Fix errors in EC2 Transit Gateway VPC Attachment when TGW is shared from another account #7513
Conversation
…as deleted or no longer exists" when attaching to Shared Transit Gateway from another AWS Account hashicorp#6670 Managing transit gateway route tables does not seem to make sense for a shared TGW In transit gateway attachement resource, add checks to see if the VPC has the same owner as the TGW. If not, skip the route table sections.
ghost
added
size/M
|
🙏 Please review this. It is blocking us 😢 @bflad |
|
This is also impacting us, some movement on this would be amazing! |
|
@andrewsuperbrilliant The acceptance tests seem to fail |
|
@andrewsuperbrilliant any updates? |
|
@Puneeth-n, that test should pass now. |
|
👍 |
|
🥇 |
There was a problem hiding this comment.
Hi @andrewsuperbrilliant 👋 Thanks so much for submitting this. I was able to provide some review items below by experimenting with our acceptance testing framework and multiple account testing.
Given the complexity and requirements associated with implementing the acceptance testing in this case, we would prefer just resource and resource documentation updates in this pull request and we will add the testing afterwards once we have finalized our desired testing implementation. Once this pull request is updated we will run the acceptance testing again before merge just to confirm everything.
One item not noted below that we would also like addressed is updating the resource documentation for the two arguments in website/docs/r/ec2_transit_gateway_vpc_attachment.html.markdown:
* `transit_gateway_default_route_table_association` - (Optional) Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: `true`.
* `transit_gateway_default_route_table_propagation` - (Optional) Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: `true`.Output from the acceptance testing with below changes (including our experimental new test):
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_SharedTransitGateway (233.35s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_TransitGatewayDefaultRouteTableAssociationAndPropagationDisabled (270.65s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_disappears (350.59s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_TransitGatewayDefaultRouteTablePropagation (381.75s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_Tags (387.63s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_Ipv6Support (388.37s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_basic (389.22s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_DnsSupport (449.51s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_TransitGatewayDefaultRouteTableAssociation (511.77s)
--- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_SubnetIds (514.14s)
Experimental test configuration just for reference, does not need to included:
resource "aws_ec2_transit_gateway" "test" {
provider = "aws.alternate"
}
resource "aws_ram_resource_share" "test" {
provider = "aws.alternate"
name = %[1]q
}
resource "aws_ram_resource_association" "test" {
provider = "aws.alternate"
resource_arn = "${aws_ec2_transit_gateway.test.arn}"
resource_share_arn = "${aws_ram_resource_share.test.id}"
}
resource "aws_ram_principal_association" "test" {
provider = "aws.alternate"
principal = "--OMITTED--"
resource_share_arn = "${aws_ram_resource_share.test.id}"
}
resource "aws_vpc" "test" {
cidr_block = "10.0.0.0/16"
tags = {
Name = "tf-acc-test-ec2-transit-gateway-vpc-attachment"
}
}
resource "aws_subnet" "test" {
cidr_block = "10.0.0.0/24"
vpc_id = "${aws_vpc.test.id}"
tags = {
Name = "tf-acc-test-ec2-transit-gateway-vpc-attachment"
}
}
resource "aws_ec2_transit_gateway_vpc_attachment" "test" {
depends_on = ["aws_ram_principal_association.test", "aws_ram_resource_association.test"]
subnet_ids = ["${aws_subnet.test.id}"]
transit_gateway_id = "${aws_ec2_transit_gateway.test.id}"
vpc_id = "${aws_vpc.test.id}"
}| if err := ec2TransitGatewayRouteTableAssociationUpdate(conn, aws.StringValue(transitGateway.Options.AssociationDefaultRouteTableId), d.Id(), d.Get("transit_gateway_default_route_table_association").(bool)); err != nil { | ||
| return fmt.Errorf("error updating EC2 Transit Gateway Attachment (%s) Route Table (%s) association: %s", d.Id(), aws.StringValue(transitGateway.Options.AssociationDefaultRouteTableId), err) | ||
| } | ||
| if *transitGateway.OwnerId == vpcOwnerID { |
There was a problem hiding this comment.
We can remove the above DescribeVpcs API call by checking the VPC owner ID available from creating the VPC attachment here. We should also leave an inline comment for future code maintainers about why this check is here.
| if *transitGateway.OwnerId == vpcOwnerID { | |
| // We cannot modify Transit Gateway Route Tables for Resource Access Manager shared Transit Gateways | |
| if aws.StringValue(transitGateway.OwnerId) == aws.StringValue(output.TransitGatewayVpcAttachment.VpcOwnerId) { |
| } | ||
| var transitGatewayDefaultRouteTableAssociation *ec2.TransitGatewayRouteTableAssociation | ||
| var transitGatewayDefaultRouteTablePropagation *ec2.TransitGatewayRouteTablePropagation | ||
| if *transitGateway.OwnerId == vpcOwnerID { |
There was a problem hiding this comment.
We can remove the above DescribeVpcs API call by using the Transit Gateway VPC Attachment information we already have available. We should also leave an inline comment here for future code maintainers about this conditional. Please note this whole comment details about the defaults should be included to go along with a change below.
