error associating EC2 Transit Gateway Route Table () association MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.

[dmartinezrubio]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.25

• provider.aws v2.62.0

Affected Resource(s)

aws_ec2_transit_gateway
aws_ec2_transit_gateway_vpc_attachment
aws_ec2_transit_gateway_route_table
aws_ec2_transit_gateway_route_table_association
aws_ec2_transit_gateway_route_table_propagation

Terraform Configuration Files

#create transit gateway
resource "aws_ec2_transit_gateway" "tgw" {
description = "tgw sec_vpc con el resto de vpc"
auto_accept_shared_attachments = "disable"
default_route_table_association = "disable"
default_route_table_propagation = "disable"
dns_support = "enable"
tags = {
Name = "TGW"
}
}

route tables for vpc sec

resource "aws_ec2_transit_gateway_route_table" "sec" {
transit_gateway_id = aws_ec2_transit_gateway.tgw.id
tags = {
Name = "tgw-routetable-sec"
}
}
#route tables for vpc spoke
resource "aws_ec2_transit_gateway_route_table" "spoke" {
transit_gateway_id = aws_ec2_transit_gateway.tgw.id
tags = {
Name = "tgw-routetable-spoke"
}
}

resource "aws_ec2_transit_gateway_route_table_association" "sec" {
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw.id
transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.sec.id
}
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc.id
transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

#propagation for vpc sec
resource "aws_ec2_transit_gateway_route_table_propagation" "sec" {
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw.id
transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.sec.id
}

#propagation for vpc spoke
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke" {
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc.id
transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

#create attachment-TGW against vpc sec where are both firewalls

resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw" {
vpc_id = aws_vpc.sec-vpc.id
transit_gateway_id = aws_ec2_transit_gateway.tgw.id
subnet_ids = ["${aws_subnet.private-fw-a.id}","${aws_subnet.private-fw-b.id}"]
tags = {
Name = "sec-vpc-attachment"
}
}
#create attachment-TGW against vpc spoke
resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc" {
vpc_id = aws_vpc.spoke-vpc.id
transit_gateway_id = aws_ec2_transit_gateway.tgw.id
subnet_ids = ["${aws_subnet.spoke-private-eu-west-1a.id}","${aws_subnet.spoke-private-eu-west-1b.id}"]
tags = {
Name = "spoke-vpc-attachment"
}
}

Debug Output

aws_ec2_transit_gateway.tgw: Still creating... [20s elapsed]
aws_ec2_transit_gateway.tgw: Creation complete after 29s [id=tgw-0da9fc5cbcacd209f]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Creating...
aws_ec2_transit_gateway_route_table.sec: Creating...
aws_route_table.RT-sec-private: Creating...
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Creating...
aws_ec2_transit_gateway_route_table.spoke: Creating...
aws_route_table.RT-spoke-private: Creating...
aws_route_table.RT-spoke-private: Creation complete after 5s [id=rtb-0c75eac891a00bc97]
aws_route_table_association.RT-spoke-private-1: Creating...
aws_route_table_association.RT-spoke-private-2: Creating...
aws_route_table.RT-sec-private: Creation complete after 5s [id=rtb-0fa3f0fa9f5cbb628]
aws_route_table_association.private-RT-to-private-fwb: Creating...
aws_route_table_association.private-RT-to-private-fwa: Creating...
aws_route_table_association.RT-spoke-private-1: Creation complete after 0s [id=rtbassoc-088f420d556aff315]
aws_route_table_association.RT-spoke-private-2: Creation complete after 0s [id=rtbassoc-0af2dc2d7d7a550b6]
aws_route_table_association.private-RT-to-private-fwb: Creation complete after 1s [id=rtbassoc-0ba4618eafbeaa106]
aws_route_table_association.private-RT-to-private-fwa: Creation complete after 1s [id=rtbassoc-09b7b10e3f3513c28]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [10s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [10s elapsed]
aws_ec2_transit_gateway_route_table.sec: Still creating... [10s elapsed]
aws_ec2_transit_gateway_route_table.spoke: Still creating... [10s elapsed]
aws_ec2_transit_gateway_route_table.sec: Creation complete after 18s [id=tgw-rtb-018763c896b996c5f]
aws_ec2_transit_gateway_route_table.spoke: Creation complete after 18s [id=tgw-rtb-0b3af9d21519828ce]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [20s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [20s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [30s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [30s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [40s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [40s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [50s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [50s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw: Still creating... [1m0s elapsed]
aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc: Still creating... [1m0s elapsed]

