* 2.13.1 -- 2026-02-23

- vpc-transit-gateway-association/self - add variable for dns_support, default to false (disabled) - this comes from the resolution of AWS support case 176963314006987 from ent-gov-operations-prod account
terraform-modules · Feb 23, 2026 · 6ee5efd · 6ee5efd
1 parent 693c031
commit 6ee5efd
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -492,3 +492,9 @@
 * 2.13.0 -- 2025-10-15
   - vpc-interface-endpoint
     - add use_route53_profiles option
+
+* 2.13.1 -- 2026-02-23
+  - vpc-transit-gateway-association/self
+    - add variable for dns_support, default to false (disabled)
+    - this comes from the resolution of AWS support case 176963314006987 from ent-gov-operations-prod account
+
diff --git a/common/version.tf b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.13.0"
+  _module_version = "2.13.1"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md
@@ -261,6 +261,7 @@ module "vpc_tgw_self" {
 | <a name="input_create_prefix_list_routing"></a> [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
 | <a name="input_create_static_peer_routing"></a> [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
 | <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br/>    availablity_zone          = map(any)<br/>    gateway_self              = string<br/>    gateway_peer              = string<br/>    route_tables_self         = map(any)<br/>    route_tables_peer         = map(any)<br/>    map_route_tables_self     = map(any)<br/>    map_route_tables_peer     = map(any)<br/>    map_vpn_route_tables_self = map(any)<br/>    map_vpn_route_tables_peer = map(any)<br/>    prefix_list_id_ipv4       = string<br/>    vpn_prefix_list_id_ipv4   = string<br/>    vpc_id                    = string<br/>    vpc_cidr_block            = string<br/>    vpc_cidr_blocks           = list(string)<br/>  })</pre> | n/a | yes |
+| <a name="input_dns_support"></a> [dns\_support](#input\_dns\_support) | Flag to enable or disable DNS support on Transit Gateway Attachment (default: false) | `bool` | `false` | no |
 | <a name="input_enable_tgw_attachment"></a> [enable\_tgw\_attachment](#input\_enable\_tgw\_attachment) | Flag to enable or disable attachment to Transit Gateway (for subnets with separate route tables which are not the attachment subnets) | `bool` | `true` | no |
 | <a name="input_enable_vpn_routing"></a> [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list.  This is used in the transition from per-VPC VPNs to TGW | `bool` | `true` | no |
 | <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |

diff --git a/vpc-transit-gateway-association/self/associate.tf b/vpc-transit-gateway-association/self/associate.tf
@@ -13,10 +13,11 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
   count    = var.enable_tgw_attachment ? 1 : 0
   provider = aws
   #  subnet_ids                                      = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
-  subnet_ids                                      = [for k, v in var.private_subnets_ids : v.id]
-  transit_gateway_id                              = data.aws_ec2_transit_gateway.gateway_self.id
-  vpc_id                                          = var.vpc_id
-  dns_support                                     = "enable"
+  subnet_ids         = [for k, v in var.private_subnets_ids : v.id]
+  transit_gateway_id = data.aws_ec2_transit_gateway.gateway_self.id
+  vpc_id             = var.vpc_id
+  #  dns_support                                     = "enable"
+  dns_support                                     = var.dns_support ? "enable" : "disable"
   ipv6_support                                    = "disable"
   transit_gateway_default_route_table_association = false
   transit_gateway_default_route_table_propagation = false
@@ -34,7 +35,7 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
 # if this is the network account, no need to add the additional tags as they are already there
 resource "aws_ec2_tag" "vpc_attachment" {
   provider = aws.self
-  for_each = var.enable_tgw_attachment && ! local.self_is_network_account ? merge(local.base_tags, var.tags, local.attachment_tags) : {}
+  for_each = var.enable_tgw_attachment && !local.self_is_network_account ? merge(local.base_tags, var.tags, local.attachment_tags) : {}
 
   resource_id = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
   key         = each.key
@@ -64,8 +65,8 @@ locals {
   #  propagate_all_rt = ["services", "inter-region"]
   propagate_all_rt = var.propagate_all_route_table_names
   #  selected_rt      = [for k in keys(local.transit_gateway_route_table_ids_self) : k if ! contains(local.propagate_all_rt, k)]
-  selected_rt     = [for k in keys(var.data_input.map_route_tables_self) : k if ! contains(local.propagate_all_rt, k)]
-  vpn_selected_rt = [for k in keys(var.data_input.map_route_tables_self) : k if ! contains(local.propagate_all_rt, k)]
+  selected_rt     = [for k in keys(var.data_input.map_route_tables_self) : k if !contains(local.propagate_all_rt, k)]
+  vpn_selected_rt = [for k in keys(var.data_input.map_route_tables_self) : k if !contains(local.propagate_all_rt, k)]
 }
 
 #---

diff --git a/vpc-transit-gateway-association/self/main.tf b/vpc-transit-gateway-association/self/main.tf
@@ -51,8 +51,8 @@ locals {
   self_is_network_account = data.aws_caller_identity.current.account_id == data.aws_caller_identity.network_account.account_id
 
   # these two options cannot both be true.  To create prefix list routing, this is only done on the network account
-  create_prefix_list_routing = var.create_prefix_list_routing && local.self_is_network_account && ! var.create_static_peer_routing
-  create_static_peer_routing = var.create_static_peer_routing && ! var.create_prefix_list_routing
+  create_prefix_list_routing = var.create_prefix_list_routing && local.self_is_network_account && !var.create_static_peer_routing
+  create_static_peer_routing = var.create_static_peer_routing && !var.create_prefix_list_routing
 
   base_tags = {
     "boc:tf_module_version" = local._module_version

diff --git a/vpc-transit-gateway-association/self/variables.tf b/vpc-transit-gateway-association/self/variables.tf
@@ -92,3 +92,13 @@ variable "enable_tgw_attachment" {
   type        = bool
   default     = true
 }
+
+# we want this disabled because it automatically creates PTR zones for each block in a VPC cidr, and it prevents
+# access from the resolver rules properly.
+# resolution from AWS ticket in ent-gov-operations-prod 20260223 ticket 176963314006987
+
+variable "dns_support" {
+  description = "Flag to enable or disable DNS support on Transit Gateway Attachment (default: false)"
+  type        = bool
+  default     = false
+}