Terraform template for AWS route table

I have created a route table with routing rules that refer to an existing internet gateway (IGW), and the route table is associated with a new VPC created via the TF template. However, the same IGW is already attached to another VPC. When I apply the template it throws the following error:

Error: Error creating route: InvalidParameterValue: route table "X" and network gateway "Y" belong to different networks
status code: 400, request id: ab91c2ab-ef1e-4905-8a78-b6759bc1e250

Is this because an internet gateway can be attached to only a single VPC and has to reside within the same VPC? Or is this error caused by some other reason?

Jason Nanay asked Sep 19 '25 00:09


2 Answers

Try the code below with Terraform.

It has a VPC, IGW, subnets, route tables and a NAT gateway.

It works well.

variable "region" {
  default = "us-east-1"
}

variable "service_name" {
  default = "demo-service"
}

locals {
  # Availability zone => CIDR; one public and one private subnet per AZ.
  public_subnets = {
    "${var.region}a" = "10.10.101.0/24"
    "${var.region}b" = "10.10.102.0/24"
    "${var.region}c" = "10.10.103.0/24"
  }
  private_subnets = {
    "${var.region}a" = "10.10.201.0/24"
    "${var.region}b" = "10.10.202.0/24"
    "${var.region}c" = "10.10.203.0/24"
  }
}

resource "aws_vpc" "this" {
  cidr_block = "10.10.0.0/16"

  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "${var.service_name}-vpc"
  }
}

# The IGW is created in, and therefore attached to, this VPC. An IGW can be
# attached to only one VPC, which is why reusing one from another VPC fails.
resource "aws_internet_gateway" "this" {
  vpc_id = aws_vpc.this.id

  tags = {
    Name = "${var.service_name}-internet-gateway"
  }
}

resource "aws_subnet" "public" {
  count      = length(local.public_subnets)
  cidr_block = element(values(local.public_subnets), count.index)
  vpc_id     = aws_vpc.this.id

  map_public_ip_on_launch = true
  availability_zone       = element(keys(local.public_subnets), count.index)

  tags = {
    Name = "${var.service_name}-service-public"
  }
}

resource "aws_subnet" "private" {
  count      = length(local.private_subnets)
  cidr_block = element(values(local.private_subnets), count.index)
  vpc_id     = aws_vpc.this.id

  # Private subnets reach the internet only through the NAT gateway, so
  # instances launched here must not receive public IPs (was "true" above).
  map_public_ip_on_launch = false
  availability_zone       = element(keys(local.private_subnets), count.index)

  tags = {
    Name = "${var.service_name}-service-private"
  }
}

# Reuse the VPC's main route table as the public route table.
resource "aws_default_route_table" "public" {
  default_route_table_id = aws_vpc.this.main_route_table_id

  tags = {
    Name = "${var.service_name}-public"
  }
}

# One default route to the IGW. A route table can hold only one 0.0.0.0/0
# route, so this resource is not repeated per subnet (a count here would try
# to create duplicate routes on the same table).
resource "aws_route" "public_internet_gateway" {
  route_table_id         = aws_default_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.this.id

  timeouts {
    create = "5m"
  }
}

resource "aws_route_table_association" "public" {
  count          = length(local.public_subnets)
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_default_route_table.public.id
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.this.id

  tags = {
    Name = "${var.service_name}-private"
  }
}

resource "aws_route_table_association" "private" {
  count          = length(local.private_subnets)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

# Elastic IP for the NAT gateway ("vpc = true" is the legacy argument;
# AWS provider 5.x spells it domain = "vpc").
resource "aws_eip" "nat" {
  vpc = true

  tags = {
    Name = "${var.service_name}-eip"
  }
}

# The NAT gateway lives in a public subnet and needs the IGW to exist first.
resource "aws_nat_gateway" "this" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public[0].id

  depends_on = [aws_internet_gateway.this]

  tags = {
    Name = "${var.service_name}-nat-gw"
  }
}

# Private subnets egress via the NAT gateway rather than the IGW.
resource "aws_route" "private_nat_gateway" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this.id

  timeouts {
    create = "5m"
  }
}

Refer to this repository: ecs-with-codepipeline-example-by-terraform

GNOKOHEAT answered Sep 20 '25 19:09


Thank you all, it turned out to be an issue with the VPC that the internet gateway is attached to. An internet gateway must be created in a chosen VPC. You cannot route traffic to an internet gateway that is not within the same VPC, as it wouldn't have access to it otherwise. Therefore my attempt to route traffic to an internet gateway external to the VPC is not allowed.

This issue is resolved by creating a new internet gateway within the new VPC I created. However, this means I cannot use the existing internet gateway, thereby introducing other issues, such as the need to inform external partners to add permission for the new public IP of the internet gateway.

Jason Nanay answered Sep 20 '25 19:09
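As an added example that is not part of the question or either answer: if a configuration really does need to reference an existing IGW, a plan-time precondition turns the API's "belong to different networks" 400 into a readable Terraform error before any route is created. It assumes Terraform 1.2 or newer (for lifecycle preconditions), an existing IGW carrying the constructed tag Name=shared-igw, and a VPC resource aws_vpc.this defined elsewhere in the same configuration; when that VPC is new, the check is deferred to apply time but still runs before the route call.

```hcl
# Added example, not code from the question or the answers above.
# Look up the pre-existing IGW by a constructed tag value.
data "aws_internet_gateway" "existing" {
  filter {
    name   = "tag:Name"
    values = ["shared-igw"] # constructed example tag, replace with your own
  }
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.this.id # assumed to be defined elsewhere in this config
}

resource "aws_route" "default_via_igw" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = data.aws_internet_gateway.existing.id

  lifecycle {
    # An IGW is attached to at most one VPC. Refuse to create the route
    # unless that VPC is the one owning this route table.
    precondition {
      condition = contains(
        [for a in data.aws_internet_gateway.existing.attachments : a.vpc_id],
        aws_vpc.this.id
      )
      error_message = "Internet gateway ${data.aws_internet_gateway.existing.id} is not attached to VPC ${aws_vpc.this.id}. An IGW belongs to a single VPC; create an aws_internet_gateway in this VPC instead of reusing one from another."
    }
  }
}
```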