Route53 Resolver Endpoint failing when specifying more than two ip addresses #7942

Closed
nywilken opened this issue Mar 14, 2019 · 11 comments
Labels
bug Addresses a defect in current functionality. service/route53resolver Issues and PRs that pertain to the route53resolver service.

Comments

@nywilken
Contributor

nywilken commented Mar 14, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Issue created for #6525 (comment)

Terraform Version

Affected Resource(s)

  • aws_route53_resolver_endpoint

Terraform Configuration Files

resource "aws_route53_resolver_endpoint" "inbound_resolver" {
  name      = "Inbound Resolver"
  direction = "INBOUND"

  security_group_ids = [
    "${aws_security_group.route53_resolver_dns.id}",
  ]

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1a.id}"
    ip        = "${var.IP_SUBNET_A}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1b.id}"
    ip        = "${var.IP_SUBNET_B}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1c.id}"
    ip        = "${var.IP_SUBNET_C}"
  }

  tags {
    Name        = "Inbound Resolver"
    Deployed    = "Terraform"
    Environment = "${var.ENVIRONMENT}"
  }
}

Debug Output

Panic Output

Expected Behavior

Successful creation of a Route53 resolver endpoint with three IP addresses.

Actual Behavior

With provider.aws: version = "~> 2.1" it failed with the message:
Resolver endpoint need to have at least 2 IP addresses.
But I have 3 Subnets and I want to put 3 IPs.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

@nywilken nywilken added bug Addresses a defect in current functionality. service/route53resolver Issues and PRs that pertain to the route53resolver service. labels Mar 14, 2019
@nywilken nywilken changed the title Route53 Resolver Endpoint failing when specifying more than 2 ip addresses Route53 Resolver Endpoint failing when specifying more than two ip addresses Mar 14, 2019
@dalvarezquiroga

dalvarezquiroga commented Mar 15, 2019

Hi, I am going to update the issue because I have the same problem:

I updated Terraform AWS provider version to 2.2 Latest:
Downloading plugin for provider "aws" (2.2.0)...

  • provider.aws: version = "~> 2.2"

Also upgraded Terraform version to 0.11.13 Latest.
But when I launch Terraform Plan:

Terraform will perform the following actions:

  • aws_route53_resolver_endpoint.inbound_resolver
    id:
    arn:
    direction: "INBOUND"
    host_vpc_id:
    ip_address.#: "1" Only 1 IP? Fail
    ip_address.463946607.ip: "Example IP: 192.168.1.1"
    ip_address.463946607.ip_id:
    ip_address.463946607.subnet_id: "vpc-003bd6b5"
    name: "Inbound Resolve"
    security_group_ids.#: "1"
    security_group_ids.1787158142: "sg-02cff9cf"
    tags.%: "4"
    tags.Deployed: "Terraform"
    tags.Name: "Inbound Resolver"

Code:

resource "aws_route53_resolver_endpoint" "inbound_resolver" {
  name      = "Inbound Resolver"
  direction = "INBOUND"

  security_group_ids = [
    "${aws_security_group.route53_resolver_dns.id}",
  ]

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1a.id}"
    ip        = "${var.IP_SUBNET_A}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1b.id}"
    ip        = "${var.IP_SUBNET_B}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1c.id}"
    ip        = "${var.IP_SUBNET_C}"
  }

  tags {
    Name        = "Inbound Resolver"
    Deployed    = "Terraform"
    Environment = "${var.ENVIRONMENT}"
  }
}

You guys got the same problem?
ip_address.#: "1" should be 3.
Thank you!

@ewbankkit
Contributor

ewbankkit commented Mar 15, 2019

@dalvarezquiroga Could you please add your configuration of the various aws_subnet_ids data sources? Thanks.

@nywilken
Contributor Author

nywilken commented Mar 15, 2019

Hi @dalvarezquiroga sorry you’re running into trouble here. Looking at the configuration and provided plan output I can see that the aws_subnet_ids data source references need to be updated.

More specifically the aws_subnet_ids data source exports an ids attribute which returns a list of subnet ids for the provided vpc id. The id attribute which is what you have defined in your configuration actually returns the vpc id. Hence the reason you see the vpc id in the plan ip_address.463946607.subnet_id: "vpc-003bd6b5".

If you update your configuration to reference the specific subnet id for the IP address to be used, things should work as expected. Note that subnet ids must be unique for each IP address block, otherwise you will encounter the same error.

resource "aws_route53_resolver_endpoint" "inbound_resolver" {
  name      = "Inbound Resolver"
  direction = "INBOUND"

  security_group_ids = [
    "${aws_security_group.route53_resolver_dns.id}",
  ]

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1a.ids[0]}"
    ip        = "${var.IP_SUBNET_A}"
  }
  ...

@dalvarezquiroga

You're right @nywilken, it worked like a charm. I changed it to return a list and used position [0]

resource "aws_route53_resolver_endpoint" "inbound_resolver" {
  name      = "Inbound Resolver"
  direction = "INBOUND"

  security_group_ids = [
    "${aws_security_group.route53_resolver_dns.id}",
  ]

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1a.ids[0]}"
    ip        = "${var.IP_SUBNET_A}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1b.ids[0]}"
    ip        = "${var.IP_SUBNET_B}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet_ids.vpc-example-eu-central-1c.ids[0]}"
    ip        = "${var.IP_SUBNET_C}"
  }

  tags {
    Name        = "Inbound Resolver"
    Deployed    = "Terraform"
    Environment = "${var.ENVIRONMENT}"
  }
}

Thank you!
We can close the issue.

@nywilken
Contributor Author

@dalvarezquiroga glad that’s all squared away. @ewbankkit thanks for the help on this one.

@GeorgeShort

Hi, this isn't working for me under different circumstances. I create the subnets within a particular module and output their IDs. I am then referencing these said IDs. When I perform a plan, only 2 ids/IPs are returned to be configured.

resource "aws_route53_resolver_endpoint" "r53_resolver_outbound" {
  name      = "r53_resolver_outbound"
  direction = "OUTBOUND"

  security_group_ids = [
    "${aws_security_group.r53_resolver_sg.id}",
  ]

  ip_address {
    subnet_id = "${data.aws_subnet.r53_subnet_a.id}"
    ip        = "${local.r53_subnet_a_ip}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet.r53_subnet_b.id}"
    ip        = "${local.r53_subnet_b_ip}"
  }

  ip_address {
    subnet_id = "${data.aws_subnet.r53_subnet_c.id}"
    ip        = "${local.r53_subnet_c_ip}"
  }
}

@ewbankkit
Contributor

@GeorgeShort Can you add the terraform plan output (obfuscating where necessary)? Thanks.

@ramarnat

ramarnat commented Jun 5, 2019

Is there any reason why this resource requires one ip per subnet? Creating the resolver via the console does not restrict you from creating a resolver with multiple ip addresses in the same subnet.

I am replacing existing resolvers and so the downstream systems do not have to make any changes, I am keeping the IPs the same. Some of them have multiple in the same subnet.

When I run a plan it only shows the last ip_address.

I can import a precreated resolver with the three ips without issue.

@ewbankkit
Contributor

@ramarnat The technical reason is that the route53ResolverEndpointHashIpAddress() function
https://github.com/terraform-providers/terraform-provider-aws/blob/3baf33f202f644bd4d861d4b44846127774e7e30/aws/resource_aws_route53_resolver_endpoint.go#L329-L333 uses only subnet_id to generate the unique key.
There's plenty of discussion in the original PR for the resource - #6574 - as to why this is.
To cut a long story short, it's a limitation due to the way that Terraform handles attributes that are both Computed and Optional.
I'm not sure if any new Terraform 0.12 features would now help.
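
Added illustration, not part of the thread and not the provider's source: a simplified Go model of a set whose key is derived from subnet_id only, showing why the `.id` configuration planned a single ip_address, why `.ids[0]` planned three, and why two IPs in one subnet plan as the last one. The CRC32 hash, the type and function names, and all IPs and subnet ids except `vpc-003bd6b5` are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"hash/crc32"
)

// ipAddress models one ip_address block of aws_route53_resolver_endpoint.
type ipAddress struct {
	SubnetID string
	IP       string
}

// hashBySubnet is a stand-in for the provider's set hash: per the thread it
// derives the key from subnet_id only (CRC32 is an assumption made here).
func hashBySubnet(a ipAddress) uint32 {
	return crc32.ChecksumIEEE([]byte(a.SubnetID))
}

// planSet stores blocks the way a hashed set does: one slot per key, so a
// later block with the same key overwrites the earlier one.
func planSet(blocks []ipAddress) map[uint32]ipAddress {
	set := make(map[uint32]ipAddress)
	for _, b := range blocks {
		set[hashBySubnet(b)] = b
	}
	return set
}

// Constructed sample inputs.
var (
	// .id on aws_subnet_ids yields the VPC id, identical in every block.
	wrongAttr = []ipAddress{
		{"vpc-003bd6b5", "10.0.1.10"}, {"vpc-003bd6b5", "10.0.2.10"}, {"vpc-003bd6b5", "10.0.3.10"},
	}
	// .ids[0] on three per-AZ data sources yields three distinct subnets.
	fixed = []ipAddress{
		{"subnet-aaaa", "10.0.1.10"}, {"subnet-bbbb", "10.0.2.10"}, {"subnet-cccc", "10.0.3.10"},
	}
	// Two IPs in one subnet: allowed by the console, collapsed by the hash.
	sameSubnet = []ipAddress{
		{"subnet-aaaa", "10.0.1.10"}, {"subnet-aaaa", "10.0.1.11"}, {"subnet-bbbb", "10.0.2.10"},
	}
)

func main() {
	fmt.Println(len(planSet(wrongAttr)), len(planSet(fixed)), len(planSet(sameSubnet)))
}
```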

@ramarnat

ramarnat commented Jun 9, 2019

Thank you for explaining.

@ghost

ghost commented Nov 3, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 3, 2019