terraform: Error finding route after creating it: Unable to find matching route for Route Table

[hashibot]

This issue was originally opened by @FlorinAndrei as hashicorp/terraform#9756. It was migrated here as part of the provider split. The original body of the issue is below.

---

Terraform Version

Terraform v0.7.7

Terraform Configuration Files

https://dl.dropboxusercontent.com/u/29966/tf.zip

Expected Behavior

Create the infrastructure.

Actual Behavior

https://gist.github.com/FlorinAndrei/17c0a12e70c0a15671322030b419ec92

However, the routes, route tables, and NAT gateways were all created just fine. Subnet associations were set also.

Running terraform plan again produces this output:

+ module.network.private_subnet.aws_route.private_nat_gw.2
    destination_cidr_block:     "0.0.0.0/0"
    destination_prefix_list_id: "<computed>"
    gateway_id:                 "<computed>"
    instance_id:                "<computed>"
    instance_owner_id:          "<computed>"
    nat_gateway_id:             "nat-09ffe6396b7b4f821"
    network_interface_id:       "<computed>"
    origin:                     "<computed>"
    route_table_id:             "rtb-6ad9640d"
    state:                      "<computed>"


Plan: 1 to add, 0 to change, 0 to destroy.

But that route exists already. If I try to apply the plan, I get this:

module.network.private_subnet.aws_route.private_nat_gw.2: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-09ffe6396b7b4f821"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-6ad9640d"
  state:                      "" => "<computed>"
Error applying plan:

1 error(s) occurred:

* aws_route.private_nat_gw.2: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
	status code: 400, request id: 31c1946f-6359-41c6-8be6-460c8d3b5d99

terraform refresh produces this output:

terraform_remote_state.aws_global: Refreshing state... (ID: 2016-10-31 20:05:38.730089879 +0000 UTC)
module.network.nat.aws_eip.nat.0: Refreshing state... (ID: eipalloc-e15ccd86)
module.network.nat.aws_eip.nat.1: Refreshing state... (ID: eipalloc-785ccd1f)
module.network.nat.aws_eip.nat.2: Refreshing state... (ID: eipalloc-795ccd1e)
module.network.vpc.aws_vpc.vpc: Refreshing state... (ID: vpc-b04abed7)
module.network.vpc.aws_vpc_peering_connection.peering: Refreshing state... (ID: pcx-327bc05b)
module.network.public_subnet.aws_internet_gateway.public: Refreshing state... (ID: igw-da109cbe)
module.network.public_subnet.aws_route_table.public: Refreshing state... (ID: rtb-6cd9640b)
module.network.public_subnet.aws_subnet.public.2: Refreshing state... (ID: subnet-a86c0ff0)
module.network.private_subnet.aws_subnet.private.0: Refreshing state... (ID: subnet-afefdad9)
module.network.private_subnet.aws_route_table.private.0: Refreshing state... (ID: rtb-6bd9640c)
module.network.private_subnet.aws_route_table.private.1: Refreshing state... (ID: rtb-6dd9640a)
module.network.public_subnet.aws_subnet.public.1: Refreshing state... (ID: subnet-933b28f7)
module.network.public_subnet.aws_subnet.public.0: Refreshing state... (ID: subnet-adefdadb)
module.network.private_subnet.aws_subnet.private.2: Refreshing state... (ID: subnet-a96c0ff1)
module.network.private_subnet.aws_route_table.private.2: Refreshing state... (ID: rtb-6ad9640d)
module.network.private_subnet.aws_subnet.private.1: Refreshing state... (ID: subnet-9d3b28f9)
module.network.public_subnet.aws_route.public_gw: Refreshing state... (ID: r-rtb-6cd9640b1080289494)
module.network.public_subnet.aws_route_table_association.public.0: Refreshing state... (ID: rtbassoc-f928c59f)
module.network.public_subnet.aws_route_table_association.public.1: Refreshing state... (ID: rtbassoc-c728c5a1)
module.network.public_subnet.aws_route_table_association.public.2: Refreshing state... (ID: rtbassoc-c628c5a0)
module.network.nat.aws_nat_gateway.nat.0: Refreshing state... (ID: nat-0b9579e6856f9f3d3)
module.network.nat.aws_nat_gateway.nat.1: Refreshing state... (ID: nat-0533b77ab8365de80)
module.network.nat.aws_nat_gateway.nat.2: Refreshing state... (ID: nat-09ffe6396b7b4f821)
module.network.private_subnet.aws_route_table_association.private.0: Refreshing state... (ID: rtbassoc-fd28c59b)
module.network.private_subnet.aws_route_table_association.private.1: Refreshing state... (ID: rtbassoc-fa28c59c)
module.network.private_subnet.aws_route_table_association.private.2: Refreshing state... (ID: rtbassoc-fb28c59d)
module.network.aws_network_acl.acl: Refreshing state... (ID: acl-9168b8f6)
module.network.private_subnet.aws_route.private_nat_gw.1: Refreshing state... (ID: r-rtb-6dd9640a1080289494)
module.network.private_subnet.aws_route.private_nat_gw.0: Refreshing state... (ID: r-rtb-6bd9640c1080289494)