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-04643cc2db9804f8e) Route Table () association: error associating EC2 Transit Gateway Route Table () association (tgw-attach-04643cc2db9804f8e): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.
status code: 400, request id: d3dd5ecc-0cc3-46ff-91c5-a57ed82d451e

on tgw.tf line 54, in resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw":
54: resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw" {

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-05517f0cda4c2eaa7) Route Table () association: error associating EC2 Transit Gateway Route Table () association (tgw-attach-05517f0cda4c2eaa7): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.
status code: 400, request id: 3dd083bc-0b6c-42b1-b25f-163c8494e0ab

on tgw.tf line 63, in resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc":
63: resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc" {

Expected Behavior

EC2 Transit Gateway VPC Attachment should be created without error.

Actual Behavior

It fails, it is build correctly all the infraestructure:
a. transit gw
b. transit gw attachment without associate route table
c.transit gw route tables it's build without associations, propagations and routes (related with the error)

Steps to Reproduce

1. terraform apply

Important Factoids

References

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayRouteTableAssociations.html

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetTransitGatewayRouteTablePropagations.html

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeTransitGatewayVpcAttachments.html

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTransitGatewayVpcAttachment.html

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateTransitGatewayRouteTable.html

[ewbankkit]

@dmartinezrubio Thanks for reporting this.

In this case it seems that transitGateway.Options.AssociationDefaultRouteTableId is nil:

https://github.com/terraform-providers/terraform-provider-aws/blob/98df32df0b341acc1673ce21355662c3c4facb4b/aws/resource_aws_ec2_transit_gateway_vpc_attachment.go#L119

Could you paste the HCL for the aws_ec2_transit_gateway resources?

[dmartinezrubio]

sorry, it's my first time...how can I get the HCL for the aws_ec2_transit_gateway resources?

[dmartinezrubio]

the hlc code I attached at the beginning of my post

[ewbankkit]

@dmartinezrubio Yes, it is there at the top, sorry didn't see it initially; Thanks.

[dmartinezrubio]

ok, any kind of help it will be good! I spend last 3 days testing and trying to solve it.

[ewbankkit]

I can reproduce this in our acceptance tests (TestAccAWSEc2TransitGatewayVpcAttachment_TransitGatewayDefaultRouteTableAssociationAndPropagationDisabled) if I set transit_gateway_default_route_table_association = true (the default).
I'll dive deeper...

[dmartinezrubio]

if I modify this value to "enable" I receive next error:

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-0fc5b0c0d16ae0c16) Route Table () propagation: error enabling EC2 Transit Gateway Attachment (tgw-attach-0fc5b0c0d16ae0c16) propagation to Route Table (): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.
status code: 400, request id: 060a5d61-b6a3-4088-a554-ee4c6fcaf32b

on tgw.tf line 54, in resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw":
54: resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw" {

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-0bb9b82e65ad400f3) Route Table () propagation: error enabling EC2 Transit Gateway Attachment (tgw-attach-0bb9b82e65ad400f3) propagation to Route Table (): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.
status code: 400, request id: d2225b44-01f7-4780-ad6f-532dd1d3f2aa

on tgw.tf line 63, in resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc":
63: resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-spoke-vpc" {

[ewbankkit]

@dmartinezrubio For your Transit Gateway

resource "aws_ec2_transit_gateway" "tgw" {
  description                     = "tgw sec_vpc con el resto de vpc"
  auto_accept_shared_attachments  = "disable"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  dns_support                     = "enable"

  tags = {
    Name = "TGW"
  }
}

disabling both default route table association and propagation means that no TGW default route table is created, so the VPC attachment

resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-att-sec-fw" {
  vpc_id             = aws_vpc.sec-vpc.id
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  subnet_ids         = ["${aws_subnet.private-fw-a.id}","${aws_subnet.private-fw-b.id}"]

  tags = {
    Name = "sec-vpc-attachment"
  }
}

and tgw-att-spoke-vpc should have transit_gateway_default_route_table_association = false and transit_gateway_default_route_table_propagation = false (the default for both these attributes is true).

