
Creating a VPC Peering when the same VPC Peering already exists does not fail

Open theurichde opened this issue 2 years ago • 7 comments

Hi folks,

I stumbled upon the fact that creating a VPC peering connection via your terraform provider does not fail when the same VPC peering connection already exists in my Aiven project.

I would expect the provider to fail with some kind of "Resource already exists" exception.

The current behavior leads to the following problem:

Given: One Project Z and a VPC setup

  • Team 1 owns Cluster A in Project Z
  • Team 2 owns Cluster B in Project Z
  • Team 1 consumes from Cluster B in Project Z

Then:

  • Team 1 peers with its Cluster A in their own AWS account
  • Team 2 creates a peering on behalf of Team 1's AWS account and Project Z (because Team 1 consumes from Cluster B)
  • Now Team 1 stops consuming from Cluster B
  • Team 2 removes the VPC peering connection for Team 1 from their state, because Team 1 doesn't need it anymore for Cluster B
  • Team 1 loses its complete peering connection and no longer has access to its own Cluster A
    • that happens because the terraform Aiven provider treats an already existing peering connection as a single, new entity.

theurichde avatar Jun 07 '22 14:06 theurichde

Hi @ivan-savciuc, any thoughts on this? Is this intended? Thanks

wanisfahmyDE avatar Jun 14 '22 14:06 wanisfahmyDE

Hi @theurichde and @wanisfahmyDE, are you talking about Project VPC resource aiven_project_vpc or VPC peering connection resource, like aiven_aws_vpc_peering_connection? Also what version of Aiven TF provider are you using?

ivan-savciuc avatar Jun 17 '22 12:06 ivan-savciuc

Hi @ivan-savciuc, it's the VPC peering connection resource aiven_vpc_peering_connection; we were using v2.7.3

wanisfahmyDE avatar Jun 20 '22 08:06 wanisfahmyDE

Hi @ivan-savciuc

Sorry for not being specific enough. As @wanisfahmyDE mentioned, we are talking about the aiven_aws_vpc_peering_connection / the aiven_vpc_peering_connection resource here.

I dug a bit into the code and realized that the Aiven Go Client uses the Aiven API (what else? ;-) ), and I played around a bit with the API.

When there is already an active peering connection and I try to create a new one for the exact same AWS account, VPC and Aiven VPC, I just get an HTTP status 200 back with the peering connection information from the API (and therefore from the Go Client).

This information is used in the terraform provider to "register" this new resource, although this particular resource already exists on the Aiven side.

theurichde avatar Jun 20 '22 14:06 theurichde

Hi @theurichde,

Thank you for your reply and for your time investigating this issue.

It is a bug in the Aiven API: on the creation of a new VPC peering connection we expect an error when it already exists, and instead we are getting 200. However, a new VPC peering connection is not created, and in the response we get the preexisting one.

I will create a patch to change the behaviour of the Terraform Provider, and we will patch the Aiven API as well. Would you like to have the patch in v2 as well as in v3?

ivan-savciuc avatar Jun 21 '22 09:06 ivan-savciuc
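The two comments above describe the failure mode: the API answers a duplicate create with 200 and the preexisting record, and a client that takes that record at face value silently adopts a peering it did not create, so two Terraform states end up owning one connection and a destroy from either side removes it for both. The following is an added example, not code from the provider or the aiven-go-client; the `PeeringAPI` interface, the `fakeAPI` that reproduces the 200-on-duplicate behaviour, and the field names are all hypothetical stand-ins. It shows a client-side guard that lists the VPC's peerings first and refuses to create (or adopt) one whose peer account and peer VPC already match, which is the "Resource already exists" behaviour the reporter expected.

```go
package main

import (
	"errors"
	"fmt"
)

// PeeringKey holds the three fields the thread says the API matches on:
// the Aiven project VPC, the peer AWS account and the peer VPC.
// (Hypothetical struct, not the real client's type.)
type PeeringKey struct {
	ProjectVPCID     string
	PeerCloudAccount string
	PeerVPC          string
}

// Peering is a minimal stand-in for an API peering connection record.
type Peering struct {
	Key   PeeringKey
	State string
}

// PeeringAPI is a hypothetical minimal interface over the two API calls a
// provider needs here; it is not the aiven-go-client API.
type PeeringAPI interface {
	List(projectVPCID string) ([]Peering, error)
	Create(key PeeringKey) (Peering, error)
}

// ErrAlreadyExists is returned instead of adopting a preexisting peering.
var ErrAlreadyExists = errors.New("vpc peering connection already exists")

// CreatePeeringStrict lists the project VPC's peerings before creating, and
// fails if one with the same peer account and peer VPC is already present.
// This is the guard the provider lacked: it never lets a second Terraform
// state claim ownership of a peering that another state created.
func CreatePeeringStrict(api PeeringAPI, key PeeringKey) (Peering, error) {
	existing, err := api.List(key.ProjectVPCID)
	if err != nil {
		return Peering{}, fmt.Errorf("listing peerings: %w", err)
	}
	for _, p := range existing {
		if p.Key == key {
			return Peering{}, fmt.Errorf("%w: account %s, vpc %s",
				ErrAlreadyExists, key.PeerCloudAccount, key.PeerVPC)
		}
	}
	return api.Create(key)
}

// fakeAPI reproduces the bug described in the thread: Create on an existing
// key succeeds (the HTTP 200 case) and hands back the preexisting record.
type fakeAPI struct {
	peerings map[PeeringKey]Peering
}

func newFakeAPI() *fakeAPI {
	return &fakeAPI{peerings: map[PeeringKey]Peering{}}
}

func (f *fakeAPI) List(projectVPCID string) ([]Peering, error) {
	var out []Peering
	for _, p := range f.peerings {
		if p.Key.ProjectVPCID == projectVPCID {
			out = append(out, p)
		}
	}
	return out, nil
}

func (f *fakeAPI) Create(key PeeringKey) (Peering, error) {
	if p, ok := f.peerings[key]; ok {
		return p, nil // the buggy behaviour: no error, existing record returned
	}
	p := Peering{Key: key, State: "PENDING_PEER"}
	f.peerings[key] = p
	return p, nil
}

func main() {
	api := newFakeAPI()
	// Constructed sample identifiers, not real accounts or VPCs.
	key := PeeringKey{ProjectVPCID: "aiven-vpc-1", PeerCloudAccount: "123456789012", PeerVPC: "vpc-0abc"}

	first, err := CreatePeeringStrict(api, key) // Team 1 creates it
	fmt.Println("team 1:", first.State, err)

	_, err = CreatePeeringStrict(api, key) // Team 2 tries the same peering
	fmt.Println("team 2 strict:", err)

	adopted, _ := api.Create(key) // what the unpatched path did: 200 + existing record
	fmt.Println("team 2 naive adopts existing:", adopted == first)
}
```

The strict path turns the scenario from the issue into a plan-time error for Team 2 rather than a later outage for Team 1; the naive call at the end is left in to show that the raw API still hands back the same record, so the guard has to live client-side until the API itself returns an error.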

Thanks for the confirmation @ivan-savciuc! We are looking forward to the fix 🚀

Would you like to have the patch in v2 as well as v3?

Yeah, backporting the fix to v2 as well would be awesome.

Thanks!

theurichde avatar Jun 21 '22 13:06 theurichde

@theurichde the v3 patch is already out, and we will backport it to v2 in the coming days

ivan-savciuc avatar Jul 05 '22 07:07 ivan-savciuc

Check out v2.7.5

ivan-savciuc avatar Sep 06 '22 08:09 ivan-savciuc