terraform-provider-aws: resource/aws_route_table_association: error reading Route Table Association (rtbassoc-xxx): Empty result

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

terraform version - 0.12.31 provider-aws version - 3.54.0

Affected Resource(s)

  • aws_route_table_association

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

    // Reproduction configuration from the report (Terraform 0.12.31, provider 3.54.0).
    // The comments below are review annotations only; every resource is left exactly
    // as reported so the reproduction stays faithful.
    provider "aws" {
      // NOTE(review): static access keys are fed in through input variables, so they are
      // exposed wherever those variable values are written (tfvars files, CI logs).
      // An environment- or profile-based credential source avoids that; not changed
      // here so the repro stays as reported.
      access_key = "${var.ACCESS_KEY_ID}"
      secret_key = "${var.SECRET_ACCESS_KEY}"
      region     = "eu-west-1"
    }

    // Custom DHCP option set using the Amazon-provided resolver; attached to the VPC below.
    resource "aws_vpc_dhcp_options" "vpc_dhcp_options" {
      domain_name         = "eu-west-1.compute.internal"
      domain_name_servers = ["AmazonProvidedDNS"]
    }

    // Single /16 VPC; DNS support and hostnames are both enabled.
    resource "aws_vpc" "vpc" {
      cidr_block           = "10.250.0.0/16"
      enable_dns_support   = true
      enable_dns_hostnames = true
    }

    resource "aws_vpc_dhcp_options_association" "vpc_dhcp_options_association" {
      vpc_id          = "${aws_vpc.vpc.id}"
      dhcp_options_id = "${aws_vpc_dhcp_options.vpc_dhcp_options.id}"
    }

    // Adopts the VPC's default security group with no ingress/egress blocks declared.
    // With this resource type that strips the default group of all rules, so nothing
    // can rely on it implicitly -- a useful hardening step.
    resource "aws_default_security_group" "default" {
      vpc_id = "${aws_vpc.vpc.id}"
    }

    resource "aws_internet_gateway" "igw" {
      vpc_id = "${aws_vpc.vpc.id}"
    }

    // "routetable_main" is the public route table: its only route (below) sends
    // 0.0.0.0/0 to the Internet gateway.
    resource "aws_route_table" "routetable_main" {
      vpc_id = "${aws_vpc.vpc.id}"
    }

    resource "aws_route" "public" {
      route_table_id         = "${aws_route_table.routetable_main.id}"
      destination_cidr_block = "0.0.0.0/0"
      gateway_id             = "${aws_internet_gateway.igw.id}"
    }

    // Node security group. All rules are declared as separate aws_security_group_rule
    // resources rather than inline, so the group itself carries none.
    resource "aws_security_group" "nodes" {
      name        = "foo-nodes"
      description = "Security group for nodes"
      vpc_id      = "${aws_vpc.vpc.id}"
    }

    // All protocols/ports between members of the same group (self = true).
    resource "aws_security_group_rule" "nodes_self" {
      type              = "ingress"
      from_port         = 0
      to_port           = 0
      protocol          = "-1"
      self              = true
      security_group_id = "${aws_security_group.nodes.id}"
    }

    // NOTE(review): 30000-32767 (the default Kubernetes NodePort range -- the key pair
    // below suggests this is a Kubernetes cluster) is open to the whole Internet on TCP
    // and, in the next rule, UDP. If NodePort services are not meant to be reached
    // directly, cidr_blocks should be narrowed to the load-balancer or bastion ranges.
    // Left as reported; this is a risk note, not part of the bug.
    resource "aws_security_group_rule" "nodes_tcp_all" {
      type              = "ingress"
      from_port         = 30000
      to_port           = 32767
      protocol          = "tcp"
      cidr_blocks       = ["0.0.0.0/0"]
      security_group_id = "${aws_security_group.nodes.id}"
    }

    // UDP counterpart of nodes_tcp_all; same world-open source range.
    resource "aws_security_group_rule" "nodes_udp_all" {
      type              = "ingress"
      from_port         = 30000
      to_port           = 32767
      protocol          = "udp"
      cidr_blocks       = ["0.0.0.0/0"]
      security_group_id = "${aws_security_group.nodes.id}"
    }