Please note how gw.2 is not mentioned in the refresh.

terraform plan -destroy also does not mention gw.2

Applying that -destroy plan works well and destroys all infrastructure.

Steps to Reproduce

terraform apply

[thnee]

Same here, on 0.10.2.

Running apply the first time:

aws_route_table.private: Creating...
  propagating_vgws.#: "" => "<computed>"
  route.#:            "" => "<computed>"
  tags.%:             "" => "1"
  tags.Name:          "" => "stage-private"
  vpc_id:             "" => "vpc-63082c0b"
aws_route_table.private: Creation complete (ID: rtb-4a8f6021)
aws_nat_gateway.main: Creating...
  allocation_id:        "" => "eipalloc-975e5efe"
  network_interface_id: "" => "<computed>"
  private_ip:           "" => "<computed>"
  public_ip:            "" => "<computed>"
  subnet_id:            "" => "subnet-c4c42daf"
aws_nat_gateway.main: Still creating... (10s elapsed)
aws_nat_gateway.main: Still creating... (20s elapsed)
aws_nat_gateway.main: Still creating... (30s elapsed)
aws_nat_gateway.main: Still creating... (40s elapsed)
aws_nat_gateway.main: Still creating... (50s elapsed)
aws_nat_gateway.main: Still creating... (1m0s elapsed)
aws_nat_gateway.main: Still creating... (1m10s elapsed)
aws_nat_gateway.main: Still creating... (1m20s elapsed)
aws_nat_gateway.main: Still creating... (1m30s elapsed)
aws_nat_gateway.main: Still creating... (1m40s elapsed)
aws_nat_gateway.main: Creation complete (ID: nat-07f3c867c4ca19368)
aws_route.private-nat-gateway: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-07f3c867c4ca19368"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-4a8f6021"
  state:                      "" => "<computed>"
aws_route.private-nat-gateway: Still creating... (10s elapsed)
aws_route.private-nat-gateway: Still creating... (20s elapsed)
aws_route.private-nat-gateway: Still creating... (30s elapsed)
aws_route.private-nat-gateway: Still creating... (40s elapsed)
aws_route.private-nat-gateway: Still creating... (50s elapsed)
aws_route.private-nat-gateway: Still creating... (1m0s elapsed)
aws_route.private-nat-gateway: Still creating... (1m10s elapsed)
aws_route.private-nat-gateway: Still creating... (1m20s elapsed)
aws_route.private-nat-gateway: Still creating... (1m30s elapsed)
aws_route.private-nat-gateway: Still creating... (1m40s elapsed)
aws_route.private-nat-gateway: Still creating... (1m50s elapsed)
aws_route.private-nat-gateway: Still creating... (2m0s elapsed)
Error applying plan:

1 error(s) occurred:

* aws_route.private-nat-gateway: 1 error(s) occurred:

* aws_route.private-nat-gateway: Error finding route after creating it: Unable to find matching route for Route Table (rtb-4a8f6021) and destination CIDR block (0.0.0.0/0).

