terraform-aws-modules / terraform-aws-transit-gateway

Terraform module to create AWS Transit Gateway resources 🇺🇦

Home Page: https://registry.terraform.io/modules/terraform-aws-modules/transit-gateway/aws

Transit Gateway routes not getting detected in Multi Account Peering

rajat-tomar opened this issue · comments

Description

We have multiple AWS Accounts in our AWS organisation. To establish cross-account connectivity, we have set up a Transit Gateway in one Central Account and have been sharing it with the other Accounts using Resource Access Manager (RAM) and VPC Attachments.

We were following the multi-account example given in the repository. But the Transit Gateway Peering is not detecting the destination routes or the blackhole routes. Also, although we're setting transit_gateway_default_route_table_association = false and transit_gateway_default_route_table_propagation = false, they automatically get set to true again. When we run plan again, it shows a diff trying to change the value from true to false, and this cycle goes on.

# module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["staging_vpc"] will be updated in-place
  ~ resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
        id                                              = "tgw-attach-id"
        tags                                            = {
            "Name" = "staging-tgw"
        }
      ~ transit_gateway_default_route_table_association = true -> false
      ~ transit_gateway_default_route_table_propagation = true -> false
        # (8 unchanged attributes hidden)
    }

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]: 2.12.2

  • Terraform version: v1.8.4

  • Provider version(s): 5.51.1

Reproduction Code [Required]

Transit Gateway Owner

module "tgw" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "~> 2.0"

  name        = "core-tgw"
  description = "Core TGW shared with other application AWS accounts"

  enable_auto_accept_shared_attachments = true

  vpc_attachments = {
    core_vpc = {
      vpc_id       = data.terraform_remote_state.core_vpc.outputs.vpc_id
      subnet_ids   = data.terraform_remote_state.core_vpc.outputs.private_subnets
      dns_support  = true
      ipv6_support = false

      transit_gateway_default_route_table_association = false
      transit_gateway_default_route_table_propagation = false

      tgw_routes = [
        {
          destination_cidr_block = "core-vpc-cidr"
        }
      ]
    },
  }

  ram_allow_external_principals = true
  ram_principals                = ["staging-account-id"]
}

resource "aws_route" "core_to_staging" {
  for_each               = toset(data.terraform_remote_state.core_vpc.outputs.private_route_table_ids)
  route_table_id         = each.value
  destination_cidr_block = "staging-vpc-cidr"
  transit_gateway_id     = module.tgw.ec2_transit_gateway_id
}

Steps to reproduce the behavior:

Staging Account TGW

module "tgw_peer" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "~> 2.0"

  name        = "staging-tgw"
  description = "Staging TGW Peer to Core TGW"

  create_tgw                            = false
  share_tgw                             = true
  ram_resource_share_arn                = data.terraform_remote_state.core_tgw.outputs.ram_resource_share_id
  enable_auto_accept_shared_attachments = true

  vpc_attachments = {
    staging_vpc = {
      tgw_id       = data.terraform_remote_state.core_tgw.outputs.ec2_transit_gateway_id
      vpc_id       = data.terraform_remote_state.staging_vpc.outputs.vpc_id
      subnet_ids   = data.terraform_remote_state.staging_vpc.outputs.private_subnets
      dns_support  = true
      ipv6_support = false

      transit_gateway_default_route_table_association = false
      transit_gateway_default_route_table_propagation = false

      tgw_routes = [
        {
          destination_cidr_block = "staging-vpc-cidr"
        },
        {
          blackhole              = true
          destination_cidr_block = "prod-cidr"
        }
      ]
    },
  }
}

resource "aws_route" "staging_to_core" {
  for_each               = toset(data.terraform_remote_state.staging_vpc.outputs.private_route_table_ids)
  route_table_id         = each.value
  destination_cidr_block = "core-vpc-cidr"
  transit_gateway_id     = data.terraform_remote_state.core_tgw.outputs.ec2_transit_gateway_id
}

Expected behavior

It should detect the routes being defined in tgw_peer and create routes for the same in the route table including blackhole route.

Actual behavior

Routes in the VPC attachment are not being detected, and transit_gateway_default_route_table_association & transit_gateway_default_route_table_propagation are automatically being set to true even after being explicitly defined as false.

Terminal Output Screenshot(s)

Additional context
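The following Terraform is an added example, not code from the issue or from the terraform-aws-transit-gateway module. It shows the owner-account side of the arrangement described above, under two assumptions: that TGW route tables and routes on a RAM-shared Transit Gateway can only be written by the account that owns the TGW (so the member account's tgw_routes cannot take effect there), and that the two default-route-table flags are honoured when the owner accepts the attachment (the AWS provider documents that they cannot be configured, or drift-detected, on a RAM-shared TGW from the member side, which matches the plan diff in the issue). module.tgw refers to the owner-side module instance from the issue; values in angle brackets are placeholders. Because the accepter resource performs the acceptance explicitly, the owner module would be run with enable_auto_accept_shared_attachments = false, which also means an attachment from an unexpected principal is not admitted to the TGW until someone declares it here.

```hcl
# Added example (not from the issue or the module): TGW owner account.
# Dedicated route table so shared attachments never land on the TGW default table.
resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = module.tgw.ec2_transit_gateway_id

  tags = {
    Name = "core-tgw-shared-rt"
  }
}

# Look up the attachment the staging account created against the shared TGW.
# "<staging-vpc-id>" is a placeholder for the member account's VPC id.
data "aws_ec2_transit_gateway_vpc_attachment" "staging" {
  filter {
    name   = "vpc-id"
    values = ["<staging-vpc-id>"]
  }

  filter {
    name   = "transit-gateway-id"
    values = [module.tgw.ec2_transit_gateway_id]
  }
}

# Accept the cross-account attachment from the owner side. The default-route-table
# flags are set here, in the account that owns the TGW, instead of in the member
# account's aws_ec2_transit_gateway_vpc_attachment where they keep reverting to true.
resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "staging" {
  transit_gateway_attachment_id                   = data.aws_ec2_transit_gateway_vpc_attachment.staging.id
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = {
    Name = "staging-tgw-attachment"
  }
}

# Associate the accepted attachment with the dedicated table (no default-table association).
resource "aws_ec2_transit_gateway_route_table_association" "staging" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment_accepter.staging.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# Propagation is off, so the route toward the staging VPC must be written explicitly.
resource "aws_ec2_transit_gateway_route" "to_staging" {
  destination_cidr_block         = "<staging-vpc-cidr>"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment_accepter.staging.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# Blackhole route: anything on this table sending toward prod is dropped at the TGW,
# which is the segmentation the issue's member-side tgw_routes block was trying to express.
resource "aws_ec2_transit_gateway_route" "blackhole_prod" {
  destination_cidr_block         = "<prod-cidr>"
  blackhole                      = true
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}
```

After apply, the member account's attachment resource no longer needs to declare the two flags at all, so the true/false plan loop disappears; the route toward the core VPC still lives in the member account's own VPC route tables, as in the issue's aws_route "staging_to_core".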

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

This issue was automatically closed because it remained stale for 10 days.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.