
Fix/issue 855 - TGW routes

Open fredbonin opened this issue 3 years ago • 1 comments

Fixed the issue by inserting the TGW local name in the construct name for associations.

I did not use the remote TGW name as mentioned in #855 since it might lead to a collision: the name would be tgw_associate_Main_core and tgw_associate_Main_core if 2 TGWs want to target the Main TGW for the same core route.

With the TGW local name, it works: tgw_associate_TGW2_core and tgw_associate_TGW3_core

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

fredbonin avatar Dec 03 '21 17:12 fredbonin

PR is NOT working per design:

  • To test, requires a TGW in 3 regions (ca-central-1, us-east-1, and us-west-1)
  • Everything works fine with 2 TGW's (ca-central-1, us-east-1)
  • adding the 3rd TGW works fine without an attachment/associations:
    • but obviously not usable
          {
            "name": "West",
            "asn": 64555,
            "region": "us-west-1",
            "features": {
              "DNS-support": true,
              "VPN-ECMP-support": true,
              "Default-route-table-association": false,
              "Default-route-table-propagation": false,
              "Auto-accept-sharing-attachments": true
            },
            "route-tables": ["core-w", "segregated-w", "shared-w", "standalone-w"],
            "tgw-routes": []
          }
  • adding JUST an attachment, the peering connection is never approved
    • while this SM succeeds, if a rt-association had been included, it would have failed the SM waiting for approval
          {
            "name": "West",
            "asn": 64555,
            "region": "us-west-1",
            "features": {
              "DNS-support": true,
              "VPN-ECMP-support": true,
              "Default-route-table-association": false,
              "Default-route-table-propagation": false,
              "Auto-accept-sharing-attachments": true
            },
            "route-tables": ["core-w", "segregated-w", "shared-w", "standalone-w"],
            "tgw-attach": {
              "associate-to-tgw": "Main",
              "account": "shared-network",
              "region": "${HOME_REGION}",
              "tgw-rt-associate-local": [],
              "tgw-rt-associate-remote": []
            },
            "tgw-routes": []
          }
  • If we manually approve the peering connection, change the config to the following, and rerun the SM:
              "tgw-rt-associate-local": ["core-w"],
              "tgw-rt-associate-remote": ["shared"]
  • the SM succeeds, BUT it DROPS the east-to-central TGW association when it creates the west-to-central TGW association
  • PR needs reworking.

Brian969 avatar Feb 08 '22 18:02 Brian969
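The collision argument in the PR description, and the three-region layout from the review comment above, can be checked mechanically. The following TypeScript is an added example written for this page; it is not ASEA code. It assumes the construct ID has the shape `tgw_associate_<tgw name>_<route table>` as quoted in the PR description, and that local and remote route-table names are both run through that pattern; the three TGW definitions (`Main` in ca-central-1, `East` in us-east-1, `West` in us-west-1, the two peers each associating the remote `core` table) are constructed for the example.

```typescript
// Added example, not ASEA code: model the association construct-ID naming
// from the PR description and check it for duplicates across all TGWs.

interface TgwAttach {
  associateToTgw: string;      // "associate-to-tgw": name of the remote TGW
  rtAssociateLocal: string[];  // "tgw-rt-associate-local"
  rtAssociateRemote: string[]; // "tgw-rt-associate-remote"
}

interface TgwConfig {
  name: string;   // local TGW name
  region: string;
  attach?: TgwAttach;
}

// Which TGW name is embedded in the construct ID: the remote one (the
// approach #855 suggested) or the local one (the approach this PR takes).
type NamingStrategy = 'remote' | 'local';

// Construct IDs for every route-table association of one TGW's attachment.
// The "tgw_associate_<name>_<rt>" shape is taken from the PR description;
// combining local and remote tables into one list is an assumption here.
function associationIds(tgw: TgwConfig, strategy: NamingStrategy): string[] {
  if (!tgw.attach) return [];
  const tgwName = strategy === 'remote' ? tgw.attach.associateToTgw : tgw.name;
  const tables = [...tgw.attach.rtAssociateLocal, ...tgw.attach.rtAssociateRemote];
  return tables.map(rt => `tgw_associate_${tgwName}_${rt}`);
}

// IDs that would be generated more than once across all TGWs, sorted.
// An empty result means every association gets a unique construct ID.
function findCollisions(tgws: TgwConfig[], strategy: NamingStrategy): string[] {
  const seen = new Map<string, number>();
  for (const tgw of tgws) {
    for (const id of associationIds(tgw, strategy)) {
      seen.set(id, (seen.get(id) ?? 0) + 1);
    }
  }
  return Array.from(seen.entries())
    .filter(([, count]) => count > 1)
    .map(([id]) => id)
    .sort();
}

// Constructed sample layout: a hub TGW and two peers that both associate
// the hub's "core" route table (the case the PR description warns about).
const sampleTgws: TgwConfig[] = [
  { name: 'Main', region: 'ca-central-1' },
  {
    name: 'East', region: 'us-east-1',
    attach: { associateToTgw: 'Main', rtAssociateLocal: ['core-e'], rtAssociateRemote: ['core'] },
  },
  {
    name: 'West', region: 'us-west-1',
    attach: { associateToTgw: 'Main', rtAssociateLocal: ['core-w'], rtAssociateRemote: ['core'] },
  },
];

console.log('collisions with remote TGW name:', findCollisions(sampleTgws, 'remote'));
console.log('collisions with local TGW name: ', findCollisions(sampleTgws, 'local'));
```

With the remote name, both peers produce `tgw_associate_Main_core` and the checker reports it; with the local name, the IDs are `tgw_associate_East_core` and `tgw_associate_West_core` and the list is empty. A check like this is cheap to run over a full config before a state-machine run, which matters because, as the review comment shows, an ID-level problem may only surface as one association silently replacing another once a third TGW is added.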

Thank you for contributing to ASEA. Note that customers should look at using Landing Zone Accelerator on AWS (LZA). We're currently only merging security and critical bug fixes. However, all ASEA PRs and Issues are noted by the LZA team while developing that solution. Thank you!

archikierstead avatar Feb 23 '23 19:02 archikierstead