Terraform aws_vpn_connection updated in-place but no modified arguments

tbrosillon · October 9, 2023, 12:28pm

Hello,

Importing aws_vpn_connection using import block:

import {
  to = module.hard_network.aws_vpn_connection.site2_site_vpn[0]
  id = "vpn-xxx"
}

then after plan:

# module.hard_network.aws_vpn_connection.site2_site_vpn[0] will be updated in-place
  # (imported from "vpn-xxx")
  ~ resource "aws_vpn_connection" "site2_site_vpn" {
        arn                                     = "arn:aws:ec2:xxx:xxx:vpn-connection/vpn-xxx"
        customer_gateway_configuration          = (sensitive value)
        customer_gateway_id                     = "cgw-xxx"
        enable_acceleration                     = false
        id                                      = "vpn-xxx"
        local_ipv4_network_cidr                 = "0.0.0.0/0"
        outside_ip_address_type                 = "PublicIpv4"
        remote_ipv4_network_cidr                = "0.0.0.0/0"
        routes                                  = []
        static_routes_only                      = true
        tags                                    = {
            "Name" = "vpn"
        }
        transit_gateway_attachment_id           = "tgw-attach-xxx"
        transit_gateway_id                      = "tgw-xxx"
        tunnel1_address                         = "xxx"
        tunnel1_bgp_holdtime                    = 0
        tunnel1_cgw_inside_address              = "xxxx"
        tunnel1_dpd_timeout_seconds             = 0
        tunnel1_enable_tunnel_lifecycle_control = false
        tunnel1_ike_versions                    = []
        tunnel1_inside_cidr                     = "xxx"
        tunnel1_phase1_dh_group_numbers         = []
        tunnel1_phase1_encryption_algorithms    = []
        tunnel1_phase1_integrity_algorithms     = []
        tunnel1_phase1_lifetime_seconds         = 0
        tunnel1_phase2_dh_group_numbers         = []
        tunnel1_phase2_encryption_algorithms    = []
        tunnel1_phase2_integrity_algorithms     = []
        tunnel1_phase2_lifetime_seconds         = 0
        tunnel1_preshared_key                   = (sensitive value)
        tunnel1_rekey_fuzz_percentage           = 0
        tunnel1_rekey_margin_time_seconds       = 0
        tunnel1_replay_window_size              = 0
        tunnel1_vgw_inside_address              = "xxx"
        tunnel2_address                         = "xxx"
        tunnel2_bgp_holdtime                    = 0
        tunnel2_cgw_inside_address              = "xxx"
        tunnel2_dpd_timeout_seconds             = 0
        tunnel2_enable_tunnel_lifecycle_control = false
        tunnel2_ike_versions                    = []
        tunnel2_inside_cidr                     = "xxx"
        tunnel2_phase1_dh_group_numbers         = []
        tunnel2_phase1_encryption_algorithms    = []
        tunnel2_phase1_integrity_algorithms     = []
        tunnel2_phase1_lifetime_seconds         = 0
        tunnel2_phase2_dh_group_numbers         = []
        tunnel2_phase2_encryption_algorithms    = []
        tunnel2_phase2_integrity_algorithms     = []
        tunnel2_phase2_lifetime_seconds         = 0
        tunnel2_preshared_key                   = (sensitive value)
        tunnel2_rekey_fuzz_percentage           = 0
        tunnel2_rekey_margin_time_seconds       = 0
        tunnel2_replay_window_size              = 0
        tunnel2_vgw_inside_address              = "xxx"
        tunnel_inside_ip_version                = "ipv4"
        type                                    = "ipsec.1"
        vgw_telemetry                           = [
            {
                accepted_route_count = 0
                certificate_arn      = ""
                last_status_change   = "2023-09-18T19:54:30Z"
                outside_ip_address   = "xxx"
                status               = "UP"
                status_message       = ""
            },
            {
                accepted_route_count = 0
                certificate_arn      = ""
                last_status_change   = "2023-10-02T19:58:40Z"
                outside_ip_address   = "xxx"
                status               = "UP"
                status_message       = ""
            },
        ]
        tunnel1_log_options {
            cloudwatch_log_options {
                log_enabled = false
            }
        }
        tunnel2_log_options {
            cloudwatch_log_options {
                log_enabled = false
            }
        }
    }

terraform wants to update the aws_vpn_connection but we don’t know why as no resource arguments seems modified

Thank you your help!

tbrosillon · October 10, 2023, 7:40am

Using terraform import command instead of import block, plan produces:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.hard_network.aws_vpn_connection.site2_site_vpn will be updated in-place
  ~ resource "aws_vpn_connection" "site2_site_vpn" {
        id                                      = "xxx"
        tags                                    = {
            "Name" = "xxx"
        }
        # (54 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.hard_network.aws_vpn_connection.site2_site_vpn_syslog will be updated in-place
  ~ resource "aws_vpn_connection" "site2_site_vpn_syslog" {
        id                                      = "xxx"
        tags                                    = {
            "Name" = "xxx"
        }
        # (55 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

same problem. I am not confident executing apply.

Thanks!