Yet, in AWS web console I can see the route was created exactly as expected.

Running apply a second time:

aws_route.private-nat-gateway: Creating...
  destination_cidr_block:     "" => "0.0.0.0/0"
  destination_prefix_list_id: "" => "<computed>"
  egress_only_gateway_id:     "" => "<computed>"
  gateway_id:                 "" => "<computed>"
  instance_id:                "" => "<computed>"
  instance_owner_id:          "" => "<computed>"
  nat_gateway_id:             "" => "nat-07f3c867c4ca19368"
  network_interface_id:       "" => "<computed>"
  origin:                     "" => "<computed>"
  route_table_id:             "" => "rtb-4a8f6021"
  state:                      "" => "<computed>"
Error applying plan:

1 error(s) occurred:

* aws_route.private-nat-gateway: 1 error(s) occurred:

* aws_route.private-nat-gateway: Error creating route: RouteAlreadyExists: The route identified by 0.0.0.0/0 already exists.
	status code: 400, request id: 35c5077a-7437-43a9-84b7-40261cb79927

After doing destroy, and then apply again, without changing anything else, the same conf works just fine.

[gopisaba]

I have the same problem in v0.10.7

[AnthonyWC]

Ran into this issue; route was created properly but terraform does not recognize it:

Terraform v0.11.5
+ provider.aws v1.11.0

[AnthonyWC]

As a workaround; use state pull and manually edit the tfstate file and then state push works. Also this issue was closed in hashicorp/terraform#8542

[smihajlovic-frame]

Encountered the same issue in multiple provider and Terraform versions. Still having the same behavior using:

Terraform v0.11.5
+ provider.aws v1.11.0

[smihajlovic-frame]

@AnthonyWC I have tried putting depends_on but it did not help.

[eLco]

@smihajlovic-frame maybe you can try to increase aws_route configurable timeout for create, it's available since provider.aws v1.11.0. Default is 2 minutes.

[rafaljanicki]

Hey,

Just wanted to confirm that the timeout increase apparently fixed the issue:

timeouts {
    create = "5m"
  }

[smihajlovic-frame]

@eLco @rafaljanicki I am also confirming that increasing timeout fixes the issue.

[flickerfly]

I did not find that waiting 5m was sufficient for resolving my issue.

[flickerfly]

@AnthonyWC I found this is a problem in the latest version of terraform and aws provider:

$ terraform version
Terraform v0.11.8
+ provider.aws v1.37.0

[flickerfly]

I found that my situation had to do with a malformed CIDR reference. I had 192.168.0.21/30 as my destination_cidr_block, but AWS was nicely adjusting that to the more accurate 192.168.0.20/30 when. Meanwhile, I guess terraform was looking for the one I specified to confirm completion rather than the adjusted one. Same error pattern, different cause. Hope this saves someone some trouble.

[sriraja53]

I faced this issue once again in the below terraform version
Terraform v0.11.10

• provider.aws v1.57.0
• provider.null v2.0.0
• provider.template v2.0.0

[kostas-theo]

Still experiencing this issues, successfully resolved using:

timeouts {
    create = "5m"
  }

Terraform v0.12.8
provider "aws" (hashicorp/aws) 2.33.0

[ewikum]

I found that my situation had to do with a malformed CIDR reference. I had 192.168.0.21/30 as my destination_cidr_block, but AWS was nicely adjusting that to the more accurate 192.168.0.20/30 when. Meanwhile, I guess terraform was looking for the one I specified to confirm completion rather than the adjusted one. Same error pattern, different cause. Hope this saves someone some trouble.

Thanks, You saved my day!

[bflad]

Additional validation to prevent the CIDR misalignment has been merged and will release with version 2.68.0 of the Terraform AWS Provider, likely tomorrow. Thanks to @ewbankkit for the implementation. 👍

If you are still having issues after upgrading to 2.68.0 when its released, please file a new issue.

[ghost]

This has been released in version 2.68.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!