Open Cupidazul opened 10 months ago
@Cupidazul Thanks for diving deep and sharing your feedback.
For Items 1, 2, 3 - We have added this new use case to our backlog and will review in the next release.
For Item 4, the use case is to protect the route changes for TGW route tables that have approval required. We have added a backlog item to require approval if the tag was removed. However, not sure if we can add deletion protection. The user/roles in the spoke account or even SCPs should be implemented to deny VPC attachment deletion permissions.
For Item 5, as per design, you should be able to update the tags and it will trigger the workflow to update the association or propagation. Please advise if update is not working for you with the steps on how to duplicate the issue. It would be best to open a support case for this item if necessary.
For item 6, as per design, the attachment API requires at least one subnet ID. Tagging a VPC first can't create attachments. To start the attachment workflow, you must tag the VPC first, then the subnets. We can consider improving the UI experience by hiding the Approve/Reject button for the VPC change item in the table to avoid confusion. To append a new subnet to the attachment, they should be approved individually.
For item 7, this is outside the scope of the use cases and will not be supported as a feature for STNO.
Thanks again for reaching out to us.
Feature request?
We have been using STNO for some time now, it's awesome, but only now we detected this behaviour.
STNO does all the glue from Spoke to Hub Accounts, most importantly:
Behind the scenes, the CIDRs that are configured on the VPC get propagated to the routing tables that the Attachment is set to propagate into. *1
Within the STNO Portal we only see one CIDR to be approved (probably only the first VPC CIDR).
In our LandingZone environment we have been experiencing these symptoms:
*1: This is in line with the public documentation here: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html#tgw-route-propagation-overview, quoting from the same documentation: "For a VPC attachment, the CIDR blocks of the VPC are propagated to the transit gateway route table." (Notice the "s" in CIDR blocks.)
Suggestions:
We thank you for your thoughts; any feedback or anything else that helps us is appreciated very much.
Thanks and keep up the good work guys...
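An added example (not part of this thread or of STNO) of the check an approver can run before accepting an attachment: it lists every associated IPv4 CIDR of the VPC, not only the one the portal shows, compares that with the propagated routes already in the TGW route table, and reports the CIDRs that will propagate without ever having been presented for approval. It operates on the dict shapes returned by EC2 `describe_vpcs` and `search_transit_gateway_routes`; the VPC id, CIDRs and routes below are constructed for the example, so it runs offline.

```python
# Constructed describe_vpcs record: primary CIDR plus two secondary CIDRs,
# one of which has not finished associating.
VPC = {
    "VpcId": "vpc-0example",
    "CidrBlock": "10.10.0.0/16",
    "CidrBlockAssociationSet": [
        {"CidrBlock": "10.10.0.0/16", "CidrBlockState": {"State": "associated"}},
        {"CidrBlock": "100.64.0.0/22", "CidrBlockState": {"State": "associated"}},
        {"CidrBlock": "10.11.0.0/16", "CidrBlockState": {"State": "associating"}},
    ],
}

# Constructed search_transit_gateway_routes output for one TGW route table.
TGW_ROUTES = [
    {"DestinationCidrBlock": "10.10.0.0/16", "Type": "propagated",
     "TransitGatewayAttachments": [{"ResourceId": "vpc-0example"}]},
    {"DestinationCidrBlock": "100.64.0.0/22", "Type": "propagated",
     "TransitGatewayAttachments": [{"ResourceId": "vpc-0example"}]},
    {"DestinationCidrBlock": "10.20.0.0/16", "Type": "propagated",
     "TransitGatewayAttachments": [{"ResourceId": "vpc-0other"}]},
]


def vpc_cidrs(vpc):
    """Every IPv4 CIDR of the VPC that will propagate, not only the primary.
    Only associations in state 'associated' count."""
    return sorted(a["CidrBlock"] for a in vpc.get("CidrBlockAssociationSet", [])
                  if a["CidrBlockState"]["State"] == "associated")


def propagated_from(routes, vpc_id):
    """CIDRs the route table already holds as propagated routes from vpc_id."""
    return sorted(r["DestinationCidrBlock"] for r in routes
                  if r.get("Type") == "propagated"
                  and any(a.get("ResourceId") == vpc_id
                          for a in r.get("TransitGatewayAttachments", [])))


def approval_gap(vpc, shown_for_approval):
    """CIDRs that will propagate but were never presented for approval."""
    return sorted(set(vpc_cidrs(vpc)) - set(shown_for_approval))


if __name__ == "__main__":
    print("will propagate:", vpc_cidrs(VPC))
    print("already in TGW table:", propagated_from(TGW_ROUTES, VPC["VpcId"]))
    print("never shown to approver:", approval_gap(VPC, ["10.10.0.0/16"]))
```

With live data, feed the `Vpcs[0]` element of `describe_vpcs` and the `Routes` list of `search_transit_gateway_routes` into the same functions.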