Updating subnet fails with error: Ipv6CidrBlock cannot be empty

[pjoe]

What happened?

Trying to update a awsnative.ec2.Subnet (just adding a name tag). pulumi preview works fine but pulumi up errors complaining about ipv6CidrBlock

Here is the error from pulumi up:

~  aws-native:ec2:Subnet egress-public-c updating (1s) [diff: ~tags]; error: operation UPDATE failed with "InvalidRequest": Invalid request provided: Property Ipv6CidrBlock cannot be empty.

Expected Behavior

Changes to subnet applies without errors.

Steps to reproduce

Here is source for the subnet:

azs.forEach((az, idx) => {
      const azSuffix = az.substring(az.length - 1);
      const publicSubnet = new awsnative.ec2.Subnet(
        `egress-public-${azSuffix}`,
        {
          vpcId: vpc.vpcId,
          availabilityZone: az,
          cidrBlock: subnetCidrs[idx * 2],
          mapPublicIpOnLaunch: true,
          tags: [...tags, { key: "Name", value: `egress-public-${azSuffix}` }],
        },
        { parent: vpc, provider: networkProvider }
      );

Output of pulumi about

$ pulumi -C packages/central-network -s main about
CLI          
Version      3.53.0
Go Version   go1.19.5
Go Compiler  gc

Plugins
NAME    VERSION
nodejs  unknown

Host     
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/usr/bin/node' version='v18.12.1'

Current Stack: main

TYPE                                                         URN
pulumi:pulumi:Stack                                          urn:pulumi:main::central-network::pulumi:pulumi:Stack::central-network-main
pulumi:providers:aws-native                                  urn:pulumi:main::central-network::pulumi:providers:aws-native::networkProvider
pulumi:providers:aws                                         urn:pulumi:main::central-network::pulumi:providers:aws::networkProvider
aws-native:ec2:VPC                                           urn:pulumi:main::central-network::aws-native:ec2:VPC::egress-vpc
aws-native:ec2:RouteTable                                    urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:RouteTable::egress-public-rt
aws-native:ec2:InternetGateway                               urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:InternetGateway::egress-igw
aws-native:ec2:Subnet                                        urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet::egress-public-c
aws-native:ec2:Subnet                                        urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet::egress-private-c
aws-native:ec2:Subnet                                        urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet::egress-public-a
aws-native:ec2:Subnet                                        urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet::egress-private-a
aws-native:ec2:Subnet                                        urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet::egress-private-b
aws-native:ec2:Subnet                                        urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet::egress-public-b
aws-native:ec2:SubnetRouteTableAssociation                   urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:SubnetRouteTableAssociation::egress-public-rt-assoc-b
aws-native:ec2:SubnetRouteTableAssociation                   urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:SubnetRouteTableAssociation::egress-public-rt-assoc-c
aws-native:ec2:SubnetRouteTableAssociation                   urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:SubnetRouteTableAssociation::egress-public-rt-assoc-a
aws-native:ec2:RouteTable                                    urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:RouteTable::egress-private-rt-c
aws-native:ec2:RouteTable                                    urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:RouteTable::egress-private-rt-a
aws-native:ec2:SubnetRouteTableAssociation                   urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:SubnetRouteTableAssociation::egress-private-rt-assoc-c
aws-native:ec2:RouteTable                                    urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:RouteTable::egress-private-rt-b
aws:ec2/internetGatewayAttachment:InternetGatewayAttachment  urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:InternetGateway$aws:ec2/internetGatewayAttachment:InternetGatewayAttachment::egress-igw-attachment
aws:ec2/route:Route                                          urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:RouteTable$aws:ec2/route:Route::egress-public-route
aws-native:ec2:SubnetRouteTableAssociation                   urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:SubnetRouteTableAssociation::egress-private-rt-assoc-a
aws-native:ec2:SubnetRouteTableAssociation                   urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:SubnetRouteTableAssociation::egress-private-rt-assoc-b
aws-native:ec2:EIP                                           urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:EIP::egress-eip-c
aws-native:ec2:EIP                                           urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:EIP::egress-eip-a
aws-native:ec2:EIP                                           urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:EIP::egress-eip-b
aws-native:ec2:NatGateway                                    urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:NatGateway::egress-natgw-c
aws-native:ec2:NatGateway                                    urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:NatGateway::egress-natgw-a
aws:ec2/route:Route                                          urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:RouteTable$aws:ec2/route:Route::egress-private-route-c
aws:ec2/route:Route                                          urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:RouteTable$aws:ec2/route:Route::egress-private-route-a
aws-native:ec2:NatGateway                                    urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:NatGateway::egress-natgw-b
aws:ec2/route:Route                                          urn:pulumi:main::central-network::aws-native:ec2:VPC$aws-native:ec2:Subnet$aws-native:ec2:RouteTable$aws:ec2/route:Route::egress-private-route-b


Found no pending operations associated with main

Backend        
Name           pelle-rog
URL            s3://github-ci-pulumistate-1pohww1zvicda
User           pelle
Organizations  

Pulumi locates its logs in /tmp by default
warning: Failed to get information about the Pulumi program's dependencies: could not find either /XXX/packages/central-network/yarn.lock or /XXX/packages/central-network/package-lock.json

Looks like it isn't picking up deps from my monorepo setup, but here are some info:

