ibm_is_vpc_routing_table_route ingress route to VPN not working #4559

Closed
powellquiring opened this issue May 8, 2023 · 3 comments · Fixed by #4564

@powellquiring

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

% tf version
Terraform v1.4.6
on darwin_arm64
+ provider registry.terraform.io/ibm-cloud/ibm v1.52.1

Affected Resource(s)

  • ibm_is_vpc_routing_table_route

Terraform Configuration Files

Terraform example is here: https://github.com/IBM-Cloud/vpc-transit/blob/master/modules/vpn_tf/vpn.tf

Added ingress route in hub to VPN using terraform:

Terraform will perform the following actions:

  # module.enterprise_link_vpn[0].ibm_is_vpc_routing_table_route.transit_tgw_ingress["0"] will be created
  + resource "ibm_is_vpc_routing_table_route" "transit_tgw_ingress" {
      + action          = "deliver"
      + created_at      = (known after apply)
      + creator         = (known after apply)
      + destination     = "192.168.0.0/24"
      + href            = (known after apply)
      + id              = (known after apply)
      + lifecycle_state = (known after apply)
      + name            = "zus-south-1-to-enterprise"
      + next_hop        = "0717-a8415a69-5b96-4574-86ad-2a2e505246ef"
      + origin          = (known after apply)
      + route_id        = (known after apply)
      + routing_table   = "r006-2c356bc2-dfa5-4130-9202-a2be0cfc1c40"
      + vpc             = "r006-b4a17eb1-9612-4b05-bb78-bbdb910074b9"
      + zone            = "us-south-1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
module.enterprise_link_vpn[0].ibm_is_vpc_routing_table_route.transit_tgw_ingress["0"]: Creating...
╷
│ Error: Routing table route validation failed -  route with a next_hop associated with a VPN connection can not be added to the routing table with one of the ingress flags enabled
│
│   with module.enterprise_link_vpn[0].ibm_is_vpc_routing_table_route.transit_tgw_ingress["0"],
│   on ../modules/vpn_tf/vpn.tf line 140, in resource "ibm_is_vpc_routing_table_route" "transit_tgw_ingress":
│  140: resource "ibm_is_vpc_routing_table_route" "transit_tgw_ingress" {
│

Trying the following from the CLI, notice the VPC and Route Table are the same as the ones above. This worked:

V=r006-b4a17eb1-9612-4b05-bb78-bbdb910074b9
IRT=r006-2c356bc2-dfa5-4130-9202-a2be0cfc1c40
ibmcloud is vpc-routing-table-update $V $IRT --accept-routes-from-resource-type-filters vpn_gateway

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please share a link to the ZIP file.
@github-actions github-actions bot added the service/VPC Infrastructure Issues related to the VPC Infrastructure label May 8, 2023
@astha-jain astha-jain self-assigned this May 8, 2023
@powellquiring
Author

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route#example-usage

  • The docs are not clear. It looks like this would be required to set up an ingress to VPN gateway (ibm_is_vpn_gateway_connection) but I can not figure out how to use this:
    image

@SunithaGudisagarIBM1
Contributor

SunithaGudisagarIBM1 commented May 10, 2023

Hi @powellquiring,

Yes, I was able to reproduce the issue and will update the doc with the correct example.

Thank you
Sunitha

resource "ibm_is_vpc" "example" {
  name = "example-vpc"
}

resource "ibm_is_subnet" "testacc_subnet1" {
  name            = "example-subnet"
  vpc             = ibm_is_vpc.example.id
  zone            = "us-south-1"
  ipv4_cidr_block = "10.240.0.0/24"
}

resource "ibm_is_vpn_gateway" "testacc_VPNGateway1" {
  name   = "example-gateway"
  subnet = ibm_is_subnet.testacc_subnet1.id
  mode   = "route"
}

resource "ibm_is_vpn_gateway_connection" "testacc_VPNGatewayConnection1" {
  name          = "example-gateway-connection"
  vpn_gateway   = ibm_is_vpn_gateway.testacc_VPNGateway1.id
  peer_address  = ibm_is_vpn_gateway.testacc_VPNGateway1.public_ip_address
  preshared_key = "VPNDemoPassword"
}

resource "ibm_is_vpc_routing_table" "example" {
  vpc                           = ibm_is_vpc.example.id
  name                          = "example-routing-table"
  route_direct_link_ingress     = true # only difference from the working setup below
  route_transit_gateway_ingress = false
  route_vpc_zone_ingress        = false
}

resource "ibm_is_vpc_routing_table_route" "example" {
  vpc           = ibm_is_vpc.example.id
  routing_table = ibm_is_vpc_routing_table.example.routing_table
  zone          = "us-south-1"
  name          = "custom-route-2"
  destination   = "192.168.4.0/24"
  action        = "deliver"
  // next_hop      = "10.240.0.0" //ibm_is_vpn_gateway_connection.example.gateway_connection // Example value "10.0.0.4" 
  next_hop = ibm_is_vpn_gateway_connection.testacc_VPNGatewayConnection1.gateway_connection 
}

With the below setup, the configuration works fine.

resource "ibm_is_vpc" "example" {
  name = "example-vpc"
}

resource "ibm_is_subnet" "testacc_subnet1" {
  name            = "example-subnet"
  vpc             = ibm_is_vpc.example.id
  zone            = "us-south-1"
  ipv4_cidr_block = "10.240.0.0/24"
}

resource "ibm_is_vpn_gateway" "testacc_VPNGateway1" {
  name   = "example-gateway"
  subnet = ibm_is_subnet.testacc_subnet1.id
  mode   = "route"
}

resource "ibm_is_vpn_gateway_connection" "testacc_VPNGatewayConnection1" {
  name          = "example-gateway-connection"
  vpn_gateway   = ibm_is_vpn_gateway.testacc_VPNGateway1.id
  peer_address  = ibm_is_vpn_gateway.testacc_VPNGateway1.public_ip_address
  preshared_key = "VPNDemoPassword"
}

resource "ibm_is_vpc_routing_table" "example" {
  vpc                           = ibm_is_vpc.example.id
  name                          = "example-routing-table"
  route_direct_link_ingress     = false
  route_transit_gateway_ingress = false
  route_vpc_zone_ingress        = false
}

resource "ibm_is_vpc_routing_table_route" "example" {
  vpc           = ibm_is_vpc.example.id
  routing_table = ibm_is_vpc_routing_table.example.routing_table
  zone          = "us-south-1"
  name          = "custom-route-2"
  destination   = "192.168.4.0/24"
  action        = "deliver"
  // next_hop      = "10.240.0.0" //ibm_is_vpn_gateway_connection.example.gateway_connection // Example value "10.0.0.4" 
  next_hop = ibm_is_vpn_gateway_connection.testacc_VPNGatewayConnection1.gateway_connection 
}
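
The combination reported in this issue can be caught before apply. The following is an added example, not code from the thread or the provider: a Python check over the "configuration" section of `terraform show -json` output that flags any ibm_is_vpc_routing_table_route whose next_hop references a VPN gateway connection while its routing table has an ingress flag set. It assumes flags are written as literal `true` and that resources reference each other directly; find_conflicts and the sample resource names are hypothetical.

```python
TABLE, ROUTE = "ibm_is_vpc_routing_table", "ibm_is_vpc_routing_table_route"
INGRESS_FLAGS = ("route_direct_link_ingress", "route_transit_gateway_ingress",
                 "route_vpc_zone_ingress")

def _modules(module):
    """Yield a module and, recursively, every child module it calls."""
    yield module
    for call in module.get("module_calls", {}).values():
        yield from _modules(call.get("module", {}))

def find_conflicts(plan):
    """Return (route, table, enabled_flags) for VPN next hops on ingress tables."""
    conflicts = []
    for mod in _modules(plan["configuration"]["root_module"]):
        resources = mod.get("resources", [])
        ingress = {}  # table address -> ingress flags set to a literal true
        for res in resources:
            expr = res.get("expressions", {})
            on = [f for f in INGRESS_FLAGS
                  if expr.get(f, {}).get("constant_value") is True]
            if res["type"] == TABLE and on:
                ingress[res["address"]] = on
        for res in resources:
            expr = res.get("expressions", {})
            hops = expr.get("next_hop", {}).get("references", [])
            if res["type"] != ROUTE or not any(
                    h.startswith("ibm_is_vpn_gateway_connection.") for h in hops):
                continue
            # Addresses are module-relative, so match only within this module.
            for ref in expr.get("routing_table", {}).get("references", []):
                if ref in ingress:
                    conflicts.append((res["address"], ref, ingress[ref]))
    return conflicts

def _res(rtype, name, **expressions):
    """Build one constructed configuration entry in plan-JSON shape."""
    return {"address": f"{rtype}.{name}", "type": rtype, "expressions": expressions}

def _refs(address, attr):
    return {"references": [f"{address}.{attr}", address]}

VPN_HOP = _refs("ibm_is_vpn_gateway_connection.c1", "gateway_connection")
# Constructed sample: one ingress table (as in the failing config), one plain table.
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    _res(TABLE, "ingress", route_direct_link_ingress={"constant_value": True}),
    _res(TABLE, "plain", route_direct_link_ingress={"constant_value": False}),
    _res(ROUTE, "bad", next_hop=VPN_HOP, routing_table=_refs(f"{TABLE}.ingress", "routing_table")),
    _res(ROUTE, "ok", next_hop=VPN_HOP, routing_table=_refs(f"{TABLE}.plain", "routing_table")),
]}}}
```
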

@SunithaGudisagarIBM1
Contributor

#4564
