Creating private_network with gateway in vpc does not work as expected

[rwunderer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform -v
Terraform v1.5.3
on linux_amd64
+ provider registry.terraform.io/scaleway/scaleway v2.24.0

Affected Resource(s)

• scaleway_vpc
• scaleway_vpc_private_network
• scaleway_vpc_gateway_network

Terraform Configuration Files

provider "scaleway" {
  project_id      = var.project_id
  organization_id = var.org_id
  region          = "fr-par"
}

resource "scaleway_vpc" "main" {
  name   = "main"
  region = "fr-par"
}

resource "scaleway_vpc_private_network" "main" {
  name   = "main"
  region = "fr-par"
  vpc_id = scaleway_vpc.main.id

  ipv4_subnet {
    subnet = "10.0.0.0/22"
  }
}

resource "scaleway_vpc_public_gateway_ip" "main" {
  zone = "fr-par-1"
}

resource "scaleway_vpc_public_gateway" "main" {
  name  = "main"
  type  = "VPC-GW-S"
  ip_id = scaleway_vpc_public_gateway_ip.main.id
  zone  = scaleway_vpc_public_gateway_ip.main.zone
}

resource "scaleway_vpc_gateway_network" "main" {
  gateway_id = scaleway_vpc_public_gateway.main.id
  private_network_id = scaleway_vpc_private_network.main.id
  zone              = scaleway_vpc_public_gateway.main.zone
  enable_masquerade = true
}

Debug Output

https://gist.github.com/rwunderer/898253cdd7a4d4d76e692746e2b6a4cd
https://gist.github.com/rwunderer/361bb83db2f98e32f6a8291dbab98e40

Expected Behavior

I would have expected the above to create:

• a single vpc called main
• a single network within that vpc with dhcp enabled, handing out addresses in the 10.0.0.0/22 range
• a public gateway connected to that network with NAT enabled

Actual Behavior I

Running the above produces:

• two(!) vpc's called main
• a private network with dhcp as expected
• a public gateway not connected to the network
• the error message below

│
│ Error: scaleway-sdk-go: invalid argument(s): enable_dhcp is invalid for unexpected reason, constraint: {"dhcp": "non_null"}
│ 
│   with scaleway_vpc_gateway_network.main,
│   on main.tf line 38, in resource "scaleway_vpc_gateway_network" "main":
│   38: resource "scaleway_vpc_gateway_network" "main" {
│    

$ scw vpc vpc list                                                 
ID                                    NAME     ORGANIZATION ID                       PROJECT ID                            REGION  TAGS
cccc4450-c905-4053-9a3b-68b32b1f434d  default  87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx  ccb52cb5-6966-4f01-9886-c40c13c8a5e3  fr-par  [default]
5b7c8339-a09d-4bf8-8ad2-63f79cf33268  main     87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx  ccb52cb5-6966-4f01-9886-c40c13c8a5e3  fr-par  []
8dc22c8f-596a-41ff-8299-7a165c75527a  main     87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx  ccb52cb5-6966-4f01-9886-c40c13c8a5e3  fr-par  [vpc-gw 4ac0a452-9cbc-441c-a139-7c855410b5e2]

$ scw vpc private-network list>
ID                                    NAME  ORGANIZATION ID                       PROJECT ID                            REGION  TAGS  CREATED AT     UPDATED AT     SUBNETS
8b90956d-c912-4e75-9d64-afd545d553dd  main  87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx  ccb52cb5-6966-4f01-9886-c40c13c8a5e3  fr-par  []    3 minutes ago  3 minutes ago  2
$ scw vpc private-network get 8b90956d-c912-4e75-9d64-afd545d553dd
ID                   8b90956d-c912-4e75-9d64-afd545d553dd
Name                 main
OrganizationID       87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ProjectID            ccb52cb5-6966-4f01-9886-c40c13c8a5e3
Region               fr-par
CreatedAt            3 minutes ago
UpdatedAt            3 minutes ago
Subnets.0.ID         7277f7a8-b26e-427f-899f-24e7f3a5d22f
Subnets.0.CreatedAt  3 minutes ago
Subnets.0.UpdatedAt  3 minutes ago
Subnets.0.Subnet     10.0.0.0/22
Subnets.1.ID         bc1afb21-1eda-45e1-a1fa-f95a03002132
Subnets.1.CreatedAt  3 minutes ago
Subnets.1.UpdatedAt  3 minutes ago
Subnets.1.Subnet     fd79:24b5:5468:a7ee::/64
VpcID                5b7c8339-a09d-4bf8-8ad2-63f79cf33268
DHCPEnabled          true

Actual Behavior II

The only way to the above code to run without errors is adding enable_dhcp = false to the scaleway_vpc_gateway_network resource. (Setting enable_dhcp = true gives the exact same error).

