false positive: missing EIP association resources associated with NAT Gateways #1616

Closed
n2N8Z opened this issue Jan 31, 2023 · 5 comments

n2N8Z commented Jan 31, 2023

Description

if isAssociatedToNatGateway {

Results in missing resources being reported:

Scanned states (1)      
Found missing resources:
  - eipassoc-00000000000000001 (aws_eip_association)
  - eipassoc-00000000000000002 (aws_eip_association)
  - eipassoc-00000000000000003 (aws_eip_association)
  - eipassoc-00000000000000004 (aws_eip_association)
  - eipassoc-00000000000000005 (aws_eip_association)
  - eipassoc-00000000000000006 (aws_eip_association)
  - eipassoc-00000000000000007 (aws_eip_association)
  - eipassoc-00000000000000008 (aws_eip_association)

If I stop managing the corresponding eips, then the missing eipassocs go away, and instead I get aws_eip resources reported as not managed by IaC:

  aws_eip:
    - eipalloc-00000000000000001
    - eipalloc-00000000000000002
    - eipalloc-00000000000000003
    - eipalloc-00000000000000004
    - eipalloc-00000000000000005
    - eipalloc-00000000000000006
    - eipalloc-00000000000000007
    - eipalloc-00000000000000008

If I manage both the eip and the eipassoc, I just get a more detailed missing resource report:

Scanned states (1)      
Found missing resources:
  - eipassoc-00000000000000001 (module.ngw_eip_assoc)
  - eipassoc-00000000000000002 (module.ngw_eip_assoc)
  - eipassoc-00000000000000003 (module.ngw_eip_assoc)
  - eipassoc-00000000000000004 (module.ngw_eip_assoc)
  - eipassoc-00000000000000005 (module.ngw_eip_assoc)
  - eipassoc-00000000000000006 (module.ngw_eip_assoc)
  - eipassoc-00000000000000007 (module.ngw_eip_assoc)
  - eipassoc-00000000000000008 (module.ngw_eip_assoc)

Environment

  • OS: Any
  • driftctl version: Latest
  • terraform version: Any
  • terraform providers versions: Any

How to reproduce
1. Allocate an EIP.
2. Create a NAT gateway and associate the EIP.

Possible Solution
Don't ignore EIP associations to nat gateways.

Additional context
The issue is probably caused by aws_eip_association_expander.go expanding the association from the eip after they were already ignored.

DEBU[0012] Starting middleware middleware=middlewares.AwsNetworkACLExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsNatGatewayEipAssoc
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000001 type=aws_eip_association
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000002 type=aws_eip_association
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000003 type=aws_eip_association
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000004 type=aws_eip_association
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000005 type=aws_eip_association
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000006 type=aws_eip_association
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000007 type=aws_eip_association
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000008 type=aws_eip_association
DEBU[0012] Starting middleware middleware=middlewares.AwsBucketPolicyExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsSQSQueuePolicyExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsDefaultSQSQueuePolicy
DEBU[0012] Starting middleware middleware=middlewares.AwsSNSTopicPolicyExpander
DEBU[0012] Starting middleware middleware=*middlewares.AwsRoleManagedPolicyExpander
DEBU[0012] Starting middleware middleware=middlewares.TagsAllManager
DEBU[0012] Starting middleware middleware=middlewares.EipAssociationExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsRDSClusterInstanceExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsApiGatewayDeploymentExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsApiGatewayResourceExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsApiGatewayApiExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsApiGatewayRestApiPolicyExpander
DEBU[0012] Starting middleware middleware=middlewares.AwsConsoleApiGatewayGatewayResponse
DEBU[0012] Starting middleware middleware=middlewares.AwsApiGatewayDomainNamesReconciler
DEBU[0012] Starting middleware middleware=middlewares.AwsApiGatewayBasePathMappingReconciler
DEBU[0012] Starting middleware middleware=middlewares.AwsEbsEncryptionByDefaultReconciler
DEBU[0012] Starting middleware middleware=middlewares.AwsALBTransformer
DEBU[0012] Starting middleware middleware=middlewares.AwsALBListenerTransformer
DEBU[0012] Starting middleware middleware=*middlewares.GoogleIAMBindingTransformer
DEBU[0012] Starting middleware middleware=*middlewares.GoogleStorageBucketIAMPolicyTransformer
DEBU[0012] Starting middleware middleware=*middlewares.GoogleComputeInstanceGroupManagerReconciler
DEBU[0012] Starting middleware middleware=middlewares.AzurermRouteExpander
DEBU[0012] Starting middleware middleware=middlewares.AzurermSubnetExpander
DEBU[0012] Starting middleware middleware=*middlewares.AwsS3BucketPublicAccessBlockReconciler
DEBU[0012] Starting middleware middleware=middlewares.AwsDefaults

@n2N8Z n2N8Z added the kind/bug Something isn't working label Jan 31, 2023

n2N8Z commented Feb 1, 2023

Moving the AwsNatGatewayEipAssoc middleware after EipAssociationExpander has not resolved the issue.

DEBU[0013] Starting middleware middleware=middlewares.EipAssociationExpander
DEBU[0013] Starting middleware middleware=middlewares.AwsNatGatewayEipAssoc
DEBU[0013] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000001 type=aws_eip_association
DEBU[0013] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000002 type=aws_eip_association
DEBU[0013] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000003 type=aws_eip_association
DEBU[0013] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000004 type=aws_eip_association
DEBU[0013] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000005 type=aws_eip_association
DEBU[0013] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000006 type=aws_eip_association
DEBU[0013] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000007 type=aws_eip_association
DEBU[0013] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000008 type=aws_eip_association
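
An added triage example (not driftctl code and not from the issue author): it correlates the "Found missing resources" report with the "Ignoring ..." debug lines quoted in the comments above, showing which reported IDs a middleware dropped and which middleware logged it. The input strings are constructed from the quoted output (`eipassoc-00000000000000009` is made up), and the names `IgnoredBy` and `Suspects` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input, modelled on the outputs quoted in this issue.
const debugLog = `DEBU[0012] Starting middleware middleware=middlewares.AwsNatGatewayEipAssoc
DEBU[0012] Ignoring aws_eip_association as it is associated to a nat gateway id=eipassoc-00000000000000001 type=aws_eip_association
DEBU[0012] Starting middleware middleware=middlewares.EipAssociationExpander`

const scanReport = `Found missing resources:
  - eipassoc-00000000000000001 (aws_eip_association)
  - eipassoc-00000000000000009 (aws_eip_association)`

var (
	startRe   = regexp.MustCompile(`Starting middleware middleware=\*?middlewares\.(\w+)`)
	ignoreRe  = regexp.MustCompile(`Ignoring \S+ .* id=(\S+) type=\S+`)
	missingRe = regexp.MustCompile(`^\s*- (\S+) \(\S+\)`)
)

// IgnoredBy maps each id from an "Ignoring" line to the middleware started just before it.
func IgnoredBy(log string) map[string]string {
	out, current := map[string]string{}, ""
	for _, line := range strings.Split(log, "\n") {
		if m := startRe.FindStringSubmatch(line); m != nil {
			current = m[1]
		} else if m := ignoreRe.FindStringSubmatch(line); m != nil {
			out[m[1]] = current
		}
	}
	return out
}

// Suspects lists resources reported missing that a middleware also logged as ignored.
func Suspects(report, log string) []string {
	ignored, out := IgnoredBy(log), []string{}
	for _, line := range strings.Split(report, "\n") {
		if m := missingRe.FindStringSubmatch(line); m != nil && ignored[m[1]] != "" {
			out = append(out, m[1]+" ignored by "+ignored[m[1]])
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(Suspects(scanReport, debugLog), "\n")) }
```

An ID that appears in both outputs was filtered from only one side of the comparison, which is the pattern this issue reports; an ID with no matching "Ignoring" line is left out as possible genuine drift.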


n2N8Z commented Feb 1, 2023

fixed by #1619

@n2N8Z n2N8Z closed this as completed Feb 1, 2023
@patch-the-dog patch-the-dog added this to the v0.39.0 milestone Jun 6, 2023
@patch-the-dog

This issue has been referenced in the v0.39.0 release.