Alternatively you can enable both default_route_table_association and default_route_table_propagation in the TGW.

[ewbankkit]

We probably should change the code so that transit_gateway_default_route_table_propagation and transit_gateway_default_route_table_association have no effect if the transit gateway has no equivalent default route table.

[dmartinezrubio]

That was my original idea, but if I configure my TGW with default_route_table_association = "enable" & default_route_table_propagation = "enable" and both attachment with transit_gateway_default_route_table_association = false & transit_gateway_default_route_table_propagation = false....all it's deployed but in "transit gw route table" it's created 3 route table [screenshot]. I don't want the first of all (route table without name) and I don't know how to remove in HLC:

[ewbankkit]

@dmartinezrubio That unnamed route table is the TGW's default route table, created implicitly when default_route_table_association = "enable" or default_route_table_propagation = "enable".

Did you try with default_route_table_propagation = "disable", default_route_table_association = "enable" and transit_gateway_default_route_table_association = false, transit_gateway_default_route_table_propagation = false on the VPC attachments?

[dmartinezrubio]

Same result except that the uname RT now has "no" in default propagation RT

[dmartinezrubio]

I solved it. The combination is all disable in Transit Gateway and transit_gateway_default_route_table_association = false, transit_gateway_default_route_table_propagation = false on the VPC attachments

Now I've to solve other questions like the propagations in every attachment but I hope to solve it

Regards

[dmartinezrubio]

is it possible in "aws_ec2_transit_gateway_route_table_propagation" to attach 2 "transit_gateway_attachment_id" & 2 "transit_gateway_route_table_id"?

[dmartinezrubio]

Example: (it fails)
resource "aws_ec2_transit_gateway_route_table_propagation" "sec" {
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.tgw-att-sec-fw.id
transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.sec.id
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.tgw-att-spoke-vpc.id
transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id

[yongzhang]

the same issue

[rmasclef]

I solved it. The combination is all disable in Transit Gateway and transit_gateway_default_route_table_association = false, transit_gateway_default_route_table_propagation = false on the VPC attachments

Now I've to solve other questions like the propagations in every attachment but I hope to solve it

Regards

FYI: This will not work if the TGW is shared (RAM)

[dbgoytia]

Works by adding:

  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

Maybe first steps would be to improve the documentation around this, I can help on it if you guys would like!

[geof2001]

How do you handle this if you don't have a default transit gateway route table? Ours has 3 separate non-default route tables. One of which is for incoming peering attachments where all VPC's get propagated and peering attachments are associated. Then we have environment specific route tables where VPC's are associated & propagated after attachment.

With enable/disable as only option for transit_gateway_default_route_table_association and transit_gateway_default_route_table_propagation I can't enable and then specify the incoming route table for attachment propagation. It only assumes there is a default route table not letting you specify any other route table.

In fact if you try to enable it once they are disabled you get a warning that it needs to replace the TGW.

    # aws_ec2_transit_gateway.tgw_sa_east_1 must be replaced
    -/+ resource "aws_ec2_transit_gateway" "tgw_sa_east_1" {
    .
    .
        ~ default_route_table_association    = "disable" -> "enable" # forces replacement
        ~ default_route_table_propagation    = "disable" -> "enable" # forces replacement

Where as in the UI or CLI you have the option to specify the ID

         DefaultRouteTableAssociation -> (string)
              Enable or disable automatic association with the default associ-
              ation route table.

          AssociationDefaultRouteTableId -> (string)
              The ID of the default association route table.