    // Unrestricted egress on all protocols.
    resource "aws_security_group_rule" "nodes_egress_all" {
      type              = "egress"
      from_port         = 0
      to_port           = 0
      protocol          = "-1"
      cidr_blocks       = ["0.0.0.0/0"]
      security_group_id = "${aws_security_group.nodes.id}"
    }


    // Subnets. All three below sit in eu-west-1c; the "z0" suffix suggests the reporter
    // has further per-zone copies that were trimmed from this excerpt (the error quoted
    // in the report refers to a "_z1_" resource that is not shown here).
    resource "aws_subnet" "nodes_z0" {
      vpc_id            = "${aws_vpc.vpc.id}"
      cidr_block        = "10.250.0.0/19"
      availability_zone = "eu-west-1c"
    }

    output "subnet_nodes_z0" {
      value = "${aws_subnet.nodes_z0.id}"
    }

    resource "aws_subnet" "private_utility_z0" {
      vpc_id            = "${aws_vpc.vpc.id}"
      cidr_block        = "10.250.112.0/22"
      availability_zone = "eu-west-1c"
    }

    // The per-subnet rules below (nodes_*_internal_z0, nodes_*_public_z0) repeat the
    // 30000-32767 range for a single VPC CIDR. While nodes_tcp_all / nodes_udp_all allow
    // 0.0.0.0/0 on the same ports they add nothing; they only become effective if the
    // world-open rules are removed, which would be the recommended direction.
    resource "aws_security_group_rule" "nodes_tcp_internal_z0" {
      type              = "ingress"
      from_port         = 30000
      to_port           = 32767
      protocol          = "tcp"
      cidr_blocks       = ["10.250.112.0/22"]
      security_group_id = "${aws_security_group.nodes.id}"
    }

    resource "aws_security_group_rule" "nodes_udp_internal_z0" {
      type              = "ingress"
      from_port         = 30000
      to_port           = 32767
      protocol          = "udp"
      cidr_blocks       = ["10.250.112.0/22"]
      security_group_id = "${aws_security_group.nodes.id}"
    }

    // Public utility subnet: hosts the NAT gateway and is associated with the public
    // route table further down.
    resource "aws_subnet" "public_utility_z0" {
      vpc_id            = "${aws_vpc.vpc.id}"
      cidr_block        = "10.250.96.0/22"
      availability_zone = "eu-west-1c"
    }

    output "subnet_public_utility_z0" {
      value = "${aws_subnet.public_utility_z0.id}"
    }

    resource "aws_security_group_rule" "nodes_tcp_public_z0" {
      type              = "ingress"
      from_port         = 30000
      to_port           = 32767
      protocol          = "tcp"
      cidr_blocks       = ["10.250.96.0/22"]
      security_group_id = "${aws_security_group.nodes.id}"
    }

    resource "aws_security_group_rule" "nodes_udp_public_z0" {
      type              = "ingress"
      from_port         = 30000
      to_port           = 32767
      protocol          = "udp"
      cidr_blocks       = ["10.250.96.0/22"]
      security_group_id = "${aws_security_group.nodes.id}"
    }

    // Elastic IP for the NAT gateway (vpc = true is the provider 3.x form).
    resource "aws_eip" "eip_natgw_z0" {
      vpc = true
    }

    resource "aws_nat_gateway" "natgw_z0" {
      allocation_id = "${aws_eip.eip_natgw_z0.id}"
      subnet_id     = "${aws_subnet.public_utility_z0.id}"
    }

    // Private route table: default route via the NAT gateway. Both the nodes subnet and
    // the private utility subnet are associated with it below.
    resource "aws_route_table" "routetable_private_utility_z0" {
      vpc_id = "${aws_vpc.vpc.id}"
    }

    resource "aws_route" "private_utility_z0_nat" {
      route_table_id         = "${aws_route_table.routetable_private_utility_z0.id}"
      destination_cidr_block = "0.0.0.0/0"
      nat_gateway_id         = "${aws_nat_gateway.natgw_z0.id}"

