hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: `aws_ec2_transit_gateway` - Modifying `default_route_table_association` or `default_route_table_propagation` arguments to `enable` it is causing the replacement #34449

Open evairmarinho opened 11 months ago

evairmarinho commented 11 months ago

Terraform Core Version

1.1.5

AWS Provider Version

5.24.0

Affected Resource(s)

aws_ec2_transit_gateway

Expected Behavior

Modifying default_route_table_association or default_route_table_propagation arguments to enable should not cause the replacement of Transit Gateway.

Actual Behavior

Modifying default_route_table_association or default_route_table_propagation arguments to enable is causing the replacement of the Transit Gateway.

Relevant Error/Panic Output Snippet

```
# aws_ec2_transit_gateway.this[0] must be replaced
-/+ resource "aws_ec2_transit_gateway" "this" {
      ~ arn                                = "arn:aws:ec2:us-east-1:<NONE>:transit-gateway/tgw-<NONE>" -> (known after apply)
      + association_default_route_table_id = (known after apply)
      ~ default_route_table_association    = "disable" -> "enable" # forces replacement
      ~ default_route_table_propagation    = "disable" -> "enable" # forces replacement
      ~ id                                 = "tgw-<NONE>" -> (known after apply)
      ~ owner_id                           = "<NONE>" -> (known after apply)
      + propagation_default_route_table_id = (known after apply)
        tags                               = {
            "Name" = "tgw-poc"
        }
      - transit_gateway_cidr_blocks        = [] -> null
        # (7 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 2 to add, 0 to change, 2 to destroy.
```

Terraform Configuration Files

```hcl
resource "aws_ec2_transit_gateway" "this" {
  amazon_side_asn                 = 65512
  auto_accept_shared_attachments  = "disable"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  description                     = "tgw-poc"
  dns_support                     = "enable"
  multicast_support               = "disable"
  vpn_ecmp_support                = "enable"
}

resource "aws_ec2_transit_gateway_route_table" "this" {
  transit_gateway_id = aws_ec2_transit_gateway.this.id
}
```

Steps to Reproduce

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

In CloudFormation, this behavior does not exist:

TGW CloudFormation

Would you like to implement a fix?

No

justinretzolk commented 11 months ago

Hey @evairmarinho 👋 Thank you for taking the time to raise this! I took a quick look at this while triaging, and it looks like this is intentional behavior that I suspect might be related to this note in the ModifyTransitGateway API documentation:

> When you modify a transit gateway, the modified options are applied to new transit gateway attachments only. Your existing transit gateway attachments are not modified.

I'll leave this open so that someone from the team or community with more insight can comment, but wanted to pass along the little bit of information I was able to quickly find.

evairmarinho commented 11 months ago

Hey @justinretzolk, thanks for the contact. I have updated the References section in the issue. Take a look when you can.

evairmarinho commented 11 months ago

I get what you are saying, @justinretzolk. I have tested the same scenario in CloudFormation and I get this error:

Resource handler returned message: "enable DefaultRouteTableAssociation conflicts with AssociationDefaultRouteTableId null (Service: Ec2, Status Code: 400, Request ID: xpto)" (RequestToken: xpto, HandlerErrorCode: GeneralServiceException)

Maybe related to this issue in CloudFormation: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/projects/1#card-88413391
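
A pre-apply guard for the replacement shown in the plan output above. This is an added example, not code from any participant in this thread or from the provider: it reads the JSON produced by `terraform show -json <planfile>` and reports any `aws_ec2_transit_gateway` that would be destroyed and recreated because of the two arguments in this issue. The function name and the sample plan are constructed for illustration.

```python
import json
import sys

# Arguments the plan output in this issue marks "# forces replacement".
WATCHED = {"default_route_table_association", "default_route_table_propagation"}

def find_forced_replacements(plan, resource_type="aws_ec2_transit_gateway"):
    """Return (address, attribute, before, after) tuples for every watched
    attribute that forces replacement of a resource of `resource_type`."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # Terraform reports a replacement as delete+create, in either order.
        if not ("delete" in actions and "create" in actions):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        # replace_paths lists the attribute paths that triggered replacement.
        for path in change.get("replace_paths", []):
            attr = path[0] if path else None
            if attr in WATCHED:
                findings.append((rc["address"], attr, before.get(attr), after.get(attr)))
    return findings

# Constructed sample mirroring the plan in this issue (not real plan output).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_ec2_transit_gateway.this[0]",
     "type": "aws_ec2_transit_gateway",
     "change": {"actions": ["delete", "create"],
                "before": {"default_route_table_association": "disable",
                           "default_route_table_propagation": "disable"},
                "after": {"default_route_table_association": "enable",
                          "default_route_table_propagation": "enable"},
                "replace_paths": [["default_route_table_association"],
                                  ["default_route_table_propagation"]]}},
    {"address": "aws_ec2_transit_gateway_route_table.this",
     "type": "aws_ec2_transit_gateway_route_table",
     "change": {"actions": ["delete", "create"], "before": {}, "after": {},
                "replace_paths": [["transit_gateway_id"]]}},
]}

if __name__ == "__main__":
    # Use a plan JSON file if one is given, otherwise the constructed sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = find_forced_replacements(plan)
    for hit in hits:
        print("%s: %s %r -> %r forces replacement" % hit)
    sys.exit(1 if hits else 0)
```

A non-zero exit status lets a CI step stop the pipeline before `terraform apply` recreates the gateway.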