deploying outbound auto-scale cft cross-account #3
Comments
The lambda function triggered by the ASG lifecycle instance hook would require an IAM role with cross-account permissions. We will investigate. |
Hi there. Thank you for your response. I would appreciate it if you could confirm for us: does it only require launching the CFT in one account with rights over the account where the TGW was created? Again, thanks! |
The autoscale solution uses a lambda function that performs two actions:
1) Creates a VPN-based transit gateway attachment
2) Propagates routes advertised over the VPN attachment to other route tables
The lambda function requires permissions to do both. It is the config_fw.py function that performs these functions.
--
Justin Harris
Consulting Engineer - Cloud
Tel +44 7773 028509
|
Hi, Justin. How are you? Thanks for your confirmation. So, do we need to add the ARN of the account to the LambdaExecutionRole? Do we have to make changes to the lambda config.fw file? I'm not an AWS expert. I've seen this article https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/ Thanks for your help |
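The cross-account role Justin mentions, and the assume-role pattern in the AWS article linked above, written out as an added example. This is not code from this issue or from the wwce/aws-cft templates; every account ID, role name, external ID and route table ID is a constructed placeholder, and `FakeSTS` stands in for the real STS client so the check can run offline. The TGW-account role is scoped to route-table operations only, because the VPN attachment itself must be created in the account that owns the TGW (as the thread later confirms). `boto3`'s `assume_role` parameters and the EC2 action names are the real ones.

```python
"""Cross-account access for the autoscale Lambda: its execution role in the
security-VPC account assumes a narrowly scoped role in the account that owns
the Transit Gateway. Added example; all IDs and names are constructed."""
import json

# Route-table work only. Creating the VPN attachment itself is left out: it
# has to happen in the TGW-owning account regardless of what this role allows.
DESCRIBE_ACTIONS = [
    "ec2:DescribeTransitGatewayRouteTables",
    "ec2:DescribeTransitGatewayAttachments",
]
MUTATING_ACTIONS = [
    "ec2:EnableTransitGatewayRouteTablePropagation",
    "ec2:AssociateTransitGatewayRouteTable",
]


def trust_policy(security_account_id, lambda_role_name, external_id):
    """Trust policy for the role in the TGW account: only the Lambda's
    execution role may assume it, and only when it presents the external ID
    (the confused-deputy control described in the linked AWS article)."""
    principal = "arn:aws:iam::%s:role/%s" % (security_account_id, lambda_role_name)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def permissions_policy(region, tgw_account_id, route_table_ids):
    """Permissions for the TGW-account role. The Describe* calls take no
    resource-level restriction, so they get '*'; the two mutating calls name
    both a route table and an attachment, so they are pinned to the listed
    route tables plus attachments in this account and region."""
    base = "arn:aws:ec2:%s:%s:" % (region, tgw_account_id)
    resources = [base + "transit-gateway-route-table/" + rt for rt in route_table_ids]
    resources.append(base + "transit-gateway-attachment/*")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": DESCRIBE_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": MUTATING_ACTIONS, "Resource": resources}]}


def assume_tgw_role(sts, role_arn, external_id, session_name):
    """Assume the TGW-account role and return keyword arguments for
    boto3.client('ec2', **creds). `sts` is a boto3 STS client or a
    compatible fake. 900 s is the shortest session STS allows; a Lambda
    invocation does not need more."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           ExternalId=external_id, DurationSeconds=900)
    creds = resp["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def cross_account_ec2_client(region, role_arn, external_id):
    """Real-AWS entry point; boto3 is imported here so the policy helpers
    above stay usable without it installed."""
    import boto3
    creds = assume_tgw_role(boto3.client("sts"), role_arn, external_id,
                            "autoscale-tgw-routes")
    return boto3.client("ec2", region_name=region, **creds)


class FakeSTS:
    """Constructed stand-in for the STS client: it enforces the external ID
    the way the trust policy would, so the control can be exercised offline."""
    def __init__(self, expected_external_id):
        self.expected_external_id = expected_external_id

    def assume_role(self, RoleArn, RoleSessionName, ExternalId, DurationSeconds):
        if ExternalId != self.expected_external_id:
            raise PermissionError("AccessDenied: external ID mismatch for " + RoleArn)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret-example",
                                "SessionToken": "token-example"}}


def demo():
    """Build both policies and run assume-role against the fake, once with
    the right external ID and once with a wrong one."""
    trust = trust_policy("111111111111", "LambdaExecutionRole", "example-ext-id")
    perms = permissions_policy("eu-west-1", "222222222222", ["tgw-rtb-0a1b2c3d4e5f60718"])
    sts = FakeSTS("example-ext-id")
    role_arn = "arn:aws:iam::222222222222:role/TgwRouteRole"
    creds = assume_tgw_role(sts, role_arn, "example-ext-id", "autoscale-tgw-routes")
    try:
        assume_tgw_role(sts, role_arn, "wrong-id", "autoscale-tgw-routes")
        denied = False
    except PermissionError:
        denied = True
    return json.dumps(trust), json.dumps(perms), creds, denied
```

In a deployment the trust policy goes on the role in the TGW account, the permissions policy is attached to that same role, and the Lambda's own execution role in the security-VPC account needs only `sts:AssumeRole` on that role's ARN; `cross_account_ec2_client` then yields the EC2 client the route-table code uses.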
This is the function that I believe may need to be moved to a lambda in the account that contains the TGW. The function manages route propagation and could be triggered by a SQS message from the security VPC account. I will try and test this over the next few days and get back to you.

```python
import logging
import time

import boto3

logger = logging.getLogger()
ec2_client = boto3.client('ec2')

# get_vpn_connections, get_attachment_state, create_vpn_propagation,
# create_vpn_association and tgw_route_table_id are defined elsewhere in
# config_fw.py and are not repeated here.


def manage_route_tables():
    # primary_prepend_length = '1'
    # secondary_prepend_length = '2'
    # update_as_path(fw1, export_rule, api_key, primary_prepend_length)
    # panCommit(fw1, api_key, message="")
    # update_as_path(fw2, export_rule, api_key, secondary_prepend_length)
    # panCommit(fw2, api_key, message="")

    # Collect every TGW route table tagged Propagate=NS; the VPN attachment's
    # routes are propagated into each of them.
    tgws = []
    table_list = ec2_client.describe_transit_gateway_route_tables(Filters=[
        {'Name': 'tag:Propagate', 'Values': ['NS']}
    ])
    tables = table_list.get('TransitGatewayRouteTables')
    for table in tables:
        tgws.append(table.get('TransitGatewayRouteTableId'))
    logger.info('These tables are tagged for North South Route Propagation {}'
                .format(tgws))

    attachments = get_vpn_connections()
    for attachment in attachments:
        attachment_id = attachment.get('TransitGatewayAttachmentId')
        # Poll until the attachment is available, then propagate and associate.
        while True:
            logger.info('Processing Attachment {}'.format(attachment))
            attachment_state = get_attachment_state(attachment)
            if attachment_state == 'available' and not attachment.get('Association'):
                logger.info('Setting propagation for attachment {}'.format(attachment_id))
                for tgwrt in tgws:
                    create_vpn_propagation(attachment_id, tgwrt)
                res = create_vpn_association(attachment_id, tgw_route_table_id)
                break
            elif attachment_state == 'available' and attachment.get('Association'):
                logger.info('Attachment {} is already associated with a route table'
                            .format(attachment_id))
                break
            elif attachment_state == 'pending':
                logger.info('Waiting for attachment to come up')
                time.sleep(20)
            else:
                logger.info('Attachment is in an unknown state - moving on')
                break
        logger.info('Finished Processing Attachment {}'.format(attachment_id))
```
|
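Justin's function above, reworked as an added example for the Lambda he proposes placing in the TGW-owning account. This is not the project's config_fw.py: it handles one attachment ID delivered by an SQS message, takes the EC2 client as a parameter (a real deployment would pass the client from `boto3.client('ec2')`, and the Lambda entry point would wrap `handler`), and replaces the unbounded `while True` with a bounded poll so an attachment stuck in `pending` cannot burn the whole Lambda timeout. The boto3 EC2 method names are real; the message format, route table IDs, attachment IDs, poll limits and `FakeEC2` are constructed.

```python
"""Route propagation for a TGW VPN attachment, written for a Lambda in the
account that owns the TGW and driven by an SQS message from the security-VPC
account. Added example: the EC2 client is injected so the logic runs offline
against a fake, and the poll loop is bounded."""
import json
import logging
import time

logger = logging.getLogger(__name__)
MAX_POLLS = 10               # constructed limit: 10 x 20 s fits inside a Lambda timeout
POLL_INTERVAL_SECONDS = 20


def route_tables_tagged(ec2, tag_key='Propagate', tag_value='NS'):
    """IDs of the TGW route tables tagged for north-south propagation."""
    resp = ec2.describe_transit_gateway_route_tables(
        Filters=[{'Name': 'tag:' + tag_key, 'Values': [tag_value]}])
    return [t['TransitGatewayRouteTableId'] for t in resp.get('TransitGatewayRouteTables', [])]


def manage_route_tables(ec2, attachment_id, association_table_id, sleep=time.sleep):
    """Enable propagation into every tagged table and associate the attachment
    with `association_table_id`. Returns 'associated', 'already', 'timeout' or
    'unknown' so the SQS handler can decide whether to re-queue the message."""
    tables = route_tables_tagged(ec2)
    logger.info('Tables tagged for north-south propagation: %s', tables)
    for _ in range(MAX_POLLS):
        resp = ec2.describe_transit_gateway_attachments(
            TransitGatewayAttachmentIds=[attachment_id])
        items = resp.get('TransitGatewayAttachments', [])
        if not items:
            return 'unknown'
        state = items[0].get('State')
        if state == 'available' and items[0].get('Association'):
            return 'already'            # idempotent: a re-delivered message changes nothing
        if state == 'available':
            for table_id in tables:
                ec2.enable_transit_gateway_route_table_propagation(
                    TransitGatewayRouteTableId=table_id,
                    TransitGatewayAttachmentId=attachment_id)
            ec2.associate_transit_gateway_route_table(
                TransitGatewayRouteTableId=association_table_id,
                TransitGatewayAttachmentId=attachment_id)
            return 'associated'
        if state != 'pending':
            logger.info('Attachment %s in state %s; skipping', attachment_id, state)
            return 'unknown'
        sleep(POLL_INTERVAL_SECONDS)
    return 'timeout'


def handler(event, ec2, association_table_id, sleep=time.sleep):
    """SQS-triggered entry point. Each message body is expected to carry
    {"attachment_id": "..."} (constructed message format)."""
    results = {}
    for record in event.get('Records', []):
        attachment_id = json.loads(record['body'])['attachment_id']
        results[attachment_id] = manage_route_tables(ec2, attachment_id, association_table_id, sleep)
    return results


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client: the attachment reports
    'pending' for `pending_polls` calls, then 'available'."""
    def __init__(self, pending_polls=0, association=None):
        self.pending_polls, self.association = pending_polls, association
        self.propagations, self.associations = [], []

    def describe_transit_gateway_route_tables(self, Filters):
        return {'TransitGatewayRouteTables': [{'TransitGatewayRouteTableId': 'tgw-rtb-ns-a'},
                                              {'TransitGatewayRouteTableId': 'tgw-rtb-ns-b'}]}

    def describe_transit_gateway_attachments(self, TransitGatewayAttachmentIds):
        state = 'pending' if self.pending_polls > 0 else 'available'
        self.pending_polls -= 1
        item = {'TransitGatewayAttachmentId': TransitGatewayAttachmentIds[0], 'State': state}
        if self.association:
            item['Association'] = self.association
        return {'TransitGatewayAttachments': [item]}

    def enable_transit_gateway_route_table_propagation(self, **kw):
        self.propagations.append(kw['TransitGatewayRouteTableId'])

    def associate_transit_gateway_route_table(self, **kw):
        self.associations.append(kw['TransitGatewayRouteTableId'])


def run_demo():
    """Three outcomes against the fake, with sleeping disabled."""
    no_sleep = lambda seconds: None
    event = {'Records': [{'body': json.dumps({'attachment_id': 'tgw-attach-example'})}]}
    fresh = FakeEC2(pending_polls=2)
    first = handler(event, fresh, 'tgw-rtb-sec', no_sleep)['tgw-attach-example']
    done = FakeEC2(association={'TransitGatewayRouteTableId': 'tgw-rtb-sec'})
    second = handler(event, done, 'tgw-rtb-sec', no_sleep)['tgw-attach-example']
    stuck = FakeEC2(pending_polls=MAX_POLLS + 5)
    third = handler(event, stuck, 'tgw-rtb-sec', no_sleep)['tgw-attach-example']
    return first, fresh.propagations, fresh.associations, second, third
```

The return value matters more than the log lines: on `timeout` the handler can let the message return to the queue and retry on the next delivery, while `already` makes a duplicate delivery harmless, which is what you want when the message source is the lifecycle hook in another account.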
Hi, Justin. How are you? Thank you for your support. I hope to hear from you soon. |
Hi there. How are you? Did you get any response from AWS about this issue? I'm trying to escalate it too with the AWS team we are working with. Thank you for your support! |
I have just had confirmation from AWS that TGW VPN connections are not supported across accounts. I will look at the lambda functions to see if they could be moved to the account that owns that TGW. This may take a little time. At present the security VPC and the TGW would need to be in the same account.

"Thank you for the update, I understand that your customers have a requirement to be able to add VPN attachments from shared accounts to the Transit Gateway. This is currently not supported as per "Transit Gateway Sharing Considerations" documentation [1]: You can use AWS Resource Access Manager (RAM) to share a transit gateway for VPC attachments across accounts or across your organization in AWS Organizations. Take the following into account when you want to share a transit gateway. An AWS Site-to-Site VPN attachment must be in the same AWS account. I have added your case to the Feature Request to allow VPN attachments from accounts that share a Transit Gateway, unfortunately I cannot provide an ETA at this time. To learn about the latest product, service, and feature announcements from AWS, please continue to monitor 'What's New with AWS'"
|
Hi, Justin. Thanks a lot for your support. Could you help me with the name of the AWS support engineer who replied to you, or the case number? With this, I can tell the AWS architect that we cannot deploy a VPN attachment cross-account. I'm gonna discuss with the customer deploying the CFT in the same account. Please let me know if you manage to move the Lambda function and if you are gonna update the template with this. Thank you! |
Hi there. We are using the outbound-autoscale CFT, which asks for tgw-id and rtb-tgw-id (assuming that the TGW was created in the same account we are deploying to); however, the TGW was not deployed in the same account as our security VPC. How can we deploy this CFT cross-account?