
Gateway creation fails with public IP created from IP prefix #1918

@dyfhughes

Description


Describe the problem

Attempting to create a new gateway, but with the elastic IP created outside the provider's control, fails when I try to use a public IP address that was created from an IP prefix. It looks to modify the public address with a createOrUpdate operation from the Azure activity logs, and its update operation looks to try to remove the IP prefix association to the IP address, which is not allowed by Azure.

To Reproduce

My terraform resources are as follows:

```hcl
# Existing prefix that the public IP is carved from
data "azurerm_public_ip_prefix" "vpn_gw_ip_prefix" {
  name                = "vpn-gateways-ip-prefix"
  resource_group_name = "test-rg"
}

# Public IP allocated from the prefix (Standard SKU, zone-redundant)
resource "azurerm_public_ip" "aviatrix_saml_gateway_public_ip" {
  name                = "av-ip-user-vpn-gateway-avi"
  location            = var.location
  resource_group_name = var.resource_group
  allocation_method   = "Static"
  sku                 = "Standard"
  zones               = [1, 2, 3]
  public_ip_prefix_id = data.azurerm_public_ip_prefix.vpn_gw_ip_prefix.id

  lifecycle {
    ignore_changes = [
      tags
    ]
  }
}

# "<public ip name>:<resource group>" as expected by azure_eip_name_resource_group
locals {
  saml_gateway_eip_id = "av-ip-user-vpn-gateway-avi:${var.resource_group}"
}

# Create an Aviatrix Azure Gateway (USER)
resource "aviatrix_gateway" "saml_gateway" {
  cloud_type   = 8
  account_name = var.account_name
  gw_name      = "user-vpn-gateway-avi"
  vpc_id       = "${var.virtual_network_name}:${var.resource_group}"
  vpc_reg      = "West Europe"
  gw_size      = var.user_gateway_size
  subnet       = var.subnet_range

  vpn_access   = true
  vpn_cidr     = "192.168.43.0/24"
  enable_elb   = false
  split_tunnel = true

  saml_enabled = true

  max_vpn_conn = "100"

  # Reuse the pre-created public IP instead of letting the controller allocate one
  allocate_new_eip              = false
  eip                           = azurerm_public_ip.aviatrix_saml_gateway_public_ip.ip_address
  azure_eip_name_resource_group = local.saml_gateway_eip_id
}
```

When running this way I get a deployment error from terraform:

```text
Error: failed to create Aviatrix gateway: rest API connect_container POST failed: [AVXERR-TRANSIT-0024] Failed to launch Gateway - user-vpn-gateway-avi. [AVXERR-TRANSIT-0067] Azure Error: DeploymentFailed
    Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.
    Exception Details:
            Error Code: BadRequest
            Message: {'error': {'code': 'CannotChangePublicIpPrefixForExistingPublicIpAddress', 'message': 'Cannot change Public Ip Prefix from /subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPPrefixes/vpn-gateways-ip-prefix to null for the PublicIp /subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/Microsoft.Network/publicIPAddresses/av-ip-user-vpn-gateway-avi.', 'details': []}} Please go to Azure cloud portal and check Activity log for resource group <rg_name> to get detailed reason.

      with aviatrix_gateway.saml_gateway,
      on main.tf line 79, in resource "aviatrix_gateway" "saml_gateway":
      79: resource "aviatrix_gateway" "saml_gateway" {
```

Environment:

  • Provider version: 3.1.3
  • Terraform version: 0.15.5
  • Aviatrix Controller version: 7.1

Additional context

Worth noting that when I try to do this operation but the public IP is not from an IP prefix, it works as intended. This would be a useful feature as it allows me to have a reliable pool of addresses to stand up multiple gateways if I need to perform any maintenance.
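The following is an added example, not code from the issue author, the Aviatrix provider or Azure. It models the Azure rule behind the `CannotChangePublicIpPrefixForExistingPublicIpAddress` error quoted above: a PUT (createOrUpdate) on an existing public IP must carry the same `publicIPPrefix` reference the resource already has, so a body rebuilt from scratch that omits the prefix is rejected, while a GET-then-PUT merge that starts from the current resource passes. The sample resource, subscription/resource-group placeholders and the `203.0.113.10` address are constructed; `idleTimeoutInMinutes` is only used as a harmless property to change. The `is_prefix_backed` preflight is a check an operator can run on the public IP before handing it to a gateway that may update it.

```python
from copy import deepcopy

# Error code as reported by Azure in this issue's deployment failure.
ERROR_CODE = "CannotChangePublicIpPrefixForExistingPublicIpAddress"

# Constructed sample of a public IP as a GET would return it (ids are placeholders).
EXISTING_PUBLIC_IP = {
    "name": "av-ip-user-vpn-gateway-avi",
    "location": "westeurope",
    "sku": {"name": "Standard"},
    "zones": ["1", "2", "3"],
    "properties": {
        "publicIPAllocationMethod": "Static",
        "ipAddress": "203.0.113.10",  # documentation range, constructed value
        "publicIPPrefix": {
            "id": "/subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/"
                  "Microsoft.Network/publicIPPrefixes/vpn-gateways-ip-prefix"
        },
    },
}


def prefix_id(public_ip: dict):
    """Return the prefix resource id linked to a public IP, or None."""
    return (public_ip.get("properties", {}).get("publicIPPrefix") or {}).get("id")


def is_prefix_backed(public_ip: dict) -> bool:
    """Preflight check: does this public IP come from an IP prefix?"""
    return prefix_id(public_ip) is not None


def validate_put(existing: dict, desired: dict):
    """Simplified model of Azure's server-side rule (assumption, not the real code):
    the prefix link of an existing public IP cannot change, not even to null.
    Returns None when acceptable, else an error dict shaped like the page's error."""
    old_id, new_id = prefix_id(existing), prefix_id(desired)
    if old_id != new_id:
        return {
            "code": ERROR_CODE,
            "message": f"Cannot change Public Ip Prefix from {old_id} to "
                       f"{new_id or 'null'} for the PublicIp {existing['name']}.",
        }
    return None


def naive_update_body(existing: dict, **changes) -> dict:
    """Rebuilds the PUT body from a fixed set of fields, which silently
    drops publicIPPrefix; this is the failure pattern described in the issue."""
    body = {
        "location": existing["location"],
        "sku": existing["sku"],
        "zones": existing["zones"],
        "properties": {
            "publicIPAllocationMethod": existing["properties"]["publicIPAllocationMethod"],
            "ipAddress": existing["properties"]["ipAddress"],
        },
    }
    body["properties"].update(changes)
    return body


def merged_update_body(existing: dict, **changes) -> dict:
    """GET-then-PUT: start from the resource as it is, apply only the intended
    property changes, so the prefix link (and any other read state) survives."""
    body = deepcopy(existing)
    body["properties"].update(changes)
    return body


if __name__ == "__main__":
    print("prefix-backed:", is_prefix_backed(EXISTING_PUBLIC_IP))
    naive = naive_update_body(EXISTING_PUBLIC_IP, idleTimeoutInMinutes=10)
    merged = merged_update_body(EXISTING_PUBLIC_IP, idleTimeoutInMinutes=10)
    print("naive PUT  :", validate_put(EXISTING_PUBLIC_IP, naive))
    print("merged PUT :", validate_put(EXISTING_PUBLIC_IP, merged))
```

Running the preflight against the real resource (for instance on the JSON from `az network public-ip show`) before `terraform apply` tells you up front whether the address falls into the case this issue describes; until the update path preserves the prefix reference, such addresses are the ones to expect this failure on.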
