VPNServer Route failed timeout

[lionelmace]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

IBM Cloud Terraform Provider Version 1.60.0

Affected Resource(s)

resource "ibm_is_vpn_server_route"

Terraform Configuration Files

Full sample to reproduce`
https://github.com/lionelmace/ibmcloud-utils/tree/master/terraform/vpn

Expected Behavior

VPN Route should be able to delete within 90seconds timeframe.

Actual Behavior

VPN Routes are not able to destroy within 10mins leading a terraform destroy fails.

Steps to Reproduce

1. Clone this repo
2. terraform int
3. terraform apply
4. terraform destroy

• #0000

[lionelmace]

I solved this issue by adding a 20 minutes delete timeout on each route

resource "ibm_is_vpn_server_route" "route_cse_to_vpc" {
  vpn_server  = ibm_is_vpn_server.vpn.id
  action      = "deliver"
  # destination = "166.9.0.0/16"
  destination = "166.8.0.0/14"
  name        = "route-2-ibm-cloud-service-endpoints"
  timeouts {
    delete = "20m"
  }
}

[lionelmace]

Looking at the source code, I believe the timeout is missing on the function resourceIBMIsVPNServerRouteDelete
https://github.com/IBM-Cloud/terraform-provider-ibm/blob/617aba370acea3610016923479077d309683e626/ibm/service/vpc/resource_ibm_is_vpn_server_route.go#L372C1-L372C39
Currently this function does NOT have any timeout. There should be one, no?

[deepaksibm]

@lionelmace

terraform-provider-ibm/ibm/service/vpc/resource_ibm_is_vpn_server_route.go

Line 430 in 617aba3

Timeout: d.Timeout(schema.TimeoutDelete),

this is the timeout defined for the resourceIBMIsVPNServerRouteDelete method.

It is the same across resources.

[deepaksibm]

As updated in the internal slack thread, We couldn't reproduce the issue and could see the Routes getting deleted on time.
Could you please re-confirm on this issue?

[lionelmace]

Sharing @deepaksibm note

I suspect If the auth policy is deleted first then there could be an issue with SM secret READ while deleting the VPN route.
To isolate the issue could you retain the iam auth policy resource and destroy rest of the terraform config and try once?

It was indeed intermittent. I added a clause depends_on = [ibm_iam_authorization_policy.secret_group_to_vpn] . I tested several times and i cannot reproduce the issue any more 🙂 The depends-on prevents the IAM authorization from being deleted before the route! Tricky one.

Here is the solution.

resource "ibm_is_vpn_server_route" "route_private_to_vpc" {
  vpn_server  = ibm_is_vpn_server.vpn.id
  action      = "deliver"
  destination = "161.26.0.0/16"
  name        = "route-private-2-ibm-iaas-endpoints"
  depends_on  = [ibm_iam_authorization_policy.secret_group_to_vpn]
}

Additional timeout was not required.