[critical] Issue with Internet based traffic flows about terraform-aws-vpc-nfw HOT 6 CLOSED

including some screenshots of the issues/behavior i'm experiencing - I'm trying to destroy the NFW but it refuses to let me.

Also talking to @douglas-f we're unsure of the reason to use google DNS over AWS DNS

from terraform-aws-vpc-nfw.

After more testing - it appears this keeps happening due to the VPCE being created by the custom routes - if its a custom route with internet_route, why does it not change to using IGW, or removed and in theory use default route? Its getting hung up on this i believe

from terraform-aws-vpc-nfw.

including some screenshots of the issues/behavior i'm experiencing - I'm trying to destroy the NFW but it refuses to let me.

Also talking to @douglas-f we're unsure of the reason to use google DNS over AWS DNS

The public custom route is only an example of a possible configuration. It's not meant to actually be practical or useful to implement in any way, since when I was asked to create a custom route I didn't understand what the use case is for the ask. So Google DNS is only used to have an IP address to point to, there's no other point to having it.

from terraform-aws-vpc-nfw.

After more testing - it appears this keeps happening due to the VPCE being created by the custom routes - if its a custom route with internet_route, why does it not change to using IGW, or removed and in theory use default route? Its getting hung up on this i believe

Are you running Terraform destroy, or are you changing a variable and trying to reapply?

The code itself should point the route to either the VPC endpoint or the IGW id depending on a boolean:

If something isn't being updated, that's a deeper Terraform question beyond my level of expertise. Nothing is set to ignore lifecycle changes AFAIK. When I did simple testing in the FastRAMP sandbox, I'm able to create and destroy without issues, I haven't tested updating already created resources.

Given the extensive use of "count" across the resources, this module doesn't seem like something you'd want to adjust in-place. Instead the entire module should be something that's planned correctly from the very creation of the environment.

from terraform-aws-vpc-nfw.

Fixed by PR: #11
Split the aws_route public_custom resource into 2 parts, 1 for NFW routing, 1 for all other destinations. By adjusting the count conditional to operate off of the deploy_aws_nfw boolean, we avoid the dependency hell that caused the issue.

Running Terraform apply again after setting "deploy_aws_nfw" property to "false" destroys only the NFW without errors:

from terraform-aws-vpc-nfw.

yea i wasn't destroying, bc there should be some flexibility with it to allow for us to in some capacity deploy it without being dependent on it too, bc we can't really destroy unless we do targeted, bc of having resources eventually in the subnets

from terraform-aws-vpc-nfw.