Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS Client VPN Resource Timeouts are too low #23787

Closed
jalavoy opened this issue Mar 21, 2022 · 4 comments · Fixed by #30552
Closed

AWS Client VPN Resource Timeouts are too low #23787

jalavoy opened this issue Mar 21, 2022 · 4 comments · Fixed by #30552
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. timeouts Pertains to timeout increases.
Milestone
v4.63.0

Comments

@jalavoy
Copy link
Contributor

jalavoy commented Mar 21, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform: 1.1.7
AWS Provider Version: 4.5.0

Affected Resource(s)

  • aws_ec2_client_vpn_authorization_rule
  • aws_ec2_client_vpn_route

Terraform Configuration Files

resource "aws_ec2_client_vpn_authorization_rule" "remote" {
  for_each               = { for role in local.roles : "${role.role}-${role.cidr}" => role }
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  target_network_cidr    = each.value.cidr
  access_group_id        = each.value.role
  description            = "${each.value.role}-${each.value.cidr}"
}

resource "aws_ec2_client_vpn_route" "route_1" {
  for_each               = toset(var.peer_cidrs)
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  destination_cidr_block = each.value
  target_vpc_subnet_id   = tolist(module.base_infrastructure_state.private_subnet_ids)[0]
}

Expected Behavior

Resources would be created/deleted cleanly. Timeout needs to be raised on these resources to 2 minutes or more. This can be done in hcl, but the default should be increased.

Actual Behavior

The timeout on these resources is hard coded to 1m. In my tests, creating and destroying these resources can take anywhere from 50-75 seconds. So about half the time the transaction fails. Which results in tainted resources that have to be destroyed and created again. When you have a number of routes/auth rules, this basically can never complete successfully.

Steps to Reproduce

  1. terraform apply

Important Factoids

Raising this value with the timeouts metadata block to 2m solved this issue for me.

  • #0000
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/ec2 Issues and PRs that pertain to the ec2 service. labels Mar 21, 2022
@justinretzolk justinretzolk added enhancement Requests to existing resources that expand the functionality or scope. timeouts Pertains to timeout increases. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 21, 2022
@nitrocode
Copy link
Contributor

Previous possibly related issues

rpadovani added a commit to rpadovani/terraform-aws-ec2-client-vpn that referenced this issue Apr 21, 2022
@rpadovani
Add longer timeouts to aws_ec2_client_vpn_route
000177c 
Default timeout for `aws_ec2_client_vpn_route` is 1 minute for all operations.

Trying to attach routes in `eu-central-1` for a peered VPC, it constantly fails with:

```
│ Error: error waiting for EC2 Client VPN Route (cvpn-endpoint-xxx,subnet-yyy,10.100.0.0/16) create: timeout while waiting for state to become 'active' (last state: 'creating', timeout: 1m0s)
│ 
│   with module.ec2_client_vpn[0].aws_ec2_client_vpn_route.default[0],
│   on .terraform/modules/ec2_client_vpn/main.tf line 242, in resource "aws_ec2_client_vpn_route" "default":
│  242: resource "aws_ec2_client_vpn_route" "default" {
```

and 

```
│ Error: error waiting for EC2 Client VPN Route (cvpn-endpoint-xxx,subnet-yyy,10.100.0.0/16) delete: timeout while waiting for resource to be gone (last state: 'deleting', timeout: 1m0s)
```

With this commit, we increment the timeout to 5 minutes. In my experiments, the route is always available in around 90 seconds. 5 minutes gives us plenty of time, and still is not too long to wait in case of problems.

Upstream issue: hashicorp/terraform-provider-aws#23787

I think fixing here is good, until we wait for an upstream improvement, because I am currently blocked
@rpadovani rpadovani mentioned this issue Apr 21, 2022
Merged
@asaf400
Copy link
Contributor

asaf400 commented Apr 9, 2023
edited
Loading

I created PR #30552

@asaf400 asaf400 mentioned this issue Apr 9, 2023
Merged
@github-actions github-actions bot added this to the v4.63.0 milestone Apr 10, 2023
@github-actions
Copy link

This functionality has been released in v4.63.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 15, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service. timeouts Pertains to timeout increases.
Projects
None yet
Milestone
v4.63.0
Development

Successfully merging a pull request may close this issue.

Update default timeout for aws_ec2_client_vpn_route asaf400/terraform-provider-aws
4 participants
@jalavoy @nitrocode @asaf400 @justinretzolk