
Gateway creation fails with public ip created from ip prefix

Open dyfhughes opened this issue 1 year ago • 0 comments

Describe the problem

Attempting to create a new gateway, but with the elastic IP created outside the provider's control, fails when I try to use a public IP address that was created from an IP prefix. It looks to modify the public address with a createOrUpdate operation from the Azure activity logs, and its update operation looks to try to remove the ip_prefix association to the IP address, which is not allowed from Azure.

To Reproduce

My terraform resources are as follows:

data "azurerm_public_ip_prefix" "vpn_gw_ip_prefix" {
  name                = "vpn-gateways-ip-prefix"
  resource_group_name = "test-rg"
}

resource "azurerm_public_ip" "aviatrix_saml_gateway_public_ip" {
  name                         = "av-ip-user-vpn-gateway-avi"
  location                     = var.location
  resource_group_name          = var.resource_group
  allocation_method            = "Static"
  sku                          = "Standard"
  zones                        = [1,2,3]
  public_ip_prefix_id          = data.azurerm_public_ip_prefix.vpn_gw_ip_prefix.id

  lifecycle {
    ignore_changes = [
      tags
    ]
  }
}

locals {
  saml_gateway_eip_id = "av-ip-user-vpn-gateway-avi:${var.resource_group}"
}

# Create an Aviatrix Azure Gateway (USER)
resource "aviatrix_gateway" "saml_gateway" {
  cloud_type   = 8
  account_name = var.account_name
  gw_name      = "user-vpn-gateway-avi"
  vpc_id       = "${var.virtual_network_name}:${var.resource_group}"
  vpc_reg      = "West Europe"
  gw_size      = var.user_gateway_size
  subnet       = var.subnet_range

  vpn_access   = true
  vpn_cidr     = "192.168.43.0/24"
  enable_elb   = false
  split_tunnel = true

  saml_enabled = true

  max_vpn_conn = "100"

  allocate_new_eip              = false
  eip                           = azurerm_public_ip.aviatrix_saml_gateway_public_ip.ip_address
  azure_eip_name_resource_group = local.saml_gateway_eip_id
}

When running this way I get a deployment error from terraform:

Error: failed to create Aviatrix gateway: rest API connect_container POST failed: [AVXERR-TRANSIT-0024] Failed to launch Gateway - user-vpn-gateway-avi. [AVXERR-TRANSIT-0067] Azure Error: DeploymentFailed
    Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
    Exception Details:
            Error Code: BadRequest
            Message: {'error': {'code': 'CannotChangePublicIpPrefixForExistingPublicIpAddress', 'message': 'Cannot change Public Ip Prefix from /subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPPrefixes/vpn-gateways-ip-prefix to null for the PublicIp /subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPAddresses/av-ip-user-vpn-gateway-avi.', 'details': []}} Please go to Azure cloud portal and check Activity log for resource group <rg_name> to get detailed reason.
  
      with aviatrix_gateway.saml_gateway,
      on main.tf line 79, in resource "aviatrix_gateway" "saml_gateway":
      79: resource "aviatrix_gateway" "saml_gateway" {

Environment:

  • Provider version: 3.1.3
  • Terraform version: 0.15.5
  • Aviatrix Controller version: 7.1

Additional context

Worth noting that when I try to do this operation but the public IP is not from an IP prefix, it works as intended. This would be a useful feature as it allows me to have a reliable pool of addresses to stand up multiple gateways if I need to perform any maintenance.

dyfhughes, Nov 15 '23 15:11
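The failure described in this issue, modelled offline as an added example (not code from the provider or from the reporter): Azure rejects a createOrUpdate on an existing public IP whose body drops the prefix reference, while a body that carries `properties.publicIPPrefix.id` forward is accepted. The resource ids and the IP address are constructed placeholders, and `check_update` is a hypothetical stand-in for Azure's own validation, not a call into any Azure SDK.

```python
"""Model the CannotChangePublicIpPrefixForExistingPublicIpAddress rule
and show a createOrUpdate body that preserves the prefix association."""
import copy

# Constructed sample: an existing public IP carved from an IP prefix,
# shaped like the ARM PublicIPAddress resource (ids are placeholders).
EXISTING_PIP = {
    "name": "av-ip-user-vpn-gateway-avi",
    "properties": {
        "publicIPAllocationMethod": "Static",
        "ipAddress": "203.0.113.10",
        "publicIPPrefix": {
            "id": "/subscriptions/<sub_id>/resourceGroups/<rg_name>"
                  "/providers/Microsoft.Network/publicIPPrefixes/vpn-gateways-ip-prefix"
        },
    },
}

# Constructed sample: an update body with no prefix reference at all,
# which is what the reporter observes the provider sending.
PROVIDER_BODY = {
    "name": "av-ip-user-vpn-gateway-avi",
    "properties": {"publicIPAllocationMethod": "Static"},
}


def prefix_id(pip):
    """Return the prefix resource id of a public IP body, or None."""
    return (pip.get("properties", {}).get("publicIPPrefix") or {}).get("id")


def check_update(existing, proposed):
    """Hypothetical mirror of Azure's check: an existing public IP may not
    change or drop its prefix. Returns (ok, error_code)."""
    old, new = prefix_id(existing), prefix_id(proposed)
    if old and old != new:
        return False, "CannotChangePublicIpPrefixForExistingPublicIpAddress"
    return True, None


def preserve_prefix(existing, proposed):
    """Build a safe createOrUpdate body: copy the existing prefix reference
    into the proposed body when the caller omitted it. Input is not mutated."""
    body = copy.deepcopy(proposed)
    old = prefix_id(existing)
    if old and not prefix_id(body):
        body.setdefault("properties", {})["publicIPPrefix"] = {"id": old}
    return body


if __name__ == "__main__":
    print(check_update(EXISTING_PIP, PROVIDER_BODY))
    print(check_update(EXISTING_PIP, preserve_prefix(EXISTING_PIP, PROVIDER_BODY)))
```

A public IP with no prefix passes `check_update` unchanged, which matches the reporter's observation that non-prefix addresses work.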