marlonparmentier/terraform-aws-mcaf-transit-gateway
terraform-aws-mcaf-transit-gateway

Terraform module to set up and manage a Transit Gateway. It supports the following features:

  • Peering with another Transit Gateway
  • Sharing the Transit Gateway with other accounts
  • Creation and attachment of VPN connections

Please take note of the information below regarding the usage of the module. Complete code examples can be found in the examples directory.

Transit Gateway peering

Peering a Transit Gateway is done in two steps. First, the peering invite is sent to the specified account and transit gateway. Second, once the other party has accepted the invite, the peering attachment becomes ready and configuration such as the route table association and routing can be done.

1) Sending the peering invite

Example sending the invite in the first Terraform run:

transit_gateway_peering = {
  peering-1 = {
    peer_account_id         = "111111111111",
    peer_region             = "eu-west-1",
    peer_transit_gateway_id = "tgw-0123456789abcdefg"
    route_table_association = ""
    peer_routes             = {}
  }
}

2) Configuring the association and routing

Example setting the route table association and static routes in the route tables in the second Terraform run, after the remote party has accepted the peering request, without the optional blackhole routes:

transit_gateway_peering = {
  peering-1 = {
    peer_account_id         = "111111111111",
    peer_region             = "eu-west-1",
    peer_transit_gateway_id = "tgw-0123456789abcdefg"
    route_table_association = "vpc"

    peer_routes = {
      shared = ["10.1.1.0/24", "192.168.10.0/24"]
      test   = ["10.2.2.0/24", "192.168.10.0/24"]
    }
  }
}

Example setting the route table association and static routes in the route tables in the second Terraform run, after the remote party has accepted the peering request, including blackhole routes:

transit_gateway_peering = {
  peering-1 = {
    peer_account_id         = "111111111111",
    peer_region             = "eu-west-1",
    peer_transit_gateway_id = "tgw-0123456789abcdefg"
    route_table_association = "vpc"

    peer_routes = {
      shared = ["10.1.1.0/24", "192.168.10.0/24"]
      test   = ["10.2.2.0/24", "192.168.10.0/24"]
    }

    blackhole_routes = {
      shared = ["10.2.2.0/24", "192.168.9.0/24"]
      test   = ["10.1.1.0/24", "192.168.9.0/24"]
    }
  }
}
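The two runs above can be driven from one configuration with a flag, and the second run can be guarded so that association and routing are never applied against a peering the other party has not accepted yet. This is an added example, not code from the module or its examples directory: the `peering_accepted` variable, the `transit_gateway` module block, the `route_tables` names and the tag value are assumptions, the filters come from the EC2 DescribeTransitGatewayPeeringAttachments API, and the data source is assumed to expose `state` in the provider version in use.

```hcl
variable "peering_accepted" {
  description = "false for the first run (send the invite), true for the second run (routing)."
  type        = bool
  default     = false
}
locals {
  peer_routes = {
    shared = ["10.1.1.0/24", "192.168.10.0/24"]
    test   = ["10.2.2.0/24", "192.168.10.0/24"]
  }
}
# Second run only: find the attachment created in the first run and fail the plan
# unless the peer has accepted it. Assumes a single peering with that account.
data "aws_ec2_transit_gateway_peering_attachment" "peering_1" {
  count = var.peering_accepted ? 1 : 0
  filter {
    name   = "transit-gateway-id"
    values = [module.transit_gateway.transit_gateway_id]
  }
  filter {
    name   = "remote-owner-id"
    values = ["111111111111"]
  }
  lifecycle {
    postcondition {
      condition     = self.state == "available"
      error_message = "Peering ${self.id} is ${self.state}; keep peering_accepted=false until the peer accepts."
    }
    postcondition {
      condition     = self.peer_transit_gateway_id == "tgw-0123456789abcdefg"
      error_message = "Peering ${self.id} targets ${self.peer_transit_gateway_id}, not the expected transit gateway."
    }
  }
}
module "transit_gateway" {
  source       = "github.com/marlonparmentier/terraform-aws-mcaf-transit-gateway"
  name         = "platform-tgw"
  description  = "Platform Transit Gateway"
  tags         = { Environment = "prod" }
  route_tables = ["shared", "test", "vpc"]
  transit_gateway_peering = {
    peering-1 = {
      peer_account_id         = "111111111111"
      peer_region             = "eu-west-1"
      peer_transit_gateway_id = "tgw-0123456789abcdefg"
      # Empty on the first run; filled in once the peer has accepted.
      route_table_association = var.peering_accepted ? "vpc" : ""
      peer_routes             = { for table, cidrs in local.peer_routes : table => cidrs if var.peering_accepted }
    }
  }
}
```

Run the first apply with the default, then `terraform apply -var peering_accepted=true` once the peer reports acceptance; a still-pending attachment fails the plan before any routing change is made.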

Transit Gateway sharing

Sharing a Transit Gateway is done in two steps. First, the Transit Gateway is shared, which makes it available in the specified account. Second, once the other party has created the Transit Gateway attachment in that account, the attachment is accepted and the route table association and propagation are configured.

1) Sharing the Transit Gateway with the specified account

Example sharing the Transit gateway in the first Terraform run:

transit_gateway_sharing = {
  sharing-1 = {
    principal_account_id          = "222222222222"
    route_table_association       = ""
    route_table_propagation       = []
    transit_gateway_attachment_id = ""
  }
}

2) Configuring the association and propagation of the attached VPC

Example accepting the attachment and setting the route table association and propagation for the attached VPC in the remote account in the second Terraform run:

transit_gateway_sharing = {
  sharing-1 = {
    principal_account_id          = "222222222222"
    route_table_association       = "vpc"
    route_table_propagation       = ["shared", "vpc"]
    transit_gateway_attachment_id = "tgw-attach-062000946f17af583"
  }
}
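Because the module accepts whichever attachment ID it is given, the second run is a good place to verify that the attachment really belongs to the account the gateway was shared with and to this transit gateway before it is accepted. This is an added example, not the module's own code: the `shared_attachment_id` variable, the `transit_gateway` module block, the `route_tables` names and the tag value are assumptions.

```hcl
variable "shared_attachment_id" {
  description = "Attachment ID the remote account reports after creating it; leave empty on the first run."
  type        = string
  default     = ""
}

# Second run only: inspect the attachment before the module accepts it, so that an
# attachment from another account or another transit gateway fails the plan.
data "aws_ec2_transit_gateway_vpc_attachment" "sharing_1" {
  count = var.shared_attachment_id != "" ? 1 : 0
  id    = var.shared_attachment_id

  lifecycle {
    postcondition {
      condition     = self.transit_gateway_id == module.transit_gateway.transit_gateway_id
      error_message = "Attachment ${self.id} is not attached to this transit gateway."
    }
    postcondition {
      condition     = self.vpc_owner_id == "222222222222"
      error_message = "Attachment ${self.id} was created by account ${self.vpc_owner_id}, not the account it was shared with."
    }
  }
}

module "transit_gateway" {
  source       = "github.com/marlonparmentier/terraform-aws-mcaf-transit-gateway"
  name         = "platform-tgw"
  description  = "Platform Transit Gateway"
  tags         = { Environment = "prod" }
  route_tables = ["shared", "vpc"]

  transit_gateway_sharing = {
    sharing-1 = {
      principal_account_id          = "222222222222"
      transit_gateway_attachment_id = var.shared_attachment_id
      # Empty on the first run; set once the attachment above has been checked.
      route_table_association       = var.shared_attachment_id != "" ? "vpc" : ""
      route_table_propagation       = var.shared_attachment_id != "" ? ["shared", "vpc"] : []
    }
  }
}
```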

Using KMS encryption for the logs

The module supports using a KMS key to encrypt the log files created by the Transit Gateway or the VPNs. Note that the example provided uses a KMS key policy that works out of the box but is not scoped down to least privilege.
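A tighter alternative to the example's key policy, added here and not taken from the module or its examples directory: the CloudWatch Logs service principal may only use the key when the encryption context names the flow log group the module creates by default, following the condition AWS documents for CloudWatch Logs key policies. The `transit_gateway` module block, resource names and the tag value are assumptions.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# ARN of the log group the module creates with its default log_group_name.
locals {
  flow_log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/platform/transit-gateway-flow-logs"
}

data "aws_iam_policy_document" "flow_logs_kms" {
  # Key administration stays with the account; IAM policies delegate from here.
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  # CloudWatch Logs may use the key, but only on behalf of this one log group.
  statement {
    sid       = "CloudWatchLogsFlowLogGroupOnly"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = [local.flow_log_group_arn]
    }
  }
}

resource "aws_kms_key" "flow_logs" {
  description         = "Transit Gateway flow logs"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.flow_logs_kms.json
}

module "transit_gateway" {
  source      = "github.com/marlonparmentier/terraform-aws-mcaf-transit-gateway"
  name        = "platform-tgw"
  description = "Platform Transit Gateway"
  tags        = { Environment = "prod" }
  cloudwatch_flow_logs_configuration = {
    kms_key_arn = aws_kms_key.flow_logs.arn # log_group_name left at its default
  }
}
```

The VPN logs default to a different group, /platform/transit-gateway-vpn-logs, so reusing this key through `log_kms_key_arn` in `vpn_connection` needs that group's ARN added to the condition values.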

Requirements

  • terraform >= 1.3
  • aws >= 4.39.0
  • time >= 0.9.0

Providers

  • aws >= 4.39.0
  • time >= 0.9.0

Modules

No modules.

Resources

  • aws_cloudwatch_log_group.transit_gateway_flow_logs (resource)
  • aws_cloudwatch_log_group.transit_gateway_vpn_logs (resource)
  • aws_customer_gateway.default (resource)
  • aws_ec2_tag.vpn (resource)
  • aws_ec2_transit_gateway.default (resource)
  • aws_ec2_transit_gateway_peering_attachment.default (resource)
  • aws_ec2_transit_gateway_route.peering (resource)
  • aws_ec2_transit_gateway_route_table.default (resource)
  • aws_ec2_transit_gateway_route_table_association.peering (resource)
  • aws_ec2_transit_gateway_route_table_association.sharing (resource)
  • aws_ec2_transit_gateway_route_table_association.vpn (resource)
  • aws_ec2_transit_gateway_route_table_propagation.sharing (resource)
  • aws_ec2_transit_gateway_route_table_propagation.vpn (resource)
  • aws_ec2_transit_gateway_vpc_attachment_accepter.default (resource)
  • aws_flow_log.cloudwatch_transit_gateway (resource)
  • aws_flow_log.s3_transit_gateway (resource)
  • aws_iam_policy.transit_gateway_cloudwatch_flow_logs (resource)
  • aws_iam_role.transit_gateway_cloudwatch_flow_logs (resource)
  • aws_iam_role_policy_attachment.transit_gateway_cloudwatch_flow_logs (resource)
  • aws_ram_principal_association.default (resource)
  • aws_ram_resource_association.default (resource)
  • aws_ram_resource_share.default (resource)
  • aws_vpn_connection.default (resource)
  • time_sleep.ten_seconds (resource)
  • aws_caller_identity.default (data source)
  • aws_iam_policy_document.transit_gateway_cloudwatch_flow_log (data source)
  • aws_iam_policy_document.transit_gateway_cloudwatch_flow_logs_assume_role (data source)
  • aws_region.default (data source)

Inputs

  • description (type string, no default, required): Description of the EC2 Transit Gateway
  • name (type string, no default, required): Name of the EC2 Transit Gateway
  • tags (type map(string), no default, required): Map of tags to set on Terraform created resources
  • cloudwatch_flow_logs_configuration (type below, default {}, optional): Cloudwatch flow logs configuration
      object({
        iam_policy_name_prefix   = optional(string, "transit-gateway-flow-logs-to-cloudwatch-")
        iam_role_name_prefix     = optional(string, "transit-gateway-flow-logs-role-")
        kms_key_arn              = optional(string)
        log_group_name           = optional(string, "/platform/transit-gateway-flow-logs")
        max_aggregation_interval = optional(number, 60)
        retention_in_days        = optional(number, 90)
        traffic_type             = optional(string, "ALL")
      })
  • enable_cloudwatch_flow_logs (type bool, default true, optional): Set to true to enable Transit Gateway flow logs to be stored in Cloudwatch
  • enable_s3_flow_logs (type bool, default false, optional): Set to true to enable Transit Gateway flow logs to be stored in S3
  • route_tables (type list(any), default ["default"], optional): Route Tables to create on the Transit Gateway
  • s3_flow_logs_configuration (type below, default {}, optional): S3 flow logs configuration
      object({
        max_aggregation_interval = optional(number, 60)
        traffic_type             = optional(string, "ALL")
        file_format              = optional(string, "parquet")
        per_hour_partition       = optional(bool, true)
        log_destination          = optional(string)
      })
  • transit_gateway_asn (type number, default 64512, optional): BGP ASN used on the Transit Gateway
  • transit_gateway_default_route_table_association (type bool, default false, optional): Whether resource attachments are automatically associated with the default association route table
  • transit_gateway_default_route_table_propagation (type bool, default false, optional): Whether resource attachments automatically propagate routes to the default propagation route table
  • transit_gateway_peering (type below, default {}, optional): Transit Gateway peering configuration
      map(object({
        peer_account_id         = string
        peer_region             = string
        peer_transit_gateway_id = string
        route_table_association = string
        peer_routes             = map(list(string))
      }))
  • transit_gateway_sharing (type below, default {}, optional): Transit Gateway sharing configuration
      map(object({
        principal_account_id          = string
        route_table_association       = string
        route_table_propagation       = list(string)
        transit_gateway_attachment_id = string
      }))
  • vpn_connection (type below, default {}, optional): VPN connection configuration
      map(object({
        customer_gateway_bgp_asn    = number
        customer_gateway_ip_address = string
        enable_logs                 = optional(bool, true)
        log_kms_key_arn             = optional(string)
        log_group_arn               = optional(string)
        log_group_name              = optional(string, "/platform/transit-gateway-vpn-logs")
        log_output_format           = optional(string, "json")
        retention_in_days           = optional(number, 90)
        route_table_association     = string
        route_table_propagation     = list(string)
        tunnel1_options = object({
          dpd_timeout_action           = optional(string, "clear")
          dpd_timeout_seconds          = optional(number, 30)
          ike_versions                 = optional(list(string), ["ikev2"])
          inside_cidr                  = string
          phase1_dh_group_numbers      = optional(list(number), [21])
          phase1_encryption_algorithms = optional(list(string), ["AES256-GCM-16"])
          phase1_integrity_algorithms  = optional(list(string), ["SHA2-512"])
          phase1_lifetime_seconds      = optional(number, 28800)
          phase2_dh_group_numbers      = optional(list(number), [21])
          phase2_encryption_algorithms = optional(list(string), ["AES256-GCM-16"])
          phase2_integrity_algorithms  = optional(list(string), ["SHA2-512"])
          phase2_lifetime_seconds      = optional(number, 3600)
          rekey_fuzz_percentage        = optional(number, 100)
          rekey_margin_time_seconds    = optional(number, 540)
          replay_window_size           = optional(number, 1024)
          startup_action               = optional(string, "add")
        })
        tunnel2_options = object({
          dpd_timeout_action           = optional(string, "clear")
          dpd_timeout_seconds          = optional(number, 30)
          ike_versions                 = optional(list(string), ["ikev2"])
          inside_cidr                  = string
          phase1_dh_group_numbers      = optional(list(number), [21])
          phase1_encryption_algorithms = optional(list(string), ["AES256-GCM-16"])
          phase1_integrity_algorithms  = optional(list(string), ["SHA2-512"])
          phase1_lifetime_seconds      = optional(number, 28800)
          phase2_dh_group_numbers      = optional(list(number), [21])
          phase2_encryption_algorithms = optional(list(string), ["AES256-GCM-16"])
          phase2_integrity_algorithms  = optional(list(string), ["SHA2-512"])
          phase2_lifetime_seconds      = optional(number, 3600)
          rekey_fuzz_percentage        = optional(number, 100)
          rekey_margin_time_seconds    = optional(number, 540)
          replay_window_size           = optional(number, 1024)
          startup_action               = optional(string, "add")
        })
      }))

Outputs

  • transit_gateway_id: Transit Gateway identifier
  • transit_gateway_route_table_id: Transit Gateway Route Table and route table ID
