RouteAlready exists error #44

Closed
horsey opened this issue Dec 8, 2017 · 17 comments · Fixed by #45

@horsey

horsey commented Dec 8, 2017

Hello,
I see this error when converging with Terraform v0.11.1

  • provider.aws v1.5.0

I set enable_nat_gateway to true and have one private subnet enabled in the module.

```
2 error(s) occurred:

* module.production.module.vpc.aws_route.private_nat_gateway[0]: 1 error(s) occurred:

* aws_route.private_nat_gateway.0: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: c90d42d0-64f8-44da-89ea-bdfc37252a1e
* module.production.module.vpc.aws_route.private_nat_gateway[2]: 1 error(s) occurred:

* aws_route.private_nat_gateway.2: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: 47d42d18-bbac-4a1b-8966-61d2e954358d
```

@antonbabenko
Member

Please provide the piece of code you are trying to run. Have you created VPC routes without using Terraform?

@horsey
Author

horsey commented Dec 8, 2017

No, I haven't created any VPC routes using Terraform. I am using the VPC module in the following fashion:

```hcl
module "vpc" {
  source           = "terraform-aws-modules/vpc/aws"
  name             = "${var.vpc_name}"
  cidr             = "${var.cidr}"
  azs              = "${var.azs}"
  private_subnets  = "${var.private_subnets}"
  public_subnets   = "${var.public_subnets}"
  database_subnets = "${var.database_subnets}"

  create_database_subnet_group = "${var.create_database_subnet_group}"
  enable_nat_gateway           = "${var.enable_nat_gateway}"
  tags                         = "${var.vpc_tags}"
}
```

@horsey
Author

horsey commented Dec 8, 2017

I observe the route table is created 3 times when I run terraform plan. Is this the way it is supposed to be?

Logs here:

```
module.production.module.vpc.aws_route.private_nat_gateway[2]: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-0580607c824d36f8a"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-4112f13c"
  state:                      "" => "<computed>"
module.production.module.vpc.aws_route.private_nat_gateway[1]: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-047413a0978614325"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-4112f13c"
  state:                      "" => "<computed>"
module.production.module.vpc.aws_route.private_nat_gateway[0]: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-03a905522aea0fa94"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-4112f13c"
  state:                      "" => "<computed>"
```

@antonbabenko
Member

Have you created VPC routes without using Terraform? Check in AWS console.

It creates 3 routes because there are 3 private subnets and 3 NAT gateways (1 per each availability zone), which is correct behaviour.

@horsey
Author

horsey commented Dec 8, 2017

I haven't created VPC routes without using Terraform. Pretty sure about that.

However, after your reply, I noticed I have defined only one private subnet - not three. Could this be the problem? I don't want 3 private subnets in my configuration.

@antonbabenko
Member

Please show the full module "vpc" block with actual amount of values (replace ${var....}). It may be a bug or edge case.

@horsey
Author

horsey commented Dec 9, 2017

Here is the vpc block with actual values.

```hcl
module "vpc" {
  source           = "terraform-aws-modules/vpc/aws"
  name             = "example-vpc"
  cidr             = "10.0.0.0/16"
  azs              = ["us-east-1a", "us-east-1b", "us-east-1c"]
  private_subnets  = ["10.0.1.0/24"]
  public_subnets   = ["10.0.101.0/24", "10.0.102.0/24"]
  database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]

  create_database_subnet_group = true
  enable_nat_gateway           = true
  tags = {
    Terraform   = "true"
    Environment = "dev"
    Name        = "example-name"
  }
}
```

@antonbabenko
Member

Thanks for the code, now I can see the error myself.

Meanwhile, you can make this module work for you if you set the length of both lists of private_subnets and public_subnets to the same length as the number of azs (3). It is good practice to keep subnets in each AZ, and these resources are free. You can also specify single_nat_gateway = true to have the same number of NAT gateways as now (1), because they cost money.

@antonbabenko
Member

v1.10.0 has been released and the bug has been fixed there.

@maxburke

maxburke commented Apr 4, 2018

Hello!

I am using v1.26.0 and I am seeing a similar problem. Here is my VPC module description:

```hcl
# VPC
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  name   = "ul-infra-vpc"
  cidr   = "10.0.0.0/16"

  azs             = ["us-west-2a", "us-west-2b", "us-west-2c"]
  private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]

  # The immutable_metadata tag is for Spinnaker to be able to discover the subnets.
  private_subnet_tags = {
    immutable_metadata = "{'purpose':'internal'}"
  }

  public_subnets = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"]
  public_subnet_tags = {
    immutable_metadata = "{'purpose':'external'}"
  }

  single_nat_gateway       = true
  enable_nat_gateway       = true
  enable_s3_endpoint       = true
  enable_dynamodb_endpoint = true
}
```

And when I apply my changes with Terraform, I get the result:

```
module.vpc.aws_route.private_nat_gateway[1]: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-051ea8db09567c324"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-0d8e9b0a66940f24d"
  state:                      "" => "<computed>"
module.vpc.aws_route.private_nat_gateway[2]: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-051ea8db09567c324"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-01647a366b84e9ed3"
  state:                      "" => "<computed>"
module.vpc.aws_route.private_nat_gateway[0]: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-051ea8db09567c324"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-0343dd2d7635c83be"
  state:                      "" => "<computed>"

Error: Error applying plan:

3 error(s) occurred:

* module.vpc.aws_route.private_nat_gateway[2]: 1 error(s) occurred:

* aws_route.private_nat_gateway.2: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: 86c0a46b-4910-43cb-a13d-d8add6abd1fe
* module.vpc.aws_route.private_nat_gateway[0]: 1 error(s) occurred:

* aws_route.private_nat_gateway.0: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: df63823f-ef08-4ebc-b604-fcf2cd617a67
* module.vpc.aws_route.private_nat_gateway[1]: 1 error(s) occurred:

* aws_route.private_nat_gateway.1: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: ac8ddb23-8800-4ddf-be5f-9e1348117f6d
```
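
Added example, not part of the thread or of the module's code: a check over Terraform 0.11 output of the kind quoted in the two reports above that flags `aws_route` resources creating the same destination in the same route table. The sample inputs are rebuilt from the two quoted logs with unrelated attributes omitted; `find_route_collisions` and `render` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Resource header, e.g. "module.vpc.aws_route.private_nat_gateway[2]: Creating..."
RESOURCE_RE = re.compile(r'^(\S*aws_route\.\S+): Creating\.\.\.$')
# Attribute line in the Terraform 0.11 diff format: key: "old" => "new"
ATTR_RE = re.compile(r'^\s+(\w+):\s+"[^"]*" => "([^"]*)"$')

def find_route_collisions(plan_text):
    """Return {(route_table_id, destination): [addresses]} for keys created by more than one aws_route."""
    routes, current = {}, None
    for line in plan_text.splitlines():
        line = line.rstrip()
        header = RESOURCE_RE.match(line)
        if header:
            current = header.group(1)
            routes[current] = {}
            continue
        attr = ATTR_RE.match(line)
        if attr and current:
            routes[current][attr.group(1)] = attr.group(2)
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the resource block
    by_key = defaultdict(list)
    for addr, attrs in routes.items():
        key = (attrs.get("route_table_id"), attrs.get("destination_cidr_block"))
        if None not in key:
            by_key[key].append(addr)
    return {k: v for k, v in by_key.items() if len(v) > 1}

def render(prefix, rows):
    """Rebuild the relevant lines of a log quoted in the thread (other attributes omitted)."""
    return "\n".join(
        f'{prefix}.aws_route.private_nat_gateway[{i}]: Creating...\n'
        f'  destination_cidr_block:     "" => "0.0.0.0/0"\n'
        f'  nat_gateway_id:             "" => "{nat}"\n'
        f'  route_table_id:             "" => "{rtb}"'
        for i, nat, rtb in rows)

FIRST_REPORT = render("module.production.module.vpc", [
    (2, "nat-0580607c824d36f8a", "rtb-4112f13c"),
    (1, "nat-047413a0978614325", "rtb-4112f13c"),
    (0, "nat-03a905522aea0fa94", "rtb-4112f13c")])
SECOND_REPORT = render("module.vpc", [
    (1, "nat-051ea8db09567c324", "rtb-0d8e9b0a66940f24d"),
    (2, "nat-051ea8db09567c324", "rtb-01647a366b84e9ed3"),
    (0, "nat-051ea8db09567c324", "rtb-0343dd2d7635c83be")])

print(find_route_collisions(FIRST_REPORT), find_route_collisions(SECOND_REPORT))
```

The first log collides inside the run itself (three routes for 0.0.0.0/0 in one route table). The second uses three distinct route tables, so this check returns nothing for it and the conflicting routes have to be looked for in AWS rather than in the plan.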

@smastrorocco

Seeing the same issue on v1.26.0. On first creation, it says it can't find a matching route for nat gateway with destination 0.0.0.0/0, however in AWS console, the route was created. Any plan after this attempts to add it again, and fails as a duplicate entry until the route is manually removed or imported into TF state.

@antonbabenko
Member

Thanks to everyone for reporting this issue. I am quite certain that this issue is now fixed in #111 and v1.27.0 has been released.

Please give it a try and leave a comment if the problem still exists.

@maxburke

maxburke commented Apr 5, 2018

Hey Anton,

I gave it a try and I'm still seeing the issue:

```
module.vpc.aws_default_route_table.this: Destroying... (ID: rtb-0ab34e247773f6316)
module.vpc.aws_default_route_table.this: Destruction complete after 0s

Error: Error applying plan:

3 error(s) occurred:

* module.vpc.aws_route.private_nat_gateway[2]: 1 error(s) occurred:

* aws_route.private_nat_gateway.2: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: 883f4a2f-10f6-422c-b1a4-10fbe6d0cacd
* module.vpc.aws_route.private_nat_gateway[0]: 1 error(s) occurred:

* aws_route.private_nat_gateway.0: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: 30b7b29c-4845-4f40-aaaf-1ea12d70ab97
* module.vpc.aws_route.private_nat_gateway[1]: 1 error(s) occurred:

* aws_route.private_nat_gateway.1: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
        status code: 400, request id: 8c7d74b2-7bd6-4f61-b650-d2c26941264f
```

@antonbabenko
Member

Hmm, strange... Does it still fail even after you rerun it and it destroyed module.vpc.aws_default_route_table.this? Could you delete these routes manually via console and see if Terraform is happy?

@smastrorocco Thanks for the explanation. It sounds like a result of eventual consistency somewhere in the process. I did my best today to come up with the failing example and could not reproduce it (tried different regions, different values). Could you give it a try on your setup?

@smastrorocco

@antonbabenko Yes, I've upgraded to v1.29.0 and it's working great. Thanks for the quick response.

@TamiloreObydy

Getting this error when I tried to create a VPC. I need help.

```
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, net/http: invalid header field value "AWS4-HMAC-SHA256 Credential=\x16AKIAQ7N6RR6I5GQTECZR/20220616/ca-central-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=842150020261e915db46621bc495ccdbbed9055e22e0e02b0dfea316564c9fe2" for key Authorization

│ with provider["registry.terraform.io/hashicorp/aws"],
│ on provider.tf line 1, in provider "aws":
│ 1: provider "aws" {
```

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022