Failure associating EIP: IncorrectInstanceState: The pending-instance-creation instance to which 'eni-0ee36cd9d3c25cd44' is attached is not in a valid state for this operation #19699

Open
ghost opened this issue Jun 7, 2021 · 3 comments
Labels
service/ec2 Issues and PRs that pertain to the ec2 service.

Comments


ghost commented Jun 7, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

% terraform -v
Terraform v0.15.5
on darwin_amd64

  • Using previously-installed hashicorp/local v2.1.0
  • Using previously-installed hashicorp/tls v3.1.0
  • Using previously-installed hashicorp/random v3.1.0
  • Using previously-installed hashicorp/template v2.2.0
  • Using previously-installed hashicorp/aws v3.44.0
  • Using previously-installed hashicorp/http v2.1.0

Affected Resource(s)

  • aws_eip

Terraform Configuration Files

resource "aws_network_interface" "juiceShopAppAZ1ENI" {
  subnet_id       = aws_subnet.juiceShopAppSubnetAZ1.id
  tags = {
    Name = "juiceShopAppAZ1ENI"
  }
}

resource "aws_instance" "juiceShopAppAZ1" {
  ami               = data.aws_ami.ubuntu.id
  instance_type     = "m5.xlarge"
  availability_zone = local.awsAz1
  key_name          = aws_key_pair.deployer.id
  user_data         = <<-EOF
              #!/bin/bash
              sudo apt update
              sudo apt -y upgrade
              sudo apt -y install apt-transport-https ca-certificates curl software-properties-common docker
              sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
              sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
              sudo apt update
              sudo apt-cache policy docker-ce
              sudo apt -y install docker-ce
              sudo usermod -aG docker ubuntu
              docker pull bkimminich/juice-shop
              docker run -d -p 80:3000 --restart unless-stopped bkimminich/juice-shop
              sudo reboot
              EOF
  network_interface {
    network_interface_id = aws_network_interface.juiceShopAppAZ1ENI.id
    device_index = 0
  }
  tags = {
    Name = "${var.projectPrefix}-juiceShopAppAZ1-${random_id.buildSuffix.hex}"
  }
}

resource "aws_eip" "juiceShopAppAZ1EIP" {
  vpc = true
  network_interface = aws_network_interface.juiceShopAppAZ1ENI.id
  associate_with_private_ip = aws_network_interface.juiceShopAppAZ1ENI.private_ip
  tags = {
    Name = "juiceShopAppAZ1EIP"
  }
}

Debug Output

Panic Output

Expected Behavior

The provider should wait/retry/catch the condition and retry.

Actual Behavior

The EIPs were not created and the plan execution was halted.

Steps to Reproduce

Create an ENI, EIP and instance; the EIP will fail upon creation if the ENI creation is not complete.

  1. terraform apply

Important Factoids

Running in us-east-2

References

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/ec2 Issues and PRs that pertain to the ec2 service. labels Jun 7, 2021
@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label Jun 7, 2021
Contributor

anGie44 commented Jun 7, 2021

Hi @grf5 , thank you for raising this issue. I haven't been able to reproduce this just yet, however, in the meantime I would try adjusting the resource dependencies to ensure the instance is created before the EIP resource attempts to associate such as by adding in a reference to the aws_instance resource e.g.

resource "aws_eip" "test" {
  instance                  = aws_instance.juiceShopAppAZ1.id
  vpc                       = true
  network_interface         = aws_network_interface.juiceShopAppAZ1ENI.id
  associate_with_private_ip = aws_network_interface.juiceShopAppAZ1ENI.private_ip
}

Let me know if this helps!

@anGie44 anGie44 added the waiting-response Maintainers are waiting on response from community or contributor. label Jun 7, 2021
Author

ghost commented Jun 7, 2021

Thanks for the follow up. My instances actually need an EIP in order to license themselves, so I'm using the time_sleep which depends_on the ENI to be created, waits 20 seconds, then the EIP depends_on the time_sleep statement.

IMO, the provider should be updated so that if the condition exists, there is a retry 20-30 seconds later. That would solve this completely for my use case. I'll attempt to reproduce and provide a debug so the "faulty" ENI status can be captured.

Workaround example:

resource "aws_network_interface" "juiceShopAppAZ1ENI" {
  subnet_id       = aws_subnet.juiceShopAppSubnetAZ1.id
  tags = {
    Name = "juiceShopAppAZ1ENI"
  }
}

resource "time_sleep" "juiceShopAppAZ1EIPdelay" {
  create_duration = "30s"
  depends_on = [
    aws_network_interface.juiceShopAppAZ1ENI
  ]
}

resource "aws_eip" "juiceShopAppAZ1EIP" {
  vpc = true
  network_interface = aws_network_interface.juiceShopAppAZ1ENI.id
  associate_with_private_ip = aws_network_interface.juiceShopAppAZ1ENI.private_ip
  depends_on = [
    time_sleep.juiceShopAppAZ1EIPdelay
  ]
  tags = {
    Name = "juiceShopAppAZ1EIP"
  }
}

resource "aws_instance" "juiceShopAppAZ1" {
  ami               = data.aws_ami.ubuntu.id
  instance_type     = "m5.xlarge"
  availability_zone = local.awsAz1
  key_name          = aws_key_pair.deployer.id
  user_data         = <<-EOF
              #!/bin/bash
              sudo apt update
              sudo apt -y upgrade
              sudo apt -y install apt-transport-https ca-certificates curl software-properties-common docker
              sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
              sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
              sudo apt update
              sudo apt-cache policy docker-ce
              sudo apt -y install docker-ce
              sudo usermod -aG docker ubuntu
              docker pull bkimminich/juice-shop
              docker run -d -p 80:3000 --restart unless-stopped bkimminich/juice-shop
              sudo reboot
              EOF
  network_interface {
    network_interface_id = aws_network_interface.juiceShopAppAZ1ENI.id
    device_index = 0
  }
  depends_on = [
    aws_eip.juiceShopAppAZ1EIP
  ]
  tags = {
    Name = "${var.projectPrefix}-juiceShopAppAZ1-${random_id.buildSuffix.hex}"
  }
}
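
The retry behaviour requested in this thread, sketched as an added example in Go; it is not code from this issue or from the AWS provider. `apiError`, `associateFn` and `fakeAssociate` are hypothetical stand-ins for an SDK error type and the EC2 AssociateAddress call, and the failing calls are constructed sample input.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// apiError is a hypothetical stand-in for an SDK error that carries an error code.
type apiError struct{ Code, Msg string }

func (e *apiError) Error() string { return e.Code + ": " + e.Msg }

// associateFn is a hypothetical wrapper around the EC2 AssociateAddress call.
type associateFn func(ctx context.Context) error

// retryOnIncorrectInstanceState retries only the transient error named in the
// issue title; success or any other error is returned at once with the attempt count.
func retryOnIncorrectInstanceState(ctx context.Context, interval time.Duration, call associateFn) (int, error) {
	for attempt := 1; ; attempt++ {
		err := call(ctx)
		var ae *apiError
		if err == nil || !errors.As(err, &ae) || ae.Code != "IncorrectInstanceState" {
			return attempt, err
		}
		select {
		case <-ctx.Done(): // overall deadline reached: stop retrying, keep the last error
			return attempt, fmt.Errorf("gave up after %d attempts: %w", attempt, err)
		case <-time.After(interval):
		}
	}
}

// fakeAssociate is constructed test input: it fails `failures` times, then succeeds.
func fakeAssociate(failures int, code string) associateFn {
	return func(context.Context) error {
		if failures > 0 {
			failures--
			return &apiError{Code: code, Msg: "constructed sample error"}
		}
		return nil
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
	defer cancel()
	n, err := retryOnIncorrectInstanceState(ctx, 10*time.Millisecond, fakeAssociate(2, "IncorrectInstanceState"))
	fmt.Println(n, err)
}
```

Bounding the loop with the context deadline rather than a fixed sleep means a healthy ENI is associated on the first attempt, while a stuck one still fails with the original error instead of hanging the apply.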

@portablesounds

Hi @grf5 , thank you for raising this issue. I haven't been able to reproduce this just yet, however, in the meantime I would try adjusting the resource dependencies to ensure the instance is created before the EIP resource attempts to associate such as by adding in a reference to the aws_instance resource e.g.

resource "aws_eip" "test" {
  instance                  = aws_instance.juiceShopAppAZ1.id
  vpc                       = true
  network_interface         = aws_network_interface.juiceShopAppAZ1ENI.id
  associate_with_private_ip = aws_network_interface.juiceShopAppAZ1ENI.private_ip
}

Let me know if this helps!

According to the documentation this leads to undefined behavior:
You can specify either the instance ID or the network_interface ID, but not both. Including both will not return an error from the AWS API, but will have undefined behavior. See the relevant AssociateAddress API Call for more information.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jun 27, 2022