          DefaultRouteTablePropagation -> (string)
              Enable or disable automatic propagation of routes to the default
              propagation route table.

          PropagationDefaultRouteTableId -> (string)
              The ID of the default propagation route table.

These options let me specify the Id of the route table I want to be the default for either association or propagation.

[yannickvranckx]

To add to this:
If you keep the TGW configuration as:

resource "aws_ec2_transit_gateway" "tgw_euw_3" {
  description                     = var.tgw_desc
  dns_support                     = "enable"
  default_route_table_association = "disable" 
  default_route_table_propagation = "disable"
  tags = {
    Name = var.tgw_name_tag
  }
}

So both parameters are on disable on the TGW resources, this is because otherwise if you create a VPC attachment it will automatically connect itself to the default route table and rout table propagation. This causes an issue that if you create a VPC attachment later down the line, the resource will fail, because Terraform cannot remove it from the default and apply the new route table at the same time.

Now if you deploy the TGW like above, you also have to deploy your VPC attachment like this:

resource "aws_ec2_transit_gateway_vpc_attachment" "infra-test-attachment" {

  subnet_ids                                      = [aws_subnet.eu-west-3a-private.id]
  transit_gateway_id                              = local.tgw_id
  vpc_id                                          = aws_vpc.default.id
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = {
    Name    = var.tgw_info.0
    Side    = var.tgw_info.1
    Project = var.tgw_info.2
  }
}

Otherwise it will give you this error:

MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.

This is telling the module that there is no default route table to attach too, so you need the above on disabled

But you are still not out of the woods: Because each time you plan your environment via terraform, the following will show up:

Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply":
  # aws_ec2_transit_gateway_vpc_attachment.vpc_first_attachment has changed
  ~ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_first_attachment" {
        id                                              = "tgw-attach-1234567890"
      + tags                                            = {}
        # (10 unchanged attributes hidden)
    }
  # aws_ec2_transit_gateway_vpc_attachment.vpc_second_attachment has changed
  ~ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_second_attachment" {
        id                                              = "tgw-attach-1234567890
      + tags                                            = {}
        # (10 unchanged attributes hidden)
    }
Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

[vedimuthan]

To add to this: If you keep the TGW configuration as:

resource "aws_ec2_transit_gateway" "tgw_euw_3" {
  description                     = var.tgw_desc
  dns_support                     = "enable"
  default_route_table_association = "disable" 
  default_route_table_propagation = "disable"
  tags = {
    Name = var.tgw_name_tag
  }
}

So both parameters are on disable on the TGW resources, this is because otherwise if you create a VPC attachment it will automatically connect itself to the default route table and rout table propagation. This causes an issue that if you create a VPC attachment later down the line, the resource will fail, because Terraform cannot remove it from the default and apply the new route table at the same time.

Now if you deploy the TGW like above, you also have to deploy your VPC attachment like this:

resource "aws_ec2_transit_gateway_vpc_attachment" "infra-test-attachment" {

  subnet_ids                                      = [aws_subnet.eu-west-3a-private.id]
  transit_gateway_id                              = local.tgw_id
  vpc_id                                          = aws_vpc.default.id
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = {
    Name    = var.tgw_info.0
    Side    = var.tgw_info.1
    Project = var.tgw_info.2
  }
}

Otherwise it will give you this error:

MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.

This is telling the module that there is no default route table to attach too, so you need the above on disabled

But you are still not out of the woods: Because each time you plan your environment via terraform, the following will show up:

Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply":
  # aws_ec2_transit_gateway_vpc_attachment.vpc_first_attachment has changed
  ~ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_first_attachment" {
        id                                              = "tgw-attach-1234567890"
      + tags                                            = {}
        # (10 unchanged attributes hidden)
    }
  # aws_ec2_transit_gateway_vpc_attachment.vpc_second_attachment has changed
  ~ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_second_attachment" {
        id                                              = "tgw-attach-1234567890
      + tags                                            = {}
        # (10 unchanged attributes hidden)
    }
Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

This worked

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.