diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31680c3..0c0d9ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -192,3 +192,7 @@
- vpn-transit-gateway
- add variable use_single_cgw to use only one CGW per site instead of one per site per VPN
+* 2.4.0 -- 2022-10-07
+ - tag-shared-vpc-resources
+ - new submoule to tag vpcs, dhcp options, subnets, route tables, network acls
+ - transit gateways do not support taggging at this time
diff --git a/common/version.tf b/common/version.tf
index de52fea..5326d74 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
locals {
- _module_version = "2.3.1"
+ _module_version = "2.4.0"
_module_names = {
"_main_" = "aws-vpc-setup"
@@ -12,9 +12,11 @@ locals {
"routing" = "aws-vpc-setup/routing"
"security-groups" = "aws-vpc-setup/security-groups"
"subnets" = "aws-vpc-setup/subnets"
+ "tag-shared-vpc-resources" = "aws-vpc-setup/tag-shared-vpc-resources"
"vpc" = "aws-vpc-setup/vpc"
"vpc-interface-endpoint" = "aws-vpc-setup/vpc-interface-endpoint"
"vpn" = "aws-vpc-setup/vpn"
"vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway"
+ "vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway"
}
}
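Review bot: The second added line duplicates the `"vpn-transit-gateway"` key that is already present one line above, so the `_module_names` object constructor now has the same key twice, which HCL reports as a duplicate object key error rather than silently merging; since this file is symlinked into every submodule, that breaks `terraform validate` for all of them. Drop the second `"vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway"` line and keep only the new `"tag-shared-vpc-resources"` entry.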
diff --git a/common/versions.tf b/common/versions.tf
index a43df27..ddf258e 100644
--- a/common/versions.tf
+++ b/common/versions.tf
@@ -21,6 +21,10 @@ terraform {
source = "trevex/ldap"
version = ">= 0.5.4"
}
+ local = {
+ source = "hashicorp/local"
+ version = ">= 1.0.0"
+ }
}
required_version = ">= 0.13"
}
diff --git a/tag-shared-vpc-resources/README.md b/tag-shared-vpc-resources/README.md
new file mode 100644
index 0000000..45e2913
--- /dev/null
+++ b/tag-shared-vpc-resources/README.md
@@ -0,0 +1,85 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 3.66.0 |
+| [ldap](#requirement\_ldap) | >= 0.5.4 |
+| [local](#requirement\_local) | >= 1.0.0 |
+| [null](#requirement\_null) | >= 3.0 |
+| [random](#requirement\_random) | >= 3.0 |
+| [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.66.0 |
+| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 |
+| [local](#provider\_local) | >= 1.0.0 |
+| [null](#provider\_null) | >= 3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ec2_tag.dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.transit_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [null_resource.network_acl](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_transit_gateway.transit_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_network_acls.network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route_table.route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
+| [aws_route_tables.route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
+| [aws_subnet.subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
+| [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [aws_vpc_dhcp_options.dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_dhcp_options) | data source |
+| [aws_vpcs.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |
+| [local_file.network_acl](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tag\_enabled\_dhcp\_options](#input\_tag\_enabled\_dhcp\_options) | Flag to tag or not tag shared VPC DHCP option sets | `bool` | `true` | no |
+| [tag\_enabled\_network\_acls](#input\_tag\_enabled\_network\_acls) | Flag to tag or not tag shared Network ACLs | `bool` | `true` | no |
+| [tag\_enabled\_route\_tables](#input\_tag\_enabled\_route\_tables) | Flag to tag or not tag shared VPC route tables | `bool` | `true` | no |
+| [tag\_enabled\_subnets](#input\_tag\_enabled\_subnets) | Flag to tag or not tag shared VPC subnets | `bool` | `true` | no |
+| [tag\_enabled\_transit\_gateway](#input\_tag\_enabled\_transit\_gateway) | Flag to tag or not tag shared VPC Transit Gateway (not currently possible in AWS; this has no effect) | `bool` | `false` | no |
+| [tag\_enabled\_vpcs](#input\_tag\_enabled\_vpcs) | Flag to tag or not tag shared VPCs | `bool` | `true` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [account\_caller\_arn](#output\_account\_caller\_arn) | AWS Caller ARN |
+| [account\_caller\_arn\_partition](#output\_account\_caller\_arn\_partition) | AWS Caller ARN Partition |
+| [caller\_account\_id](#output\_caller\_account\_id) | AWS Account ID |
+| [profile](#output\_profile) | AWS Profile |
+| [region](#output\_region) | AWS Region |
+| [vpc\_full\_name](#output\_vpc\_full\_name) | VPC Full Name |
diff --git a/tag-shared-vpc-resources/data.shared.tf b/tag-shared-vpc-resources/data.shared.tf
new file mode 100644
index 0000000..d0ef9c1
--- /dev/null
+++ b/tag-shared-vpc-resources/data.shared.tf
@@ -0,0 +1,12 @@
+data "aws_caller_identity" "network_account" {
+ provider = aws.network_account
+}
+
+data "aws_arn" "network_account" {
+ provider = aws.network_account
+ arn = data.aws_caller_identity.network_account.arn
+}
+
+# output "network_account" {
+# value = data.aws_arn.network_account
+# }
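Review bot: `data.aws_arn.network_account` is only used elsewhere in this change to read `.account`, which `data.aws_caller_identity.network_account.account_id` already exposes, so the extra data source and the second round-trip through the owner-account provider can be removed. If it stays, add a comment saying why the ARN decomposition is wanted, and delete the commented-out `output "network_account"` block rather than shipping dead code.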
diff --git a/tag-shared-vpc-resources/data.tf b/tag-shared-vpc-resources/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/tag-shared-vpc-resources/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/tag-shared-vpc-resources/defaults.tf b/tag-shared-vpc-resources/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/tag-shared-vpc-resources/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/tag-shared-vpc-resources/network_account.credentials.tf b/tag-shared-vpc-resources/network_account.credentials.tf
new file mode 100644
index 0000000..6fd4953
--- /dev/null
+++ b/tag-shared-vpc-resources/network_account.credentials.tf
@@ -0,0 +1,5 @@
+provider "aws" {
+ alias = "network_account"
+ region = var.region
+ profile = var.network_account_profile
+}
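Review bot: Declaring a configured `provider "aws"` with a `profile` inside a reusable module ties authentication to a named entry in the operator's local shared-credentials/config file, which does not exist in CI or when credentials come from environment variables or an assumed role, and it prevents the root module from passing its own owner-account provider. The conventional fix is to declare the alias as a requirement only, `configuration_aliases = [aws.network_account]` under `required_providers`, and let callers supply `providers = { aws.network_account = aws.owner }`. `var.region` is not declared in this diff; it presumably comes from the symlinked common variables, which is worth noting in a comment here.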
diff --git a/tag-shared-vpc-resources/outputs.common.tf b/tag-shared-vpc-resources/outputs.common.tf
new file mode 100644
index 0000000..bb663cf
--- /dev/null
+++ b/tag-shared-vpc-resources/outputs.common.tf
@@ -0,0 +1,29 @@
+output "caller_account_id" {
+ description = "AWS Account ID"
+ value = data.aws_caller_identity.current.account_id
+}
+
+output "account_caller_arn" {
+ description = "AWS Caller ARN"
+ value = data.aws_caller_identity.current.arn
+}
+
+output "account_caller_arn_partition" {
+ description = "AWS Caller ARN Partition"
+ value = data.aws_arn.current.partition
+}
+
+output "profile" {
+ description = "AWS Profile"
+ value = var.profile
+}
+
+output "region" {
+ description = "AWS Region"
+ value = local.region
+}
+
+output "vpc_full_name" {
+ description = "VPC Full Name"
+ value = var.vpc_full_name
+}
diff --git a/tag-shared-vpc-resources/prefixes.tf b/tag-shared-vpc-resources/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/tag-shared-vpc-resources/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/tag-shared-vpc-resources/region.tf b/tag-shared-vpc-resources/region.tf
new file mode 100644
index 0000000..b7b1696
--- /dev/null
+++ b/tag-shared-vpc-resources/region.tf
@@ -0,0 +1,4 @@
+locals {
+ region = var.region
+}
+
diff --git a/tag-shared-vpc-resources/tag-dhcp-ooptions.tf b/tag-shared-vpc-resources/tag-dhcp-ooptions.tf
new file mode 100644
index 0000000..c26dbf8
--- /dev/null
+++ b/tag-shared-vpc-resources/tag-dhcp-ooptions.tf
@@ -0,0 +1,23 @@
+data "aws_vpc_dhcp_options" "dhcp_options" {
+ provider = aws.network_account
+ for_each = local._dhcpopt_enabled ? { for k, v in data.aws_vpc.vpc : v.dhcp_options_id => v } : {}
+ dhcp_options_id = each.key
+}
+
+## output "dhcp_options" {
+## value = data.aws_vpc_dhcp_options.dhcp_options
+## }
+
+locals {
+ _dhcpopt_enabled = var.tag_enabled_dhcp_options
+ dhcp_options_tags = { for k, v in data.aws_vpc_dhcp_options.dhcp_options : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
+ dhcp_options_tags_map = flatten([for k, v in local.dhcp_options_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), dhcp_options_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "dhcp_options" {
+ for_each = { for t in local.dhcp_options_tags_map : t.label => t }
+
+ resource_id = each.value.dhcp_options_id
+ key = each.value.key
+ value = each.value.value
+}
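Review bot: The `create` input that the README documents (declared through the `variables.create.tf` symlink) is never consulted by `aws_ec2_tag.dhcp_options` or by the other tag resources in this change, so setting `create = false` still creates tags. Gate the resource on it, e.g. `for_each = var.create ? { for t in local.dhcp_options_tags_map : t.label => t } : {}`, or drop `create` from the module's interface so the documentation stops promising a switch that does nothing. Keying the DHCP lookup by `v.dhcp_options_id` also de-duplicates option sets shared by several VPCs, which is reasonable but deserves a one-line comment.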
diff --git a/tag-shared-vpc-resources/tag-network-acls.tf b/tag-shared-vpc-resources/tag-network-acls.tf
new file mode 100644
index 0000000..f0d4603
--- /dev/null
+++ b/tag-shared-vpc-resources/tag-network-acls.tf
@@ -0,0 +1,73 @@
+data "aws_network_acls" "network_acls" {
+ for_each = local._nacl_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+ filter {
+ name = "vpc-id"
+ values = [each.key]
+ }
+}
+
+## data "aws_network_acl" "network_acl" {
+## provider = aws.network_account
+## for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+## id = each.key
+## }
+
+# there is no aws_network_acl data resource. Fake this out with null_resource
+# aws --profile "057445207498-ent-gov-network-sa" --region $(get-region) ec2 describe-network-acls --network-acl-id "acl-0c19a5f3ea6a86d51" > X.json
+
+resource "null_resource" "network_acl" {
+ for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+ triggers = {
+ directory = "setup"
+ network_acl_id = each.key
+ filename = "network_acl.${each.key}.json"
+ }
+
+ provisioner "local-exec" {
+ command = "test -d ${path.root}/${self.triggers.directory} || mkdir -p ${path.root}/${self.triggers.directory}"
+ }
+
+ provisioner "local-exec" {
+ working_dir = "${path.root}/${self.triggers.directory}"
+ command = "aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.filename}"
+ environment = {
+ AWS_PROFILE = var.network_account_profile
+ AWS_REGION = local.region
+ }
+ }
+}
+
+data "local_file" "network_acl" {
+ # for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+ for_each = null_resource.network_acl
+ filename = format("%v/%v/%v", path.root, each.value.triggers.directory, each.value.triggers.filename)
+}
+
+## output "network_acls" {
+## value = data.aws_network_acls.network_acls
+## }
+##
+## output "network_acl" {
+## ## value = data.aws_network_acl.network_acl
+## value = local.network_acls
+## }
+
+locals {
+ _nacl_enabled = var.tag_enabled_network_acls
+ _network_acls = local._nacl_enabled ? { for k, v in data.local_file.network_acl : k => jsondecode(v.content) } : {}
+ network_acls = { for k, v in local._network_acls : k => lookup(v, "NetworkAcls", [{ "Tags" : [], "OwnerId" : "" }])[0] }
+ network_acls_tags = { for k, v in local.network_acls : k => merge({ for t in v.Tags : t.Key => t.Value }, { "boc:vpc:owner_id" = v.OwnerId }) }
+ network_acls_tags_map = flatten([for k, v in local.network_acls_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), network_acl_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "network_acls" {
+ for_each = { for t in local.network_acls_tags_map : t.label => t }
+
+ resource_id = each.value.network_acl_id
+ key = each.value.key
+ value = each.value.value
+}
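Review bot: `data.local_file.network_acl` is read at plan time from files that only exist after the `null_resource` provisioner has run, so a fresh checkout cannot plan without the two-phase `-target null_resource.network_acl` sequence in tf-run.data, and because the triggers contain only static values the JSON is never refreshed afterwards, leaving the tags copied into the participant account stale. The shell-out also dumps each NACL's full rule set into `path.root/setup/` with whatever credentials the `aws` binary on PATH resolves for `AWS_PROFILE`; that directory should be git-ignored and the dependency made explicit with a comment such as `# NOTE: requires the aws CLI and a local profile; output files contain NACL rules`. A plan-time approach (the `external` data source, which would need `hashicorp/external` added to versions.tf) would remove both the ordering hack and the on-disk artefacts. Separately, `lookup(v, "NetworkAcls", [...])[0]` indexes into whatever the API returns and will fail on an empty `NetworkAcls` list rather than fall back to the default.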
diff --git a/tag-shared-vpc-resources/tag-route-tables.tf b/tag-shared-vpc-resources/tag-route-tables.tf
new file mode 100644
index 0000000..a0d40ea
--- /dev/null
+++ b/tag-shared-vpc-resources/tag-route-tables.tf
@@ -0,0 +1,40 @@
+data "aws_route_tables" "route_tables" {
+ for_each = local._rt_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
+ filter {
+ name = "owner-id"
+ # values = [ local.network_account_id ]
+ values = [data.aws_arn.network_account.account]
+ }
+ filter {
+ name = "vpc-id"
+ values = [each.key]
+ }
+}
+
+data "aws_route_table" "route_table" {
+ provider = aws.network_account
+ for_each = toset(flatten(concat([for k, v in data.aws_route_tables.route_tables : v.ids])))
+ route_table_id = each.key
+}
+
+## output "route_tables" {
+## value = data.aws_route_tables.route_tables
+## }
+##
+## output "route_table" {
+## value = data.aws_route_table.route_table
+## }
+
+locals {
+ _rt_enabled = var.tag_enabled_route_tables
+ route_tables_tags = { for k, v in data.aws_route_table.route_table : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
+ route_tables_tags_map = flatten([for k, v in local.route_tables_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), route_table_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "route_tables" {
+ for_each = { for t in local.route_tables_tags_map : t.label => t }
+
+ resource_id = each.value.route_table_id
+ key = each.value.key
+ value = each.value.value
+}
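Review bot: The split between `aws_route_tables` on the default (participant) provider and `aws_route_table` on `aws.network_account` is the most important design decision in the file and has no comment; presumably the per-table read goes to the owner account because the owner's tags are not visible to participants, but a reader has to guess. Add something like `# list IDs from the participant account; read each table via the owner account, whose tags are what we copy` and delete the commented `# values = [ local.network_account_id ]` line, which references a local that does not exist in this module, along with the commented-out output blocks.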
diff --git a/tag-shared-vpc-resources/tag-subnets.tf b/tag-shared-vpc-resources/tag-subnets.tf
new file mode 100644
index 0000000..d58fb58
--- /dev/null
+++ b/tag-shared-vpc-resources/tag-subnets.tf
@@ -0,0 +1,39 @@
+data "aws_subnets" "subnets" {
+ for_each = local._subnet_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+ filter {
+ name = "vpc-id"
+ values = [each.key]
+ }
+}
+
+data "aws_subnet" "subnet" {
+ provider = aws.network_account
+ for_each = toset(flatten(concat([for k, v in data.aws_subnets.subnets : v.ids])))
+ id = each.key
+}
+
+## output "subnets" {
+## value = data.aws_subnets.subnets
+## }
+##
+## output "subnet" {
+## value = data.aws_subnet.subnet
+## }
+
+locals {
+ _subnet_enabled = var.tag_enable_subnets
+ subnets_tags = { for k, v in data.aws_subnet.subnet : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
+ subnets_tags_map = flatten([for k, v in local.subnets_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), subnet_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "subnets" {
+ for_each = { for t in local.subnets_tags_map : t.label => t }
+
+ resource_id = each.value.subnet_id
+ key = each.value.key
+ value = each.value.value
+}
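Review bot: `local._subnet_enabled` reads `var.tag_enable_subnets`, but the variable declared in variables.tf and documented in the README is `tag_enabled_subnets`, so this file fails `terraform validate` with an undeclared input variable. Change the line to `_subnet_enabled = var.tag_enabled_subnets` to match the naming of the other `tag_enabled_*` flags.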
diff --git a/tag-shared-vpc-resources/tag-transit-gateway.tf b/tag-shared-vpc-resources/tag-transit-gateway.tf
new file mode 100644
index 0000000..92f8ec2
--- /dev/null
+++ b/tag-shared-vpc-resources/tag-transit-gateway.tf
@@ -0,0 +1,38 @@
+data "aws_ec2_transit_gateway" "transit_gateway" {
+ count = local._tgw_enabled ? 1 : 0
+ provider = aws.network_account
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+## output "transit_gateway" {
+## value = data.aws_ec2_transit_gateway.transit_gateway
+## }
+
+locals {
+ _tgw_eanbled = var.tag_enabled_transit_gateway ? false : false
+ _transit_gateway_tags = local._tgw_enabled ? { format("%v", data.aws_ec2_transit_gateway.transit_gateway[0].id) = data.aws_ec2_transit_gateway.transit_gateway[0] } : {}
+ transit_gateway_tags = { for k, v in local._transit_gateway_tags : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
+ transit_gateway_tags_map = flatten([for k, v in local.transit_gateway_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), transit_gateway_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "transit_gateway" {
+ provider = aws
+ for_each = false ? { for t in local.transit_gateway_tags_map : t.label => t } : {}
+
+ resource_id = each.value.transit_gateway_id
+ key = each.value.key
+ value = each.value.value
+}
+
+## 20220926
+## this isn't working, opened support ticket 10858519821 with aws
+##
+## Error: error creating EC2 resource (tgw-0fde039e090bebac1) tag (Name): tagging resource (tgw-0fde039e090bebac1): couldn't find resource
+##
+## on tag-transit-gateway.tf line 19, in resource "aws_ec2_tag" "transit_gateway":
+## 19: resource "aws_ec2_tag" "transit_gateway" {
+##
+##
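Review bot: The local is defined as `_tgw_eanbled` but referenced as `local._tgw_enabled` in both the data source `count` and `_transit_gateway_tags`, so the file does not validate regardless of the flag; the `var.tag_enabled_transit_gateway ? false : false` expression and the `false ? ... : {}` `for_each` then make the resource unconditionally empty anyway. Since the commented error shows participants cannot tag a RAM-shared transit gateway, the cleaner change is to delete `aws_ec2_tag.transit_gateway` and the dependent locals, keep the variable as a documented no-op if backwards compatibility matters, and fix the remaining local to `_tgw_enabled = var.tag_enabled_transit_gateway`. The trailing comment block embeds a live transit gateway ID and a support case number; that belongs in the issue tracker or CHANGELOG, not in the module source.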
diff --git a/tag-shared-vpc-resources/tag-vpcs.tf b/tag-shared-vpc-resources/tag-vpcs.tf
new file mode 100644
index 0000000..5d9cecc
--- /dev/null
+++ b/tag-shared-vpc-resources/tag-vpcs.tf
@@ -0,0 +1,35 @@
+data "aws_vpcs" "vpcs" {
+ filter {
+ name = "owner-id"
+ # values = [ local.network_account_id ]
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+data "aws_vpc" "vpc" {
+ provider = aws.network_account
+ for_each = toset(data.aws_vpcs.vpcs.ids)
+ id = each.key
+}
+
+## output "vpcs" {
+## value = data.aws_vpcs.vpcs
+## }
+##
+## output "vpc" {
+## value = data.aws_vpc.vpc
+## }
+
+locals {
+ _vpc_enabled = var.tag_enabled_vpcs
+ vpcs_tags = local._vpc_enabled ? { for k, v in data.aws_vpc.vpc : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) } : {}
+ vpcs_tags_map = flatten([for k, v in local.vpcs_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), vpc_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "vpcs" {
+ for_each = { for t in local.vpcs_tags_map : t.label => t }
+
+ resource_id = each.value.vpc_id
+ key = each.value.key
+ value = each.value.value
+}
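Review bot: `vpcs_tags` copies every owner-side tag into the participant account verbatim, including any `aws:`-prefixed keys (for example the `aws:cloudformation:*` tags on a CloudFormation-managed VPC), and `CreateTags` rejects user-supplied keys with that reserved prefix, so one such tag on the shared VPC fails the whole apply. Filter them at the merge, `merge({ for tk, tv in v.tags : tk => tv if substr(tk, 0, 4) != "aws:" }, { "boc:vpc:owner_id" = v.owner_id })`, and apply the same filter in the dhcp-options, route-table, subnet and network-ACL locals. A short comment explaining that `boc:vpc:owner_id` records the owning account for the participant's benefit would also help.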
diff --git a/tag-shared-vpc-resources/tf-run.data b/tag-shared-vpc-resources/tf-run.data
new file mode 100644
index 0000000..37405d2
--- /dev/null
+++ b/tag-shared-vpc-resources/tf-run.data
@@ -0,0 +1,8 @@
+VERSION 1.0.1
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+null_resource.network_acl
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/tag-shared-vpc-resources/variables.auto.tfvars.example b/tag-shared-vpc-resources/variables.auto.tfvars.example
new file mode 100644
index 0000000..5fc075e
--- /dev/null
+++ b/tag-shared-vpc-resources/variables.auto.tfvars.example
@@ -0,0 +1,2 @@
+# network_account_profile = "057405694017-ent-gov-network-prod"
+network_account_profile = "057445207498-ent-gov-network-sa"
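Review bot: Both profile names embed real AWS account IDs; account IDs are not credentials, but an `.example` file that is auto-loaded once copied to `variables.auto.tfvars` is better served by a neutral placeholder such as `network_account_profile = "<network-account-profile>"` with a comment pointing at where the profile must be defined. Keeping environment-specific identifiers out of the example also avoids operators silently applying against the wrong account by using the file as-is.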
diff --git a/tag-shared-vpc-resources/variables.common.tf b/tag-shared-vpc-resources/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/tag-shared-vpc-resources/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/tag-shared-vpc-resources/variables.common.vpc.tf b/tag-shared-vpc-resources/variables.common.vpc.tf
new file mode 120000
index 0000000..5e77d37
--- /dev/null
+++ b/tag-shared-vpc-resources/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/tag-shared-vpc-resources/variables.create.tf b/tag-shared-vpc-resources/variables.create.tf
new file mode 120000
index 0000000..de1275b
--- /dev/null
+++ b/tag-shared-vpc-resources/variables.create.tf
@@ -0,0 +1 @@
+../common/variables.create.tf
\ No newline at end of file
diff --git a/tag-shared-vpc-resources/variables.tf b/tag-shared-vpc-resources/variables.tf
new file mode 100644
index 0000000..d9b6dc0
--- /dev/null
+++ b/tag-shared-vpc-resources/variables.tf
@@ -0,0 +1,40 @@
+variable "network_account_profile" {
+ description = "AWS profile of the source account sharing the VPC resources"
+ type = string
+}
+
+variable "tag_enabled_vpcs" {
+ description = "Flag to tag or not tag shared VPCs"
+ type = bool
+ default = true
+}
+
+variable "tag_enabled_dhcp_options" {
+ description = "Flag to tag or not tag shared VPC DHCP option sets"
+ type = bool
+ default = true
+}
+
+variable "tag_enabled_route_tables" {
+ description = "Flag to tag or not tag shared VPC route tables"
+ type = bool
+ default = true
+}
+
+variable "tag_enabled_subnets" {
+ description = "Flag to tag or not tag shared VPC subnets"
+ type = bool
+ default = true
+}
+
+variable "tag_enabled_network_acls" {
+ description = "Flag to tag or not tag shared Network ACLs"
+ type = bool
+ default = true
+}
+
+variable "tag_enabled_transit_gateway" {
+ description = "Flag to tag or not tag shared VPC Transit Gateway (not currently possible in AWS; this has no effect)"
+ type = bool
+ default = false
+}
diff --git a/tag-shared-vpc-resources/version.tf b/tag-shared-vpc-resources/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/tag-shared-vpc-resources/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/tag-shared-vpc-resources/versions.tf b/tag-shared-vpc-resources/versions.tf
new file mode 120000
index 0000000..a76a35d
--- /dev/null
+++ b/tag-shared-vpc-resources/versions.tf
@@ -0,0 +1 @@
+../common//versions.tf
\ No newline at end of file