Can't associate VPCs in second account with non-default route table

[2stacks]

Versions

terraform = v0.13.5
aws provider = v3.2.0
transit-gateway module = 1.3.0

Module settings

Account A

create_tgw = true 
share_tgw = true
ram_allow_external_principals = true
ram_principals = [<account_b>]
enable_default_route_table_association = false
enable_default_route_table_propagation = false

Account B

create_tgw = false 
share_tgw = true

vpc_attachments = {
  vpc-1 = {
    <snip>
    tgw_id = module.account_a.this_ec2_transit_gateway_id
    transit_gateway_route_table_id = module.account_a.this_ec2_transit_gateway_route_table_id
    transit_gateway_default_route_table_association = false
    transit_gateway_default_route_table_propagation = false
  }
}

For this to work, the VPC attachment needs to be created in Account B but the association/propagation or routes need to be created in Account A. The module tries to create all resources in Account B and fails.

module.account_b.aws_ec2_transit_gateway_route_table_association.this["vpc-1"]  will be created
module.account_b.aws_ec2_transit_gateway_route_table_propagation.this["vpc-1"] will be created
module.account_b.aws_ec2_transit_gateway_vpc_attachment.this["vpc-1"] will be created

Error messages;

Error: error associating EC2 Transit Gateway Route Table (tgw-rtb-<id>) association (tgw-attach-<id>): InvalidRouteTableID.NotFound: Transit Gateway Route Table tgw-rtb-<id> was deleted or does not exist.
        status code: 400, request id: <id>

Error: error associating EC2 Transit Gateway Route Table (tgw-rtb-<id>) association (tgw-attach-<id>): InvalidRouteTableID.NotFound: Transit Gateway Route Table tgw-rtb-<id> was deleted or does not exist.
        status code: 400, request id: <id>

[morp86]

Hey @2stacks, did you ever figure out this issue? Im bumping into the exact same problem.

As you mentioned, the VPC attachment needs to be created in Account B but the association/propagation or routes need to be created in Account A. The module tries to create all resources in Account B and fails.

Any help would be appreciated.

[2stacks]

I ended up forking the module and rewriting a lot of it. I don't know if I'll have time to contribute upstream but perhaps I can answer any questions you have.

…

On Wed, Jun 2, 2021, 8:49 AM morp86 ***@***.***> wrote: Hey @2stacks <https://github.com/2stacks>, did you ever figure out this issue? Im bumping into the exact same problem. As you mentioned, the VPC attachment needs to be created in Account B but the association/propagation or routes need to be created in Account A. The module tries to create all resources in Account B and fails. Any help would be appreciated. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#27 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADUNEHEOZE7YH2DYLI7VYHTTQYSEDANCNFSM4TXLRJUA> .

[morp86]

Thanks for your quick reply. Id be mainly interested in the part you used to get the association / propagation working for attachments created in other accounts, if thats included in your code.

If you wouldn't mind sharing your TGW code, I might be able to figure out / pull the parts I need.

[ThisIsQasim]

Quite a few people are reporting this issue (including myself) @antonbabenko @tfhartmann can you take a look here? Any help would be appreciated.

[2stacks]

Was there supposed to be a link? I plan to upload what I have for comment/collaboration. It's fairly opinionated so it may not make a good module but perhaps it can be used to improve the existing TGW module.

[morp86]

To close the loop here. I ended rewriting allot of the code as well. The way to get around creating the resources in the wrong account is by adding an addition config block to you TGW module section.

Section for TGW account:

module "transit_gateway" {
source = "../../"

#Takes care of sharing the TGW resource to other accounts using AWS RAM.
ram_resource_share_enabled = true
ram_principal = var.customer_account_numbers
allow_external_principals = true

providers = {
aws = aws.network
}

tags_name = "xxxxx"
description = "xxxxx"
tags_environment = "prod"

#Creates TGW in Networking account
create_transit_gateway = true
create_transit_gateway_route_table = true
default_route_table_association = "enable"
default_route_table_propagation = "disable"
create_transit_gateway_route_table_association = false
create_transit_gateway_route_table_propagation = true
existing_transit_gateway_route_table_id = module.transit_gateway.transit_gateway_shared_route_table_id
create_transit_gateway_route_table_association_and_propagation = false

#Create route table association and propagation for Customer VPC attachments
config = {

#  vpc-123456 = {                              <-- Please use VPC-ID for name.
#  vpc_id                            = null             <-- Can be set to null, as we arent create an attachment.
#  subnet_ids                        = null             <-- Can be set to null, as we arent create an attachment.
#  transit_gateway_vpc_attachment_id = module.account1234567890.transit_gateway_vpc_attachment_ids["vpc-123456"]   <-- Reuse attachment ID create by the Customer account module.
#},

#Module for attachment in customer account:

module "account1234567890" {
source = "../../"

providers = {
aws = aws.account1234567890
}

ram_resource_share_enabled = true
ram_principal = null
ram_resource_share_arn = module.transit_gateway.ram_resource_share_id
existing_transit_gateway_id = module.transit_gateway.transit_gateway_id
existing_transit_gateway_route_table_id = module.transit_gateway.transit_gateway_shared_route_table_id
create_transit_gateway = false
create_transit_gateway_route_table = false
create_transit_gateway_vpc_attachment = true
create_transit_gateway_route_table_association = false
create_transit_gateway_route_table_propagation = false
create_transit_gateway_route_table_association_and_propagation = false

config = {
vpc-123456 = {
vpc_id = "vpc-123456"
subnet_ids = ["subnet-11111111","subnet-2222222","subnet-3333333"]
transit_gateway_vpc_attachment_id = null # <-- this wont be used in module for customers.
accountnumber = "123456" # <--- Im using this for RAM sharing
}
}
}

Hope this helps!

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.