
[Bug]: Error deleting EC2 Network ACL rule on a destroying plan #34462

Closed
cristhianramirezp opened this issue Nov 17, 2023 · 4 comments · Fixed by #36326
Labels
bug Addresses a defect in current functionality. service/vpc Issues and PRs that pertain to the vpc service.
Comments


cristhianramirezp commented Nov 17, 2023

Terraform Core Version

1.5.2

AWS Provider Version

5.15.0

Affected Resource(s)

aws_network_acl

Expected Behavior

It is expected in normal behavior that resources are destroyed naturally without problems.

Actual Behavior

After several tests with Atlantis and running Terraform locally in the container, we came to the conclusion that there is an ongoing issue with the assume_role functionality which is causing conflicts with the API calls during a destroy.

Relevant Error/Panic Output Snippet

Error: deleting EC2 Network ACL Rule (nacl-1694042272): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: 712e8f7c-1af0-49fc-88ed-80ad872d27ee


Error: deleting EC2 Network ACL Rule (nacl-3020242703): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 5db7bfbd-9724-4f7a-af45-9bd5cafcb5ff


Error: deleting EC2 Network ACL Rule (nacl-1580390254): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 3dac6bfd-e0c9-4401-8175-568d3ce20c25


Error: deleting EC2 Network ACL Rule (nacl-567060021): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: 379c56ab-1953-4376-982d-434d9bc28725


Error: deleting EC2 Network ACL Rule (nacl-1784939737): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: ce775ff3-7cf0-45f9-908c-07f009e0c787


Error: deleting EC2 Network ACL Rule (nacl-1618479453): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 291e84ef-8f41-4e24-a7a8-00a8e4b6307d


Error: deleting EC2 Network ACL Rule (nacl-1158746755): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: ba264dfc-c2c1-4da7-b489-3a60d0395fc3


Error: reading Route Table (rtb-0afc7c6af0ac17aff): couldn't find resource


Error: deleting EC2 Network ACL Rule (nacl-504181882): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: b87c9291-784f-4419-8d6c-997c7e3d42bb


Error: deleting EC2 Network ACL Rule (nacl-2667639172): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: 63915ef5-0044-46c7-be47-b44cf422ed3a


Error: deleting EC2 Network ACL Rule (nacl-77970923): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: d8217b60-1976-45ab-bbb3-de6f73d6bc77


Error: deleting EC2 Network ACL Rule (nacl-2102757307): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: 74d31e5a-0dbc-4eaa-8cf1-fe2f127b201b


Error: deleting EC2 Network ACL Rule (nacl-1669214754): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 36df7a25-61f8-45e4-9d61-6653313cab78


Error: deleting EC2 Network ACL Rule (nacl-2617690875): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: f9802deb-42f7-4343-9490-4b5e5a22ab6a


Error: deleting EC2 Network ACL Rule (nacl-3070428272): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 587a1a61-e317-410a-9535-08950831b40b


Error: deleting EC2 Network ACL Rule (nacl-2868069035): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: 4f3c02f9-a10c-4448-ac0a-c0f2a4d01faf


Error: deleting EC2 Network ACL Rule (nacl-919680070): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 93a1bdce-e200-4944-af54-ebc7f9c99d03


Error: deleting EC2 Network ACL Rule (nacl-1555930520): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 36af51a1-85b0-4df7-9150-31f7fc2b6936


Error: deleting EC2 Network ACL Rule (nacl-1632700933): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: dfe38001-d97b-4aef-80ea-6f8dde283980


Error: reading Route Table (rtb-06b8b2e624fac003a): couldn't find resource


Error: deleting EC2 Network ACL Rule (nacl-749094943): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: ac4fe209-3bc6-4b89-93ef-b374fe37b0d2


Error: deleting EC2 Network ACL Rule (nacl-1480499600): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: b671481a-e6e5-47ff-88d9-3776db36cb8b


Error: reading Route Table (rtb-0c4ccb6ff0248a44e): couldn't find resource


Error: deleting EC2 Network ACL Rule (nacl-2806277308): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 59ddced6-dcf7-470b-9d1d-cabece729241


Error: deleting EC2 Network ACL Rule (nacl-3231569536): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 1cbec716-64d8-4963-88f5-3de966d5d38b


Error: deleting EC2 Network ACL Rule (nacl-1831454636): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 73c6ba40-ff45-4a69-aaf8-ff21ac657938


Error: deleting EC2 Network ACL Rule (nacl-1452114189): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 69a4040f-04e3-4155-a3b6-ffd2db7c75b8


Error: reading Route Table (rtb-00aa8212ce161edbf): couldn't find resource


Error: deleting EC2 Network ACL Rule (nacl-2637154723): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 58d6b029-1bbe-4b99-909a-75d261eb0289


Error: deleting EC2 Network ACL Rule (nacl-3459936132): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 8ca39a25-acdc-422b-9c03-f5604a0736e8


Error: deleting EC2 Network ACL Rule (nacl-4175134285): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: f92c9ad2-1c53-407a-b3e1-4e77e1bb18d4


Error: deleting EC2 Network ACL Rule (nacl-799044448): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 294765b6-ce17-45d8-b609-0fe4a324d1c2


Error: reading Route Table (rtb-0e380ad24179884ec): couldn't find resource


Error: reading Route Table (rtb-0a4324846b22c67ce): couldn't find resource


Error: deleting EC2 Network ACL Rule (nacl-1530436335): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: b8250a8d-a7d8-400f-9f01-e6fc3d6add72


Error: deleting EC2 Network ACL Rule (nacl-3315047169): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: a9c07d10-242c-4707-bc3a-3dd63e6cadf5


Error: deleting EC2 Network ACL Rule (nacl-2242410517): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: a2811057-8a61-4a66-851d-87c5c5af2ae5


Error: deleting EC2 Network ACL Rule (nacl-4249510342): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: d5c3ead6-c8d1-4e5a-bd17-0b8aba10d219


Error: deleting EC2 Network ACL Rule (nacl-20226656): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: 01afcdb5-5dcc-4f5d-a806-ccd5b40cc804


Error: deleting EC2 Network ACL Rule (nacl-2697158206): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: c1198ce9-80f0-4ee6-be30-ebac27f56927


Error: deleting EC2 Network ACL Rule (nacl-3644023918): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: 2b470c54-0558-4437-b500-ae47d6bc1ff8


Error: deleting EC2 Network ACL Rule (nacl-2559036166): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: b8e2afb3-7c69-48b8-9281-a55e45babb95


Error: deleting EC2 Network ACL Rule (nacl-625846216): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 16cf294f-a248-48d7-bfb6-85967cea6416


Error: deleting EC2 Network ACL Rule (nacl-4050851738): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: d86919d6-0174-453d-ae9d-4f59f5886baf


Error: deleting EC2 Network ACL Rule (nacl-2167096349): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: a5a4c79e-e4b1-470a-8fd4-a7a0d96c78ec


Error: deleting EC2 Network ACL Rule (nacl-4128697250): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: 9288941e-b2dd-4293-be34-9b1f24a216b8


Error: deleting EC2 Network ACL Rule (nacl-3111112997): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-0804e62f77ad72b9c' does not exist
	status code: 400, request id: e5cb16b6-bc02-40bd-827f-fc320315e0fa


Error: deleting EC2 Network ACL Rule (nacl-3281776127): InvalidNetworkAclID.NotFound: The networkAcl ID 'acl-039e920f603f6c6ce' does not exist
	status code: 400, request id: 3bea37e9-a192-4d89-8a3f-d8b8c34b068c

Terraform Configuration Files

resource "aws_network_acl_rule" "mgmt_ssh" {
  count          = var.management_subnets == "" ? 0 : length(var.vpn_ingress_cidr)
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = var.rule_base + count.index * 10
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = element(var.vpn_ingress_cidr, count.index)
  from_port      = 22
  to_port        = 22
}

resource "aws_network_acl_rule" "mgmt_rdp" {
  count          = var.management_subnets == "" ? 0 : 1
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = var.rule_base + 15 + count.index * 10
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = element(var.rdp_ingress_cidr, count.index)
  from_port      = 3389
  to_port        = 3389
}

resource "aws_network_acl_rule" "mgmt_icmp" {
  count          = var.management_subnets == "" ? 0 : 1
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = var.b_rule_base + count.index * 10
  egress         = false
  protocol       = "icmp"
  icmp_type      = -1
  icmp_code      = -1
  rule_action    = "allow"
  cidr_block     = element(var.b_vpn_ingress_cidr, count.index)
}

resource "aws_network_acl_rule" "mgmt_http" {
  count          = var.management_subnets == "" ? 0 : 1
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = var.c_rule_base + count.index * 10
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = element(var.c_vpn_ingress_cidr, count.index)
  from_port      = 80
  to_port        = 80
}

resource "aws_network_acl_rule" "mgmt_https" {
  count          = var.management_subnets == "" ? 0 : 1
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = var.c_rule_base + 10 + count.index * 10
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = element(var.c_vpn_ingress_cidr, count.index)
  from_port      = 443
  to_port        = 443
}

resource "aws_network_acl_rule" "mgmt_tcp" {
  count          = var.management_subnets == "" ? 0 : 1
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = var.d_rule_base + count.index * 10
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = element(var.d_vpn_ingress_cidr, count.index)
  from_port      = 1024
  to_port        = 65535
}

resource "aws_network_acl_rule" "mgmt_udp" {
  count          = var.management_subnets == "" ? 0 : 1
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = var.d_rule_base + 10 + count.index * 10
  egress         = false
  protocol       = "udp"
  rule_action    = "allow"
  cidr_block     = element(var.d_vpn_ingress_cidr, count.index)
  from_port      = 1024
  to_port        = 65535
}

resource "aws_network_acl_rule" "mgmt_smb" {
  count          = var.management_subnets == "" ? 0 : 1
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = var.f_rule_base + 50 + count.index * 10
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = element(var.b_vpn_ingress_cidr, count.index)
  from_port      = 445
  to_port        = 445
}

resource "aws_network_acl_rule" "mgmt_outbound" {
  count          = var.management_subnets == "" ? 0 : 1
  network_acl_id = element(aws_network_acl.management.*.id, 0)
  rule_number    = 100
  egress         = true
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 0
  to_port        = 0
}

Steps to Reproduce

terraform init
terraform plan
terraform apply : Create resources with terraform apply
terraform - --destroy : Try to destroy acl_rule
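Every error in the output above says the same thing: by the time the provider tries to delete an aws_network_acl_rule, the NACL it belongs to ('acl-0804e62f77ad72b9c' or 'acl-039e920f603f6c6ce') is already gone, and the provider turns the API's NotFound into a hard failure. The following is an added example, not the provider's own code, of the idempotent delete a fix needs: NotFound during deletion is treated as "desired state reached", every other error is still propagated. It assumes a constructed apiError type and a fakeEC2 stand-in instead of aws-sdk-go.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError is a constructed stand-in for an AWS API error (code + message).
type apiError struct{ Code, Message string }
func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// entryDeleter is the single EC2 call the rule deleter depends on.
type entryDeleter interface {
	DeleteNetworkAclEntry(naclID string, ruleNumber int, egress bool) error
}

// fakeEC2 models the behaviour seen in the report: once the parent NACL is gone,
// deleting one of its entries fails with InvalidNetworkAclID.NotFound.
type fakeEC2 struct{ nacls map[string]bool }

func (f *fakeEC2) DeleteNetworkAcl(id string) { delete(f.nacls, id) }

func (f *fakeEC2) DeleteNetworkAclEntry(naclID string, ruleNumber int, egress bool) error {
	if !f.nacls[naclID] {
		return &apiError{"InvalidNetworkAclID.NotFound",
			fmt.Sprintf("The networkAcl ID '%s' does not exist", naclID)}
	}
	return nil
}

// isNotFound reports whether err means the NACL or the entry is already gone.
func isNotFound(err error) bool {
	var ae *apiError
	if !errors.As(err, &ae) {
		return false
	}
	return ae.Code == "InvalidNetworkAclID.NotFound" || ae.Code == "InvalidNetworkAclEntry.NotFound"
}

// deleteNetworkACLRule treats "already gone" as success, since a destroy has
// reached its goal either way, and propagates every other error unchanged.
func deleteNetworkACLRule(ec2 entryDeleter, naclID string, ruleNumber int, egress bool) error {
	err := ec2.DeleteNetworkAclEntry(naclID, ruleNumber, egress)
	if err == nil || isNotFound(err) {
		return nil
	}
	return fmt.Errorf("deleting EC2 Network ACL Rule (%s rule %d): %w", naclID, ruleNumber, err)
}

func main() {
	// NACL ID taken from the report; the destroy removes it before its rules.
	api := &fakeEC2{nacls: map[string]bool{"acl-0804e62f77ad72b9c": true}}
	api.DeleteNetworkAcl("acl-0804e62f77ad72b9c")
	fmt.Println("rule delete after NACL gone:", deleteNetworkACLRule(api, "acl-0804e62f77ad72b9c", 100, true))
}
```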

Debug Output

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

@cristhianramirezp cristhianramirezp added the bug Addresses a defect in current functionality. label Nov 17, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/vpc Issues and PRs that pertain to the vpc service. label Nov 17, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 17, 2023
@justinretzolk (Member)

Hey @cristhianramirezp 👋 Thank you for taking the time to raise this! Are you able to supply debug logs (redacted as needed) so that whoever picks this up has the information necessary to look into this?

@justinretzolk justinretzolk added the waiting-response Maintainers are waiting on response from community or contributor. label Jan 24, 2024
@ewbankkit ewbankkit removed waiting-response Maintainers are waiting on response from community or contributor. needs-triage Waiting for first response or review from a maintainer. labels Mar 12, 2024
@github-actions github-actions bot added this to the v5.41.0 milestone Mar 12, 2024

This functionality has been released in v5.41.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 14, 2024