[Bug]: Cannot disassociate an IPv6 CIDR block on an existing VPC #40791

Open
jpieriniDD opened this issue Jan 6, 2025 · 2 comments
Labels

  • bug: Addresses a defect in current functionality.
  • needs-triage: Waiting for first response or review from a maintainer.
  • service/vpc: Issues and PRs that pertain to the vpc service.

Comments


jpieriniDD commented Jan 6, 2025

Terraform Core Version

1.9.5

AWS Provider Version

5.82.2

Affected Resource(s)

aws_vpc, aws_subnet

Expected Behavior

Be able to disassociate an IPv6 CIDR block on a subnet before trying to disassociate it from a VPC.

Actual Behavior

It tries to disassociate the IPv6 CIDR block attached to the VPC before doing it on the subnets, generating an error.

Relevant Error/Panic Output Snippet

module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-07e709a961f238e31]
module.vpc.aws_route_table.private[0]: Refreshing state... [id=rtb-06d1787e7a3dd727b]
module.vpc.aws_default_network_acl.this[0]: Refreshing state... [id=acl-0751822ef9a656cd3]
module.vpc.aws_internet_gateway.this[0]: Refreshing state... [id=igw-0d253b0840d82fa9e]
module.vpc.aws_default_security_group.this[0]: Refreshing state... [id=sg-070fe3e09f548e8c1]
module.vpc.aws_route_table.public[0]: Refreshing state... [id=rtb-07d392beb44dcc518]
module.vpc.aws_egress_only_internet_gateway.this[0]: Refreshing state... [id=eigw-0a1a9e0d9f02966db]
module.vpc.aws_route_table.private[1]: Refreshing state... [id=rtb-0564c25a2bcbcd1eb]
module.vpc.aws_subnet.private[1]: Refreshing state... [id=subnet-0cc6c6a86e71cbc9d]
module.vpc.aws_subnet.private[0]: Refreshing state... [id=subnet-0d71a3fd41abd2780]
module.vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-0ee0e80e5a2453cc7]
module.vpc.aws_subnet.public[1]: Refreshing state... [id=subnet-078143d2ddb14b463]
module.vpc.aws_route.private_ipv6_egress[0]: Refreshing state... [id=r-rtb-06d1787e7a3dd727b2750132062]
module.vpc.aws_route.private_ipv6_egress[1]: Refreshing state... [id=r-rtb-0564c25a2bcbcd1eb2750132062]
module.vpc.aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-0e5f34c05f66aa55f]
module.vpc.aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-0ab73c0823e1ce85d]
module.vpc.aws_route.public_internet_gateway[0]: Refreshing state... [id=r-rtb-07d392beb44dcc5181080289494]
module.vpc.aws_route.public_internet_gateway_ipv6[0]: Refreshing state... [id=r-rtb-07d392beb44dcc5182750132062]
module.vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0560687faf185580d]
module.vpc.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-020e01cf567320229]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # module.vpc.aws_egress_only_internet_gateway.this[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_egress_only_internet_gateway" "this" {
      - id       = "eigw-0a1a9e0d9f02966db" -> null
      - tags     = {
          - "Name" = "dualstack-vpc"
        } -> null
      - tags_all = {
          - "Name" = "dualstack-vpc"
        } -> null
      - vpc_id   = "vpc-07e709a961f238e31" -> null
    }

  # module.vpc.aws_route.private_ipv6_egress[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_route" "private_ipv6_egress" {
      - destination_ipv6_cidr_block = "::/0" -> null
      - egress_only_gateway_id      = "eigw-0a1a9e0d9f02966db" -> null
      - id                          = "r-rtb-06d1787e7a3dd727b2750132062" -> null
      - origin                      = "CreateRoute" -> null
      - route_table_id              = "rtb-06d1787e7a3dd727b" -> null
      - state                       = "active" -> null
        # (13 unchanged attributes hidden)
    }

  # module.vpc.aws_route.private_ipv6_egress[1] will be destroyed
  # (because index [1] is out of range for count)
  - resource "aws_route" "private_ipv6_egress" {
      - destination_ipv6_cidr_block = "::/0" -> null
      - egress_only_gateway_id      = "eigw-0a1a9e0d9f02966db" -> null
      - id                          = "r-rtb-0564c25a2bcbcd1eb2750132062" -> null
      - origin                      = "CreateRoute" -> null
      - route_table_id              = "rtb-0564c25a2bcbcd1eb" -> null
      - state                       = "active" -> null
        # (13 unchanged attributes hidden)
    }

  # module.vpc.aws_route.public_internet_gateway_ipv6[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_route" "public_internet_gateway_ipv6" {
      - destination_ipv6_cidr_block = "::/0" -> null
      - gateway_id                  = "igw-0d253b0840d82fa9e" -> null
      - id                          = "r-rtb-07d392beb44dcc5182750132062" -> null
      - origin                      = "CreateRoute" -> null
      - route_table_id              = "rtb-07d392beb44dcc518" -> null
      - state                       = "active" -> null
        # (13 unchanged attributes hidden)
    }

  # module.vpc.aws_subnet.public[0] will be updated in-place
  ~ resource "aws_subnet" "public" {
      ~ enable_resource_name_dns_a_record_on_launch    = true -> false
        id                                             = "subnet-0ee0e80e5a2453cc7"
      - ipv6_cidr_block                                = "2a05:d018:1030:700::/64" -> null
        tags                                           = {
            "Name" = "dualstack-vpc-public-eu-west-1a"
        }
        # (18 unchanged attributes hidden)
    }

  # module.vpc.aws_subnet.public[1] will be updated in-place
  ~ resource "aws_subnet" "public" {
      ~ enable_resource_name_dns_a_record_on_launch    = true -> false
        id                                             = "subnet-078143d2ddb14b463"
      - ipv6_cidr_block                                = "2a05:d018:1030:701::/64" -> null
        tags                                           = {
            "Name" = "dualstack-vpc-public-eu-west-1b"
        }
        # (18 unchanged attributes hidden)
    }

  # module.vpc.aws_vpc.this[0] will be updated in-place
  ~ resource "aws_vpc" "this" {
      - assign_generated_ipv6_cidr_block     = true -> null
        id                                   = "vpc-07e709a961f238e31"
      ~ ipv6_association_id                  = "vpc-cidr-assoc-049eba6b74c7d981e" -> (known after apply)
      ~ ipv6_cidr_block                      = "2a05:d018:1030:700::/56" -> (known after apply)
        tags                                 = {
            "Name" = "dualstack-vpc"
        }
        # (16 unchanged attributes hidden)
    }

Plan: 0 to add, 3 to change, 4 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.vpc.aws_route.private_ipv6_egress[1]: Destroying... [id=r-rtb-0564c25a2bcbcd1eb2750132062]
module.vpc.aws_route.public_internet_gateway_ipv6[0]: Destroying... [id=r-rtb-07d392beb44dcc5182750132062]
module.vpc.aws_route.private_ipv6_egress[0]: Destroying... [id=r-rtb-06d1787e7a3dd727b2750132062]
module.vpc.aws_route.private_ipv6_egress[0]: Destruction complete after 1s
module.vpc.aws_route.private_ipv6_egress[1]: Destruction complete after 1s
module.vpc.aws_egress_only_internet_gateway.this[0]: Destroying... [id=eigw-0a1a9e0d9f02966db]
module.vpc.aws_route.public_internet_gateway_ipv6[0]: Destruction complete after 1s
module.vpc.aws_egress_only_internet_gateway.this[0]: Destruction complete after 0s
module.vpc.aws_vpc.this[0]: Modifying... [id=vpc-07e709a961f238e31]
╷
│ Error: updating EC2 VPC (vpc-07e709a961f238e31): disassociating IPv6 CIDR block (vpc-cidr-assoc-049eba6b74c7d981e): operation error EC2: DisassociateVpcCidrBlock, https response error StatusCode: 400, RequestID: ef8b1aec-1827-4ba6-9d85-392c597b1ce4, api error InvalidCidrBlock.InUse: The vpc vpc-07e709a961f238e31 currently has a subnet within CIDR block 2a05:d018:1030:700::/56
│
│   with module.vpc.aws_vpc.this[0],
│   on .terraform/modules/vpc/main.tf line 28, in resource "aws_vpc" "this":
│   28: resource "aws_vpc" "this" {
│
╵

Terraform Configuration Files

variable "availability_zones" {
  default     = ["eu-west-1a", "eu-west-1b"]
  description = "Target availability zones"
  type        = list(string)
}

variable "vpc_cidr" {
  default     = "10.253.0.0/16"
  description = "cidr of the VPC to be built"
  type        = string
}

variable "subnet_public_cidr" {
  default     = ["10.253.0.0/20", "10.253.16.0/20"]
  description = "Public subnets cidr"
  type        = list(string)
}

variable "subnet_private_cidr" {
  default     = ["10.253.48.0/20", "10.253.64.0/20"]
  description = "Private (main) subnets cidr"
  type        = list(string)
}

variable "enable_nat_gateway" {
  default     = false
  type        = bool
  description = "Enable NAT GW"
}

variable "enable_ipv6" {
  default     = false
  type        = bool
  description = "Enable ipv6"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.82.2"
    }
  }
  required_version = "1.10.3"
}

provider "aws" {
  region  = "eu-west-1"
}

locals {
  public_subnet_ipv6_prefixes = var.enable_ipv6 ? range(length(var.subnet_public_cidr)) : []
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.17"

  create_vpc = true
  name       = "dualstack-vpc"
  cidr       = var.vpc_cidr
  azs        = var.availability_zones

  enable_ipv6                                                   = var.enable_ipv6
  public_subnet_enable_dns64                                    = false
  public_subnet_assign_ipv6_address_on_creation                 = false
  public_subnet_enable_resource_name_dns_a_record_on_launch     = var.enable_ipv6
  public_subnet_enable_resource_name_dns_aaaa_record_on_launch  = false
  public_subnet_ipv6_prefixes                                   = local.public_subnet_ipv6_prefixes
  private_subnet_enable_dns64                                   = false
  private_subnet_enable_resource_name_dns_a_record_on_launch    = false
  private_subnet_enable_resource_name_dns_aaaa_record_on_launch = false

  enable_nat_gateway     = false
  one_nat_gateway_per_az = false
  single_nat_gateway     = false

  public_subnets  = var.subnet_public_cidr
  private_subnets = var.subnet_private_cidr

  public_subnet_suffix  = "public"
  private_subnet_suffix = "private"

  manage_default_route_table = false

  default_security_group_name    = "dualstack-sg"
  manage_default_security_group  = true
  default_security_group_ingress = []
  default_security_group_egress  = []

  default_network_acl_name    = "dualstack-nacl"
  manage_default_network_acl  = true
  default_network_acl_ingress = []
  default_network_acl_egress  = []

  public_dedicated_network_acl  = false
  private_dedicated_network_acl = false
}

Steps to Reproduce

  1. Create the VPC with IPv6 enabled.
  2. Set enable_ipv6 to false and apply.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
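The error above comes from the EC2 API rather than from Terraform: DisassociateVpcCidrBlock is rejected with InvalidCidrBlock.InUse while any subnet still holds a /64 carved from the VPC's /56, and the apply log shows the VPC update being issued before any subnet is touched. The following is an added example, not code from the issue or from the AWS provider: a pre-flight check that reads DescribeVpcs/DescribeSubnets-shaped records, lists the subnet associations that must be released first, builds the safe order (subnets, then VPC), and runs it against a small in-memory model of the EC2 rule so the wrong order reproduces the same rejection. The records are constructed inline (IDs and CIDRs mirror the plan output; the subnet association IDs are placeholders, since the page does not show them), and the function names and the simplified API model are this example's own assumptions.

```python
import ipaddress

# Constructed sample records, shaped like the Ipv6CidrBlockAssociationSet
# entries returned by ec2:DescribeVpcs and ec2:DescribeSubnets. VPC and
# subnet IDs and CIDRs mirror the plan output in the issue; the subnet
# association IDs are placeholders (the page does not show them).
VPC = {
    "VpcId": "vpc-07e709a961f238e31",
    "Ipv6CidrBlockAssociationSet": [
        {"AssociationId": "vpc-cidr-assoc-049eba6b74c7d981e",
         "Ipv6CidrBlock": "2a05:d018:1030:700::/56"},
    ],
}
SUBNETS = [
    {"SubnetId": "subnet-0ee0e80e5a2453cc7",  # public[0]
     "Ipv6CidrBlockAssociationSet": [
         {"AssociationId": "subnet-cidr-assoc-EXAMPLE0",
          "Ipv6CidrBlock": "2a05:d018:1030:700::/64"}]},
    {"SubnetId": "subnet-078143d2ddb14b463",  # public[1]
     "Ipv6CidrBlockAssociationSet": [
         {"AssociationId": "subnet-cidr-assoc-EXAMPLE1",
          "Ipv6CidrBlock": "2a05:d018:1030:701::/64"}]},
    {"SubnetId": "subnet-0d71a3fd41abd2780",  # private[0], IPv4 only
     "Ipv6CidrBlockAssociationSet": []},
    {"SubnetId": "subnet-0cc6c6a86e71cbc9d",  # private[1], IPv4 only
     "Ipv6CidrBlockAssociationSet": []},
]


class InvalidCidrBlockInUse(Exception):
    """Stands in for the EC2 api error InvalidCidrBlock.InUse."""


def blocking_subnet_associations(vpc_cidr, subnets):
    """Return (SubnetId, AssociationId) for every subnet IPv6 block carved
    from vpc_cidr. Each must be released with DisassociateSubnetCidrBlock
    before EC2 will accept DisassociateVpcCidrBlock for the parent block."""
    parent = ipaddress.IPv6Network(vpc_cidr)
    found = []
    for subnet in subnets:
        for assoc in subnet.get("Ipv6CidrBlockAssociationSet", []):
            if ipaddress.IPv6Network(assoc["Ipv6CidrBlock"]).subnet_of(parent):
                found.append((subnet["SubnetId"], assoc["AssociationId"]))
    return found


def disassociation_plan(vpc, subnets):
    """Ordered (api_action, association_id) pairs: subnets first, VPC last.
    This is the order the issue asks for; the apply log shows the VPC call
    being made while the subnet blocks still exist."""
    plan = []
    for assoc in vpc["Ipv6CidrBlockAssociationSet"]:
        for _, subnet_assoc in blocking_subnet_associations(assoc["Ipv6CidrBlock"], subnets):
            plan.append(("DisassociateSubnetCidrBlock", subnet_assoc))
        plan.append(("DisassociateVpcCidrBlock", assoc["AssociationId"]))
    return plan


def simulate(plan, vpc, subnets):
    """Run plan against an in-memory model of EC2 that enforces the InUse
    rule (a simplification of the real API). Returns the association IDs
    still attached afterwards, empty when everything was released; raises
    InvalidCidrBlockInUse where the real API did in the issue."""
    vpc_assocs = {a["AssociationId"]: a["Ipv6CidrBlock"]
                  for a in vpc["Ipv6CidrBlockAssociationSet"]}
    subnet_assocs = {a["AssociationId"]: a["Ipv6CidrBlock"]
                     for s in subnets
                     for a in s.get("Ipv6CidrBlockAssociationSet", [])}
    for action, assoc_id in plan:
        if action == "DisassociateSubnetCidrBlock":
            subnet_assocs.pop(assoc_id)
        elif action == "DisassociateVpcCidrBlock":
            parent = ipaddress.IPv6Network(vpc_assocs[assoc_id])
            in_use = [c for c in subnet_assocs.values()
                      if ipaddress.IPv6Network(c).subnet_of(parent)]
            if in_use:
                raise InvalidCidrBlockInUse(
                    f"The vpc {vpc['VpcId']} currently has a subnet within CIDR block {parent}")
            vpc_assocs.pop(assoc_id)
        else:
            raise ValueError(f"unknown action {action}")
    return set(vpc_assocs) | set(subnet_assocs)


def vpc_first_order_fails(vpc, subnets):
    """True when issuing the VPC call first (what the apply did) is rejected."""
    vpc_first = [("DisassociateVpcCidrBlock", a["AssociationId"])
                 for a in vpc["Ipv6CidrBlockAssociationSet"]]
    try:
        simulate(vpc_first, vpc, subnets)
    except InvalidCidrBlockInUse:
        return True
    return False


if __name__ == "__main__":
    for action, assoc in disassociation_plan(VPC, SUBNETS):
        print(f"{action:28s} {assoc}")
    print("remaining:", simulate(disassociation_plan(VPC, SUBNETS), VPC, SUBNETS))
    print("vpc-first rejected:", vpc_first_order_fails(VPC, SUBNETS))
```

Against live data the same two functions can be fed the output of `aws ec2 describe-vpcs` and `aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>` to see, before running `terraform apply`, which subnet associations still pin the VPC's IPv6 block; in this issue's case that is the two public subnets, while the IPv4-only private subnets are not blockers.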

jpieriniDD added the bug label on Jan 6, 2025.

github-actions bot commented Jan 6, 2025

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

github-actions bot added the service/vpc and needs-triage labels on Jan 6, 2025.

joshgch commented Jan 8, 2025

This same issue occurs when using a VPC created with individual resources instead of the public VPC module. To work around it, I could first remove everything IPv6-related except for assign_generated_ipv6_cidr_block in the aws_vpc resource.

This isn't ideal and wouldn't be possible using the public module.

Development

No branches or pull requests

2 participants