* 2.11.4 -- 2025-02-14

  - vpc-transit-gateway-association
    - add inspection as possible tgw_environment

CHANGELOG.md

@@ -443,3 +443,11 @@
 * 2.11.2 -- 2025-01-08
   - vpc-interface-endpoint
     - add lab-gov-dmz-network-nonprod account to allowed list of central vpc endpoint accounts
+
+* 2.11.3 -- 2025-02-12
+  - routing
+    - fix nat gateway for_each (for public stuff)
+
+* 2.11.4 -- 2025-02-14
+  - vpc-transit-gateway-association
+    - add inspection as possible tgw_environment

common/variables.common.vpc.tf

@@ -26,7 +26,7 @@ variable "vpc_index" {
 }
 
 variable "vpc_environment" {
-  description = "VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod)"
+  description = "VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection)"
   type        = string
   default     = null
 }

common/version.tf

@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.11.2"
+  _module_version = "2.11.4"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

routing/README.md

@@ -204,7 +204,7 @@ No modules.
 | <a name="input_public_subnets_ids"></a> [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br/>    subnet            = string<br/>    label             = string<br/>    availability_zone = string<br/>    id                = string<br/>    tags              = optional(map(string))<br/>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | n/a | yes |
-| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
 | <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |

routing/main.tf

@@ -120,7 +120,8 @@ locals {
 }
 
 resource "aws_nat_gateway" "nat" {
-  for_each      = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : {}
+  #  for_each      = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : {}
+  for_each      = var.enable_igw && var.enable_nat ? { for k, v in local.public_subnets_ids_az : v.availability_zone => v.id } : {}
   allocation_id = aws_eip.nat[each.key].id
   subnet_id     = each.value
   #  depends_on    = [aws_internet_gateway.gateway]

vpc-transit-gateway-association/data/README.md

@@ -130,3 +130,140 @@ No modules.
 | <a name="output_prefix_list_id_ipv4"></a> [prefix\_list\_id\_ipv4](#output\_prefix\_list\_id\_ipv4) | Managed prefix ID for IPv4 |
 | <a name="output_route_tables_peer"></a> [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) |
 | <a name="output_route_tables_self"></a> [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) |
+
+<!-- BEGIN_TF_DOCS -->
+# About aws-vpc-setup ::  vpc-transit-gateway-association/data
+
+This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three
+section TGW setup, consisting of data (required,this), self, and peer (remote(s)).  They do the following:
+
+* data
+  * gets transit gateway ID shared to this account and region
+  * gets transit gateway route tables
+* self
+  * creates routes for the attachment subnets to the transit gatewway
+  * creates routes to all other things on the transit gateway through a network prefix
+  * attaches the VPC to the transit gateway
+  * propagates the route to the associated route tables for the envirornment/VRF
+  * services is propagated to all
+* peer
+  * creates static routes for transit gateway route tables in a peer region
+
+# Usage
+
+```hcl
+module "vpc_tgw_data" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=tf-upgrade"
+  providers = {
+    aws                 = aws
+    aws.network_account = aws.network_account
+    aws.self            = aws.tgw_east
+    aws.peer            = aws.tgw_west
+  }
+
+  network_account_profile      = var.network_account_profile
+  vpc_id                       = local.vpc_id
+  vpc_full_name                = var.vpc_full_name
+  private_subnets_ids          = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  private_route_table_ids      = module.routing.private_route_table_ids
+  transit_gateway_environment  = var.tgw_environment
+  transit_gateway_label        = var.tgw_label
+  route_prefix_list_name       = format("transit-gateway.%v", var.tgw_label)
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
+| <a name="provider_aws.network_account"></a> [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 |
+| <a name="provider_aws.peer"></a> [aws.peer](#provider\_aws.peer) | >= 3.66.0 |
+| <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | >= 3.66.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
+| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_managed_prefix_list.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.tgw_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_lists.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
+| [aws_ec2_managed_prefix_lists.tgw_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
+| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_ec2_transit_gateway_route_table.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source |
+| [aws_ec2_transit_gateway_route_table.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source |
+| [aws_ec2_transit_gateway_route_tables.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source |
+| [aws_ec2_transit_gateway_route_tables.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
+| <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_private_route_table_ids"></a> [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |
+| <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br/>    subnet            = string<br/>    label             = string<br/>    availability_zone = string<br/>    id                = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_route_prefix_list_name"></a> [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW.  It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no |
+| <a name="input_route_table_label"></a> [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_transit_gateway_environment"></a> [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
+| <a name="input_transit_gateway_label"></a> [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no |
+| <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | `null` | no |
+| <a name="input_vpc_cidr_blocks"></a> [vpc\_cidr\_blocks](#input\_vpc\_cidr\_blocks) | VPC CIDR Block List | `list(string)` | `[]` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+| <a name="input_vpn_route_prefix_list_name"></a> [vpn\_route\_prefix\_list\_name](#input\_vpn\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW through VPN.  If null, existing VPN routing if any will be used. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_availability_zone_ids"></a> [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list (3) |
+| <a name="output_availability_zone_names"></a> [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list (3) |
+| <a name="output_availability_zone_suffixes"></a> [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list (3) |
+| <a name="output_availablity_zone"></a> [availablity\_zone](#output\_availablity\_zone) | map of data resource aws\_availability\_zone from list of zone names |
+| <a name="output_data_output"></a> [data\_output](#output\_data\_output) | Map of data generated by this submodule need for the vpc-transit-gateway-association module |
+| <a name="output_gateway_peer"></a> [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) |
+| <a name="output_gateway_self"></a> [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) |
+| <a name="output_map_route_tables_peer"></a> [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) |
+| <a name="output_map_route_tables_self"></a> [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) |
+| <a name="output_prefix_list_id_ipv4"></a> [prefix\_list\_id\_ipv4](#output\_prefix\_list\_id\_ipv4) | Managed prefix ID for IPv4 |
+| <a name="output_route_tables_peer"></a> [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) |
+| <a name="output_route_tables_self"></a> [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) |
+<!-- END_TF_DOCS -->

vpc-transit-gateway-association/data/variables.tf

@@ -8,7 +8,7 @@ variable "transit_gateway_environment" {
   type        = string
 
   validation {
-    condition     = contains(["services", "dev", "test", "stage", "prod", "cre"], var.transit_gateway_environment)
+    condition     = contains(["services", "dev", "test", "stage", "prod", "cre", "inspection"], var.transit_gateway_environment)
     error_message = "transit_gateway_environment value must be one of the valid VRF selections"
   }
 }