
error associating EC2 Transit Gateway Route Table : Resource.AlreadyAssociated #16452

Closed
nmarchini opened this issue Nov 26, 2020 · 6 comments · Fixed by #31452
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone

Comments

@nmarchini

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5

  • provider registry.terraform.io/hashicorp/aws v3.18.0

Affected Resource(s)

  • aws_ec2_transit_gateway_vpc_attachment
  • aws_ec2_transit_gateway_route_table_association

Terraform Configuration Files

data "aws_ec2_transit_gateway_route_table" "security" {
  provider = aws.network

  filter {
    name = "tag:Name"
    values = [
      "*security*"
    ]
  }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "network-account-transit-gateway-attachment" {
  subnet_ids                                      = data.aws_subnet_ids.tgw.ids
  transit_gateway_id                              = var.network_account_transit_gateway_id
  vpc_id                                          = aws_vpc.this.id
# We cannot specify the options below as the TGW is shared via Resource Access Manager
# transit_gateway_default_route_table_association = false
# transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_route_table_association" "spokes" {
  provider = aws.network
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.network-account-transit-gateway-attachment.id
  transit_gateway_route_table_id = data.aws_ec2_transit_gateway_route_table.security.id
}

Debug Output

If you need this please let me know as I can see sensitive data in the TRACE log file.

Expected Behaviour

We share the TGW from one account (network) to a spoke account. We need to make the TGW VPC attachment to the TGW and then modify the route table association.
What I expect with the code above is that the Transit Gateway Attachment is removed from the default TGW route table and attached to the desired TGW route table.

Actual Behaviour

Error: error associating EC2 Transit Gateway Route Table (tgw-rtb-036596be294d1a2fe) association (tgw-attach-0fc5fd286320605e9): Resource.AlreadyAssociated: Transit Gateway Attachment tgw-attach-0fc5fd286320605e9 is already associated to a route table.
	status code: 400, request id: c0e5c857-dcac-4a30-b361-e4b98ac9d1ae

Steps to Reproduce

  1. terraform apply

Important Factoids

TGW is shared via RAM from the network account to the spoke account. The spoke account code has a second AWS provider within the configuration that allows it to assume a role in the network account to update the route table association.

References

  • #0000
@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Nov 26, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 26, 2020
@melaraj2

melaraj2 commented Mar 20, 2021

OK, I have a workaround for this issue, it's ugly but it works.

  1. When you create the attachment it has to be done by the account that is the recipient of the shared TGW.
  2. Then when changing the association, it needs to be done by the account that is sharing the TGW.
  3. But before you do that, you must disassociate the attachment from the default route table.
  4. The only way to pull this off is to run the command using the AWS CLI; here is how I pulled it off with Terraform:
resource "null_resource" "disassociateRt" {
  depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgw-attachment]
  provisioner "local-exec" {
    command="aws ec2 disassociate-transit-gateway-route-table --transit-gateway-route-table-id ${data.aws_ec2_transit_gateway.selected.association_default_route_table_id} --transit-gateway-attachment-id ${aws_ec2_transit_gateway_vpc_attachment.tgw-attachment.id} --profile RoutingAccount;sleep 90"
  }
}

resource "aws_ec2_transit_gateway_route_table_association" "spokeAccountRouteTableAssociation" {
  depends_on = [null_resource.disassociateRt]
  transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.tgw-attachment.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.SpokeAccountAttachmentRoutTable.id
  provider = aws.routing
}

My AWS credentials are stored in ~/.aws/credentials using profiles.

Permanent Fix
Terraform resource aws_ec2_transit_gateway_route_table_association should support an argument to first disassociate the current route table association so that those two operations take place at once. Perhaps remove_current_attachment_association (boolean). It should wait until disassociation is complete to move on with the new association.
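As an added example that is not part of melaraj2's comment or of the provider, here is a POSIX sh replacement for the `sleep 90` in the local-exec command above: it issues the disassociation and then polls `describe-transit-gateway-attachments` until AWS reports no association, so the `aws_ec2_transit_gateway_route_table_association` that follows cannot race a disassociation that is still in flight. It assumes AWS CLI v2 on PATH and credentials for the account that owns the shared TGW (for example `AWS_PROFILE=RoutingAccount`, the profile named in the comment); `AWS_CLI` is an overridable hook of this script, not a CLI feature.

```shell
#!/bin/sh
# Added example (not from the issue or the provider): wait for a real
# disassociation instead of sleeping a fixed 90 seconds.
# Assumptions: AWS CLI v2 on PATH; credentials for the TGW-owning account
# (e.g. AWS_PROFILE=RoutingAccount); AWS_CLI is this script's own hook so the
# logic can be exercised without AWS access.

AWS_CLI="${AWS_CLI:-aws}"

# Current association state of an attachment. The CLI prints "associated",
# "associating", "disassociating", or the literal "None" when no association exists.
association_state() {
  "$AWS_CLI" ec2 describe-transit-gateway-attachments \
    --transit-gateway-attachment-ids "$1" \
    --query 'TransitGatewayAttachments[0].Association.State' \
    --output text
}

# Disassociate an attachment from a route table and poll until the association is gone.
# Args: route-table-id attachment-id [max-polls, default 30] [seconds-between-polls, default 5]
disassociate_and_wait() {
  rtb="$1"; att="$2"; max="${3:-30}"; delay="${4:-5}"
  state=$(association_state "$att")
  if [ "$state" = "None" ]; then
    echo "attachment $att has no association; nothing to do"
    return 0
  fi
  "$AWS_CLI" ec2 disassociate-transit-gateway-route-table \
    --transit-gateway-route-table-id "$rtb" \
    --transit-gateway-attachment-id "$att" >/dev/null
  i=0
  while [ "$i" -lt "$max" ]; do
    state=$(association_state "$att")
    case "$state" in
      None) echo "attachment $att disassociated from $rtb"; return 0 ;;
      disassociating|associated) ;;   # still in flight, keep polling
      *) echo "unexpected association state: $state" >&2; return 1 ;;
    esac
    i=$((i + 1))
    sleep "$delay"
  done
  echo "timed out after $max polls waiting for $att to disassociate" >&2
  return 1
}
```

In the null_resource above, the local-exec `command` would then become `sh disassociate.sh <default-route-table-id> <attachment-id>` with the same Terraform interpolations, and a non-zero exit fails the apply instead of silently proceeding.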

@melaraj2

melaraj2 commented Mar 21, 2021

Another option, if you can modify the transit gateway is to set default_route_table_association to disable as below. If you do that then you don't have to make any additional changes.

resource "aws_ec2_transit_gateway" "routing_transit_gateway" {
  description = "TransactRx Shared TGW"
  tags = {
    Name = "TransactRxSharedTGW"
  }
  auto_accept_shared_attachments = "enable"
  default_route_table_association = "disable"
}

@semyonslepov

Facing the same issue in a similar setup.

Another option, if you can modify the transit gateway is to set default_route_table_association to disable as below

The problem with this approach is that you can't disable default association on the attachment side:

This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways

( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment )

If you set default_route_table_association to false in such a setup, creation of the corresponding ec2_transit_gateway_vpc_attachment_accepter resource will fail (it will look for the default route table).

So yeah, having this in place would help solve the issue I believe:

Terraform resource aws_ec2_transit_gateway_route_table_association should support an argument to first disassociate the current route table association so that those two operations take place at once.

@breathingdust breathingdust added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 16, 2021
@mosheavni

+1 for that
When creating a peering attachment with the aws_ec2_transit_gateway_peering_attachment_accepter resource, it associates the peering to the default route table, and associating it to a new one is just not possible.

@github-actions

github-actions bot commented Jun 9, 2023

This functionality has been released in v5.2.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 10, 2023