Creating a shared TGW across multiple AWS accounts fails

[chris-mac]

Description

Using this module to create a shared TGW across multiple AWS account fails.

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

• Terraform: 1.0.10

• Provider(s): 3.64.1

• Module: v2.5.0

Reproduction

Steps to reproduce the behavior:

• Use the module to create a TGW in account A
• Use the module to associate a VPC in account B with the TGW in account A
  All per the multi-account example

Expected behavior

A TGW is created in account A and we get a successful association with VPC in account B

Actual behavior

Routes and resources are not created

Probably related to:
#47

This may not strictly be a bug and needs some clarity of intended behaviour.
Our common set up would be to create the TGW resource in Account A using terraform to call in the module and be held in its own state file e.g.

Account A

module "tgw" {
  source  = "terraform-aws-modules/transit-gateway/aws"

  name            = "account-a-tgw"
  description     = "account-a-tgw"
  amazon_side_asn = 66666
  enable_auto_accept_shared_attachments = true

  vpc_attachments = {
    vpc1 = {
      vpc_id                                              = data.aws_vpc.default.id 
      subnet_ids                                       = data.aws_subnet_ids.this.ids
      dns_support                                    = true
      ipv6_support                                    = false
      transit_gateway_default_route_table_association = true
      transit_gateway_default_route_table_propagation = true
      vpc_route_table_ids                         = data.aws_route_tables.rts.ids
      # Route all internal traffic across TGW
      tgw_destination_cidr                  = "172.0.0.0/8"
      # Add TGW route for account A VPC
      tgw_routes = [
        {
          destination_cidr_block = "172.16.0.0/16"
        }
      ]
    }
  }
  ram_allow_external_principals = false
  ram_principals                = ["xxxxxxxxxx"]

  tags = {
    Purpose = "tgw-complete-example"
  }
}

Account B

## Lookup Account A TGW
data "aws_ec2_transit_gateway" "tgw" {
  filter {
    name   = "owner-id"
    values = ["50000000000"]
  }
  filter {
    name   = "options.amazon-side-asn"
    values = ["6666666"]
  }
  tags = {
    Name = "account-a-tgw"
    description = "account-a-tgw"
  }
}


## Use tgw module to set up tgw
module "tgw" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  name            = "account-b-tgw-association"
  description     = "account-b-tgw-association"
  amazon_side_asn = 66666
  create_tgw  = false
  share_tgw   = false
  transit_gateway_id = data.aws_ec2_transit_gateway.tgw.id
  vpc_attachments = {
    vpc1 = {
      vpc_id                                              = data.aws_vpc.default.id 
      subnet_ids                                       = data.aws_subnet_ids.this.ids
      dns_support                                    = true
      ipv6_support                                    = false
      vpc_route_table_ids                         = data.aws_route_tables.rts.ids
      # Route all internal traffic across TGW
      tgw_destination_cidr                  = "172.0.0.0/8"
    }
 }
}

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[zeysh]

This may be related to hashicorp/terraform-provider-aws#20499

[luedigernet]

I run into the exact same issue. root cause is that line 126 & 134 the following fails because the indexed access is not available since the resource got not created when create tgw is set to false

transit_gateway_route_table_id = coalesce(lookup(each.value, "transit_gateway_route_table_id", null), var.transit_gateway_route_table_id, aws_ec2_transit_gateway_route_table.this[0].id)

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.