• two vpc's called main
• a private network with dhcp disabled
• a public gateway connected to the network

$ scw vpc vpc list
ID                                    NAME     ORGANIZATION ID                       PROJECT ID                            REGION  TAGS
cccc4450-c905-4053-9a3b-68b32b1f434d  default  87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx  ccb52cb5-6966-4f01-9886-c40c13c8a5e3  fr-par  [default]
3f25a17a-ca91-48bc-8b47-2f2c710aebbf  main     87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx  ccb52cb5-6966-4f01-9886-c40c13c8a5e3  fr-par  []
e3fb8c00-dc53-41b7-ae58-cafb6515342e  main     87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx  ccb52cb5-6966-4f01-9886-c40c13c8a5e3  fr-par  [vpc-gw b255f2dc-c41b-4287-b1d6-cd2ebd79c4b9]

$ scw vpc-gw gateway-network list
ID                                    GATEWAY ID                            PRIVATE NETWORK ID                    STATUS  ADDRESS  MAC ADDRESS        ENABLE DHCP
aa93d5b3-8fc3-4a42-a6b8-5547a1540e00  b255f2dc-c41b-4287-b1d6-cd2ebd79c4b9  4a8a663f-163c-4d95-a1fe-8e50c662aa36  ready   -        02:00:00:13:63:33  false
$ scw vpc private-network list
ID                                    NAME  ORGANIZATION ID                       PROJECT ID                            REGION  TAGS  CREATED AT     UPDATED AT     SUBNETS
4a8a663f-163c-4d95-a1fe-8e50c662aa36  main  87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx  ccb52cb5-6966-4f01-9886-c40c13c8a5e3  fr-par  []    2 minutes ago  2 minutes ago  2
$ scw vpc private-network get 4a8a663f-163c-4d95-a1fe-8e50c662aa36
ID                   4a8a663f-163c-4d95-a1fe-8e50c662aa36
Name                 main
OrganizationID       87b67ee8-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ProjectID            ccb52cb5-6966-4f01-9886-c40c13c8a5e3
Region               fr-par
CreatedAt            2 minutes ago
UpdatedAt            2 minutes ago
Subnets.0.ID         8826ce34-4096-4178-861d-cffe6812f6b9
Subnets.0.CreatedAt  2 minutes ago
Subnets.0.UpdatedAt  2 minutes ago
Subnets.0.Subnet     10.0.0.0/22
Subnets.1.ID         d27b21fe-b1c4-4da3-939c-65c680fac691
Subnets.1.CreatedAt  2 minutes ago
Subnets.1.UpdatedAt  2 minutes ago
Subnets.1.Subnet     fd79:24b5:5468:201d::/64
VpcID                e3fb8c00-dc53-41b7-ae58-cafb6515342e
DHCPEnabled          false

Steps to Reproduce

1. terraform apply with the above code
2. Add enable_dhcp = false to the scaleway_vpc_gateway_network resource
3. terraform apply

Important Factoids

References

• #0000

[jeansebastienh]

I confirm, I reproduce the same behavior. The PN is not attached to the right vpc.

[sebbrousse]

I get the same, the (wanted) vpc is not linked to the private network and I have another vpc with the gateway's name which is linked to the private network.

[djacquensf9]

I confirm.
Does anyone has a quick-fix until Scaleway fixes this Public Gateways and VPC issue ?
Thanks 😉

[WinterNis]

Hi, if it helps, I went with this "quick fix" during my tests:

resource "scaleway_vpc" "vpc" {
    name = "myvpc"
}

data "scaleway_vpcs" "vpc_gws" {
  name = "myvpc"

  depends_on = [
    scaleway_vpc_public_gateway.mygateway,
  ]
}
locals {
  sorted_vpc_gws_created_at = distinct(sort(data.scaleway_vpcs.vpc_gws.vpcs.*.created_at))

  vpc_gw = flatten(
        [for created_at in local.sorted_vpc_gws_created_at:
            [ for elem in data.scaleway_vpcs.vpc_gws.vpcs.*: 
                 elem if created_at == elem.created_at
            ]     
        ])[length(data.scaleway_vpcs.vpc_gws.vpcs.*)-1]
}

resource "scaleway_vpc_private_network" "private" {
    name = "my-private-network"

    vpc_id = local.vpc_gw.id

    depends_on = [scaleway_vpc.vpc]
}

resource "scaleway_vpc_public_gateway" "gateway" {
    name = "mygateway"
    type = "VPC-GW-S"
    depends_on = [scaleway_vpc.vpc]
}

resource "scaleway_vpc_gateway_network" "private" {
  gateway_id = scaleway_vpc_public_gateway.gateway.id
  private_network_id = scaleway_vpc_private_network.gateway.id
}

Basically, on first apply, it will create a vpc, as described in the terraform code. Then, on gateway creation, a second vpc will be created automatically by scaleway according to this doc.
Also, on gateway network creation, the vpc used by the private network will automatically switch to this new created vpc.

Then, on following terraform apply the new value of the vpc will be the correct one as we get the vpc created most recently with the same name.

This works because the two vpcs (terraform created one and automagic created one) actually have the same name (myvpc in the example)

This is an ugly fix, and terraform destroy will not handle the first VPC deletion properly. The vpc will just hang there since only the second one will be deleted.
Hoping for a proper fix sometime soon 🙏

[yfodil]

The issue has been fixed, you'll need to create the Public Gateway with IPAM:

resource scaleway_vpc_gateway_network main {
  gateway_id = scaleway_vpc_public_gateway.pg01.id
  private_network_id = scaleway_vpc_private_network.pn01.id
  enable_masquerade = true
  ipam_config {
    push_default_route = true
  }
}