ipam_pool_cidr.level_1["10.10.10./10"],
│   on main.tf line 83, in resource "aws_vpc_ipam_pool_cidr" "foo":
│   83: resource "aws_vpc_ipam_pool_cidr" "fo" {
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The
│ plugin logs may contain more details.
╵

╷
│ Error: Error provisioning CIDR in IPAM pool (ipam-pool-bar): IncorrectState: The specified action is not valid for ipam-pool-bar. The CIDR 10.10.10./10 is in an invalid state.
│ 	status code: 400, request id: 95fe7534-0r0r-4c4c-9d9d-ccea1c1fd5d1
│ 
│   with aws_vpc_ipam_pool_cidr.foo["10.10.10./10"],
│   on main.tf line 83, in resource "aws_vpc_ipam_pool_cidr" "foo":
│   83: resource "aws_vpc_ipam_pool_cidr" "foo" {
│ 


The good news is that Terraform actually created the pool. Everything is fine and as desired. When checking the pool I get:

{
  "IpamPoolCidrs": [
    {
      "Cidr": "10.10.10./10",
      "State": "provisioned",
      "FailureReason": null
    },

so I thought I could just import the existing resource but when I try to import it I get the message:


│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "aws_vpc_ipam_pool_cidr.foo[\"10.10.10./10\"]", the provider detected that no object exists with the given id. Only pre-existing objects can be imported; check that the
│ id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
╵

So now I am stuck and will probably have to edit the state JSON directly so that TF can continue working.

Relevant Error/Panic Output Snippet

Stack trace from the terraform-provider-aws_v4.35.0_x5 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x66b670a]

goroutine 3500 [running]:
github.com/hashicorp/terraform-provider-aws/internal/service/ec2.statusIPAMPoolCIDRStatus.func1()
	github.com/hashicorp/terraform-provider-aws/internal/service/ec2/ipam_pool_cidr.go:253 +0x2a
github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource.(*StateChangeConf).WaitForStateContext.func1()
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.23.0/helper/resource/state.go:110 +0x207
created by github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource.(*StateChangeConf).WaitForStateContext
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.23.0/helper/resource/state.go:83 +0x1d8

Error: The terraform-provider-aws_v4.35.0_x5 plugin crashed!

Terraform Configuration Files

resource "aws_vpc_ipam_pool_cidr" "foo" {
  cidr         = "10.10.10./10"
  ipam_pool_id = "ipam-pool-bar"
}

Steps to Reproduce

  1. Have a pre-existing IPAM pool with already provisioned CIDRs
  2. Try to provision additional CIDRs to the pool using terraform apply.

Other option

  1. Provision a CIDR in a pool
  2. Import it using the import command terraform import "aws_vpc_ipam_pool_cidr.foo[\"10.10.10./10\"]" 10.10.10./10_ipam-pool-bar

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response

@iwt-pjost iwt-pjost added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Oct 24, 2022
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added crash Results from or addresses a Terraform crash or kernel panic. service/ipam Issues and PRs that pertain to the ipam service. labels Oct 24, 2022
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Oct 24, 2022
@ewbankkit
Contributor

ewbankkit commented Oct 24, 2022

func statusIPAMPoolCIDRStatus(conn *ec2.EC2, id string) resource.StateRefreshFunc {
	return func() (interface{}, string, error) {
		output, _, err := FindIPAMPoolCIDR(conn, id)
		// there was an unhandled error in the Finder
		if err != nil {
			return nil, "", err
		}
		return output, aws.StringValue(output.State), nil
	}
}

func FindIPAMPoolCIDR(conn *ec2.EC2, id string) (*ec2.IpamPoolCidr, string, error) {
	cidr_block, pool_id, err := DecodeIPAMPoolCIDRID(id)
	if err != nil {
		return nil, "", fmt.Errorf("error decoding ID (%s): %w", cidr_block, err)
	}
	input := &ec2.GetIpamPoolCidrsInput{
		IpamPoolId: aws.String(pool_id),
		Filters: []*ec2.Filter{
			{
				Name:   aws.String("cidr"),
				Values: aws.StringSlice([]string{cidr_block}),
			},
		},
	}
	output, err := conn.GetIpamPoolCidrs(input)
	if err != nil {
		return nil, "", err
	}
	if output == nil || len(output.IpamPoolCidrs) == 0 || output.IpamPoolCidrs[0] == nil {
		return nil, "", nil
	}
	return output.IpamPoolCidrs[0], pool_id, nil
}

Needs better error handling (via NotFoundError) when output is nil.

@iwt-pjost
Author

Update:
I just thought that, if we have to wait for a fix, I can just manipulate the state and add the existing resources into the terraform.tfstate file manually. Not the nicest way, but in the end it's just JSON.
So I changed the state to a local version, so that I don't accidentally break the live state of our code, and added it to the state. But even with the resource in the state, Terraform still tries to create the resource.
Is this a pagination issue? Is the pool (99 CIDRs) too big for Terraform because it tries to paginate through the pools and stops at page xxx?

Right now the current state of things is:

  • I can't create the pools because they already exist and the plugin just keeps crashing,
  • I can't import it using terraform import, because TF will tell me the resource does not exist,
  • I can't edit the state manually because TF will still try to create the resource even if it is in the state file.

Feeling kinda stuck here

@ewbankkit
Contributor

@iwt-pjost I think you are correct in your hypothesis that it's a pagination issue. #27051 introduced pagination for the aws_vpc_ipam_pool_cidrs data source and we need to use that functionality for the aws_vpc_ipam_pool_cidr resource.

We are aiming to get this fixed for today's Terraform AWS Provider release.
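
The two points raised in this thread, a finder that returns nil with no error so that the status function dereferences it, and the pagination hypothesis for pools with many CIDRs, can be modelled without the AWS SDK. The following Go code is an added example, not the provider's code or the change merged in #27512; PoolCIDR, fetchFunc, ErrNotFound, findPoolCIDR, statusPoolCIDR and twoPages are hypothetical names, and the sample CIDRs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins, not AWS SDK or provider names: PoolCIDR for
// ec2.IpamPoolCidr, fetchFunc for one paged call, ErrNotFound for NotFoundError.
type PoolCIDR struct{ Cidr, State string }
type fetchFunc func(token string) (items []*PoolCIDR, next string, err error)
var ErrNotFound = errors.New("IPAM pool CIDR not found")

// findPoolCIDR follows next tokens across all pages; it never returns (nil, nil).
func findPoolCIDR(fetch fetchFunc, cidr string) (*PoolCIDR, error) {
	for token := ""; ; {
		items, next, err := fetch(token)
		if err != nil {
			return nil, err
		}
		for _, c := range items {
			if c != nil && c.Cidr == cidr {
				return c, nil
			}
		}
		if token = next; token == "" {
			return nil, fmt.Errorf("%w: %s", ErrNotFound, cidr)
		}
	}
}

// statusPoolCIDR is shaped like a StateRefreshFunc: a missing CIDR yields a nil result and empty state.
func statusPoolCIDR(fetch fetchFunc, cidr string) (interface{}, string, error) {
	out, err := findPoolCIDR(fetch, cidr)
	if errors.Is(err, ErrNotFound) {
		return nil, "", nil
	}
	if err != nil {
		return nil, "", err
	}
	return out, out.State, nil
}

func twoPages(token string) ([]*PoolCIDR, string, error) { // constructed fake API
	if token == "" {
		return []*PoolCIDR{{"10.0.0.0/24", "provisioned"}}, "page2", nil
	}
	return []*PoolCIDR{{"10.0.1.0/24", "provisioned"}}, "", nil
}
func main() { fmt.Println(statusPoolCIDR(twoPages, "10.0.1.0/24")) }
```

A lookup that stopped after the first page would report 10.0.1.0/24 as missing even though it is provisioned, which matches the "Cannot import non-existent remote object" symptom described above.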

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 27, 2022