Cannot conditionally define subnet ipv6 cidr blocks when conditionally defining ipv6 cidr block for vpc

[hashibot]

This issue was originally opened by @philipl as hashicorp/terraform#13590. It was migrated here as part of the provider split. The original body of the issue is below.

---

I am attempting to extend our common module for vpc definition to optionally include ipv6 support. To do that, I must associate an ipv6 cidr block with the vpc and then sub-blocks with each subnet. I tried using a ternary construct to conditionally associate the subnet blocks, but terraform is fully evaluating the un-taken branch of the ternary, which then fails due to the vpc not having an ipv6_cidr_block attribute.

It seems the only way I could make this work is by always associating an ipv6 cidr block to the vpc, whether I want it or not, and then the conditional would correctly evaluate for the subnets. That's not the end of the world, but it prevents this work gracefully handling existing vpcs that don't require ipv6. And that's because of hashicorp/terraform#13588 which makes turning ipv6 on a highly manual process.

For example:

* module.networking.aws_subnet.public_subnet: 3 error(s) occurred:

* module.networking.aws_subnet.public_subnet[1]: Resource 'aws_vpc.vpc' does not have attribute 'ipv6_cidr_block' for variable 'aws_vpc.vpc.ipv6_cidr_block'
* module.networking.aws_subnet.public_subnet[2]: Resource 'aws_vpc.vpc' does not have attribute 'ipv6_cidr_block' for variable 'aws_vpc.vpc.ipv6_cidr_block'
* module.networking.aws_subnet.public_subnet[0]: Resource 'aws_vpc.vpc' does not have attribute 'ipv6_cidr_block' for variable 'aws_vpc.vpc.ipv6_cidr_block'

Terraform Version

0.9.2

Affected Resource(s)

• aws_vpc
• aws_subnet

Terraform Configuration Files

resource "aws_vpc" "vpc" {
    cidr_block = "${var.vpc_cidr}"
    instance_tenancy = "default"

    enable_dns_hostnames = true
    enable_dns_support = true

    assign_generated_ipv6_cidr_block = "${var.use_ipv6}"
    lifecycle {
        prevent_destroy = true
    }

    tags {
        Name = "${var.vpc_name}"
    }
}

# Public Subnets
resource "aws_subnet" "public_subnet" {
    count = "${var.public_subnets_count}"

    vpc_id = "${aws_vpc.vpc.id}"

    cidr_block = "${element(split(",", var.public_subnets), count.index)}"
    ipv6_cidr_block = "${var.use_ipv6 == 0 ? "" :
                         cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, count.index)}"

    availability_zone = "${element(split(",", var.availability_zones), count.index)}"

    map_public_ip_on_launch = "${var.public_subnet_map_public_ip_on_launch}"
    assign_ipv6_address_on_creation = "${var.use_ipv6}"                                                                              

    tags {
        Name = "${format("%s.external.%s", var.vpc_name, element(split(",", var.availability_zones), count.index) )}"
    }
}

Expected Behavior

Terraform should be able to evaluate the ternary and see that use_ipv6 is 0 and then not evaluate aws_vpc.vpc.ipv6_cidr_block.

Actual Behavior

Terraform evaluates both branches of the ternary and returns the error pasted above.

Steps to Reproduce

1. terraform plan

References

#13588

[phillbaker]

Looks related to hashicorp/hil#50?

I couldn't get the suggested join("", ) workaround from that issue to work in this case (or anything else) so I manually edited the state file to add a ipv6_cidr_block attribute to the VPC json object which seemed to shut terraform up. Was a pretty ugly hack though.

[phillbaker]

@stack72 I think you've done a bunch of the work on the AWS IPv6 support, I'm actually curious why the code here doesn't handle this situation? (ie setting ipv6_cidr_block to an empty string on VPCs created without IPv6.)

Is it possible that the code should check len(vpc.Ipv6CidrBlockAssociationSet) and if it's zero use the else clause to provide the defaults?

[flosell]

@phillbaker I ran into the same issue and decided to play round with the provider code a bit.
You were on the right track with the code snippet you linked to, looks like the Ipv6CidrBlockAssociationSet is empty if no ipv6 is configured so it doesn't jump into the loop.

Moving the else clause in front of the loop seems to work.
Unfortunately, we aren't done yet: Now cidrsubnet complains that an empty string is not a valid CIDR... We can work around this with a local value that maps the empty string to a dummy-CIDR but it's not exactly elegant...

What do you think? Is it worth doing a PR for this anyway?

In the end, the problem remains the conditional operator. There is an issue that's supposed to address this in hashicorp/hil#50 but that doesn't look like a simple fix...

[phillbaker]

Hey, sorry for the slow reply @flosell, thanks for digging into this! I'd say seems worthwhile to do the PR since it seems like there's some movement to fix hashicorp/hil#50 in hashicorp/terraform#11566 (comment)

[bflad]

The fix for this has been merged and will release with version 1.43.1 of the AWS provider.

[pdecat]

There's still the same issue for the ipv6_cidr_block field of the aws_subnet resource:

https://github.com/terraform-providers/terraform-provider-aws/blob/v1.46.0/aws/resource_aws_subnet.go#L158

[bflad]

The similar fix for aws_subnet has been merged and will release with version 1.47.0 of the AWS provider, sometime later this week. 👍

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!