Creating a non BGP customer gateway with terraform


Dale Stirling

Feb 2, 2016, 10:42:20 PM2/2/16
to Terraform
We have a requirement to stand up a Customer VPN Gateway with Static routing. 

When looking at the terraform docs for the aws_customer_gateway resource, it states that the bgp_asn is a required field. This suggests that this resource is not compatible with the static routing option that exists within the AWS console.

The BGP asn is also a required field in the golang SDK. 

Is it possible to set up a non BGP VPN between an AWS VPC and an external network?

Thanks heaps :)




Chris Barbour

Nov 28, 2016, 6:09:11 PM11/28/16
to Terraform
I suspect that the OP has found his own solution.

For anyone else reading this post, it appears that the correct solution is to assign an unused private ASN to the aws_customer_gateway, and to set `static_routes_only = true` on the aws_vpn_connection.

While the AWS GUI gives you the option to specify a static-only customer gateway without an ASN, the APIs do not permit this. As best I can tell, Amazon silently sets the ASN to 65000 and then disables BGP. I will confirm when I get a chance.

Andrew Langhorn

Nov 29, 2016, 4:26:31 AM11/29/16
to terrafo...@googlegroups.com
Hello,

Yes, the AWS GUI sets the ASN to 65000 behind the scenes if you use static routing, or sets the ASN to whatever you choose if you use dynamic routing. I believe you can also set the ASN to any other value if you're using static routing; the value is silently ignored, in essence. We ran into this recently (not the first time I've seen it!), so I decided to raise it with AWS Support.

BgpAsn is a required parameter in the EC2 API in the Go SDK: https://github.com/aws/aws-sdk-go/blob/master/models/apis/ec2/2015-04-15/api-2.json#L2771

I raised this with AWS Support, who said that they'd go back internally to try to find out if there's a reason why it's a required parameter, rather than an optional one, since it should really only be required if using dynamic routing.

I'll update this thread when (if!) we hear back from AWS Support.

Andrew
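The static-routing configuration described in the two replies above, written out as an added example (not code posted by anyone in this thread) in current Terraform syntax. The VPC id, on-premises public IP, on-premises CIDR and the private ASN value are placeholders, not values from the thread:

```hcl
# Added example: Site-to-Site VPN with static routing only, no BGP.
# All variable values are placeholders to be supplied by the operator.
variable "vpc_id" {}
variable "onprem_public_ip" {}   # public IP of the customer VPN device
variable "onprem_cidr" {}        # e.g. a private prefix behind that device

resource "aws_vpn_gateway" "vgw" {
  vpc_id = var.vpc_id
}

# The API still requires bgp_asn even for static routing. Any unused private
# ASN (64512-65534) works; 65000 is what the console picks silently, as the
# thread reports. With static routing enabled below, this value is inert.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000
  ip_address = var.onprem_public_ip
  type       = "ipsec.1"
}

# static_routes_only = true disables BGP on the tunnels, so no route is
# learned dynamically from the remote side; prefixes are declared explicitly.
resource "aws_vpn_connection" "onprem" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.onprem.id
  type                = "ipsec.1"
  static_routes_only  = true
}

# Each reachable remote prefix must be listed; unlisted prefixes are
# unreachable over the VPN, which keeps the routed scope explicit and auditable.
resource "aws_vpn_connection_route" "onprem" {
  destination_cidr_block = var.onprem_cidr
  vpn_connection_id      = aws_vpn_connection.onprem.id
}
```

`terraform plan` on this configuration shows whether the provider still insists on `bgp_asn`; if it does, the placeholder private ASN satisfies the API without enabling BGP.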