* 2.11.6 -- 2025-02-20

- vpc-transit-gateway-association/self - add variables: - appliance_mode_support default false (for firewall subnets) - security_group_referencing_support default true
terraform-modules · Feb 20, 2025 · 642b263 · 642b263
1 parent 09fb4b8
commit 642b263
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -455,3 +455,9 @@
 * 2.11.5 -- 2025-02-18
   - vpc-transit-gateway-association
     - allow additional propgate_rt_all options via variable propagate_all_route_table_names
+
+* 2.11.6 -- 2025-02-20
+  - vpc-transit-gateway-association/self
+    - add variables:
+      - appliance_mode_support default false (for firewall subnets)
+      - security_group_referencing_support default true
diff --git a/common/version.tf b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.11.5"
+  _module_version = "2.11.6"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md
@@ -255,6 +255,7 @@ module "vpc_tgw_self" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_appliance_mode_support"></a> [appliance\_mode\_support](#input\_appliance\_mode\_support) | Flag to enable or disable appliance mode support on the VPC TGW Attachment (needed for firewalls) | `bool` | `false` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
 | <a name="input_create_prefix_list_routing"></a> [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
@@ -268,6 +269,7 @@ module "vpc_tgw_self" {
 | <a name="input_propagate_all_route_table_names"></a> [propagate\_all\_route\_table\_names](#input\_propagate\_all\_route\_table\_names) | List of route table names to propagate routes into for every attachment | `list(string)` | <pre>[<br/>  "services",<br/>  "inter-region"<br/>]</pre> | no |
 | <a name="input_route_prefix_list_name"></a> [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW.  It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no |
 | <a name="input_route_table_label"></a> [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no |
+| <a name="input_security_group_referencing_support"></a> [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Flag to enable or disable security group referencing cross-TGW on the VPC TGW Attachment | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_transit_gateway_environment"></a> [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
 | <a name="input_transit_gateway_environments"></a> [transit\_gateway\_environments](#input\_transit\_gateway\_environments) | Transit Gateway Environments possible.  Pass a different list to use in the Lab or DMZ environment | `list(string)` | `[]` | no |

diff --git a/vpc-transit-gateway-association/self/associate.tf b/vpc-transit-gateway-association/self/associate.tf
@@ -19,6 +19,8 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
   ipv6_support                                    = "disable"
   transit_gateway_default_route_table_association = false
   transit_gateway_default_route_table_propagation = false
+  appliance_mode_support                          = var.appliance_mode_support ? "enable" : "disable"
+  security_group_referencing_support              = var.security_group_referencing_support ? "enable" : "disable"
 
   tags = merge(
     local.base_tags,

diff --git a/vpc-transit-gateway-association/self/variables.tf b/vpc-transit-gateway-association/self/variables.tf
@@ -74,3 +74,15 @@ variable "propagate_all_route_table_names" {
     error_message = "propagate_all_route_table_names must be one of: services, inter-region, inspection, cross-boundary."
   }
 }
+
+variable "appliance_mode_support" {
+  description = "Flag to enable or disable appliance mode support on the VPC TGW Attachment (needed for firewalls)"
+  type        = bool
+  default     = false
+}
+
+variable "security_group_referencing_support" {
+  description = "Flag to enable or disable security group referencing cross-TGW on the VPC TGW Attachment"
+  type        = bool
+  default     = true
+}