// We cannot read Transit Gateway Route Tables for Resource Access Manager shared Transit Gateways
// Default these to a non-nil value so we can match the existing schema of Default: true
transitGatewayDefaultRouteTableAssociation := &ec2.TransitGatewayRouteTableAssociation{}
transitGatewayDefaultRouteTablePropagation := &ec2.TransitGatewayRouteTablePropagation{}
if aws.StringValue(transitGateway.OwnerId) == aws.StringValue(transitGatewayVpcAttachment.VpcOwnerId) {| @@ -192,8 +224,10 @@ func resourceAwsEc2TransitGatewayVpcAttachmentRead(d *schema.ResourceData, meta | |||
| return fmt.Errorf("error setting tags: %s", err) | |||
| } | |||
|
|
|||
| d.Set("transit_gateway_default_route_table_association", (transitGatewayDefaultRouteTableAssociation != nil)) | |||
| d.Set("transit_gateway_default_route_table_propagation", (transitGatewayDefaultRouteTablePropagation != nil)) | |||
| if *transitGateway.OwnerId == vpcOwnerID { | |||
There was a problem hiding this comment.
This conditional should be removed to match with the above change. 👍 Without calling d.Set() for the below attributes in the RAM shared Transit Gateway scenario, operators will be presented a plan immediately after import similar to:
"transit_gateway_default_route_table_association": "" => "true"
"transit_gateway_default_route_table_propagation": "" => "true"
| if d.HasChange("transit_gateway_default_route_table_association") { | ||
| if err := ec2TransitGatewayRouteTableAssociationUpdate(conn, aws.StringValue(transitGateway.Options.AssociationDefaultRouteTableId), d.Id(), d.Get("transit_gateway_default_route_table_association").(bool)); err != nil { | ||
| return fmt.Errorf("error updating EC2 Transit Gateway Attachment (%s) Route Table (%s) association: %s", d.Id(), aws.StringValue(transitGateway.Options.AssociationDefaultRouteTableId), err) | ||
| if *transitGateway.OwnerId == vpcOwnerID { |
There was a problem hiding this comment.
Given that it would be invalid to attempt adjusting these configuration arguments since we cannot manage the EC2 Transit Gateway Default Route Table for a RAM shared Transit Gateway, we can either remove all these proposed resourceAwsEc2TransitGatewayVpcAttachmentUpdate changes and allow the API to return any errors (I personally think this is preferable in this situation, paired with updates to the resource documentation) or continue with these adjustments where Terraform will instead just return a perpetual plan difference, e.g. "true" => "false".
If we do keep these changes, we can remove the above DescribeVpcs API call above by using information present in the Terraform state here. 👍 We should also provide an inline comment for future code maintainers about this conditional.
| if *transitGateway.OwnerId == vpcOwnerID { | |
| // We cannot modify Transit Gateway Route Tables for Resource Access Manager shared Transit Gateways | |
| if aws.StringValue(transitGateway.OwnerId) == d.Get("vpc_owner_id").(string) { |
|
@andrewsuperbrilliant any updates on this? would be nice if we could get it merged. |
|
also being blocked by this issue |
|
Hi again @andrewsuperbrilliant 👋 since we haven't heard back from you, we have addressed the feedback in a followup commit (920b498) so we can get this released today. Thanks for your contribution. |
…dback Output from acceptance testing: ``` --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_basic (333.79s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_disappears (306.32s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_DnsSupport (334.40s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_Ipv6Support (335.74s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_SharedTransitGateway (250.72s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_SubnetIds (485.69s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_Tags (361.38s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_TransitGatewayDefaultRouteTableAssociation (481.03s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_TransitGatewayDefaultRouteTableAssociationAndPropagationDisabled (246.08s) --- PASS: TestAccAWSEc2TransitGatewayVpcAttachment_TransitGatewayDefaultRouteTablePropagation (364.23s) ```
|
@bflad being more familiar with the aws-provider code base (this was my first peak into terraform source code), your comments all look great to me. I've been traveling this week and haven't had a chance to look at the comments that were provided. Just glad my initial work around code was a starting point for a better fix. Happy to see a fix moving to master! Thanks |
|
This has been released in version 2.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
Since version 2.17.0 is higher than 2.2, I expected it to be fixed in version 2.17.0. Could you advise what could be going wrong here? The VPC lives in a different account than the TGW because of RAM |
|
@BrunoCarrier 👋 Please note this in the
Since you mention using RAM, you'll want to ensure they are either omitted from the configuration or set to match the default. Hope this helps. |
|
The issue is actually with the aws_ec2_transit_gateway_vpc_attachment_accepter resource, not aws_ec2_transit_gateway_vpc_attachment @bflad |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Fix EC2 Transit Gateway VPC Attachment "Transit gateway route table was deleted or no longer exists" when attaching to Shared Transit Gateway from another AWS Account
See: #6670
Managing transit gateway route tables does not seem to make sense for a shared TGW
In transit gateway attachment resource, add checks to see if the VPC has the same owner as the TGW. If not, skip the route table sections.
Output from acceptance testing: