I have imported an aws_vpn_connection using tf 1.5 and aws provider 5.70. After the import, running tf plan always shows planned changes, and apply does not fix this:
Terraform will perform the following actions:
# module.gcp_non_prod_with_aws_default.aws_vpn_connection.this will be updated in-place
~ resource "aws_vpn_connection" "this" {
id = "vpn-ID"
tags = {
"Name" = "my vpn name"
}
~ tunnel2_ike_versions = [
- "ikev1",
- "ikev2",
]
~ tunnel2_phase1_dh_group_numbers = [
- 2,
- 14,
- 15,
- 16,
- 17,
- 18,
- 19,
- 20,
- 21,
- 22,
- 23,
- 24,
]
~ tunnel2_phase1_encryption_algorithms = [
- "AES128",
- "AES128-GCM-16",
- "AES256",
- "AES256-GCM-16",
]
~ tunnel2_phase1_integrity_algorithms = [
- "SHA1",
- "SHA2-256",
- "SHA2-384",
- "SHA2-512",
]
~ tunnel2_phase2_dh_group_numbers = [
- 2,
- 5,
- 14,
- 15,
- 16,
- 17,
- 18,
- 19,
- 20,
- 21,
- 22,
- 23,
- 24,
]
~ tunnel2_phase2_encryption_algorithms = [
- "AES128",
- "AES128-GCM-16",
- "AES256",
- "AES256-GCM-16",
]
~ tunnel2_phase2_integrity_algorithms = [
- "SHA1",
- "SHA2-256",
- "SHA2-384",
- "SHA2-512",
]
# (49 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
When I look at the Terraform state (via show), the settings are the same for tunnel 1 and 2. But in the AWS console, the settings are different: whereas tunnel 1 shows Default for all settings, tunnel 2 has some settings with specific values. E.g. the tunnel 1 IKE version says Default in the console and is an empty list in state; the tunnel 2 IKE version says ike1, ike2 in the console and is an empty list in state. I think that's the reason, but I don't know how to fix this other than re-creating the connection. But then I would have to use the same pre-shared key, which means storing it in a safe place (probably an AWS secret) etc., which is quite a pain, or let AWS create a new pre-shared key, but then the customer gateway will have to be edited.