Separate resources for vpn gateway and vpn gateway attachement

[lbernail]

Hi

We have been looking for a way to fully create a vpc (with subnets, routing tables, NACLs...) with terraform but reuse an existing vpn gateway. The reason why we can't create the gateway in terraform is that we already have configured the VPN connections and cannot easily reconfigure our firewall (creating a new connection with terraform would generate new ipsec secrets). In several cases we also have directconnect VIFs linked with a VPN gateway and cannot recreate the gateway easily.

Today it does not look like it is possible to attach an existing vpn gateway to a vpc with terraform (there is no aws_vpn_gateway_attachment resource). Did we miss something? As a workaround we use a local_provisioner on the vpc resource to attach the gateway but it would be a lot easier with an attachement resource.

[jonapich]

The trick is to create an identical resource in another account, or using slightly different settings that don't conflict. Then you should be able to edit the .tfstate file and change the id of the identical to the existing resource (if you used the same account, also change the little bits that made it different in your .tf and .tfstate files). Then, when you run terraform plan, it should be tricked into thinking the resource is the one it provisioned.

I have yet to try this trick out ;) But that's what I read elsewhere. Good luck!

[lbernail]

Thanks @muikrad! There is probably a way to work around this issue by manipulating the state file but I was trying to find a solution that was not too much of a hack

If anyone else faces this in the future here is the solution we ended up choosing:

Add a local-exec provisioner in the vpc resource

resource "aws_vpc" "main" {
    cidr_block = "${var.vpc_cidr}"
    provisioner "local-exec" {
        command = "./attach_gateway.sh ${aws_vpc.main.id} ${var.vpn_gw}"
    }
}

Use the following script to attach the gateway and wait for the attachement

#!/bin/bash

if [ $# -ne 2 ]
then
    echo "Usage: $0 <target_vpc> <vpn_gateway_id>"
    exit 1
fi

vpc=$1
gw=$2
timeout=60

cur_vpc=$(aws ec2 describe-vpn-gateways --vpn-gateway-ids $gw \
                                      --filters "Name=attachment.state,Values=attached" \
                                      --query "VpnGateways[0].VpcAttachments[0].VpcId" \
                                      --output text)

ret=$?
[ $ret -ne 0 ] && exit $ret

if [ "$cur_vpc" != 'None' ]
then
    if [ "$cur_vpc" == "$vpc" ]
    then
        echo "Already attached to target VPC"
        exit 0
    else
        echo "ERROR: Attached to another VPC" >&2
        exit 1
    fi
fi


echo "Attaching"
aws ec2 attach-vpn-gateway --vpn-gateway-id $gw --vpc-id $vpc > /dev/null || exit

i=0
while [ $(($i*5)) -lt $timeout ]
do
    state=$(aws ec2 describe-vpn-gateways --vpn-gateway-ids $gw \
                                          --query "VpnGateways[0].VpcAttachments[0].State" \
                                          --filters "Name=attachment.vpc-id,Values=$vpc" \
                                          --output text)
    if [ "$state" == "attached" ]
    then
        exit 0
    else
        sleep 5
        i=$(($i+1))
    fi
done

exit 2

The script exits with non-zero exit codes when there is an issue, which stops terraform (which is what we want in our case because we need an attached gateway to configure routes)

This is far from ideal but it works fine (main limitation: we cannot destroy the vpc because the gateway remains attached)

[bryanlovely]

We have the same issue -- our Direct Connect Virtual Interfaces are fixed and require a permanent Virtual Private Gateway. Therefore, we need a way to build a VPC, attach the pre-existing VPG, then build the route tables that include the VPG. And then on destruction we need a way to automatically detach the VPG.

It looks like @lbernail 's script will work, except for destruction. During the development phase, not being able to fully destroy all resources via Terraform will throw a spanner in the works.

May I suggest adding

attached_vpg_id - (Optional) The ID of a pre-existing Virtual Private Gateway to attach to the VPN.

to the aws_vpc definition.

[ddura]

+1 on the feature. We manage a set of VPNs in AWS (and associated VPN Gateways and Customer Gateways) and don't have the ability to destroy/recreate those (secrets, etc. as mentioned above.) Would like to have a resource to just attach (and detach on destroy) an existing VPN Gateway to a VPC that is being created in terraform.

[clairedai]

We encounter the same issue here. +1. It is quite common in corporate infrastructure. only existing VGW can be used

[ghost]

Yet another vote for this additional resource. We have existing Direct Connect interfaces with associated Virtual Private Gateway's that we need to manually attach/detach whenever we execute our Terraform code.

This really should be as simple as the solution described by @bryanlovely

[dhait]

Same boat here. Adding/deleting VPN's messes with our router configuration, so we leave the gateway unattached until needed.

[kwilczynski]

I am happy to announce that his has been resolved via #7870 .

[stack72]

<3 that this can be closed! Thanks @kwilczynski

[lbernail]

Very good news. Thank you!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.