aws_route Error: more than 1 target specified.

[atward]

#5867 and/or #5321 appear to have broken aws_route when the underlying instance_id is recreated/tainted. I'm unsure what is causing it but the route table entry in AWS still exists and points to a dandling eni (inactive black hole). Terraform then proceeds to apply the aws_route to the instance_id, but aws errors due to only target can be specified.

* aws_route.public_to_openvpn_clients: Error: more than 1 target specified. Only 1 of gateway_idnat_gateway_id, instance_id, network_interface_id, route_table_id orvpc_peering_connection_id is allowed.

Sample config:

resource "aws_route" "public_to_openvpn_clients" {
    route_table_id = "${aws_route_table.public.id}"
    destination_cidr_block = "${var.openvpn_cidr}"
    instance_id = "${aws_instance.openvpn_server.id}"
}
resource "aws_instance" "openvpn_server" {
 #...
}
resource "aws_route_table" "public" {
 # ...
}

To reproduce:

• terraform apply
• terraform taint aws_instance.openvpn_server
• terraform apply

[atward]

aws_route change proceeds without issue in v0.6.12. Broken in v0.6.14.

[yogeshnath]

I see the same issue. Is it going to be fixed in the next release or should I roll back to 0.6.12?

[bkarypid]

+1

[atward]

Appears to be introduced in 3f41515 from #5321. The ec2 TerminateInstances leaves the eni dangling and is picked up by the aws_route.resourceAwsRouteRead Computed attribute.

I don't think computed attributes here are the ideal solution as we need a way to differentiate between what is desired and what has been automatically set by AWS. Preferably resourceAwsRouteUpdate should lookup the NetworkInterfaceId of the instance if only instance_id has been requested.

[jrnt30]

To add a bit of additional info to Atward's message for those unfamiliar with the problem (as I was until I ran into it...).

Upon creation using instance_id:

• Initial creation of the aws_route is sent to AWS via CreateRoute with just the instance_id attribute set
• Behind the scenes, AWS looks up the network_interface_id for the given instance_id and stores that information on the route table entry
• After a successful creation response, TF requests the full information from AWS for the route table input
• TF then saves both the network_interface_id and instance_id in the state

After termination or taint of instance:

• When the instance that the route refers to disappears, AWS still maintains this route, however the destination only refers to the network_interface_id at that point.
• When running a plan/update TF sees that the state does not contain an instance_id (which at this point should be different since the instance was terminated or tainted)
• TF attempts to update the route table entry however fails due to there being both a network_interface_id (the old one) and an instance_id (the new one) on the node.

[atward]

640859f works for me.

@jrnt30 can you create a pull request?

[jrnt30]

@atward I opened the PR. Would like to add an explicit test but this has worked for me as well and the current ACC tests are good.

[kristjanelias]

+1

[liquid-sky]

Unfortunately this is still an issue in Terraform v0.7.3. Is there a workaround?

[ljsommer]

Also seeing this in Terraform v0.7.4

[leopepe]

Also seeing on 0.6.16

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.