terraform-aws-modules / terraform-aws-transit-gateway

Terraform module to create AWS Transit Gateway resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/transit-gateway/aws
Apache License 2.0

Error creating transit gateway attachments between shared accounts. Error: No RAM Resource Share () invitation found #93

Closed whitehousepost closed 1 year ago

whitehousepost commented 1 year ago

Description

I'm having an issue with sharing a tgw between accounts in the same organization with autoaccept enabled.

Both accounts are in the same organization and auto accept is enabled. The resources (vpc, subnets) in the client account are not terraform created.

Error received:

│ Error: No RAM Resource Share () invitation found
│ 
│ NOTE: If both AWS accounts are in the same AWS Organization and RAM Sharing with AWS Organizations is enabled, this resource is not necessary
│ 
│   with module.tgw_peer.aws_ram_resource_share_accepter.this[0],
│   on .terraform/modules/tgw_peer/main.tf line 170, in resource "aws_ram_resource_share_accepter" "this":
│  170: resource "aws_ram_resource_share_accepter" "this" {
│ 

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

Reproduction Code [Required]

#Providers, versions and additional prerequisites.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.46.0"
    }
  }
}

provider "aws" {
  region  = var.vpcRegion
  profile = "ent"
}
provider "aws" {
  alias               = "dev"
  region              = var.vpcRegion
  shared_config_files = [<credentials>]
  profile             = "dev"
}

#VPC declaration
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.18.1"

  name = "ent-core-infrastructure"
  cidr = "10.5.0.0/16"

  azs                                  = ["${var.vpcRegion}a", "${var.vpcRegion}b", "${var.vpcRegion}c"]
  public_subnets                       = ["10.5.1.0/24", "10.5.2.0/24", "10.5.3.0/24"]
  private_subnets                      = ["10.5.4.0/24", "10.5.5.0/24", "10.5.6.0/24"]
  intra_subnets                        = ["10.5.7.0/24", "10.5.8.0/24", "10.5.9.0/24"]
  single_nat_gateway                   = true
  enable_nat_gateway                   = true
  enable_flow_log                      = false
  create_flow_log_cloudwatch_iam_role  = false
  create_flow_log_cloudwatch_log_group = false
}

#Transit gateway declaration
module "tgw" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "2.8.1"

  name = "e2-ent-tgw-001"
  description = "Enterprise Transit Gateway. Provisioned using Terraform. Acts as the central interface between offices and AWS."

  enable_auto_accept_shared_attachments = true
  # module input is spelled enable_multicast_support; the misspelling is rejected as an unsupported argument
  enable_multicast_support              = true

  vpc_attachments = {
    ent-core-infrastructure = {
      vpc_id      = module.vpc.vpc_id
      subnet_ids  = module.vpc.private_subnets
      dns_support = true

      transit_gateway_default_route_table_association = false
      transit_gateway_default_route_table_propagation = false

    }
  }

  #share_tgw = true
  ram_name = "enterprise-transit-gateway-share"
  ram_allow_external_principals = true
  ram_principals = [
    "635757009592"
  ]
}

module "tgw_peer" {
  source = "terraform-aws-modules/transit-gateway/aws"

  providers = {
    aws = aws.dev
  }

  name = "test-peer"
  description = "test dev peering using a module"

  create_tgw = false
  #share_tgw = true
  #ram_resource_share_arn = module.tgw.ram_resource_share_id
  enable_auto_accept_shared_attachments = true

  vpc_attachments = {
    dev_vpc = {
      # existing VPC, not created by Terraform
      vpc_id      = "vpc-xxxxxxxxxxxxxxxxx"
      tgw_id      = module.tgw.ec2_transit_gateway_id
      subnet_ids  = ["subnet-xxxxxxxx", "subnet-xxxxxxxx"]
      dns_support = true

      transit_gateway_default_route_table_propagation = false
      transit_gateway_default_route_table_association = false

      tgw_routes = [
        {
          destination_cidr_block = "10.5.0.0/16"
        },
        {
          destination_cidr_block = "10.20.0.0/16"
        }
      ]
    }
  }

  depends_on = [module.tgw]
}

Steps to reproduce the behavior:

no

yes

Simply running a terraform apply on this will produce this error.

Expected behavior

Create a transit gateway in the master account and create an attachment to it in a VPC in the sub-account, resulting in a clean run.

Actual behavior

module.tgw.aws_ram_resource_share.this[0]: Creating...
module.vpc.aws_eip.nat[0]: Creating...
module.tgw.aws_ec2_transit_gateway.this[0]: Creating...
module.vpc.aws_vpc.this[0]: Creating...
module.vpc.aws_eip.nat[0]: Creation complete after 1s [id=eipalloc-0fa702f441bc91b2a]
module.tgw.aws_ram_resource_share.this[0]: Creation complete after 1s [id=arn:aws:ram:us-east-2:845940089308:resource-share/836a1157-d934-4cc0-8ab4-97121919b482]
module.tgw.aws_ram_principal_association.this[0]: Creating...
module.tgw.aws_ram_principal_association.this[1]: Creating...
module.vpc.aws_vpc.this[0]: Creation complete after 1s [id=vpc-0539a16057343bbb8]
module.vpc.aws_subnet.private[1]: Creating...
module.vpc.aws_route_table.private[0]: Creating...
module.vpc.aws_route_table.public[0]: Creating...
module.vpc.aws_subnet.public[1]: Creating...
module.vpc.aws_route_table.intra[0]: Creating...
module.vpc.aws_subnet.public[0]: Creating...
module.vpc.aws_subnet.intra[2]: Creating...
module.tgw.aws_ram_principal_association.this[1]: Creation complete after 0s [id=arn:aws:ram:us-east-2:845940089308:resource-share/836a1157-d934-4cc0-8ab4-97121919b482,635757009592]
module.vpc.aws_subnet.public[2]: Creating...
module.tgw.aws_ram_principal_association.this[0]: Creation complete after 1s [id=arn:aws:ram:us-east-2:845940089308:resource-share/836a1157-d934-4cc0-8ab4-97121919b482,778348368122]
module.vpc.aws_route_table.intra[0]: Creation complete after 1s [id=rtb-0fff5ea3f40b2a838]
module.vpc.aws_internet_gateway.this[0]: Creating...
module.vpc.aws_subnet.private[0]: Creating...
module.vpc.aws_route_table.public[0]: Creation complete after 1s [id=rtb-070441310eab3c9f1]
module.vpc.aws_subnet.private[2]: Creating...
module.vpc.aws_subnet.private[1]: Creation complete after 1s [id=subnet-03a9cbe89ee0cdc90]
module.vpc.aws_subnet.intra[0]: Creating...
module.vpc.aws_route_table.private[0]: Creation complete after 1s [id=rtb-00836f2861fae2e6f]
module.vpc.aws_subnet.intra[1]: Creating...
module.vpc.aws_subnet.intra[2]: Creation complete after 1s [id=subnet-07e5fcc661f2f60f3]
module.vpc.aws_internet_gateway.this[0]: Creation complete after 0s [id=igw-055a18a645f1e0e6c]
module.vpc.aws_route.public_internet_gateway[0]: Creating...
module.vpc.aws_subnet.private[0]: Creation complete after 0s [id=subnet-0fe23728ddb5d593b]
module.vpc.aws_subnet.private[2]: Creation complete after 0s [id=subnet-0a6f760a35a1d9346]
module.vpc.aws_route_table_association.private[1]: Creating...
module.vpc.aws_route_table_association.private[2]: Creating...
module.vpc.aws_route_table_association.private[0]: Creating...
module.vpc.aws_subnet.intra[1]: Creation complete after 0s [id=subnet-0cb91956aba2196d1]
module.vpc.aws_subnet.intra[0]: Creation complete after 0s [id=subnet-0489db9d27a054fd9]
module.vpc.aws_route_table_association.intra[2]: Creating...
module.vpc.aws_route_table_association.intra[0]: Creating...
module.vpc.aws_route_table_association.private[0]: Creation complete after 0s [id=rtbassoc-00dbe883fbb176716]
module.vpc.aws_route_table_association.private[2]: Creation complete after 0s [id=rtbassoc-02dc25805f57efd6d]
module.vpc.aws_route.public_internet_gateway[0]: Creation complete after 0s [id=r-rtb-070441310eab3c9f11080289494]
module.vpc.aws_route_table_association.intra[1]: Creating...
module.vpc.aws_route_table_association.private[1]: Creation complete after 1s [id=rtbassoc-02bebc6b166aaf31d]
module.tgw.aws_ec2_transit_gateway.this[0]: Still creating... [10s elapsed]
module.vpc.aws_subnet.public[1]: Still creating... [10s elapsed]
module.vpc.aws_subnet.public[0]: Still creating... [10s elapsed]
module.vpc.aws_subnet.public[2]: Still creating... [10s elapsed]
module.vpc.aws_subnet.public[0]: Creation complete after 11s [id=subnet-0a9be6c77de83df75]
module.vpc.aws_subnet.public[1]: Creation complete after 11s [id=subnet-02745b5cecd95fa65]
module.vpc.aws_subnet.public[2]: Creation complete after 11s [id=subnet-027bd5f23ad037261]
module.vpc.aws_route_table_association.public[0]: Creating...
module.vpc.aws_route_table_association.public[2]: Creating...
module.vpc.aws_nat_gateway.this[0]: Creating...
module.vpc.aws_route_table_association.public[1]: Creating...
module.vpc.aws_route_table_association.intra[2]: Still creating... [10s elapsed]
module.vpc.aws_route_table_association.intra[0]: Still creating... [10s elapsed]
module.vpc.aws_route_table_association.intra[1]: Still creating... [10s elapsed]
module.vpc.aws_route_table_association.public[2]: Creation complete after 1s [id=rtbassoc-04c6693b368430990]
module.vpc.aws_route_table_association.public[1]: Creation complete after 1s [id=rtbassoc-0b46b314f4b47a9c9]
module.vpc.aws_route_table_association.public[0]: Creation complete after 1s [id=rtbassoc-031641231e978e0b9]
module.vpc.aws_route_table_association.intra[2]: Creation complete after 14s [id=rtbassoc-0c7440b293d4cd8ae]
module.vpc.aws_route_table_association.intra[0]: Creation complete after 14s [id=rtbassoc-0eb3200d83c16ded5]
module.vpc.aws_route_table_association.intra[1]: Creation complete after 14s [id=rtbassoc-0f5f539a71ab7c679]
module.tgw.aws_ec2_transit_gateway.this[0]: Still creating... [20s elapsed]
module.vpc.aws_nat_gateway.this[0]: Still creating... [10s elapsed]
module.tgw.aws_ec2_transit_gateway.this[0]: Still creating... [30s elapsed]
module.vpc.aws_nat_gateway.this[0]: Still creating... [20s elapsed]
module.tgw.aws_ec2_transit_gateway.this[0]: Still creating... [40s elapsed]
module.vpc.aws_nat_gateway.this[0]: Still creating... [30s elapsed]
module.tgw.aws_ec2_transit_gateway.this[0]: Still creating... [50s elapsed]
module.vpc.aws_nat_gateway.this[0]: Still creating... [40s elapsed]
module.tgw.aws_ec2_transit_gateway.this[0]: Still creating... [1m0s elapsed]
module.vpc.aws_nat_gateway.this[0]: Still creating... [50s elapsed]
module.tgw.aws_ec2_transit_gateway.this[0]: Still creating... [1m10s elapsed]
module.vpc.aws_nat_gateway.this[0]: Still creating... [1m0s elapsed]
module.tgw.aws_ec2_transit_gateway.this[0]: Still creating... [1m20s elapsed]
module.vpc.aws_nat_gateway.this[0]: Still creating... [1m10s elapsed]
module.tgw.aws_ec2_transit_gateway.this[0]: Creation complete after 1m24s [id=tgw-0f09c208839fab7a3]
module.tgw.aws_ec2_tag.this["Name"]: Creating...
module.tgw.aws_ram_resource_association.this[0]: Creating...
module.tgw.aws_ec2_transit_gateway_route_table.this[0]: Creating...
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Creating...
module.tgw.aws_ec2_tag.this["Name"]: Creation complete after 0s [id=tgw-rtb-0c433b1024a8f3a91,Name]
module.tgw.aws_ram_resource_association.this[0]: Creation complete after 1s [id=arn:aws:ram:us-east-2:845940089308:resource-share/836a1157-d934-4cc0-8ab4-97121919b482,arn:aws:ec2:us-east-2:845940089308:transit-gateway/tgw-0f09c208839fab7a3]
module.vpc.aws_nat_gateway.this[0]: Still creating... [1m20s elapsed]
module.tgw.aws_ec2_transit_gateway_route_table.this[0]: Still creating... [10s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [10s elapsed]
module.vpc.aws_nat_gateway.this[0]: Still creating... [1m30s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [20s elapsed]
module.tgw.aws_ec2_transit_gateway_route_table.this[0]: Still creating... [20s elapsed]
module.vpc.aws_nat_gateway.this[0]: Creation complete after 1m34s [id=nat-0579642299de8f17c]
module.vpc.aws_route.private_nat_gateway[0]: Creating...
module.vpc.aws_route.private_nat_gateway[0]: Creation complete after 1s [id=r-rtb-00836f2861fae2e6f1080289494]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [30s elapsed]
module.tgw.aws_ec2_transit_gateway_route_table.this[0]: Still creating... [30s elapsed]
module.tgw.aws_ec2_transit_gateway_route_table.this[0]: Still creating... [40s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [40s elapsed]
module.tgw.aws_ec2_transit_gateway_route_table.this[0]: Creation complete after 43s [id=tgw-rtb-0070fb2694306cc38]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [50s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [1m0s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [1m10s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [1m20s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [1m30s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Still creating... [1m40s elapsed]
module.tgw.aws_ec2_transit_gateway_vpc_attachment.this["ent-core-infrastructure"]: Creation complete after 1m49s [id=tgw-attach-0cc73f35c75659b8e]
module.tgw.aws_ec2_transit_gateway_route_table_propagation.this["ent-core-infrastructure"]: Creating...
module.tgw.aws_ec2_transit_gateway_route_table_association.this["ent-core-infrastructure"]: Creating...
module.tgw.aws_ec2_transit_gateway_route_table_propagation.this["ent-core-infrastructure"]: Creation complete after 0s [id=tgw-rtb-0070fb2694306cc38_tgw-attach-0cc73f35c75659b8e]
module.tgw.aws_ec2_transit_gateway_route_table_association.this["ent-core-infrastructure"]: Still creating... [10s elapsed]
module.tgw.aws_ec2_transit_gateway_route_table_association.this["ent-core-infrastructure"]: Still creating... [20s elapsed]
module.tgw.aws_ec2_transit_gateway_route_table_association.this["ent-core-infrastructure"]: Creation complete after 23s [id=tgw-rtb-0070fb2694306cc38_tgw-attach-0cc73f35c75659b8e]
module.tgw_peer.aws_ram_resource_share_accepter.this[0]: Creating...
module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["dev_vpc"]: Creating...
module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["dev_vpc"]: Still creating... [10s elapsed]
module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["dev_vpc"]: Still creating... [20s elapsed]
module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["dev_vpc"]: Still creating... [30s elapsed]
module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["dev_vpc"]: Still creating... [40s elapsed]
module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["dev_vpc"]: Still creating... [50s elapsed]
module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["dev_vpc"]: Still creating... [1m0s elapsed]
module.tgw_peer.aws_ec2_transit_gateway_vpc_attachment.this["dev_vpc"]: Creation complete after 1m5s [id=tgw-attach-054cc1181d65d5b1e]
╷
│ Error: No RAM Resource Share () invitation found
│ 
│ NOTE: If both AWS accounts are in the same AWS Organization and RAM Sharing with AWS Organizations is enabled, this resource is not necessary
│ 
│   with module.tgw_peer.aws_ram_resource_share_accepter.this[0],
│   on .terraform/modules/tgw_peer/main.tf line 170, in resource "aws_ram_resource_share_accepter" "this":
│  170: resource "aws_ram_resource_share_accepter" "this" {
│ 
╵

Additional context

Example from the module:

provider "aws" {
  region = local.region
}

# This provider is required for attachment only installation in another AWS Account
provider "aws" {
  region = local.region
  alias  = "peer"
}

locals {
  name   = "ex-tgw-${replace(basename(path.cwd), "_", "-")}"
  region = "eu-west-1"

  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-transit-gateway"
    GithubOrg  = "terraform-aws-modules"
  }
}

################################################################################
# Transit Gateway Module
################################################################################

module "tgw" {
  source = "../../"

  name            = local.name
  description     = "My TGW shared with several other AWS accounts"
  amazon_side_asn = 64532

  # When "true" there is no need for RAM resources if using multiple AWS accounts
  enable_auto_accept_shared_attachments = true

  vpc_attachments = {
    vpc1 = {
      vpc_id       = module.vpc1.vpc_id
      subnet_ids   = module.vpc1.private_subnets
      dns_support  = true
      ipv6_support = true

      transit_gateway_default_route_table_association = false
      transit_gateway_default_route_table_propagation = false

      tgw_routes = [
        {
          destination_cidr_block = "30.0.0.0/16"
        },
        {
          blackhole              = true
          destination_cidr_block = "0.0.0.0/0"
        }
      ]
    },
    vpc2 = {
      vpc_id     = module.vpc2.vpc_id
      subnet_ids = module.vpc2.private_subnets

      tgw_routes = [
        {
          destination_cidr_block = "50.0.0.0/16"
        },
        {
          blackhole              = true
          destination_cidr_block = "10.10.10.10/32"
        }
      ]
    },
  }

  ram_allow_external_principals = true
  ram_principals                = [307990089504]

  tags = local.tags
}

module "tgw_peer" {
  # This is optional and connects to another account. Meaning you need to be authenticated with 2 separate AWS Accounts
  source = "../../"

  providers = {
    aws = aws.peer
  }

  name            = "${local.name}-peer"
  description     = "My TGW shared with several other AWS accounts"
  amazon_side_asn = 64532

  create_tgw             = false
  share_tgw              = true
  ram_resource_share_arn = module.tgw.ram_resource_share_id
  # When "true" there is no need for RAM resources if using multiple AWS accounts
  enable_auto_accept_shared_attachments = true

  vpc_attachments = {
    vpc1 = {
      tgw_id       = module.tgw.ec2_transit_gateway_id
      vpc_id       = module.vpc1.vpc_id
      subnet_ids   = module.vpc1.private_subnets
      dns_support  = true
      ipv6_support = true

      transit_gateway_default_route_table_association = false
      transit_gateway_default_route_table_propagation = false

      tgw_routes = [
        {
          destination_cidr_block = "30.0.0.0/16"
        },
        {
          blackhole              = true
          destination_cidr_block = "0.0.0.0/0"
        }
      ]
    },
  }

  ram_allow_external_principals = true
  ram_principals                = [307990089504]

  tags = local.tags
}

################################################################################
# Supporting resources
################################################################################

module "vpc1" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 3.0"

  name = "${local.name}-vpc1"
  cidr = "10.10.0.0/16"

  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
  private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]

  enable_ipv6                                    = true
  private_subnet_assign_ipv6_address_on_creation = true
  private_subnet_ipv6_prefixes                   = [0, 1, 2]

  tags = local.tags
}

module "vpc2" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 3.0"

  providers = {
    aws = aws.peer
  }

  name = "${local.name}-vpc2"
  cidr = "10.20.0.0/16"

  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
  private_subnets = ["10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24"]

  enable_ipv6 = false

  tags = local.tags
}
whitehousepost commented 1 year ago

Setting both:

  create_tgw = false
  share_tgw = false

Allowed for completion of this.

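The configuration below is an added example, not code from the issue or from the module's own examples. It generalizes the fix in the comment above: one flag records whether the peer account is a member of the same AWS Organization with RAM sharing to the organization enabled. In that case the resource share is accepted automatically and no invitation exists, so the module must not create aws_ram_resource_share_accepter (share_tgw = false). For a peer outside the organization, the invitation flow is still needed and share_tgw stays true with the share ARN passed in. The names var.peer_in_same_org, var.peer_account_id and the placeholder VPC/subnet IDs are assumptions for this example; var.vpcRegion and the "dev" provider alias follow the issue's own configuration. It also assumes the module only creates the accepter when share_tgw is true and create_tgw is false, which is what the reporter's two settings imply.

```hcl
# Added example: same-org vs. cross-org sharing of one transit gateway.
# Assumption: var.peer_in_same_org, var.peer_account_id and the vpc-/subnet-
# placeholders are not from the issue; the module inputs used are.

variable "peer_in_same_org" {
  description = "true when the peer account is in the same AWS Organization and RAM org sharing is enabled"
  type        = bool
  default     = true
}

variable "peer_account_id" {
  description = "12-digit ID of the peer account (placeholder value)"
  type        = string
  default     = "111111111111"
}

provider "aws" {
  alias   = "dev"
  region  = var.vpcRegion
  profile = "dev"
}

# Owning account: creates the TGW and the RAM share.
module "tgw" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "2.8.1"

  name                                  = "ent-tgw"
  enable_auto_accept_shared_attachments = true

  ram_name = "enterprise-transit-gateway-share"
  # A member of the same organization is not an external principal; only open
  # the share to external principals when the peer is outside the organization.
  ram_allow_external_principals = !var.peer_in_same_org
  ram_principals                = [var.peer_account_id]
}

# Peer account: attaches an existing VPC to the shared TGW, creates no TGW.
module "tgw_peer" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "2.8.1"

  providers = {
    aws = aws.dev
  }

  name       = "dev-peer"
  create_tgw = false

  # Same organization: the share is auto-accepted, there is no invitation, and
  # aws_ram_resource_share_accepter would fail with "No RAM Resource Share ()
  # invitation found", so it must not be created.
  # Different organization: keep the accepter and hand it the share ARN.
  share_tgw              = !var.peer_in_same_org
  ram_resource_share_arn = var.peer_in_same_org ? null : module.tgw.ram_resource_share_id

  vpc_attachments = {
    dev_vpc = {
      tgw_id      = module.tgw.ec2_transit_gateway_id
      vpc_id      = "vpc-xxxxxxxxxxxxxxxxx"                 # placeholder, existing VPC
      subnet_ids  = ["subnet-xxxxxxxx", "subnet-xxxxxxxx"] # placeholders
      dns_support = true

      transit_gateway_default_route_table_association = false
      transit_gateway_default_route_table_propagation = false
    }
  }

  depends_on = [module.tgw]
}
```

With the default peer_in_same_org = true this reproduces the reporter's working combination (create_tgw = false, share_tgw = false) without touching the accepter at all; flipping the flag to false restores the module's documented cross-account invitation path. Keeping ram_allow_external_principals tied to the same flag means a same-org deployment never opens the share to accounts outside the organization by accident.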
github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.