hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Support for TGW intra-region peering #28500

Open igoratencompass opened 1 year ago

igoratencompass commented 1 year ago

Description

At the moment creating a TGW peering attachment between two TGWs in the same region is not possible to achieve. There are some workarounds mentioned in #23828 and a couple of other linked issues there, but none of them works, for one reason or another.

The crux of the problem is the lack of the Peering Attachment ID of the Accepter in the attributes of the ec2_transit_gateway_peering_attachment resource. This then makes it impossible to unambiguously discover it via the ec2_transit_gateway_peering_attachment data source, due to the limited filtering options provided by the AWS API -- think many peering attachments already present or being created in parallel for the same Requesting TGW but different Accepters in the region.

Affected Resource(s) and/or Data Source(s)

ec2_transit_gateway_peering_attachment

Potential Terraform Configuration

The ec2_transit_gateway_peering_attachment resource should utilize the AWS API outputs as per the AWS CLI documentation, where we can see

TransitGatewayAttachmentId -> (string)
    The ID of the transit gateway peering attachment.

AccepterTransitGatewayAttachmentId -> (string)
    The ID of the accepter transit gateway attachment.

that the Accepter TGW Attachment ID AccepterTransitGatewayAttachmentId is being returned to the caller amongst a slew of other information about the created resources.

References

This has already been raised once before in https://github.com/hashicorp/terraform-provider-aws/issues/23828 but was closed without any resolution. There is a comment left about a possible fix in provider version 4.22.0 that never got released, by the looks of it: https://github.com/hashicorp/terraform-provider-aws/blob/v4.22.0/CHANGELOG.md

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

idolbni commented 1 year ago

That issue says AWS provider v4.22 should resolve it, but it is not the case. When the accepter-side tgw-attachment is created it has no tags and no local peering tgw id fields to filter on - a limitation of the AWS provider.

We need a way to use proper filters to identify the accepter-side tgw attachment id, or better, the accepter resource should allow using the local peering attachment ID. For now the workaround which worked for me is to use filters:


# Accepter-side lookup: the only usable selectors are the peer TGW id and the
# attachment state (no tags and no local peering id are available to filter on).
data "aws_ec2_transit_gateway_peering_attachment" "accepter" {
  filter {
    name   = "transit-gateway-id"
    values = [aws_ec2_transit_gateway_peering_attachment.original_local_attachment.peer_transit_gateway_id]
  }
  filter {
    name   = "state"
    values = ["pendingAcceptance"]
  }
}

But obviously after deployment that data structure finds nothing and throws an error.

Also it looks like the AWS API should return accepterTransitGatewayAttachmentId (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TransitGatewayPeeringAttachment.html), but it is not being used by the Terraform AWS provider.
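The following is an added Python example, not provider code and not posted by anyone in this thread. It models the two lookups discussed above against a constructed DescribeTransitGatewayPeeringAttachments response: the transit-gateway-id plus state filter pair from the workaround, which returns more than one record when several requesters peer with the same accepter TGW and nothing once the peering has been accepted, and the direct read of the top-level AccepterTransitGatewayAttachmentId field that the API reference documents. Field names follow the API reference; the sample IDs, the helper names and the assumption that AWS populates that field are the example's own.

```python
# Added example (not terraform-provider-aws code): resolving the accepter-side
# peering attachment id from a DescribeTransitGatewayPeeringAttachments response.
# The response below is CONSTRUCTED sample data; the field names follow the EC2
# API reference for TransitGatewayPeeringAttachment.


def _attachment(attach_id, accepter_attach_id, requester_tgw, accepter_tgw, state,
                region="eu-west-1"):
    """Build one TransitGatewayPeeringAttachment record (constructed sample)."""
    return {
        "TransitGatewayAttachmentId": attach_id,
        "AccepterTransitGatewayAttachmentId": accepter_attach_id,
        "RequesterTgwInfo": {"TransitGatewayId": requester_tgw,
                             "OwnerId": "111111111111", "Region": region},
        "AccepterTgwInfo": {"TransitGatewayId": accepter_tgw,
                            "OwnerId": "111111111111", "Region": region},
        "State": state,
    }


# Constructed response: two requesters (tgw-0aaa, tgw-0bbb) peering with the
# same accepter tgw-0xxx, plus an already-accepted peering tgw-0aaa -> tgw-0yyy.
SAMPLE_RESPONSE = {
    "TransitGatewayPeeringAttachments": [
        _attachment("tgw-attach-0a1", "tgw-attach-0x1", "tgw-0aaa", "tgw-0xxx", "pendingAcceptance"),
        _attachment("tgw-attach-0b1", "tgw-attach-0x2", "tgw-0bbb", "tgw-0xxx", "pendingAcceptance"),
        _attachment("tgw-attach-0a2", "tgw-attach-0y1", "tgw-0aaa", "tgw-0yyy", "available"),
    ]
}
ATTACHMENTS = SAMPLE_RESPONSE["TransitGatewayPeeringAttachments"]


def workaround_lookup(attachments, peer_tgw_id, state="pendingAcceptance"):
    """Model of the data-source filters from the thread (peer TGW id + state).

    Returns the attachment ids of every record whose accepter TGW is peer_tgw_id
    and whose state matches. More than one hit means the lookup cannot tell the
    peerings apart; zero hits is what happens once the peering is accepted and
    leaves the pendingAcceptance state.
    """
    return [
        a["TransitGatewayAttachmentId"]
        for a in attachments
        if a["AccepterTgwInfo"]["TransitGatewayId"] == peer_tgw_id and a["State"] == state
    ]


def accepter_attachment_id(attachments, requester_attachment_id):
    """Unambiguous lookup: find our own (requester-side) attachment record and
    read the AccepterTransitGatewayAttachmentId field the API documents.

    Raises LookupError if the record is absent or the field is not populated,
    so a caller never silently proceeds with a missing id.
    """
    for a in attachments:
        if a["TransitGatewayAttachmentId"] == requester_attachment_id:
            accepter_id = a.get("AccepterTransitGatewayAttachmentId")
            if not accepter_id:
                raise LookupError(
                    f"{requester_attachment_id}: AccepterTransitGatewayAttachmentId not populated")
            return accepter_id
    raise LookupError(f"no peering attachment with id {requester_attachment_id}")


if __name__ == "__main__":
    # Ambiguous: two pending peerings target tgw-0xxx.
    print("workaround, pending -> tgw-0xxx:", workaround_lookup(ATTACHMENTS, "tgw-0xxx"))
    # Empty: the peering with tgw-0yyy is already 'available'.
    print("workaround, pending -> tgw-0yyy:", workaround_lookup(ATTACHMENTS, "tgw-0yyy"))
    # Direct: our attachment tgw-attach-0a1 maps to exactly one accepter id.
    print("accepter id for tgw-attach-0a1:", accepter_attachment_id(ATTACHMENTS, "tgw-attach-0a1"))
```

Run it with a real response by replacing SAMPLE_RESPONSE with the parsed output of `aws ec2 describe-transit-gateway-peering-attachments --output json`; the LookupError branch is there because a null AccepterTransitGatewayAttachmentId is a condition worth failing loudly on rather than falling back to a filter-based guess.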

o6uoq commented 1 month ago

@igoratencompass is this still an issue for you?

When I query the AWS API, I receive null for AccepterTransitGatewayAttachmentId:

aws ec2 describe-transit-gateway-peering-attachments \
  --profile $AWS_PROFILE \
  --region $AWS_REGION \
  --query 'TransitGatewayPeeringAttachments[*].{AccepterTransitGatewayAttachmentId:AccepterTgwInfo.TransitGatewayAttachmentId, AccepterTgwId:AccepterTgwInfo.TransitGatewayId, AccepterRegion:AccepterTgwInfo.Region}' \
  --output json | jq -r '.[].AccepterTransitGatewayAttachmentId'
null
null