Merge pull request #9224 from anouvel/transit_gateway_blackhole_route

Add support for Transit gateway blackhole route
hashicorp · Jul 4, 2019 · 61d69b9 · 61d69b9
2 parents 4debbe3 + 7fa6514
commit 61d69b9
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 3 deletions.
diff --git a/aws/resource_aws_ec2_transit_gateway_route.go b/aws/resource_aws_ec2_transit_gateway_route.go
@@ -28,9 +28,15 @@ func resourceAwsEc2TransitGatewayRoute() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
+			"blackhole": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: true,
+				Default:  false,
+			},
 			"transit_gateway_attachment_id": {
 				Type:         schema.TypeString,
-				Required:     true,
+				Optional:     true,
 				ForceNew:     true,
 				ValidateFunc: validation.NoZeroValues,
 			},
@@ -52,6 +58,7 @@ func resourceAwsEc2TransitGatewayRouteCreate(d *schema.ResourceData, meta interf
 
 	input := &ec2.CreateTransitGatewayRouteInput{
 		DestinationCidrBlock:       aws.String(destination),
+		Blackhole:                  aws.Bool(d.Get("blackhole").(bool)),
 		TransitGatewayAttachmentId: aws.String(d.Get("transit_gateway_attachment_id").(string)),
 		TransitGatewayRouteTableId: aws.String(transitGatewayRouteTableID),
 	}
@@ -130,8 +137,10 @@ func resourceAwsEc2TransitGatewayRouteRead(d *schema.ResourceData, meta interfac
 	d.Set("transit_gateway_attachment_id", "")
 	if len(transitGatewayRoute.TransitGatewayAttachments) > 0 && transitGatewayRoute.TransitGatewayAttachments[0] != nil {
 		d.Set("transit_gateway_attachment_id", transitGatewayRoute.TransitGatewayAttachments[0].TransitGatewayAttachmentId)
+		d.Set("blackhole", false)
+	} else {
+		d.Set("blackhole", true)
 	}
-
 	d.Set("transit_gateway_route_table_id", transitGatewayRouteTableID)
 
 	return nil

diff --git a/aws/resource_aws_ec2_transit_gateway_route_test.go b/aws/resource_aws_ec2_transit_gateway_route_test.go
@@ -25,6 +25,7 @@ func TestAccAWSEc2TransitGatewayRoute_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAWSEc2TransitGatewayRouteExists(resourceName, &transitGatewayRoute1),
 					resource.TestCheckResourceAttr(resourceName, "destination_cidr_block", "0.0.0.0/0"),
+					resource.TestCheckResourceAttr(resourceName, "blackhole", "false"),
 					resource.TestCheckResourceAttrPair(resourceName, "transit_gateway_attachment_id", transitGatewayVpcAttachmentResourceName, "id"),
 					resource.TestCheckResourceAttrPair(resourceName, "transit_gateway_route_table_id", transitGatewayResourceName, "association_default_route_table_id"),
 				),
@@ -38,6 +39,35 @@ func TestAccAWSEc2TransitGatewayRoute_basic(t *testing.T) {
 	})
 }
 
+func TestAccAWSEc2TransitGatewayRoute_blackhole(t *testing.T) {
+	var transitGatewayRoute1 ec2.TransitGatewayRoute
+	resourceName := "aws_ec2_transit_gateway_route.test_blackhole"
+	transitGatewayResourceName := "aws_ec2_transit_gateway.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckAWSEc2TransitGateway(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSEc2TransitGatewayRouteDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSEc2TransitGatewayRouteConfigDestinationCidrBlock(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSEc2TransitGatewayRouteExists(resourceName, &transitGatewayRoute1),
+					resource.TestCheckResourceAttr(resourceName, "destination_cidr_block", "10.1.0.0/16"),
+					resource.TestCheckResourceAttr(resourceName, "blackhole", "true"),
+					resource.TestCheckResourceAttr(resourceName, "transit_gateway_attachment_id", ""),
+					resource.TestCheckResourceAttrPair(resourceName, "transit_gateway_route_table_id", transitGatewayResourceName, "association_default_route_table_id"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccAWSEc2TransitGatewayRoute_disappears(t *testing.T) {
 	var transitGateway1 ec2.TransitGateway
 	var transitGatewayRoute1 ec2.TransitGatewayRoute
@@ -212,5 +242,11 @@ resource "aws_ec2_transit_gateway_route" "test" {
   transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.test.id}"
   transit_gateway_route_table_id = "${aws_ec2_transit_gateway.test.association_default_route_table_id}"
 }
+
+resource "aws_ec2_transit_gateway_route" "test_blackhole" {
+  destination_cidr_block         = "10.1.0.0/16"
+  blackhole                      = true
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway.test.association_default_route_table_id}"
+}
 `)
 }
diff --git a/website/docs/r/ec2_transit_gateway_route.html.markdown b/website/docs/r/ec2_transit_gateway_route.html.markdown
@@ -12,6 +12,8 @@ Manages an EC2 Transit Gateway Route.
 
 ## Example Usage
 
+### Standard usage
+
 ```hcl
 resource "aws_ec2_transit_gateway_route" "example" {
   destination_cidr_block         = "0.0.0.0/0"
@@ -20,12 +22,23 @@ resource "aws_ec2_transit_gateway_route" "example" {
 }
 ```
 
+### Blackhole route
+
+```hcl
+resource "aws_ec2_transit_gateway_route" "example" {
+  destination_cidr_block         = "0.0.0.0/0"
+  blackhole                      = true
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway.example.association_default_route_table_id}"
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
 
 * `destination_cidr_block` - (Required) IPv4 CIDR range used for destination matches. Routing decisions are based on the most specific match.
-* `transit_gateway_attachment_id` - (Required) Identifier of EC2 Transit Gateway Attachment.
+* `transit_gateway_attachment_id` - (Optional) Identifier of EC2 Transit Gateway Attachment (required if `blackhole` is set to false).
+* `blackhole` - (Optional) Indicates whether to drop traffic that matches this route (default to `false`).
 * `transit_gateway_route_table_id` - (Required) Identifier of EC2 Transit Gateway Route Table.
 
 ## Attribute Reference