
Unable to create route_table with variable number of route_rules #362

Closed
tomzepf-oracle-zz opened this issue Nov 14, 2017 · 10 comments

@tomzepf-oracle-zz

tomzepf-oracle-zz commented Nov 14, 2017

Terraform Version

0.10.8

OCI Provider Version

2.0.4

Description:

There does not appear to be a way to construct a route table with a variable number (count/splat) of route_rules. This makes it impossible to route a variable length list of CIDRs to a DRG or IG.

Support is needed for something like:

resource "oci_core_route_table" "rt" {
  display_name   = "rt"
  compartment_id = "${oci_core_virtual_network.vcn.compartment_id}"
  vcn_id         = "${oci_core_virtual_network.vcn.id}"

  route_rules {
    cidr_block        = "0.0.0.0/0"
    network_entity_id = "${oci_core_internet_gateway.ig.id}"
  }

  route_rules {
    count             = "${length(var.ext-cidrs)}"
    cidr_block        = "${element(var.ext-cidrs, count.index)}"
    network_entity_id = "${oci_core_drg.drg.0.id}"
  }
}
@briangustafson
Member

This is a good call out and use case - I agree that there doesn’t appear to be any way to support it based on what we have now. This is a limitation on Terraform’s interpolation syntax, so to support this we would have to provide some other way of specifying route rules.

@caelx

caelx commented Mar 28, 2018

This would be possible if route_rules were its own entity instead of part of the routing table itself. Also looking for this functionality as I have configuration for defining variable numbers of ipsec tunnels.

@olkoko

olkoko commented Apr 3, 2018

Seconded adding standalone resource definition for "route rules".
We also need standalone definitions for "security rules", separate from "security lists", to be able to define variable number of security rules based on the requirements.

@alistar79

Really need this myself. I'm trying, for each of our customers, to pass in a list of networks (one or many) to a module, which would go to route_rules to create one rule per net to route the subnet back to the customer networks. Can't see a workaround at all yet! Anyone have anything promising I can play with to see if we can get a workaround?

@dstogsdill

Agreed, managing route rules through Terraform is problematic. In my use case I have a VCN bootstrap module that creates the Route Tables, DRG, IGW, NAT instance, etc. The module will then create Default Route entries per route table plus some routes that point to the DRG.

I have a separate module to perform VCN Peering which will create an LPG and add the necessary route table. When this happens the routes created in the VCN Bootstrap module get removed and replaced with the routes in the VCN Peering module.

A separate resource to manage Route Rules would greatly improve this experience.

To work around this I've created a separate module to manage Route Rules. Unfortunately I have to create the rules using local-exec and CLI commands.

The problem with this approach is that the route entries are removed and added when terraform is re-run, so some caution should be taken in a production environment.

Of course all this gets resolved with version 0.12 of Terraform.
hashicorp/terraform#7034

//route-table module
/main.tf

locals {
  // Build the complete rule list as JSON once per table, swapping the "DRG"
  // placeholder in the route definitions for the real DRG OCID
  public_routes  = "${replace(jsonencode(concat(var.onprem_routes_json, var.public_routes)), "DRG", data.oci_core_drgs.drgs.drgs.0.id)}"
  private_routes = "${replace(jsonencode(concat(var.onprem_routes_json, var.private_routes)), "DRG", data.oci_core_drgs.drgs.drgs.0.id)}"
}

// Each route table is rewritten out of band with the OCI CLI: --force replaces
// the whole rule set, and the timestamp() trigger makes the provisioner run on
// every apply (this is why the rules are removed and re-added each run)
resource "null_resource" "update_rt_private1" {
  provisioner "local-exec" {
    command = "oci network route-table update --rt-id=${data.oci_core_route_tables.private-1.route_tables.0.id} --route-rules='${local.private_routes}' --force"
  }
  triggers {
    run_now = "${timestamp()}"
  }
}

resource "null_resource" "update_rt_public" {
  provisioner "local-exec" {
    command = "oci network route-table update --rt-id=${data.oci_core_route_tables.public.route_tables.0.id} --route-rules='${local.public_routes}' --force"
  }
  triggers {
    run_now = "${timestamp()}"
  }
}

// Some more code

//TF File

module "VCN-Bootstrap" {
  source = "../../modules/network/VCN"
  //
  Some Code
  //
}

module "VCN-Peer-to-VCN2" {
  source = "../../modules/network/local-peering"
  //
  Some Code
  //
}

// Route rules from both modules are concatenated and pushed in one update
module "Update-Routes" {
  source           = "../../modules/network/route-tables"
  compartment_ocid = "${var.compartment_ocid}"
  public_routes    = ["${module.VCN-Bootstrap.public_routes}"]
  private_routes   = ["${module.VCN-Bootstrap.private_routes}", "${module.VCN-Peer-to-VCN2.peering_route}"]
  vcn_name         = "VCN1"
}

@dragon299

Also looking for this, to auto-generate rules for local_peering_gateways. Is there anything planned in the near future?

@afedorch
Contributor

The latest versions of the OCI Terraform provider support Terraform v0.12.

Please let us know if this configuration example could be useful for you to create core_route_table with variable number of route_rules:

variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key_path" {}
variable "compartment_ocid" {}
variable "region" {}

provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
  region           = var.region
  version          = "3.28.2"
}

resource "oci_core_virtual_network" "TFExampleVCN" {
  cidr_block     = "10.1.0.0/16"
  compartment_id = var.compartment_ocid
  display_name   = "TFExampleVCN"
  dns_label      = "tfexamplevcn"
}

resource "oci_core_internet_gateway" "ExampleIG" {
  compartment_id = var.compartment_ocid
  display_name   = "TFExampleIG"
  vcn_id         = oci_core_virtual_network.TFExampleVCN.id
}

# The list whose length decides how many route rules are generated
variable "cidrs_example" {
  type    = list(string)
  default = ["10.2.0.0/16", "10.3.0.0/16"]
}

resource "oci_core_drg" "TFExampleDRG" {
  compartment_id = var.compartment_ocid
  display_name   = "TFExampleDRG"
}

resource "oci_core_route_table" "ExampleRouteTableWithRules" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_virtual_network.TFExampleVCN.id
  display_name   = "TFExampleRouteTable"

  # Terraform 0.12 dynamic block: one route_rules block per list element,
  # so the rule count follows length(var.cidrs_example)
  dynamic "route_rules" {
    for_each = var.cidrs_example
    content {
      destination       = route_rules.value
      destination_type  = "CIDR_BLOCK"
      network_entity_id = oci_core_drg.TFExampleDRG.id
    }
  }
}

Terraform output for the route table resource:

  + resource "oci_core_route_table" "ExampleRouteTableWithRules" {
      + compartment_id = "xxx"
      + defined_tags   = (known after apply)
      + display_name   = "TFExampleRouteTable"
      + freeform_tags  = (known after apply)
      + id             = (known after apply)
      + state          = (known after apply)
      + time_created   = (known after apply)
      + time_modified  = (known after apply)
      + vcn_id         = (known after apply)

      + route_rules {
          + cidr_block        = (known after apply)
          + destination       = "10.2.0.0/16"
          + destination_type  = "CIDR_BLOCK"
          + network_entity_id = (known after apply)
        }
      + route_rules {
          + cidr_block        = (known after apply)
          + destination       = "10.3.0.0/16"
          + destination_type  = "CIDR_BLOCK"
          + network_entity_id = (known after apply)
        }
    }
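A worked configuration that extends the dynamic-block pattern above to the mixed case raised later in the thread: DRG, NAT gateway and service gateway rules in one route table, each driven by its own list. This is an added example, not code from the thread or from the terraform-provider-oci project; it assumes Terraform 0.12 syntax and the oci_core_nat_gateway, oci_core_service_gateway and oci_core_drg_attachment resources and the oci_core_services data source of the OCI provider, and the variable names, display names and CIDR values are constructed for illustration.

```hcl
# Added example (not from the issue thread or the provider project).
# Assumes Terraform 0.12 and the OCI provider resources named below;
# variable names and CIDR values are constructed.

variable "compartment_ocid" {}

# Prefixes reachable over the DRG (on-premises / IPSec); may be empty
variable "onprem_cidrs" {
  type    = list(string)
  default = ["192.168.0.0/16", "172.16.0.0/12"]
}

# Prefixes that egress through the NAT gateway (private subnets)
variable "nat_cidrs" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}

resource "oci_core_virtual_network" "vcn" {
  cidr_block     = "10.1.0.0/16"
  compartment_id = var.compartment_ocid
  display_name   = "example-vcn"
  dns_label      = "examplevcn"
}

resource "oci_core_drg" "drg" {
  compartment_id = var.compartment_ocid
  display_name   = "example-drg"
}

# A DRG only receives traffic from the VCN once it is attached
resource "oci_core_drg_attachment" "drg_attach" {
  drg_id = oci_core_drg.drg.id
  vcn_id = oci_core_virtual_network.vcn.id
}

resource "oci_core_nat_gateway" "nat" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_virtual_network.vcn.id
  display_name   = "example-nat"
}

# Resolve the region's "All ... Services In Oracle Services Network" entry so the
# service gateway rule uses the exact service CIDR label the API expects
data "oci_core_services" "all" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

resource "oci_core_service_gateway" "sgw" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_virtual_network.vcn.id
  display_name   = "example-sgw"
  services {
    service_id = data.oci_core_services.all.services[0].id
  }
}

resource "oci_core_route_table" "private" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_virtual_network.vcn.id
  display_name   = "example-private-rt"

  # One rule per on-prem prefix -> DRG; an empty list yields zero rules
  dynamic "route_rules" {
    for_each = var.onprem_cidrs
    content {
      destination       = route_rules.value
      destination_type  = "CIDR_BLOCK"
      network_entity_id = oci_core_drg.drg.id
    }
  }

  # One rule per NAT prefix -> NAT gateway (the default route for private subnets)
  dynamic "route_rules" {
    for_each = var.nat_cidrs
    content {
      destination       = route_rules.value
      destination_type  = "CIDR_BLOCK"
      network_entity_id = oci_core_nat_gateway.nat.id
    }
  }

  # Oracle Services Network via the service gateway; note SERVICE_CIDR_BLOCK,
  # not CIDR_BLOCK, and the destination is the service's cidr_block label
  route_rules {
    destination       = data.oci_core_services.all.services[0].cidr_block
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.sgw.id
  }
}
```

Terraform concatenates multiple dynamic blocks with the same label, so the table ends up with length(onprem_cidrs) + length(nat_cidrs) + 1 rules, and `terraform plan` lists every generated route_rules block the way the output above does. Keeping one list per gateway type is the useful review property: the plan shows exactly which destinations reach which gateway, the DRG list carries only the on-premises prefixes that are actually needed, and the 0.0.0.0/0 rule is visibly tied to the NAT gateway rather than to an internet gateway.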

@afedorch
Contributor

The example above allows creating route_table with a variable number of route_rules. Please open a separate request if we still need a separate route_rules resource. Thanks!

@AshishTDBA

How do you add a Service Gateway or NAT gateway in the same route table in this example?

@valdecircarvalho

Thanks a lot!
