cloudformation-coverage-roadmap icon indicating copy to clipboard operation
cloudformation-coverage-roadmap copied to clipboard
verified publisher icon aws-cloudformation

Supported resource AWS::EC2::VPCGatewayAttachment can't be imported to stack

Open AlexGurtoff opened this issue 2 years ago • 10 comments

Name of the resource

Other

Resource Name

AWS::EC2::VPCGatewayAttachment

Issue Description

Existing resource AWS::EC2::VPCGatewayAttachment can't be imported to stack. There is a weird error with such description: READ operation is not supported
image

Expected Behavior

Reffering to: https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/supported-resources.html image and https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html image Resource is supported by import. So, I should be able to import this resource into my cloudformation stack.

Observed Behavior

Existing resource AWS::EC2::VPCGatewayAttachment can't be imported to stack. There is a weird error with such description: READ operation is not supported
image

Test Cases

I used such template file to import this resource:

Resources:
...
  VpcVPCGWBF912B6E:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId:
        Ref: VpcIGWD7BA715C
      VpcId:
        Ref: Vpc8378EB38
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: CommonVpcStack/Vpc/VPCGW
...

And here is the import.json file that I provide with the template when creating a change set:

...
{
    "ResourceType":"AWS::EC2::VPCGatewayAttachment",
    "LogicalResourceId":"VpcVPCGWBF912B6E",
    "ResourceIdentifier": {
        "AttachmentType":"IGW",
        "VpcId":"vpc-xxxxxxxxxxxxxxxxx"
    }
},
...

I removed redundant information from it

Other Details

No response

AlexGurtoff avatar Dec 13 '23 15:12 AlexGurtoff

@AlexGurtoff , after experiencing the same unexpected behavior and reaching out to the AWS support, it seems that the VPCGatewayAttachment resource cannot be imported at the moment, even though it's documented that it's supported. It's a reported bug.

As a workaround, it was suggested to create the VPCGatewayAttachment via Cloudformation directly.

thodorisit avatar Jan 03 '24 08:01 thodorisit

As a workaround, it was suggested to create the VPCGatewayAttachment via Cloudformation directly.

@thodorisit Yeah, but in this case I need to detach the old VPCGateway, and this will require deleting all ENIs, and this in turn will cause our system to downtime... So, I hope that the CFN team will add support for importing this resource

AlexGurtoff avatar Jan 03 '24 09:01 AlexGurtoff

Any update on this? I'm experiencing the same issue

kajm avatar Jan 18 '24 07:01 kajm

Also hit this - and as part of stack refactoring. As with @AlexGurtoff this will likely cause production downtime

smee30 avatar Apr 12 '24 10:04 smee30

bump into this as well - down the road is there any cons of leaving this out of the import?

hongruiloop avatar Apr 15 '24 06:04 hongruiloop

Workaround:

  1. create a dummy VPC with IGW, NAT GW, route tables (without IGW/NAT), subnets, etc. on the side
  2. Alter the CF template to attach the dummy-IGW to the dummy-VPC,
  3. apply
  4. Block the dummy-IGW attachment by activating the NAT GW and IGW in the respective subnets. To be sure, I launched a private instance and pinged Google. You can try manually detaching the IGW. If you get the error Network vpc-xxxx has some mapped public address(es). Please unmap those public address(es) before detaching the gateway. you are good to continue.
  5. Update the VPCAttachement to the original IGW/VPC combination. Apply the change set with the "keep updated resources" option.
  6. Wait for it to error.
  7. Delete the NAT, Clean up the IGW attachment
  8. Hit retry. I assume it suddenly is happy since VPCAttachement doesn't support drift detection.
  9. clean up the dummy VPC with all resources in it.

Are there issues down the road? Most likely. One potential issue will appear when VPCAttachement supports drift detection. The physical ID of the VPCAttachment is IGW|vpc-dummy-vpc-id. That's the only delta I was able to detect.

If it ever becomes an issue, the chances are high that it can also be imported. You can use a similar hack to make it disappear from the stack. Remove the VPCAttachement from the stack while it's being blocked due to active public IPs.

bitte-ein-bit avatar Jul 05 '24 12:07 bitte-ein-bit

The lack of support for this resource is particularly troublesome as it can't be trivially recreated. Detaching an IGW from a VPC requires all public IP addresses to also be removed. Bringing the IGW attachment under the management of a CloudFormation template is thus often a lot of work, which may entail extended downtime. This feels like a resource for which support for importing should be prioritised given there isn't really any acceptable workaround.

ralish avatar Jul 17 '24 02:07 ralish