Not idempotent for aws_route_table_association

[RuBiCK]

Terraform Version

Terraform v0.11.10

• provider.aws v1.46.0

Affected resources

aws_route_table_association

Expected Behavior

I have a var that defines subnets with tags to indicate if a subnet is public
I create a resource aws_route_table that I associate to certain subnets found by data aws_subnet_ids
It's expected to be idempotent if I run many times terraform apply
The subnet id to be associated needs to be computed (in my case) and after gather all information, terraform should check that association exists or not instead of delete and create the same association.

Actual Behavior

Between first and second apply the route_table_association gets removed and recreated again for each apply:

plan:

-/+ aws_route_table_association.public-rt (new resource required)
      id:                   "rtbassoc-00fa56a88a4080a05" => <computed> (forces new resource)
      route_table_id:       "rtb-044e7ab173eb7dd2e" => "rtb-044e7ab173eb7dd2e"
      subnet_id:            "subnet-0b8bee3f1d5b755ec" => "${data.aws_subnet_ids.public.ids[count.index]}" (forces new resource)

apply:

aws_route_table_association.public-rt: Creating...
  route_table_id: "" => "rtb-044e7ab173eb7dd2e"
  subnet_id:      "" => "subnet-0b8bee3f1d5b755ec"
...
aws_route_table_association.public-rt: Creation complete after 5s (ID: rtbassoc-03e0dbad4543d6ff4)

Steps to Reproduce

1. terraform plan
2. terraform apply
3. terraform apply

Output
Debug log

Additional Context

data "aws_subnet_ids" "public" {
  depends_on = ["aws_subnet.subnet"] //creation of subnets
  vpc_id = "${aws_vpc.main.id}"
  tags {
    public = true
  }
}

resource "aws_route_table_association" "public-rt" {
  /*
  workaround count can't be computed
 https:/hashicorp/terraform/issues/10857#issuecomment-368059147
  count = "${length(data.aws_subnet_ids.public.ids)}"
  */
  count = "${var.subnets_public_count}"
  subnet_id = "${data.aws_subnet_ids.public.ids[count.index]}"
  route_table_id = "${aws_route_table.public-route.id}"
}

References

• Terraform apply not idempotent for security groups #13966

[RuBiCK]

Same behavior with resource aws_nat_gateway

-/+ aws_nat_gateway.gwa (new resource required)
      id:                   "nat-01c5fa9680df5359b" => <computed> (forces new resource)
      allocation_id:        "eipalloc-0057d480fa70e0749" => "eipalloc-0057d480fa70e0749"
      network_interface_id: "eni-0ce5f6f6e96335ffb" => <computed>
      private_ip:           "10.240.0.225" => <computed>
      public_ip:            "63.33.29.4" => <computed>
      subnet_id:            "subnet-0b8bee3f1d5b755ec" => "${data.aws_subnet_ids.subnetnat.ids[0]}" (forces new resource)

aws_nat_gateway.gwa: Destroying... (ID: nat-03bbce1edd26a004e)
...
aws_nat_gateway.gwa: Destruction complete after 1m7s
aws_nat_gateway.gwa: Creating...
  allocation_id:        "" => "eipalloc-0057d480fa70e0749"
  network_interface_id: "" => "<computed>"
  private_ip:           "" => "<computed>"
  public_ip:            "" => "<computed>"
  subnet_id:            "" => "subnet-0b8bee3f1d5b755ec"
...
aws_nat_gateway.gwa: Creation complete after 1m45s (ID: nat-0714763ddcfbdfbef)```

resource "aws_nat_gateway" "gwa" {
  depends_on = ["aws_subnet.subnet","aws_eip.nat"]
  allocation_id = "${aws_eip.nat.id}"
  subnet_id     = "${data.aws_subnet_ids.subnetnat.ids[0]}"
}

Obtain subnet_id from data computed forces new resource always.

Debug information on the gist of the main issue

[ghost]

This issue has been automatically migrated to hashicorp/terraform-provider-aws#6556 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to hashicorp/terraform-provider-aws#6556.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.