awscc_ec2_vpc resource and state don't converge

[mattburgess]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

$ terraform -v
Terraform v1.9.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/awscc v1.9.0

Affected Resource(s)

• awscc_ec2_vpc

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_ec2_vpc" "this" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
}

Debug Output

2024-08-11T21:47:41.097+0100 [WARN]  Provider "registry.terraform.io/hashicorp/awscc" produced an unexpected new value for awscc_ec2_vpc.this during refresh.
      - .enable_dns_hostnames: was cty.True, but now null

Panic Output

Expected Behavior

A single terraform apply should persist accurate resource state; a 2nd terraform apply should show no drift

Actual Behavior

Subsequent terraform apply runs show perpetual diffs.

Steps to Reproduce

1. terraform apply

   Terraform will perform the following actions:
   
     # awscc_ec2_vpc.this will be created
     + resource "awscc_ec2_vpc" "this" {
         + cidr_block              = "10.0.0.0/16"
         + cidr_block_associations = (known after apply)
         + default_network_acl     = (known after apply)
         + default_security_group  = (known after apply)
         + enable_dns_hostnames    = true
         + enable_dns_support      = (known after apply)
         + id                      = (known after apply)
         + instance_tenancy        = (known after apply)
         + ipv_4_ipam_pool_id      = (known after apply)
         + ipv_4_netmask_length    = (known after apply)
         + ipv_6_cidr_blocks       = (known after apply)
         + tags                    = (known after apply)
         + vpc_id                  = (known after apply)
       }
      ...
      Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

2. terraform plan

   ...
   Terraform will perform the following actions:
   
     # awscc_ec2_vpc.this will be updated in-place
     ~ resource "awscc_ec2_vpc" "this" {
         + default_network_acl     = (known after apply)
         + default_security_group  = (known after apply)
         + enable_dns_hostnames    = true
         + enable_dns_support      = (known after apply)
           id                      = "vpc-0f54385984cc45709"
         + ipv_4_ipam_pool_id      = (known after apply)
         + ipv_4_netmask_length    = (known after apply)
         + ipv_6_cidr_blocks       = (known after apply)
         + tags                    = (known after apply)
           # (4 unchanged attributes hidden)
       }
   
   Plan: 0 to add, 1 to change, 0 to destroy.

3. terraform apply

   ...
   Plan: 0 to add, 1 to change, 0 to destroy.
   ...
   Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
   

Important Factoids

References

• vpc default values do not persist after create() #301 looks similar, but not exactly the same; with default values then convergence happens.

[mattburgess]

This was actually caused by the fact that my user didn't have the ec2:DescribeVpcAttribute permission, but that doesn't get surfaced as an error by the provider. I found this out by trying to create a VPC with the aws provider, which did surface the 403 as an error.

[quixoticmonk]

Thank you for opening the issue @mattburgess . I can confirm the behavior with the cloudcontrol api in this case as well. Researching this.