Provider ec2_vpc and ec2_vpc_routetable - Issue managing route tables

[pjfoley]

Hi,

Using the vpc-example provided in the repository I have been testing the VPC provider. Although the puppet code works it does surprising things which I would not expect. If I run:

ec2_vpc { 'sample-vpc':
  ensure       => present,
  region       => 'sa-east-1',
  cidr_block   => '10.0.0.0/16',
}

This creates a VPC and a route table both named sample-vpc. Looking through the aws-sdk-core manual it does not explicitly say it will create a route table but I assume this is correct behavior.

If it is correct behavior I would like to use this route table (sample-vpc) and add an additional route to it instead of creating a separate route table. For example (does not work):

ec2_vpc { 'sample-vpc':
  ensure       => present,
  region       => 'sa-east-1',
  cidr_block   => '10.0.0.0/16',
}

ec2_vpc_internet_gateway { 'sample-igw':
  ensure => present,
  region => 'sa-east-1',
  vpc    => 'sample-vpc',
}

#################
# The below will fail as there is already a sample-vpc route table created as part of the ec2_vpc type
#################
ec2_vpc_routetable { 'sample-vpc':
  ensure => present,
  region => 'sa-east-1',
  vpc    => 'sample-vpc',
  routes => [
    {
      destination_cidr_block => '10.0.0.0/16',
      gateway                => 'local'
    },{
      destination_cidr_block => '0.0.0.0/0',
      gateway                => 'sample-igw'
    },
  ],
}

However the routes property for the ec2_vpc_routetable type is read only once created and I am unable to add an additional route to an existing route table.

[garethr]

So, the route table you mentioned is automatically created by AWS, rather than by Puppet or the SDK. We tag it with the same name as the VPC to make keeping track of it possible.

However, as you mentioned, it's not (yet) possible to update the routes on an existing route table. This isn't a hard limitation, it's definitely something we'll be adding the ability to do. At which point the code you have should just work.

[daveseff]

I had the same issue. Error message below. Strangely, All my work is being don in us-west-1. Don't know why it's complaining about us-east-1:

Error: Could not run: Puppet detected a problem with the information returned from AWS
when looking up ec2_vpc_routetable in us-east-1. The specific error was:

expected params[:internet_gateway_ids][0] to be a string

Rather than report on ec2_vpc_routetable resources in an inconsistent state we have exited.
This could be because some other process is modifying AWS at the same time.

[daveseff]

Also, It seems that if this is put into a puppet manifest, it will complain everytime, whereas if just run via 'puppey apply' all is good for a onetime run:

Error: cidr_block property is read-only once ec2_vpc created.
Error: /Stage[main]/Main/Ec2_vpc[sample-vpc]/cidr_block: change from 10.10.0.0/16 to 10.10.10.0/16 failed: cidr_block property is read-only once ec2_vpc created.
Notice: /Stage[main]/Main/Ec2_securitygroup[sample-sg]: Dependency Ec2_vpc[sample-vpc] has failures: true
Warning: /Stage[main]/Main/Ec2_securitygroup[sample-sg]: Skipping because of failed dependencies

[jhojgaard]

Has anyone found a solution or workaround for this yet?
I really want to avoid having to use the webinterface when deploying a vpc, with subnet and internet gateway.

[matikij]

Any update on this? Does

However, as you mentioned, it's not (yet) possible to update the routes on an existing route table. This isn't a hard limitation, it's definitely something we'll be adding the ability to do.

still apply ?