Wednesday, August 14, 2019

terraform aws_route_table always change

Terraform Version

Terraform v0.12.6

Q: Why does a Terraform aws_route_table resource always show a change on every plan?


main.tf
resource "aws_route_table" "route_to_nat" {
  vpc_id = "${aws_vpc.vpc.id}"
  route {
    cidr_block = "0.0.0.0/0"
    # A NAT gateway ID (nat-...) is passed as gateway_id. The AWS API accepts it,
    # but reports the route back under nat_gateway_id, so every plan shows a diff.
    gateway_id = "${aws_nat_gateway.nat.id}"
  }
  tags = {
    "Name"  = "Route-To-Nat"
  }
}
Error (output of terraform plan)
  # aws_lb_target_group_attachment.test must be replaced
-/+ resource "aws_lb_target_group_attachment" "test" {
      ~ id               = "arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxx:targetgroup/test-lb-tg-tf/583716da0369baf2-20190814081528833600000001" -> (known after apply)
        port             = 80
        target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxx:targetgroup/test-lb-tg-tf/583716da0369baf2"
      ~ target_id        = "i-075a770cca5ab74e4" -> (known after apply) # forces replacement
    }

  # aws_route_table.route_to_nat will be updated in-place
  ~ resource "aws_route_table" "route_to_nat" {
        id               = "rtb-06e975d7fb6e235e3"
        owner_id         = "xxxxxxxxxxxx"
        propagating_vgws = []
      ~ route            = [
          - {
              - cidr_block                = "0.0.0.0/0"
              - egress_only_gateway_id    = ""
              - gateway_id                = ""
              - instance_id               = ""
              - ipv6_cidr_block           = ""
              - nat_gateway_id            = "nat-02fb444b359ab0f52"
              - network_interface_id      = ""
              - transit_gateway_id        = ""
              - vpc_peering_connection_id = ""
            },
          + {
              + cidr_block                = "0.0.0.0/0"
              + egress_only_gateway_id    = ""
              + gateway_id                = "nat-02fb444b359ab0f52"
              + instance_id               = ""
              + ipv6_cidr_block           = ""
              + nat_gateway_id            = ""
              + network_interface_id      = ""
              + transit_gateway_id        = ""
              + vpc_peering_connection_id = ""
            },
        ]
        tags             = {
            "Name" = "Route-To-Nat"
        }
        vpc_id           = "vpc-0b5320622318ef4c2"
    }
Solution
Use nat_gateway_id instead of gateway_id.
    • gateway_id - The Internet Gateway ID.
    • nat_gateway_id - The NAT Gateway ID.
    • gateway_id - (Optional) Identifier of a VPC internet gateway or a virtual private gateway.
    • nat_gateway_id - (Optional) Identifier of a VPC NAT gateway.
    NOTE on gateway_id and nat_gateway_id: The AWS API is very forgiving with these two attributes and the aws_route_table resource can be created with a NAT ID specified as a Gateway ID attribute. This will lead to a permanent diff between your configuration and state file, as the API returns the correct parameters in the returned route table. If you're experiencing constant diffs in your aws_route_table resources, the first thing to check is whether or not you're specifying a NAT ID instead of a Gateway ID, or vice-versa.
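The corrected configuration, as an added example (not code from the original post): the private route table now uses nat_gateway_id, and a public route table is shown beside it to make clear that gateway_id is for the internet gateway. The aws_internet_gateway, aws_subnet.private and aws_route_table_association resources are assumed for illustration; Terraform 0.12 syntax is used, so the "${...}" wrapping is no longer needed.

```hcl
# Private route table: the NAT gateway belongs in nat_gateway_id.
resource "aws_route_table" "route_to_nat" {
  vpc_id = aws_vpc.vpc.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }

  tags = {
    "Name" = "Route-To-Nat"
  }
}

# Public route table (assumed resources, not in the original post): an
# internet gateway is what gateway_id is meant for.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc.id
}

resource "aws_route_table" "route_to_igw" {
  vpc_id = aws_vpc.vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }

  tags = {
    "Name" = "Route-To-Igw"
  }
}

# Associate only the private subnet with the NAT route table, so instances
# there get outbound access without being directly reachable from the internet.
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id # assumed subnet resource
  route_table_id = aws_route_table.route_to_nat.id
}
```

After applying this, a second terraform plan should report no changes for aws_route_table.route_to_nat; if it still shows a route diff, check which of the two attributes the plan output lists the ID under.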
Reference:
