
CfnTransitGatewayRouteTable: not returning the default routing table to add additional routes #24473

Open
edwinperez opened this issue Mar 6, 2023 · 8 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p1

Comments

@edwinperez

Describe the bug

In: "aws-cdk": "2.46.0"
When creating TransitGateway:

    const securityCenterTransitGateway = new CfnTransitGateway(stack, 'Security-Center-Transit-Gateway', {
      description: "Security Center TransitGateway",
      vpnEcmpSupport: 'enable',
      autoAcceptSharedAttachments: "enable",
      defaultRouteTableAssociation: "enable",
      defaultRouteTablePropagation: "enable",
      tags: [{
        key: 'Name',
        value: "Security Center Transit Gateway"
      }],
    });

you get the following error:
failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "enable DefaultRouteTableAssociation conflicts with AssociationDefaultRouteTableId null

Essentially the AssociationDefaultRouteTableId and PropagationDefaultRouteTableId are required. However in order to create a routing table you must have the transitGatewayID: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnTransitGatewayRouteTable.html

If you try to overwrite TransitGateway properties after you initialize a routing table you get a circular dependency error.

Expected Behavior

You must be able to create a routing table and overwrite the TransitGateway params to enable default association and propagation.

Current Behavior

It is impossible to configure default propagation and association routing table.

Reproduction Steps

  1. create a TGW:
    // Creates Transit gateway
    const securityCenterTransitGateway = new CfnTransitGateway(stack, 'Security-Center-Transit-Gateway', {
      description: "Security Center TransitGateway",
      vpnEcmpSupport: 'enable',
      autoAcceptSharedAttachments: "enable",
      defaultRouteTableAssociation: "enable",
      defaultRouteTablePropagation: "enable",
      tags: [{
        key: 'Name',
        value: "Security Center Transit Gateway"
      }],
    });

This will give you the error: failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "enable DefaultRouteTableAssociation conflicts with AssociationDefaultRouteTableId null

  2. create a TGW instance without the defaults:
    // Creates Transit gateway
    const securityCenterTransitGateway = new CfnTransitGateway(stack, 'Security-Center-Transit-Gateway', {
      description: "Security Center TransitGateway",
      vpnEcmpSupport: 'enable',
      autoAcceptSharedAttachments: "enable",
      tags: [{
        key: 'Name',
        value: "Security Center Transit Gateway"
      }],
    });
  3. create a new route table:
    const securityCenterDefaultTgwRouteTable = new CfnTransitGatewayRouteTable(stack, 'Security-Center-Default-Tgw-Route-Table', {
      transitGatewayId: securityCenterTransitGateway.ref,
      tags: [{
        key: 'Name',
        value: 'SecurityCenterDefaultTgwRouteTable',
      }],
    });
  4. Try to overwrite the TGW property:
    securityCenterTransitGateway.addOverride('Properties.associationDefaultRouteTableId', securityCenterDefaultTgwRouteTable.ref);
    securityCenterTransitGateway.addOverride('Properties.defaultRouteTableAssociation', 'enable');

Get the error:
failed: Error [ValidationError]: Circular dependency between resources: [securityCenterDefaultTgwRouteTable, ....

Possible Solution

Remove circular dependency or create a custom resource to update once created.

Additional Information/Context

No response

CDK CLI Version

2.46.0

Framework Version

No response

Node.js Version

v16.15.0

OS

13.1 (22C65)

Language

Typescript

Language Version

4.6.3

Other information

No response

@edwinperez edwinperez added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 6, 2023
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Mar 6, 2023
@pahud pahud self-assigned this Mar 6, 2023
@pahud pahud added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Mar 6, 2023
@pahud
Contributor

pahud commented Mar 6, 2023

Thank you for your feedback. As TransitGateway is currently an L1 construct, it's pretty much a CloudFormation resource mapping at this moment. But I will try to reproduce this in my environment and see what I can do with that. Meanwhile, any community feedback is welcome and highly appreciated here.

@pahud
Contributor

pahud commented Mar 8, 2023

Essentially the AssociationDefaultRouteTableId and PropagationDefaultRouteTableId are required. However in order to create a routing table you must have the transitGatewayID: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnTransitGatewayRouteTable.html

Hi

I got your point here. This causes a circular dependency and it seems not possible to deploy with native CloudFormation resources like that. I'll try to reproduce it in my account.

@pahud pahud added p1 needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Mar 8, 2023
@pahud pahud removed their assignment Mar 8, 2023
@pahud
Contributor

pahud commented Mar 8, 2023

Hi,

From my test with cdk 2.68.0, you should be able to deploy this with no error.

    new ec2.CfnTransitGateway(this, 'TGW', {
      autoAcceptSharedAttachments: 'enable',
      defaultRouteTableAssociation: 'enable',
      vpnEcmpSupport: 'enable',
      defaultRouteTablePropagation: 'enable',
    })

According to the doc:

When you create a transit gateway, we create a default transit gateway route table and use it as the default association route table and the default propagation route table.

Let me know if it works with you.

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed p1 needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. labels Mar 8, 2023
@edwinperez
Author

Thank you for the update, we need to create a custom table due to some other requirements. Ended up creating a custom resource to update those values using SDK.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 9, 2023
@pahud
Contributor

pahud commented Mar 9, 2023

@edwinperez Yeah, I also noticed some limitations. The TransitGateway CFN resource will not return its default routing table ID (see return values), so it would be difficult to add additional routes into the generated default routing table. To fill such a gap, a custom resource would be required at this moment. I will keep this issue open until we fill the gap from CFN.

@pahud pahud added the needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. label Mar 9, 2023
@pahud pahud changed the title CfnTransitGatewayRouteTable: Props dependency conflict and circular dependency. CfnTransitGatewayRouteTable: not returning the default routing table to add additional routes Mar 9, 2023
@pahud
Contributor

pahud commented Mar 9, 2023

I have reported this to the CFN coverage map
aws-cloudformation/cloudformation-coverage-roadmap#1556

@pahud pahud added the p1 label Mar 15, 2023
@tmokmss
Contributor

tmokmss commented May 8, 2023

Here's the code of a custom resource to get the default route table ID:

    const getDefaultRouteTableId = new cr.AwsCustomResource(this, 'GetDefaultRouteTableId', {
      onUpdate: {
        service: 'EC2',
        action: 'describeTransitGateways',
        parameters: {
          TransitGatewayIds: [this.tgw.ref],
        },
        physicalResourceId: cr.PhysicalResourceId.of('GetDefaultRouteTableId'),
      },
      policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
        resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });
    const routeTableId = getDefaultRouteTableId.getResponseField(
      'TransitGateways.0.Options.AssociationDefaultRouteTableId',
    );

    peerCidrs.forEach((cidr, i) => {
      new ec2.CfnTransitGatewayRoute(this, `TgwRoute${i}`, {
        destinationCidrBlock: cidr,
        transitGatewayRouteTableId: routeTableId,
        transitGatewayAttachmentId: peeringAttachmentId,
      });
    });
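The custom resource above works because `getResponseField` resolves a dotted path such as `TransitGateways.0.Options.AssociationDefaultRouteTableId` against the JSON that `describeTransitGateways` returns. The example below is added here and is not code from the aws-cdk project or from anyone in this thread: it re-implements that path resolution locally over a constructed `DescribeTransitGateways` response so the failure modes that bite both the original report (a gateway created with `defaultRouteTableAssociation` disabled has no `AssociationDefaultRouteTableId` at all) and the workaround (using the ID before the gateway is `available`) can be exercised offline. The `resolvePath`, `defaultRouteTableIds` and `buildPeerRoutes` functions and the sample IDs are assumptions of this example, not part of `aws-cdk-lib`.

```typescript
// Added example; not from the aws-cdk project or this issue's authors.
// Re-implements the dotted-path lookup that AwsCustomResource.getResponseField
// performs, so the response shape can be checked offline.

// Fields we rely on in an EC2 DescribeTransitGateways response.
interface TransitGatewayOptions {
  DefaultRouteTableAssociation?: 'enable' | 'disable';
  DefaultRouteTablePropagation?: 'enable' | 'disable';
  AssociationDefaultRouteTableId?: string;
  PropagationDefaultRouteTableId?: string;
}
interface DescribeTransitGatewaysResponse {
  TransitGateways: Array<{
    TransitGatewayId: string;
    State: 'pending' | 'available' | 'modifying' | 'deleting' | 'deleted';
    Options?: TransitGatewayOptions;
  }>;
}

// Resolve 'a.0.b' the way getResponseField does: each segment is an object key,
// or an array index when the current value is an array and the segment is an integer.
export function resolvePath(obj: unknown, path: string): unknown {
  return path.split('.').reduce<unknown>((cur, seg) => {
    if (cur === null || cur === undefined) return undefined;
    if (Array.isArray(cur)) {
      const idx = Number(seg);
      return Number.isInteger(idx) ? cur[idx] : undefined;
    }
    return (cur as Record<string, unknown>)[seg];
  }, obj);
}

// Default route-table IDs of the first gateway in the response. Throws with a
// message naming the missing field: AssociationDefaultRouteTableId is absent when
// DefaultRouteTableAssociation is 'disable', which is the configuration the
// reporter had to fall back to, and a 'pending' gateway must not be used yet.
export function defaultRouteTableIds(resp: DescribeTransitGatewaysResponse): {
  association: string;
  propagation: string;
} {
  const state = resolvePath(resp, 'TransitGateways.0.State');
  if (state !== 'available') {
    throw new Error(`transit gateway is not available (state=${String(state)})`);
  }
  const association = resolvePath(resp, 'TransitGateways.0.Options.AssociationDefaultRouteTableId');
  const propagation = resolvePath(resp, 'TransitGateways.0.Options.PropagationDefaultRouteTableId');
  if (typeof association !== 'string') {
    throw new Error('AssociationDefaultRouteTableId missing: DefaultRouteTableAssociation is not enabled');
  }
  if (typeof propagation !== 'string') {
    throw new Error('PropagationDefaultRouteTableId missing: DefaultRouteTablePropagation is not enabled');
  }
  return { association, propagation };
}

// The CfnTransitGatewayRoute property sets the forEach loop above would create,
// one per peer CIDR. Malformed CIDRs are rejected at synth time rather than at deploy time.
export interface TgwRouteProps {
  destinationCidrBlock: string;
  transitGatewayRouteTableId: string;
  transitGatewayAttachmentId: string;
}
const CIDR_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/;
export function buildPeerRoutes(peerCidrs: string[], routeTableId: string, attachmentId: string): TgwRouteProps[] {
  return peerCidrs.map((cidr) => {
    const m = CIDR_RE.exec(cidr);
    if (!m || m.slice(1, 5).some((o) => Number(o) > 255) || Number(m[5]) > 32) {
      throw new Error(`invalid IPv4 CIDR: ${cidr}`);
    }
    return { destinationCidrBlock: cidr, transitGatewayRouteTableId: routeTableId, transitGatewayAttachmentId: attachmentId };
  });
}

// Constructed sample responses; the IDs are placeholders, not real resources.
export const SAMPLE_RESPONSE: DescribeTransitGatewaysResponse = {
  TransitGateways: [{
    TransitGatewayId: 'tgw-0123456789abcdef0',
    State: 'available',
    Options: {
      DefaultRouteTableAssociation: 'enable',
      DefaultRouteTablePropagation: 'enable',
      AssociationDefaultRouteTableId: 'tgw-rtb-0123456789abcdef0',
      PropagationDefaultRouteTableId: 'tgw-rtb-0123456789abcdef0',
    },
  }],
};
// The same gateway created with the defaults disabled: no route-table IDs are present.
export const SAMPLE_RESPONSE_DISABLED: DescribeTransitGatewaysResponse = {
  TransitGateways: [{
    TransitGatewayId: 'tgw-0123456789abcdef0',
    State: 'available',
    Options: { DefaultRouteTableAssociation: 'disable', DefaultRouteTablePropagation: 'disable' },
  }],
};
```

On the policy side: `ec2:DescribeTransitGateways` does not support resource-level permissions, so the `ANY_RESOURCE` in `fromSdkCalls` above is the narrowest scope available for that call; what can be kept tight is the action list, which `fromSdkCalls` derives from the single `describeTransitGateways` call rather than granting broader `ec2:*` rights.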

@tdalbo92

tdalbo92 commented Mar 2, 2024

It feels really broken to have the Transit Gateway L1 automatically create a default route table, and then have no way to access it? A custom resource is definitely not ideal.


4 participants