private_propagating_vgws

[jgrill]

I'm having trouble using the following with this module:

resource "aws_vpn_gateway_route_propagation" "SpokeA" {
  count          = "${length(module.spokeA.private_route_table_ids)}"
  vpn_gateway_id = "${module.spokeA.vgw_id}"
  route_table_id = "${element(module.spokeA.private_route_table_ids, count.index)}"
}

The problem I'm having is every other time I run Terraform the propagation is turned off and then on again.

I noticed private_propagating_vgws in the variables and main.tf of this module but am a bit puzzled as to how to use this parameter in combination with enable_vpn_gateway="true".

Can someone provide an example of the correct way to enable route propagation on the route tables associated with the VPC created by this module?

[ohaiwalt]

@jgrill I'm experiencing something similar, I think. Here's my currently working VPC using both the options you mentioned:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "1.23.0"

  name = "${var.environment}-vpc"
  cidr = "${var.vpc_cidr}"

  azs              = "${var.vpc_azs}"
  public_subnets   = "${var.vpc_public_subnets}"
  private_subnets  = "${var.vpc_private_subnets}"
  database_subnets = "${var.vpc_database_subnets}"

  enable_nat_gateway = true
  enable_vpn_gateway = true

  propagate_public_route_tables_vgw  = true
  propagate_private_route_tables_vgw = true

  tags = {
    Terraform   = "true"
    Environment = "${var.environment}"
  }
}

I have noticed I have multiple subnets and route tables, but only the default route table is affected.

Terraform will perform the following actions:

  ~ module.vpc.aws_default_route_table.this
      propagating_vgws.#:          "1" => "0"
      propagating_vgws.3429146190: "vgw-8423d7ed" => ""
      tags.Name:                   "foo-vpc-private-us-east-1a" => "foo-vpc-default"


Plan: 0 to add, 1 to change, 0 to destroy.

[ohaiwalt]

@antonbabenko any thoughts here? It appears that somehow the interaction w/the default route table is affecting propagating routes.

[antonbabenko]

First, thanks for opening this one. VPN is more complicated than other types of issues and it is harder to debug (at least for me), so I need your help to triage this one.

Looking into previous releases and trying to understand when things broke:

1. v1.19.0...v1.20.0 - Add default route table resource. Does v1.20.0 work as expected?
2. v1.22.0...v1.23.0 - propagating_vgws were moved in aws_vpn_gateway_route_propagation from aws_route_table. Does v1.22.0 work as expected? If it does then we need to add this block:

variable "propagate_default_route_tables_vgw" {
  description = "Should be true if you want route table propagation"
  default     = false
}

resource "aws_vpn_gateway_route_propagation" "default" {
  count = "${var.create_vpc && var.propagate_default_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0}"

  route_table_id = "${element(aws_default_route_table.this.*.id, count.index)}"
  vpn_gateway_id = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id), count.index)}"
}

Can you guys try it out on your setup and say if it works?

[ohaiwalt]

Appreciate the quick response, I've got a dev environment that's available. Will give those versions a shot and report back.

[ohaiwalt]

Using the following vpc definition, the result was no longer flip-flopping on route propagation but still not desired result. Public routes were propagating, private routes are not. Does this config look correct for this version?

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "1.22.0"

  name = "${var.environment}-vpc"
  cidr = "${var.vpc_cidr}"

  azs              = "${var.vpc_azs}"
  public_subnets   = "${var.vpc_public_subnets}"
  private_subnets  = "${var.vpc_private_subnets}"
  database_subnets = "${var.vpc_database_subnets}"

  enable_nat_gateway = true
  enable_vpn_gateway = true

  private_propagating_vgws = ["${module.vpc.vgw_id}"]
  public_propagating_vgws = ["${module.vpc.vgw_id}"]

  tags = {
    Terraform   = "true"
    Environment = "${var.environment}"
  }
}

There was still flip-flopping for subnet names and default names, but routes were deterministic, if incorrect.

  ~ module.vpc.aws_default_route_table.this
      tags.Name: "foo-vpc-private-us-east-1c" => "foo-vpc-default"

Results for versions 1.22.0 and 1.20.0 were the same, 1.19.0 was fully idempotent with the removal of the default resources.

[antonbabenko]

Right, so let's look into how to improve version 1.23.0.

I don't quite understand does it work well when you add the proposed piece of code into it? propagate_private_route_tables_vgw and propagate_public_route_tables_vgw should be also set to true.

[ohaiwalt]

Sorry, I misunderstood a bit there. I didn't think to pull down the module and add the code. After doing so, and setting the propagate_default_route_tables_vgw var to true, the flip-flop is still happening. The following are two subsequent runs of terraform apply:

Terraform will perform the following actions:

  ~ module.vpc.aws_default_route_table.this
      tags.Name:      "foo-vpc-private-us-east-1c" => "foo-vpc-default"

  + module.vpc.aws_vpn_gateway_route_propagation.default
      id:             <computed>
      route_table_id: "rtb-8647eafb"
      vpn_gateway_id: "vgw-9b23d7f2"

  + module.vpc.aws_vpn_gateway_route_propagation.private[2]
      id:             <computed>
      route_table_id: "rtb-8647eafb"
      vpn_gateway_id: "vgw-9b23d7f2"


Plan: 2 to add, 1 to change, 0 to destroy.

Terraform will perform the following actions:

  ~ module.vpc.aws_default_route_table.this
      propagating_vgws.#:          "1" => "0"
      propagating_vgws.3924747615: "vgw-9b23d7f2" => ""

  ~ module.vpc.aws_route_table.private[2]
      tags.Name:                   "foo-vpc-default" => "foo-vpc-private-us-east-1c"


Plan: 0 to add, 2 to change, 0 to destroy.

[antonbabenko]

@ohaiwalt Could you please try code from #94 ? I have tried it, updated examples to include VPN in complete example and it seems to work as expected.

[antonbabenko]

@ohaiwalt You can test it like this:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "1.24.0-pre"

  # the rest...
}

[ohaiwalt]

@antonbabenko looks like that one did it! Only one change:

Terraform will perform the following actions:

  ~ module.vpc.aws_default_route_table.this
      tags.Name: "foo-vpc-private-us-east-1c" => "foo-vpc-default"


Plan: 0 to add, 1 to change, 0 to destroy.

[antonbabenko]

Yes, but tag name should be changed just once as far as I understand. When I run complete example it does not try to change it at least. Could you try it and I will release version 1.24.0 as stable.

[DrFaust92]

Closing this, if any one is still having issues with this in the the latest provider version please open a new issue

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.