I used the vpc module to create my VPC via the following code:

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  name = "${var.namespace}-vpc"
  cidr = "10.0.0.0/16"
  azs = data.aws_availability_zones.available.names
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
  #assign_generated_ipv6_cidr_block = true
  create_database_subnet_group     = true
  enable_nat_gateway               = true
  single_nat_gateway               = true
  enable_dns_hostnames = true
  enable_dns_support   = true
}

This module automatically creates two public subnets that has a route table that points to an internet gateway. However, I would like to modify one of the two public subnets to have a different route table that points to a firewall that I have created.

What I did was to create a new route table pub_to_firewall, and then create a new aws_route_table_association to associate the public subnet with the new route table.

resource "aws_route_table_association" "sn_to_fw_rt_association" {
  subnet_id      = module.vpc.public_subnets[0]
  route_table_id = aws_route_table.pub_to_firewall.id
  depends_on = [
    aws_route_table.pub_to_firewall,
  ]
}

I have been able to follow the instructions to import the original association to this new association, and terraform apply to get the public subnet to have this new route table containing the firewall reference.

However, when I run terraform apply again, terraform now wants to go back to the 'default' associations:

Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.networking.module.vpc.aws_route_table_association.public[0] has been deleted
  - resource "aws_route_table_association" "public" {
      - id             = "rtbassoc-[ ]" -> null
      - route_table_id = "rtb-0cabc2388adXXXXX" -> null
      - subnet_id      = "subnet-0a2b011cd7aXXXXX" -> null
    }


Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these
changes.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
    create
  ~ update in-place

Terraform will perform the following actions:


  # module.networking.module.vpc.aws_route_table_association.public[0] will be created
    resource "aws_route_table_association" "public" {
        id             = (known after apply)
        route_table_id = "rtb-0cabc2388adXXXXX"
        subnet_id      = "subnet-0a2b011cd73XXXXX"
    }

I do not want this resource to be recreated because it would throw an error that │ Error: error creating Route Table (rtb-0cabc2388adXXXXX) Association: Resource.AlreadyAssociated: the specified association for route table rtb-0cabc2388adXXXXX conflicts with an existing association obviously since I already associated it with the new routing table.

How can I either:

1. Force terraform to 'ignore' the default subnet to routing tables setup
2. Or update the vpc created aws_route_table_association resource module.networking.module.vpc.aws_route_table_association.public[0] to reference the new route table instead?

CodePudding user response：

You can't change that, as this is how the aws vpc module works. You need custom designed VPC for that. So you have to either fork the entire module and made the changes that you want, or create new VPC module from scratch tailored to your needs.

CodePudding user response：

Thanks for the answers Marcin! I did more research and asked some people, and it does seem like the original decision to use the 'vpc' module to set up the initial infrastructure came with the trade off that modifying individual resources would be not possible.

The steps I took below is to keep the existing subnets etc that I need without destroying them. Changing subnets would mean destruction of the associated EC2 instances etc which we do not want.

As such, I had to do the tedious steps of recreating the infrastructure resource by resource. Below are my steps for people interested in the future:

1. Run terraform state list to see all the resources associated with the vpc module and you can filter to see module.networking.module.vpc.aws_eip.nat[0], module.networking.module.vpc.aws_internet_gateway.this[0] etc etc

2. For each of the resources under the module.networking.module.vpc list, create the resources again individually. For example, if you need a private subnet, then create a new aws_subnet resource. It will be painful, but you'll need to change all the links in other resources that points to the old resources in the Terraform code to point to these new resources.

3. After creating each individual resource, tell Terraform to point the existing resource to the new resource you want to create (remember to terraform init first so that Terraform knows of the new resources) for example terraform state mv module.networking.module.vpc.aws_subnet.private[0] module.vpc.aws_subnet.private_subnet_1