hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

DuplicateTransitGatewayAttachment: has non-deleted Transit Gateway Attachments with same VPC ID. #10852

Open ryanmckeague opened 4 years ago

ryanmckeague commented 4 years ago

Terraform Version

0.11.11

Affected Resource(s)

aws_ec2_transit_gateway_vpc_attachment

Terraform Configuration Files

VPC module in use: https://github.com/terraform-aws-modules/terraform-aws-vpc

module "vpc" {
  source = "/terraform-aws-vpc"

  #version = "1.72.0"

  name                 = "dalet-${var.env}"
  cidr                 = "10.0.0.0/16"
  azs                  = ["us-east-1a", "us-east-1b"]
  private_subnets      = ["10.0.1.0/24"]
  database_subnets     = ["10.0.2.0/24", "10.0.3.0/24"]                 #NOTE: 2x or more subnets are required
  intra_subnets        = ["10.0.4.0/24", "10.0.5.0/24"]
  enable_nat_gateway   = false
  enable_dns_hostnames = true
  enable_dns_support   = true

  enable_s3_endpoint   = true

  enable_monitoring_endpoint              = true
  monitoring_endpoint_private_dns_enabled = false
  monitoring_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
  enable_logs_endpoint                    = true
  logs_endpoint_private_dns_enabled       = false
  logs_endpoint_security_group_ids        = ["${data.aws_security_group.default.id}"]
  enable_events_endpoint                  = true
  events_endpoint_private_dns_enabled     = false
  events_endpoint_security_group_ids      = ["${data.aws_security_group.default.id}"]

  enable_cloudtrail_endpoint              = true
  cloudtrail_endpoint_private_dns_enabled = false
  cloudtrail_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]

  enable_ssm_endpoint              = true
  ssm_endpoint_private_dns_enabled = false
  ssm_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]

  enable_ssmmessages_endpoint              = true
  ssmmessages_endpoint_private_dns_enabled = false
  ssmmessages_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]

}
data "aws_ec2_transit_gateway" "tgw_us_east_1" {
  id = "tgw-#############"
}
# One attachment per AZ, each referencing the same VPC (this is what triggers the error)
resource "aws_ec2_transit_gateway_vpc_attachment" "intra_az1_tgw_attachment" {
  count              = "${length(module.vpc.azs)}"
  subnet_ids         = ["${module.vpc.intra_subnets[count.index]}"]
  transit_gateway_id = "${data.aws_ec2_transit_gateway.tgw_us_east_1.id}"
  vpc_id             = "${module.vpc.vpc_id}"
}

Expected Behavior

2x Transit Gateway attachments should have been made, 1x to each subnet ID (each in a different AZ) defined in intra_subnets.

Actual Behavior

Error due to the VPC ID being the same for each Transit Gateway attachment. The VPC ID should be the same, as the attachments are being made to 2x separate AZs within the same VPC.

Steps to Reproduce

  1. terraform apply

Important Factoids

Running TF v0.11.11, as that is required by the TFE version it will be deployed to.

jason-mclaughlin-sp commented 4 years ago

If I understand what you're attempting to do (create two transit gateway attachments on a single VPC to the same transit gateway), that's not supported in AWS. While a VPC can have up to 5 transit gateway attachments, you can only have one attachment between the same VPC and transit gateway pair.

devopseze commented 4 years ago

An error occurred (DuplicateTransitGatewayAttachment) when calling the CreateTransitGatewayVpcAttachment operation: tgw-08ab8b4becc0f50e4 has non-deleted Transit Gateway Attachments with same VPC ID. Please look into where the issue is coming from.

sergey-safarov commented 4 years ago

When you attach a VPC to a transit gateway, you must specify one subnet from each Availability Zone to be used by the transit gateway to route traffic. Specifying one subnet from an Availability Zone enables traffic to reach resources in every subnet in that Availability Zone.

https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html
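The two comments above together describe the fix: a single attachment for the VPC/TGW pair, with one subnet from each AZ listed in subnet_ids. The following is an added example, not the reporter's code; it assumes the "vpc" module and the "tgw_us_east_1" data source from the issue, and uses Terraform 0.11 interpolation syntax to match the reported version.

```hcl
# Added example (not from the issue): one attachment per VPC/TGW pair.
# Assumes module.vpc and data.aws_ec2_transit_gateway.tgw_us_east_1
# from the reporter's configuration (Terraform 0.11 syntax).
resource "aws_ec2_transit_gateway_vpc_attachment" "intra_tgw_attachment" {
  # No count here: a second attachment for the same VPC and transit
  # gateway is rejected with DuplicateTransitGatewayAttachment.
  transit_gateway_id = "${data.aws_ec2_transit_gateway.tgw_us_east_1.id}"
  vpc_id             = "${module.vpc.vpc_id}"

  # intra_subnets holds 10.0.4.0/24 (us-east-1a) and 10.0.5.0/24
  # (us-east-1b). Passing the whole list gives the transit gateway
  # one subnet in each AZ, which is what the TGW docs require;
  # the 0.11 list-in-list form flattens to a plain list of IDs.
  subnet_ids = ["${module.vpc.intra_subnets}"]

  tags = {
    Name = "dalet-${var.env}-intra-tgw-attachment"
  }
}
```

With a single attachment, traffic from every subnet in us-east-1a and us-east-1b can reach the transit gateway, so the per-AZ count loop in the original configuration is not needed.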

udxiaoxin commented 2 years ago

I have the same issue in my Terraform code: Terraform tries to create a new TGW attachment that already exists in our AWS account. We tried to import the duplicated attachment, but then Terraform tries to delete and recreate the attachment.

I have tried manually changing the attributes of the existing attachment to match it. They are exactly the same.

The AWS provider version is 3.73.0.

Any thoughts?