terraform-provider-aws

error associating EC2 Transit Gateway Route Table () association MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.

Open dmartinezrubio opened this issue 4 years ago • 21 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.25

  • provider.aws v2.62.0

Affected Resource(s)

  • aws_ec2_transit_gateway
  • aws_ec2_transit_gateway_vpc_attachment
  • aws_ec2_transit_gateway_route_table
  • aws_ec2_transit_gateway_route_table_association
  • aws_ec2_transit_gateway_route_table_propagation

Terraform Configuration Files

#create transit gateway
resource "aws_ec2_transit_gateway" "tgw" {
  description                     = "tgw sec_vpc con el resto de vpc"
  auto_accept_shared_attachments  = "disable"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  dns_support                     = "enable"

  tags = {
    Name = "TGW"
  }
}

#route tables for vpc sec
resource "aws_ec2_transit_gateway_route_table" "sec" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id

  tags = {
    Name = "tgw-routetable-sec"
  }
}

#route tables for vpc spoke
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id

  tags = {
    Name = "tgw-routetable-spoke"
  }
}

resource "aws_ec2_transit_gateway_route_table_association" "sec" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.sec.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

#propagation for vpc sec
resource "aws_ec2_transit_gateway_route_table_propagation" "sec" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.sec.id
}

#propagation for vpc spoke
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

#create attachment-TGW against vpc sec where are both firewalls
resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw" {
  vpc_id             = aws_vpc.sec-vpc.id
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  subnet_ids         = ["${aws_subnet.private-fw-a.id}","${aws_subnet.private-fw-b.id}"]

  tags = {
    Name = "sec-vpc-attachment"
  }
}

#create attachment-TGW against vpc spoke
resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc" {
  vpc_id             = aws_vpc.spoke-vpc.id
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  subnet_ids         = ["${aws_subnet.spoke-private-eu-west-1a.id}","${aws_subnet.spoke-private-eu-west-1b.id}"]

  tags = {
    Name = "spoke-vpc-attachment"
  }
}

Debug Output

aws_ec2_transit_gateway.tgw: Still creating... [20s elapsed]
aws_ec2_transit_gateway.tgw: Creation complete after 29s [id=tgw-0da9fc5cbcacd209f]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Creating...
aws_ec2_transit_gateway_route_table.sec: Creating...
aws_route_table.RT-sec-private: Creating...
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Creating...
aws_ec2_transit_gateway_route_table.spoke: Creating...
aws_route_table.RT-spoke-private: Creating...
aws_route_table.RT-spoke-private: Creation complete after 5s [id=rtb-0c75eac891a00bc97]
aws_route_table_association.RT-spoke-private-1: Creating...
aws_route_table_association.RT-spoke-private-2: Creating...
aws_route_table.RT-sec-private: Creation complete after 5s [id=rtb-0fa3f0fa9f5cbb628]
aws_route_table_association.private-RT-to-private-fwb: Creating...
aws_route_table_association.private-RT-to-private-fwa: Creating...
aws_route_table_association.RT-spoke-private-1: Creation complete after 0s [id=rtbassoc-088f420d556aff315]
aws_route_table_association.RT-spoke-private-2: Creation complete after 0s [id=rtbassoc-0af2dc2d7d7a550b6]
aws_route_table_association.private-RT-to-private-fwb: Creation complete after 1s [id=rtbassoc-0ba4618eafbeaa106]
aws_route_table_association.private-RT-to-private-fwa: Creation complete after 1s [id=rtbassoc-09b7b10e3f3513c28]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [10s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [10s elapsed]
aws_ec2_transit_gateway_route_table.sec: Still creating... [10s elapsed]
aws_ec2_transit_gateway_route_table.spoke: Still creating... [10s elapsed]
aws_ec2_transit_gateway_route_table.sec: Creation complete after 18s [id=tgw-rtb-018763c896b996c5f]
aws_ec2_transit_gateway_route_table.spoke: Creation complete after 18s [id=tgw-rtb-0b3af9d21519828ce]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [20s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [20s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [30s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [30s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [40s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [40s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [50s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [50s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [1m0s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [1m0s elapsed]

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-04643cc2db9804f8e) Route Table () association: error associating EC2 Transit Gateway Route Table () association (tgw-attach-04643cc2db9804f8e): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId. status code: 400, request id: d3dd5ecc-0cc3-46ff-91c5-a57ed82d451e

  on tgw.tf line 54, in resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw":
  54: resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw" {

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-05517f0cda4c2eaa7) Route Table () association: error associating EC2 Transit Gateway Route Table () association (tgw-attach-05517f0cda4c2eaa7): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId. status code: 400, request id: 3dd083bc-0b6c-42b1-b25f-163c8494e0ab

  on tgw.tf line 63, in resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc":
  63: resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc" {

Expected Behavior

EC2 Transit Gateway VPC Attachment should be created without error.

Actual Behavior

It fails. All of the infrastructure is built correctly:

  a. transit gw
  b. transit gw attachment without an associated route table
  c. transit gw route tables are built without associations, propagations and routes (related to the error)

Steps to Reproduce

  1. terraform apply

Important Factoids

References

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayRouteTableAssociations.html

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayRouteTablePropagations.html

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayVpcAttachments.html

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayVpcAttachment.html

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateTransitGatewayRouteTable.html

dmartinezrubio avatar May 27 '20 11:05 dmartinezrubio

@dmartinezrubio Thanks for reporting this.

In this case it seems that transitGateway.Options.AssociationDefaultRouteTableId is nil:

https://github.com/terraform-providers/terraform-provider-aws/blob/98df32df0b341acc1673ce21355662c3c4facb4b/aws/resource_aws_ec2_transit_gateway_vpc_attachment.go#L119

Could you paste the HCL for the aws_ec2_transit_gateway resources?

ewbankkit avatar May 27 '20 11:05 ewbankkit

sorry, it's my first time...how can I get the HCL for the aws_ec2_transit_gateway resources?

dmartinezrubio avatar May 27 '20 11:05 dmartinezrubio

The HCL code I attached at the beginning of my post

dmartinezrubio avatar May 27 '20 12:05 dmartinezrubio

@dmartinezrubio Yes, it is there at the top, sorry didn't see it initially; Thanks.

ewbankkit avatar May 27 '20 13:05 ewbankkit

OK, any kind of help will be good! I spent the last 3 days testing and trying to solve it.

dmartinezrubio avatar May 27 '20 13:05 dmartinezrubio

I can reproduce this in our acceptance tests (TestAccAWSEc2TransitGatewayVpcAttachment_TransitGatewayDefaultRouteTableAssociationAndPropagationDisabled) if I set transit_gateway_default_route_table_association = true (the default). I'll dive deeper...

ewbankkit avatar May 27 '20 17:05 ewbankkit

If I modify this value to "enable" I receive the following error:

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-0fc5b0c0d16ae0c16) Route Table () propagation: error enabling EC2 Transit Gateway Attachment (tgw-attach-0fc5b0c0d16ae0c16) propagation to Route Table (): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId. status code: 400, request id: 060a5d61-b6a3-4088-a554-ee4c6fcaf32b

  on tgw.tf line 54, in resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw":
  54: resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw" {

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-0bb9b82e65ad400f3) Route Table () propagation: error enabling EC2 Transit Gateway Attachment (tgw-attach-0bb9b82e65ad400f3) propagation to Route Table (): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId. status code: 400, request id: d2225b44-01f7-4780-ad6f-532dd1d3f2aa

  on tgw.tf line 63, in resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc":
  63: resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc" {

dmartinezrubio avatar May 27 '20 20:05 dmartinezrubio

@dmartinezrubio For your Transit Gateway

resource "aws_ec2_transit_gateway" "tgw" {
  description                     = "tgw sec_vpc con el resto de vpc"
  auto_accept_shared_attachments  = "disable"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  dns_support                     = "enable"

  tags = {
    Name = "TGW"
  }
}

disabling both default route table association and propagation means that no TGW default route table is created, so the VPC attachment

resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw" {
  vpc_id             = aws_vpc.sec-vpc.id
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  subnet_ids         = ["${aws_subnet.private-fw-a.id}","${aws_subnet.private-fw-b.id}"]

  tags = {
    Name = "sec-vpc-attachment"
  }
}

and tgw-att-spoke-vpc should have transit_gateway_default_route_table_association = false and transit_gateway_default_route_table_propagation = false (the default for both these attributes is true).

Alternatively you can enable both default_route_table_association and default_route_table_propagation in the TGW.

ewbankkit avatar May 27 '20 21:05 ewbankkit

We probably should change the code so that transit_gateway_default_route_table_propagation and transit_gateway_default_route_table_association have no effect if the transit gateway has no equivalent default route table.

ewbankkit avatar May 27 '20 21:05 ewbankkit

That was my original idea, but if I configure my TGW with default_route_table_association = "enable" & default_route_table_propagation = "enable" and both attachments with transit_gateway_default_route_table_association = false & transit_gateway_default_route_table_propagation = false... everything is deployed, but in "transit gw route table" 3 route tables are created [screenshot]. I don't want the first one (the route table without a name) and I don't know how to remove it in HCL:


dmartinezrubio avatar May 28 '20 08:05 dmartinezrubio

@dmartinezrubio That unnamed route table is the TGW's default route table, created implicitly when default_route_table_association = "enable" or default_route_table_propagation = "enable".

Did you try with default_route_table_propagation = "disable", default_route_table_association = "enable" and transit_gateway_default_route_table_association = false, transit_gateway_default_route_table_propagation = false on the VPC attachments?

ewbankkit avatar May 28 '20 17:05 ewbankkit

Same result, except that the unnamed RT now has "no" in default propagation RT. [screenshot]

dmartinezrubio avatar May 28 '20 17:05 dmartinezrubio

I solved it. The combination is all disable in Transit Gateway and transit_gateway_default_route_table_association = false, transit_gateway_default_route_table_propagation = false on the VPC attachments

Now I've to solve other questions like the propagations in every attachment but I hope to solve it

Regards

dmartinezrubio avatar May 28 '20 18:05 dmartinezrubio

is it possible in "aws_ec2_transit_gateway_route_table_propagation" to attach 2 "transit_gateway_attachment_id" & 2 "transit_gateway_route_table_id"?

dmartinezrubio avatar Jun 22 '20 10:06 dmartinezrubio

Example: (it fails)

resource "aws_ec2_transit_gateway_route_table_propagation" "sec" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.sec.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

dmartinezrubio avatar Jun 22 '20 10:06 dmartinezrubio
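
The combination reported as working above, together with the propagation question, as an added example that is not from the thread or from the provider's documentation. Each aws_ec2_transit_gateway_route_table_propagation resource takes exactly one transit_gateway_attachment_id and one transit_gateway_route_table_id, so several pairs are expressed as several resource instances. The variable vpcs, the resource label this, the local propagations and the choice to propagate sec and spoke into each other's route table are assumptions made for illustration.

```hcl
# Added example: assumed names throughout (var.vpcs, "this", local.propagations).
variable "vpcs" {
  description = "VPCs to attach, keyed by role; this example expects the keys sec and spoke"
  type = map(object({
    vpc_id     = string
    subnet_ids = list(string)
  }))
}

resource "aws_ec2_transit_gateway" "tgw" {
  description                    = "segmented TGW"
  auto_accept_shared_attachments = "disable"
  dns_support                    = "enable"

  # With both disabled the TGW has no default route table.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
  for_each           = var.vpcs
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id

  # Both attributes default to true. Left at true against a TGW without a
  # default route table, the apply fails with
  # "MissingParameter: ... TransitGatewayRouteTableId".
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = {
    Name = "${each.key}-vpc-attachment"
  }
}

resource "aws_ec2_transit_gateway_route_table" "this" {
  for_each           = var.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id

  tags = {
    Name = "tgw-routetable-${each.key}"
  }
}

# One association per attachment: the route table used for traffic arriving
# from that attachment.
resource "aws_ec2_transit_gateway_route_table_association" "this" {
  for_each                       = var.vpcs
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.this[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.this[each.key].id
}

# One propagation resource instance per (attachment, route table) pair.
locals {
  propagations = {
    sec-into-spoke = { attachment = "sec", route_table = "spoke" }
    spoke-into-sec = { attachment = "spoke", route_table = "sec" }
  }
}

resource "aws_ec2_transit_gateway_route_table_propagation" "this" {
  for_each                       = local.propagations
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.this[each.value.attachment].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.this[each.value.route_table].id
}
```

With the TGW defaults disabled, an attachment added later gets no association or propagation until one is declared here, so every path between VPCs is visible in the plan.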

the same issue

yongzhang avatar Jan 05 '21 02:01 yongzhang

I solved it. The combination is all disable in Transit Gateway and transit_gateway_default_route_table_association = false, transit_gateway_default_route_table_propagation = false on the VPC attachments

Now I've to solve other questions like the propagations in every attachment but I hope to solve it

Regards

FYI: This will not work if the TGW is shared (RAM)

rmasclef avatar Mar 03 '21 15:03 rmasclef

Works by adding:

  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

Maybe first steps would be to improve the documentation around this, I can help on it if you guys would like!

dbgoytia avatar Jul 28 '21 01:07 dbgoytia

How do you handle this if you don't have a default transit gateway route table? Ours has 3 separate non-default route tables. One of which is for incoming peering attachments where all VPC's get propagated and peering attachments are associated. Then we have environment specific route tables where VPC's are associated & propagated after attachment.

With enable/disable as only option for transit_gateway_default_route_table_association and transit_gateway_default_route_table_propagation I can't enable and then specify the incoming route table for attachment propagation. It only assumes there is a default route table not letting you specify any other route table.

In fact if you try to enable it once they are disabled you get a warning that it needs to replace the TGW.

    # aws_ec2_transit_gateway.tgw_sa_east_1 must be replaced
    -/+ resource "aws_ec2_transit_gateway" "tgw_sa_east_1" {
    .
    .
        ~ default_route_table_association    = "disable" -> "enable" # forces replacement
        ~ default_route_table_propagation    = "disable" -> "enable" # forces replacement

Whereas in the UI or CLI you have the option to specify the ID

         DefaultRouteTableAssociation -> (string)
              Enable or disable automatic association with the default associ-
              ation route table.

          AssociationDefaultRouteTableId -> (string)
              The ID of the default association route table.

          DefaultRouteTablePropagation -> (string)
              Enable or disable automatic propagation of routes to the default
              propagation route table.

          PropagationDefaultRouteTableId -> (string)
              The ID of the default propagation route table.

These options let me specify the Id of the route table I want to be the default for either association or propagation.

geof2001 avatar Jun 16 '22 02:06 geof2001

To add to this: If you keep the TGW configuration as:

resource "aws_ec2_transit_gateway" "tgw_euw_3" {
  description                     = var.tgw_desc
  dns_support                     = "enable"
  default_route_table_association = "disable" 
  default_route_table_propagation = "disable"
  tags = {
    Name = var.tgw_name_tag
  }
}

So both parameters are on disable on the TGW resources, this is because otherwise if you create a VPC attachment it will automatically connect itself to the default route table and route table propagation. This causes an issue that if you create a VPC attachment later down the line, the resource will fail, because Terraform cannot remove it from the default and apply the new route table at the same time.

Now if you deploy the TGW like above, you also have to deploy your VPC attachment like this:

resource "aws_ec2_transit_gateway_vpc_attachment" "infra-test-attachment" {

  subnet_ids                                      = [aws_subnet.eu-west-3a-private.id]
  transit_gateway_id                              = local.tgw_id
  vpc_id                                          = aws_vpc.default.id
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = {
    Name    = var.tgw_info.0
    Side    = var.tgw_info.1
    Project = var.tgw_info.2
  }
}

Otherwise it will give you this error:

MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.

This is telling the module that there is no default route table to attach to, so you need the above on disabled

But you are still not out of the woods: Because each time you plan your environment via terraform, the following will show up:

Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply":
  # aws_ec2_transit_gateway_vpc_attachment.vpc_first_attachment has changed
  ~ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_first_attachment" {
        id                                              = "tgw-attach-1234567890"
      + tags                                            = {}
        # (10 unchanged attributes hidden)
    }
  # aws_ec2_transit_gateway_vpc_attachment.vpc_second_attachment has changed
  ~ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_second_attachment" {
        id                                              = "tgw-attach-1234567890
      + tags                                            = {}
        # (10 unchanged attributes hidden)
    }
Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

yannickvranckx avatar Jul 05 '22 08:07 yannickvranckx

This worked

vedimuthan avatar Sep 21 '22 05:09 vedimuthan