      // Only the create timeout is extended; the failure reported in this issue is on
      // the associations, not on this route.
      timeouts {
        create = "5m"
      }
    }

    // The three aws_route_table_association resources are the ones this issue is about:
    // the reported failure is "error reading Route Table Association (...): Empty result"
    // during the read that follows creation. Nothing in these blocks is unusual; the
    // report attributes the intermittent failure to the account being heavily used.
    resource "aws_route_table_association" "routetable_private_utility_z0_association_private_utility_z0" {
      subnet_id      = "${aws_subnet.private_utility_z0.id}"
      route_table_id = "${aws_route_table.routetable_private_utility_z0.id}"
    }

    resource "aws_route_table_association" "routetable_main_association_public_utility_z0" {
      subnet_id      = "${aws_subnet.public_utility_z0.id}"
      route_table_id = "${aws_route_table.routetable_main.id}"
    }

    resource "aws_route_table_association" "routetable_private_utility_z0_association_nodes_z0" {
      subnet_id      = "${aws_subnet.nodes_z0.id}"
      route_table_id = "${aws_route_table.routetable_private_utility_z0.id}"
    }


    //=====================================================================
    //= IAM instance profiles
    //=====================================================================

    // Bastion role: assumable by EC2 only; the inline policy below grants a single
    // read-only action (ec2:DescribeRegions).
    resource "aws_iam_role" "bastions" {
      name = "foo-bastions"
      path = "/"

      assume_role_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    EOF
    }

    resource "aws_iam_instance_profile" "bastions" {
      name = "foo-bastions"
      role = "${aws_iam_role.bastions.name}"
    }

    resource "aws_iam_role_policy" "bastions" {
      name = "foo-bastions"
      role = "${aws_iam_role.bastions.id}"

      policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    EOF
    }

    // Node role: assumable by EC2 only. Its inline policy (below) is read-only --
    // ec2:DescribeInstances plus the ECR actions needed to pull images.
    resource "aws_iam_role" "nodes" {
      name = "foo-nodes"
      path = "/"

      assume_role_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    EOF
    }

    resource "aws_iam_instance_profile" "nodes" {
      name = "foo-nodes"
      role = "${aws_iam_role.nodes.name}"
    }

    // NOTE(review): ecr:GetAuthorizationToken only works with Resource "*", but the
    // remaining ECR actions accept repository ARNs; if the image repositories are known
    // the second statement could be split and scoped accordingly. Left as reported.
    resource "aws_iam_role_policy" "nodes" {
      name = "foo-nodes"
      role = "${aws_iam_role.nodes.id}"

      policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
            "ecr:BatchGetImage"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    EOF
    }

    //=====================================================================
    //= EC2 Key Pair
    //=====================================================================

    // "ssh-rsa bar" is a redacted placeholder; AWS will presumably reject it as a
    // malformed key, so anyone re-running this repro needs to substitute a real
    // public key.
    resource "aws_key_pair" "kubernetes" {
      key_name   = "foo-ssh-publickey"
      public_key = "ssh-rsa bar"
    }

    //=====================================================================
    //= Output variables
    //=====================================================================

    // Output names mix snake_case and camelCase (iamInstanceProfileNodes, keyName);
    // harmless, but a consistent convention would read better.
    output "vpc_id" {
      value = "${aws_vpc.vpc.id}"
    }

    output "iamInstanceProfileNodes" {
      value = "${aws_iam_instance_profile.nodes.name}"
    }

    output "keyName" {
      value = "${aws_key_pair.kubernetes.key_name}"
    }

    output "security_group_nodes" {
      value = "${aws_security_group.nodes.id}"
    }

    output "nodes_role_arn" {
      value = "${aws_iam_role.nodes.arn}"
    }

Debug Output

Panic Output

Expected Behavior

Actual Behavior

Initializing the backend...

