hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_ec2_transit_gateway_route_table_association fails because aws_ec2_transit_gateway object not yet created #21255

Closed ghost closed 1 year ago

ghost commented 3 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

% terraform -v
Terraform v1.0.8
on darwin_amd64

Providers:

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = ">= 3.62"
    http = ">= 2.1.0"
  }
}

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

See https://github.com/grf5/f5-bigip-aws-tgw-lambda-failover

Debug Output

https://gist.github.com/grf5/efdc3595e8eba0c50bec2874e3d98059

Panic Output

Not applicable.

Expected Behavior

The AWS provider should have paused the route_table association until the transit gateway was fully deployed, or retried until done so.

Actual Behavior

Terraform barked that the tgw doesn't yet exist and exited.

Steps to Reproduce

  1. Clone the repository listed above.
  2. Copy "admin.auto.tfvars.example" to "admin.auto.tfvars" and substitute any necessary variables (optional).
  3. Add AWS environment credentials to your Terraform environment.
  4. Run "setup.sh"

Important Factoids

References

None

justinretzolk commented 3 years ago

Hey @grf5 👋 Thank you for taking the time to file this issue! It looks like the debug output may have cut off before the end, so I'm not seeing what Terraform actually output at the end. Would you mind updating with that information as well so we can get a better idea of exactly what Terraform output at the end of the apply?

ghost commented 3 years ago

@justinretzolk,

I believe this should contain the full log:

https://gist.githubusercontent.com/grf5/efdc3595e8eba0c50bec2874e3d98059/raw/fb01b936202c9855ead94398c3788df7a98cf1f5/terraform.log

mattburgess commented 3 years ago

Hey @grf5 - the problem appears to be in the creation of the route itself:

2021-10-12T12:46:22.435-0400 [INFO]  provider.terraform-provider-aws_v3.62.0_x5: 2021/10/12 12:46:22 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/CreateRoute Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store
Content-Type: text/xml;charset=UTF-8
Date: Tue, 12 Oct 2021 16:46:22 GMT
Server: AmazonEC2
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: accept-encoding
X-Amzn-Requestid: 58039ad3-b559-4f76-935b-3ad6ae27b02c

-----------------------------------------------------: timestamp=2021-10-12T12:46:22.435-0400
2021-10-12T12:46:22.436-0400 [INFO]  provider.terraform-provider-aws_v3.62.0_x5: 2021/10/12 12:46:22 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidGatewayID.NotFound</Code><Message>The gateway ID 'tgw-0d73655633958cad8' does not exist</Message></Error></Errors><RequestID>58039ad3-b559-4f76-935b-3ad6ae27b02c</RequestID></Response>: timestamp=2021-10-12T12:46:22.435-0400
2021-10-12T12:46:22.436-0400 [INFO]  provider.terraform-provider-aws_v3.62.0_x5: 2021/10/12 12:46:22 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ec2/CreateRoute failed, attempt 0/25, error InvalidGatewayID.NotFound: The gateway ID 'tgw-0d73655633958cad8' does not exist
    status code: 400, request id: 58039ad3-b559-4f76-935b-3ad6ae27b02c: timestamp=2021-10-12T12:46:22.435-0400

And although not exactly obvious, it appears to be correct! If you look at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route there's a warning about how forgiving the AWS API is in regard to passing in a gateway_id when a non-internet gateway was intended. If you try changing https://github.com/grf5/f5-bigip-aws-tgw-lambda-failover/blob/main/terraform/main.tf#L259 and similar places in that file from gateway_id to transit_gateway_id then I think things might improve.

ghost commented 3 years ago

@mattburgess, you are correct. Thanks for pointing this out! Probably better if this eventually warns or fails when using the mismatched value, but I'll take your correct answer. Thanks for your help!

mattburgess commented 3 years ago

@justinretzolk - whilst looking at those docs, I also wondered, like @grf5, if there was any plan-time validation that could be done here as a quality-of-life improvement. The only thing I can think of is to put a ValidateFunc on each of the route target attributes that checks whether the prefix of the id matches with what we'd expect, e.g. for a gateway_id we'd expect it to be igw- or vgw-. I'm not sure how brittle that might be, and I also think it might be a 4.0 candidate as it has the potential to reject Terraform config that has previously been accepted by both TF & the AWS API. I'm happy to give this a go though, if you think there's enough value in it.
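The prefix check proposed in the comment above, sketched as an added example that is not part of the thread and not the provider's own code. The prefix table and the names `routeTargetPrefixes`, `attributeFor` and `ValidateRouteTarget` are assumptions; the function only mirrors the `(value, key) -> (warnings, errors)` shape of a Terraform SDK ValidateFunc and imports nothing from the SDK.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// routeTargetPrefixes maps aws_route target arguments to the ID prefixes
// expected for them. Assumed table for illustration; the prefixes are
// disjoint, so an ID matches at most one argument.
var routeTargetPrefixes = map[string][]string{
	"gateway_id":                {"igw-", "vgw-"},
	"transit_gateway_id":        {"tgw-"},
	"nat_gateway_id":            {"nat-"},
	"vpc_peering_connection_id": {"pcx-"},
	"network_interface_id":      {"eni-"},
}

// attributeFor returns the argument whose prefixes match id, or "" if none.
func attributeFor(id string) string {
	for attr, prefixes := range routeTargetPrefixes {
		for _, p := range prefixes {
			if strings.HasPrefix(id, p) {
				return attr
			}
		}
	}
	return ""
}

// ValidateRouteTarget rejects an ID whose prefix does not fit argument k and
// names the argument the ID appears to belong to.
func ValidateRouteTarget(v interface{}, k string) (warns []string, errs []error) {
	id, ok := v.(string)
	want, known := routeTargetPrefixes[k]
	if !ok || id == "" || !known {
		return nil, nil // nothing to check for this argument
	}
	owner := attributeFor(id)
	if owner == k {
		return nil, nil
	}
	msg := fmt.Sprintf("%s = %q: expected an ID starting with %s", k, id, strings.Join(want, " or "))
	if owner != "" {
		msg += "; this ID belongs in " + owner
	}
	return nil, []error{errors.New(msg)}
}

func main() {
	// The transit gateway ID from the log above, passed as gateway_id.
	_, errs := ValidateRouteTarget("tgw-0d73655633958cad8", "gateway_id")
	fmt.Println(errs)
}
```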

github-actions[bot] commented 1 year ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 11 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.