Terraform-provider-aws: EC2 Transit Gateway attachment associations cannot be non-default

Created on 21 Jan 2019  ·  4Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11
Tested with AWS Provider versions 1.51.0, 1.54.0, 1.56.0

Affected Resource(s)

  • aws_ec2_transit_gateway
  • aws_ec2_transit_gateway_vpc_attachment
  • aws_ec2_transit_gateway_route_table
  • aws_ec2_transit_gateway_route_table_association
  • aws_ec2_transit_gateway_route_table_propagation

Steps to Reproduce

This is the exact issue mentioned in #6664, which has been closed. In that ticket it's written that the issue was fixed with the release of AWS Provider 1.51.0, but that is not the case.
This still remains an issue: I have tested with AWS Provider versions 1.51.0, 1.54.0 and 1.56.0, and it is still failing.

Does anyone know if this is truly fixed, or if there's any update on this, please?

Thank you!

All 4 comments

Hi @piersf

I played around with TGW yesterday and encountered no such problems. However, I encountered problems when using TGW with RAM attachments in a multi-acc env. #6670

Please refer to my snippet below, could be helpful:

modules/transitGateway

resource "aws_ec2_transit_gateway" "this" {
    amazon_side_asn                 = "${var.amazon_side_asn}"
    dns_support                     = "${var.tgw_dns_support}"
    vpn_ecmp_support                = "${var.vpn_ecmp_support}"
    default_route_table_association = "${var.default_route_table_association}"
    default_route_table_propagation = "${var.default_route_table_propagation}"
    auto_accept_shared_attachments  = "${var.auto_accept_shared_attachments}"
    description                     = "${var.tgw_description}"
    tags {
      Name = "${var.tgw_name}"
    }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
    transit_gateway_id                              = "${aws_ec2_transit_gateway.this.id}"
    dns_support                                     = "${var.vpc_attachment_dns_support}"
    vpc_id                                          = "${var.vpc_id}"
    subnet_ids                                      = ["${var.subnet_ids}"]
    transit_gateway_default_route_table_association = "${var.transit_gateway_default_route_table_association}"
    transit_gateway_default_route_table_propagation = "${var.transit_gateway_default_route_table_propagation}"
    tags {
      Name = "${var.tgw_vpc_attachment_name}"
    }
}

resource "aws_ec2_transit_gateway_route_table_association" "this" {
    transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.this.id}"
    transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.this.id}"
}

resource "aws_ec2_transit_gateway_route_table" "this" {
    transit_gateway_id = "${aws_ec2_transit_gateway.this.id}"
    tags {
      Name = "${var.tgw_route_table_name}"
    }
}

resource "aws_ec2_transit_gateway_route" "this" {
    destination_cidr_block         = "${var.destination_cidr_block}"
    transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.this.id}"
    transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.this.id}"
}

main.tf

module "mainTGW" {
  source = "./modules/transitGateway"

  amazon_side_asn                                 = "${lookup(var.mainTGW, "amazon_side_asn")}"
  tgw_dns_support                                 = "${lookup(var.mainTGW, "tgw_dns_support")}"
  vpn_ecmp_support                                = "${lookup(var.mainTGW, "vpn_ecmp_support")}"
  default_route_table_association                 = "${lookup(var.mainTGW, "default_route_table_association")}"
  default_route_table_propagation                 = "${lookup(var.mainTGW, "default_route_table_propagation")}"
  auto_accept_shared_attachments                  = "${lookup(var.mainTGW, "auto_accept_shared_attachments")}"
  tgw_description                                 = "${lookup(var.mainTGW, "tgw_description")}"
  tgw_name                                        = "${lookup(var.mainTGW, "tgw_name")}"

  vpc_attachment_dns_support                      = "${lookup(var.mainTGWVPCatt, "vpc_attachment_dns_support")}"
  transit_gateway_default_route_table_association = "${lookup(var.mainTGWVPCatt, "transit_gateway_default_route_table_association")}"
  transit_gateway_default_route_table_propagation = "${lookup(var.mainTGWVPCatt, "transit_gateway_default_route_table_propagation")}"
  tgw_vpc_attachment_name                         = "${lookup(var.mainTGWVPCatt, "tgw_vpc_attachment_name")}"
  vpc_id                                          = "${var.vpc_id}"
  subnet_ids                                      = ["${var.subnet_ids}"]

  tgw_route_table_name                            = "${lookup(var.mainTGWRT, "tgw_route_table_name")}"

  destination_cidr_block                          = "${lookup(var.mainTGWroutes, "destination_cidr_block")}"
}

vars.tf

variable "region" {
  default = ""
}

variable "vpc_id" {
  default = ""
}

variable "subnet_ids" {
  default = []
}

variable "mainTGW" {
  type = "map"
  default = {
    "amazon_side_asn"                 = 64517
    "tgw_dns_support"                 = "enable"
    "vpn_ecmp_support"                = "enable"
    "default_route_table_association" = "disable"
    "default_route_table_propagation" = "disable"
    "auto_accept_shared_attachments"  = "enable"
    "tgw_description"                 = "Main Transit Gateway in Network Infra Account"
    "tgw_name"                        = "mainTGW"
  }
}

variable "mainTGWVPCatt" {
  type = "map"
  default = {
    "vpc_attachment_dns_support"                      = "enable"
    "transit_gateway_default_route_table_association" = false
    "transit_gateway_default_route_table_propagation" = false
    "tgw_vpc_attachment_name"                         = "redVPC"
  }
}

## Route Domain
variable "mainTGWRT" {
  type = "map"
  default = {
    "tgw_route_table_name" = "SharedServicesDomain"
  }
}

variable "mainTGWroutes" {
  type = "map"
  default = {
    "destination_cidr_block" = "10.0.0.0/8"
  }
}

And insert your VPC ID and subnet_ids in the .tfvars file.

Let me know if this helped.

Hi @dbektas
Just as you posted this, I figured out the issue. Your post above was useful and helped me confirm the suspicion and the solution.

For anyone else encountering this issue, below is the explanation and the solution:
In #6664 it was written that, to prevent the creation of the default routing table when the TGW is created, you need to set the two TGW attributes default_route_table_association and default_route_table_propagation to disable. This will indeed prevent the default route table from being created. But when you add an Attachment resource, it will look for the default routing table, because the TGW-Attachment attributes transit_gateway_default_route_table_association and transit_gateway_default_route_table_propagation are set to true by default, and then one will get the error mentioned in #6664.

You must also set the TGW-Attachment attributes transit_gateway_default_route_table_association and transit_gateway_default_route_table_propagation to false.

After setting those 4 attributes, the TGW gateway and TGW-Attachment get created successfully, no default routing table is created, and I am able to associate the Attachment with a custom/new TGW Routing Table resource.

@dbektas Thank you for your time and effort!
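
The pairing described in the comment above can be checked before apply. This is an added example, not code from the issue or from the provider: it assumes a plan exported with `terraform show -json` (available in Terraform 0.12 and later, not the 0.11.11 used in this report), and the function names, the sample plan and the `red`/`blue` attachment names are constructed for illustration.

```python
TGW = "aws_ec2_transit_gateway"
ATT = "aws_ec2_transit_gateway_vpc_attachment"
# TGW-level attribute -> attachment-level attribute that must then be false
PAIRS = {
    "default_route_table_association": "transit_gateway_default_route_table_association",
    "default_route_table_propagation": "transit_gateway_default_route_table_propagation",
}

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def find_mismatches(plan):
    """Return (attachment address, attribute) pairs that still point at a disabled default table."""
    resources = list(walk(plan["planned_values"]["root_module"]))
    findings = []
    for tgw in (r for r in resources if r["type"] == TGW):
        tgw_id = tgw["values"].get("id")  # omitted from the plan until the TGW exists
        for att in (r for r in resources if r["type"] == ATT):
            att_tgw = att["values"].get("transit_gateway_id")
            if tgw_id and att_tgw and tgw_id != att_tgw:
                continue  # attachment belongs to a different, known TGW
            for tgw_attr, att_attr in PAIRS.items():
                disabled = tgw["values"].get(tgw_attr) == "disable"
                # A missing attachment attribute is treated as the default, true.
                if disabled and att["values"].get(att_attr, True) is not False:
                    findings.append((att["address"], att_attr))
    return findings

# Constructed sample in the shape of `terraform show -json` (assumption: Terraform 0.12+).
SAMPLE_PLAN = {"planned_values": {"root_module": {"child_modules": [{"resources": [
    {"address": "module.mainTGW.aws_ec2_transit_gateway.this", "type": TGW,
     "values": {"default_route_table_association": "disable",
                "default_route_table_propagation": "disable"}},
    {"address": "module.mainTGW.aws_ec2_transit_gateway_vpc_attachment.red", "type": ATT,
     "values": {"transit_gateway_default_route_table_association": False,
                "transit_gateway_default_route_table_propagation": False}},
    {"address": "module.mainTGW.aws_ec2_transit_gateway_vpc_attachment.blue", "type": ATT,
     "values": {"transit_gateway_default_route_table_association": False,
                "transit_gateway_default_route_table_propagation": True}},
]}]}}}

if __name__ == "__main__":
    for address, attr in find_mismatches(SAMPLE_PLAN):
        print(f"{address}: set {attr} = false")
```

Attachments whose `transit_gateway_id` is not yet known in the plan are matched conservatively against every Transit Gateway in it.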

Adding transit_gateway_default_route_table_propagation = false was exactly what I needed to get it working properly. In addition to what I already was using... transit_gateway_default_route_table_association = false
Thanks again

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
