Terraform module to create one or many Amazon Transit Gateway Attachments to an existing Amazon Transit Gateway.
Amazon Transit Gateway (TGW) connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is only made once. Attachments to your TGW can be made from any account in your organization to enable cross-account connectivity.
- Supports one or many of the following:
  - Transit Gateway Attachments
  - Transit Gateway Peering Attachment
  - Transit Gateway Peering Attachment Accepter
  - TGW Routes
  - NAT Gateway routes
  - Local Gateway routes
  - Network Interface routes
  - VPC Endpoint routes
  - VPC Peering routes
- VPC peers are already in place. This is because when we create routes in the route table(s), we need to already know the peering Id to create this route.
- Transit Gateway
- A transit gateway already exists somewhere in the AWS Organization. This Id is used when creating transit gateway attachments.
- Transit Gateway Peering (Advanced scenario)
- You need at least 2 transit gateways, a peer and an accepter.
You can create a transit gateway attachment for an existing transit gateway in your organization. You can also create multiple transit gateway attachments if you have more than one transit gateway in your organization that you need to attach in a given account. You can also create transit gateway peering attachments between multiple transit gateways.
Terraform (module block):

```hcl
module "transit_gateway_attachment" {
  source  = "adamwshero/transit-gateway-attachment/aws"
  version = "~> 1.5.0"

  transit_gateway_attachments = {
    attachment-1 = {
      vpc_id             = dependency.vpc.outputs.vpc_id
      transit_gateway_id = local.account.locals.tgw_id_1
      subnet_ids         = dependency.vpc.outputs.private_subnets
    }
  }

  transit_gateway_routes = {
    "private_rtb" = {
      route_table_ids         = dependency.vpc.outputs.private_route_table_ids
      destination_cidr_blocks = ["${local.common.cidr-1}", "${local.common.cidr-2}"]
      transit_gateway_id      = local.external_deps.dependency.settings.outputs.settings.transit_gateway_id
    }
  }

  vpc_peering_routes = {
    "private_pcx" = {
      route_table_ids           = dependency.vpc.outputs.private_route_table_ids
      destination_cidr_blocks   = ["${local.common.vpc-peer-cidr-1}"]
      vpc_peering_connection_id = "${local.common.pcx-1}"
    }
  }

  tags = {
    Environment        = local.env
    Owner              = "DevOps"
    CreatedByTerraform = true
  }
}
```
Terragrunt (terragrunt.hcl):

```hcl
terraform {
  source = "git@github.com:adamwshero/terraform-aws-transit-gateway-attachment//.?ref=1.5.0"
}

inputs = {
  transit_gateway_attachments = {
    attachment-1 = {
      vpc_id             = dependency.vpc.outputs.vpc_id
      transit_gateway_id = local.account.locals.tgw_id_1
      subnet_ids         = dependency.vpc.outputs.private_subnets
    }
  }

  transit_gateway_routes = {
    "private_rtb" = {
      route_table_ids         = dependency.vpc.outputs.private_route_table_ids
      destination_cidr_blocks = ["${local.common.cidr-1}", "${local.common.cidr-2}"]
      transit_gateway_id      = local.external_deps.dependency.settings.outputs.settings.transit_gateway_id
    }
  }

  vpc_peering_routes = {
    "private_pcx" = {
      route_table_ids           = dependency.vpc.outputs.private_route_table_ids
      destination_cidr_blocks   = ["${local.common.vpc-peer-cidr-1}"]
      vpc_peering_connection_id = "${local.common.pcx-1}"
    }
  }

  tags = local.tags
}
```
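The block below is an added example, not the module's own README usage or the module author's code. It shows the segmentation step the module's defaults leave implicit: the attachment is created with `transit_gateway_default_route_table_association` and `transit_gateway_default_route_table_propagation` set to `false`, then explicitly associated with a dedicated TGW route table that only carries a route to the hub CIDR. All IDs are placeholders, and the output path `transit_gateway_attachments["attachment-1"].id` is an assumption about the shape of the module's `transit_gateway_attachments` output.

```hcl
# Added example, not the module's own usage: attach a VPC to an existing TGW
# without inheriting the TGW default route table, then bind the attachment to
# a dedicated spoke route table so reachability is explicit.
# All IDs are placeholders; the output path transit_gateway_attachments["attachment-1"].id is an assumption.

module "transit_gateway_attachment" {
  source  = "adamwshero/transit-gateway-attachment/aws"
  version = "~> 1.5.0"

  transit_gateway_attachments = {
    attachment-1 = {
      vpc_id             = "vpc-0123456789abcdef0"
      transit_gateway_id = "tgw-0123456789abcdef0"
      subnet_ids         = ["subnet-0123456789abcdef0", "subnet-0123456789abcdef1"]
    }
  }

  # With both left at their default of true, the VPC joins the TGW default
  # route table and becomes reachable from every attachment that uses it.
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  # VPC-side route: only the hub CIDR is sent to the TGW.
  transit_gateway_routes = {
    private_rtb = {
      route_table_ids         = ["rtb-0123456789abcdef0"]
      destination_cidr_blocks = ["10.0.0.0/16"]
      transit_gateway_id      = "tgw-0123456789abcdef0"
    }
  }

  tags = { Environment = "prod", Owner = "DevOps", CreatedByTerraform = true }
}

# Dedicated TGW route table for this spoke, managed outside the module.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = "tgw-0123456789abcdef0"
  tags               = { Name = "spoke-rtb" }
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  transit_gateway_attachment_id  = module.transit_gateway_attachment.transit_gateway_attachments["attachment-1"].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# TGW-side route: spoke traffic may only reach the hub CIDR, via the hub attachment.
resource "aws_ec2_transit_gateway_route" "spoke_to_hub" {
  destination_cidr_block         = "10.0.0.0/16"
  transit_gateway_attachment_id  = "tgw-attach-0123456789abcdef0" # placeholder hub attachment
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
```

As the inputs table notes, the two default-route-table flags cannot be configured on a Resource Access Manager shared Transit Gateway, so for a cross-account TGW the association and propagation must be managed from the TGW owner's account.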
Requirements:

Name | Version |
---|---|
aws | >= 4.0.0 |
terraform | >= 0.14.0 |
terragrunt | >= 0.28.0 |

Providers:

Name | Version |
---|---|
aws | >= 4.0.0 |

Modules:

No modules.

Resources:

Name | Type |
---|---|
aws_ec2_transit_gateway_peering_attachment.this | resource |
aws_ec2_transit_gateway_peering_attachment_accepter.this | resource |
aws_ec2_transit_gateway_vpc_attachment.this | resource |
aws_route.this_local_gateway_route | resource |
aws_route.this_nat_gateway_route | resource |
aws_route.this_network_interface_route | resource |
aws_route.this_tgw_route | resource |
aws_route.this_vpc_endpoint_route | resource |
aws_route.this_vpc_peering_route | resource |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
appliance_mode_support | (Optional) Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: `disable`, `enable`. Default value: `disable`. | `string` | `"disable"` | no |
create_attachment | Determines whether to create the TGW attachment or not. | `bool` | `true` | no |
create_peering_attachment | Determines whether to create a TGW peering attachment or not. | `bool` | `false` | no |
create_peering_attachment_accepter | Determines whether to create a TGW peering attachment accepter or not. | `bool` | `false` | no |
dns_support | (Optional) Whether DNS support is enabled. Valid values: `disable`, `enable`. Default value: `enable`. | `string` | `"enable"` | no |
ipv6_support | (Optional) Whether IPv6 support is enabled. Valid values: `disable`, `enable`. Default value: `disable`. | `string` | `"disable"` | no |
security_group_referencing_support | (Optional) Whether Security Group Referencing support is enabled. Valid values: `disable`, `enable`. Default value: `disable`. | `string` | `"disable"` | no |
local_gateway_routes | Map of objects that define the local gateway routes to be created. | `any` | `{}` | no |
nat_gateway_routes | Map of objects that define the NAT gateway routes to be created. | `any` | `{}` | no |
network_interface_routes | Map of objects that define the network interface routes to be created. | `any` | `{}` | no |
subnet_ids | (Required) Identifiers of EC2 Subnets. | `list(string)` | `[]` | no |
tags | (Optional) Key-value tags for the EC2 Transit Gateway VPC Attachment. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | n/a | yes |
transit_gateway_attachments | Map of objects that define the transit gateway attachments to be created. | `any` | `{}` | no |
transit_gateway_default_route_table_association | (Optional) Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: `true`. | `bool` | `true` | no |
transit_gateway_default_route_table_propagation | (Optional) Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: `true`. | `bool` | `true` | no |
transit_gateway_id | (Required) Identifier of EC2 Transit Gateway. | `string` | `""` | no |
transit_gateway_peering_attachments | Map of objects that define the transit gateway peering attachments to be created. | `any` | `{}` | no |
transit_gateway_peering_attachments_accepter | Map of objects that define the transit gateway peering attachment accepters to be created. | `any` | `{}` | no |
transit_gateway_routes | Map of objects that define the transit gateway routes to be created. | `any` | `{}` | no |
vpc_endpoint_routes | Map of objects that define the VPC endpoint routes to be created. | `any` | `{}` | no |
vpc_id | (Required) Identifier of EC2 VPC. | `string` | `""` | no |
vpc_peering_routes | Map of objects that define the VPC peering routes to be created. | `any` | `{}` | no |
Outputs:

Name | Description |
---|---|
transit_gateway_attachments | Map of transit gateway attachments. |
transit_gateway_route_ids | The IDs of the created routes. |