$ npm list
nxproj@0.0.0 /XXX
└─┬ @devops/central-network@0.0.0 -> ./packages/central-network
  ├─┬ @devops/shared@0.0.0 -> ./packages/shared
  │ ├── @pulumi/pulumi@3.52.1 deduped
  │ ├── @types/jest@29.2.6 deduped
  │ ├── @types/node@14.18.36
  │ ├── @typescript-eslint/eslint-plugin@5.48.2 deduped
  │ ├── @typescript-eslint/parser@5.48.2 deduped
  │ ├── eslint-config-prettier@8.6.0 deduped
  │ ├── eslint-import-resolver-node@0.3.7 deduped
  │ ├── eslint-import-resolver-typescript@3.5.3 deduped
  │ ├── eslint-plugin-import@2.27.5 deduped
  │ ├── eslint-plugin-prettier@4.2.1 deduped
  │ ├── eslint@8.32.0 deduped
  │ ├── jest-junit@13.2.0 deduped
  │ ├── jest@29.3.1 deduped
  │ ├── json-schema@0.4.0 deduped
  │ ├── npm-check-updates@16.6.2 deduped
  │ ├── prettier@2.8.3 deduped
  │ ├── projen@0.65.86 deduped
  │ ├── ts-jest@29.0.5 deduped
  │ └── typescript@4.9.4 deduped
  ├── @pulumi/aws-native@v0.48.0
  ├── @pulumi/aws@v5.27.0
  ├── @pulumi/pulumi@3.52.1
  ├── @types/jest@29.2.6
  ├── @types/jsbn@1.2.30
  ├── @types/node@14.18.36
  ├── @typescript-eslint/eslint-plugin@5.48.2
  ├── @typescript-eslint/parser@5.48.2
  ├── eslint-config-prettier@8.6.0
  ├── eslint-import-resolver-node@0.3.7
  ├── eslint-import-resolver-typescript@3.5.3
  ├── eslint-plugin-import@2.27.5
  ├── eslint-plugin-prettier@4.2.1
  ├── eslint@8.32.0
  ├── ip-address@8.1.0
  ├── jest-junit@13.2.0
  ├── jest@29.3.1
  ├── jsbn@1.1.0
  ├── json-schema@0.4.0
  ├── npm-check-updates@16.6.2
  ├── prettier@2.8.3
  ├── projen@0.65.86
  ├── ts-jest@29.0.5
  └── typescript@4.9.4

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[squaremo]

Thanks for this detailed report ⭐ I see what you mean -- and the field is not marked as required in the docs, either (https://www.pulumi.com/registry/packages/aws-native/api-docs/ec2/subnet/#inputs). I think there's enough info here to try and reproduce the problem (thanks!), so we'll look into it.

[mchristen]

Is there a workaround for this?

[squaremo]

Is there a workaround for this?

Not sure; you could try explicitly supplying an empty string, but I'm making a guess.

[mchristen]

Is there a workaround for this?

Not sure; you could try explicitly supplying an empty string, but I'm making a guess.

That blows up with a validation error 🙂

[ahanoff]

Not sure; you could try explicitly supplying an empty string, but I'm making a guess.

I'm facing same issue with @pulumi/aws-native version 0.52.0 currently.
this fails with error: error: operation UPDATE failed with "InvalidRequest": CIDR block is malformed (Service: Ec2, Status Code: 400, Request ID: , Extended Request ID: null)

[pdf]

In case some additional clarity is helpful: it will happily create the resource without specifying Ipv6CidrBlock, it only fails on update.

[izaakschroeder]

I am also experiencing this issue 😄

[lannex]

I have same problem.

[ghferrari]

Same issue for me. The subnet resource will create just fine, but fails with the same error when attempting to update.

[thomas11]

I believe this is, unfortunately, an upstream issue on AWS' side. Here's a minimal program that reproduces the issue using the latest Pulumi azs-native v0.96:

import * as awsnative from "@pulumi/aws-native";

// Create a new VPC using AWS Native
const vpc = new awsnative.ec2.Vpc("my-vpc-native", {
    cidrBlock: "10.0.0.0/16", // Example CIDR block for the VPC
});

// Create a subnet within the VPC using AWS Native
const subnet = new awsnative.ec2.Subnet("my-subnet-native", {
    vpcId: vpc.id, // Associates the subnet with the VPC using the id property from the VPC
    cidrBlock: "10.0.1.0/24", // Example CIDR block for the subnet
    availabilityZone: "us-east-1c", // Specify the availability zone
    tags: [ {key: "foo", value: "bar"} ], // Add a tag to the subnet
});

// Export the IDs of the VPC and subnet
export const vpcId = vpc.id;
export const subnetId = subnet.id;

To isolate whether the issue is on Pulumi's side, I replicated the operation of editing or removing tags using the aws cli tool.

❯ aws cloudcontrol update-resource --type-name "AWS::EC2::Subnet" --region us-east-1 \
    --identifier subnet-011fcc8640b709368 \
    --patch-document '[{"op":"remove","path":"/Tags"}]'

I get the same error:

"StatusMessage": "Invalid request provided: Property Ipv6CidrBlock cannot be empty."

I double-checked in the Cloud Control specs that Ipv6CidrBlock is not a required property, and that a subnet is not Ipv6Native by default.

So this seems to be an issue on the Cloud Control side. I'll work with our Pulumi AWS contacts to get an issue filed in the right place.

[thomas11]

I filed #1927 EC2::Subnet cannot be updated if Ipv6CidrBlock is not set, although the property is not required and we also pinged some AWS contacts internally.

[amazon-chizever]

I just updated the referenced issue, but posting here as well for visibility. As a work-around, you can append the following string: {"op":"remove", "path":"AssignIpv6AddressOnCreation"} to the patch document for the mutation. This is safe even for subnets with this parameter set to true, as it only removes the key from the update API payload, it does not actually remove the configuration from the subnet.

[thomas11]

AWS have now resolved the upstream issue. That means updates should now work without a workaround. Please give it a try.