[Bug]: aws_ec2_transit_gateway_peering_attachment options block causes 400 error

[madchap]

Terraform Core Version

OpenTofu 1.8.8

AWS Provider Version

5.86.1

Affected Resource(s)

• aws_ec2_transit_gateway_peering_attachment

I am specifying right away that I am using eu-central-2 (main below, opt-in), and I've had my share of issues with it. The 2nd region (DR) is eu-central-1.

The first time the plan got applied, dynamic_routing was disabled. So I applied the option to enable it. This forces a replacement. Deletion went through, and was greeted with the following upon the re-creation attempt:

Error: creating EC2 Transit Gateway Peering Attachment: operation error EC2: CreateTransitGatewayPeeringAttachment, https response error StatusCode: 400, RequestID: eb6353cf-41d2-496f-a82d-b7d0b725333c, api error IncorrectState: You cannot create a dynamic peering attachment.
  │
  │   with module.transit-gateways-cross-region-peering[0].aws_ec2_transit_gateway_peering_attachment.main_region,
  │   on x-region-transit-peering/x-tgw-attachements.tf line 1, in resource "aws_ec2_transit_gateway_peering_attachment" "main_region":
  │    1: resource "aws_ec2_transit_gateway_peering_attachment" "main_region" {

I have the following code, which worked the first time around:

resource "aws_ec2_transit_gateway_peering_attachment" "main_region" {
    # euc2 initiates the peering request

    peer_account_id         = data.aws_ec2_transit_gateway.dr_region.owner_id
    peer_region             = data.aws_region.dr_region.name
    peer_transit_gateway_id = data.aws_ec2_transit_gateway.dr_region.id
    transit_gateway_id      = data.aws_ec2_transit_gateway.main_region.id
    options {
        dynamic_routing = "enable"
    }

    tags = { 
        Name = "EUC1 <-> EUC2 Peering",
        Side = "Requestor" 
    }
}

resource "aws_ec2_transit_gateway_peering_attachment_accepter" "dr_region" {
    # dr accepts the pending request
    provider = aws.dr

    transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.main_region.id

    tags = { Side = "Acceptor" }
}

data "aws_ec2_transit_gateway" "main_region" {
  filter {
    name   = "options.amazon-side-asn"
    values = ["64532"]
  }
}

data "aws_ec2_transit_gateway" "dr_region" {
    provider = aws.dr
  
    filter {
        name   = "options.amazon-side-asn"
        values = ["64533"]
    }
}

data "aws_ec2_transit_gateway_peering_attachment" "dr_region" {
    provider = aws.dr

    filter {
        name   = "transit-gateway-id"
        values = [ data.aws_ec2_transit_gateway.dr_region.id ]
    }

    depends_on = [ aws_ec2_transit_gateway_peering_attachment.main_region ]
}

data "aws_region" "main" {}

data "aws_region" "dr_region" {
    provider = aws.dr
}

Expected Behavior

The re-creation would go through, as the resources are in "Deleted" state, they can be re-created.
Passing the options block works as expected to enable or disable dynamic routing.

Actual Behavior

I can no longer create TGW peering between the regions if specifying the options block.

Terraform Configuration Files

All above normally.

I isolated the run to just this module, which is all the configuration pasted above. Given nothing else has changed, I can only assume the "Deleted"

Steps to Reproduce

• Pick the eu-central-2 (main) and eu-central-1 (dr) regions and no other. (just had some undocumented behavior with AWS managed Grafana because of euc2 confirmed by AWS, so...).
• Create TGWs
• Change the dynamic option
• Re-apply the plan. It should force a replacement.
• Observe you can't recreate

Debug Output

gpg encrypted debug log.

tf_run_gpg.log

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[madchap]

So I guess ultimately, I lied.

I just commented out the options block:

    # options {
    #     dynamic_routing = "enable"
    # }

and it works 🤷

Somewhat unexpected possibly, is that dynamic routing is disabled by default?

[justinretzolk]

Hey @madchap 👋 Thank you for taking the time to raise this! Based on your update, it seems like we're okay to close this. To be sure, can you confirm that before I do so?

[madchap]

I am not sure. Is it normal that we cannot use the options block, whereas it is documented?

[justinretzolk]

@madchap I looked around a bit to try to find some more solid information, but I'm still not 100% sure this is the whole picture. I'll link to all of the information I've found so far below and hopefully that'll either answer the question or help until someone from the team/community has more of an opportunity to look into it.

These AWS documents seem to indicate that peered transit gateways require static routes:

• Transit gateway peering attachments in Amazon VPC Transit Gateways
• Add a route to a transit gateway route table using Amazon VPC Transit Gateways
• How Amazon VPC Transit Gateways work

...and these ones seem to indicate that dynamic routing can be used when setting up peering between a transit gateway and Cloud WAN:

• Peerings in AWS Cloud WAN
• Transit gateway policy tables in Amazon VPC Transit Gateways