Initializing provider plugins...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.aws: version = "~> 3.54"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

aws_key_pair.kubernetes: Creating...
### Creation logs are omitted

* error reading Route Table Association (rtbassoc-xxx): Empty result
  on tf/main.tf line 374, in resource "aws_route_table_association" "routetable_private_utility_z1_association_nodes_z1":
    374: resource "aws_route_table_association" "routetable_private_utility_z1_association_nodes_z1" {

Steps to Reproduce

  1. terraform apply the configuration from above

  2. Note that on a heavily used AWS account it may fail with the error above:

* error reading Route Table Association (rtbassoc-xxx): Empty result
  on tf/main.tf line 374, in resource "aws_route_table_association" "routetable_private_utility_z1_association_nodes_z1":
    374: resource "aws_route_table_association" "routetable_private_utility_z1_association_nodes_z1" {

Could cloud-provider request limits and throttling also lead to this error? Could this issue be related to the eventual-consistency model of the AWS EC2 API (and hence to #16796)?

Important Factoids

References

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 75
  • Comments: 28 (10 by maintainers)

Commits related to this issue

Most upvoted comments

Hi @anGie44 , unfortunately this issue is still present in v3.65.0. I analysed the code and it seems to me that the FindRouteTableAssociationByID function is the problem. My suspicion is that it starts returning the expected results in the StatusRouteTableAssociationState check in WaitRouteTableAssociationUpdated, but then for some reason it does not return the same results in the subsequent resourceRouteTableAssociationRead. So either there is some bug in this function (in which case this needs to be fixed) or AWS is returning inconsistent results (in which case maybe WaitRouteTableAssociationUpdated should wait for more than one successful find invocation).

BTW it looks like there is IGW regression in v3.65.0 which affects Terraform destroy, I reported it as a separate issue: https://github.com/hashicorp/terraform-provider-aws/issues/21792

Seeing the same issue on v3.71.0. It happens rarely, but we run a lot of tests, and encountered this multiple times already.

FTR I ran my test suite on 4.0.0 (fortunately I am not affected by backwards incompatible changes) and I still receive route table errors like the one below (I use VPC module from terraform-aws-modules). Therefore I am not sure if this issue is completely fixed.

   Error: error reading Route Table (rtb-0xxxxxxx): couldn't find resource

 on .terraform/modules/vpc.vpc.vpc/main.tf line 203, in resource "aws_route_table" "public": 203: resource "aws_route_table" "public" {  }

In the past 3 months we have gone from almost zero failures to about 5 per day across about 100 deployments. We had our provider pinned to 3.64 during this whole time. We’ve now got a dedicated customer channel reporting launch failures! I suspect there has been some AWS backend change that’s amplified this weakness.

This is a far from negligible occurrence pattern; in a dozen applies across 2 days I've seen it fail twice already (earlier it felt very rare). This impacts terraform-aws-modules/vpc/aws directly, and obviously completely breaks any CD pipeline that creates and immediately manipulates route tables (i.e. everyone who creates a VPC?). It is so breaking, in fact, that I have to ask myself whether AWS changed something in their backend to make this happen more often.

Bumping up literals like ContinuousTargetOccurence from 2 to 3 feels arbitrary. If it fixes it great, I guess, but I think we’d all rather not be reading the same discussion in a year when amazon scales out their backend further.

Retrying the entire script is like using a cannon as a fly swatter.

I’d be glad to test any potential fixes as I’m running into this on the daily.

@cdancy Ha - yes that’s exactly what my team implemented! Thought you might have something inside TF we’d missed. I’m hopeful #22420 related and all will be fixed in v3.73.0

I am experiencing same issue. I am using pulumi 4.31.0, itself using aws terraform provider 3.68.0 aws:ec2:RouteTableAssociation (myservice-subnet-1): error: 1 error occurred: * creating urn:pulumi:dev::myproject::awsx:x:ec2:Vpc$awsx:x:ec2:Subnet$aws:ec2/routeTableAssociation:RouteTableAssociation::myservice-subnet-1: 1 error occurred: * error reading Route Table Association (rtbassoc-xxx): empty result

We’re hitting this as well, seemingly randomly, on version 3.63.0.