add variable enable_tgw_attachment

terraform-modules · Feb 21, 2025 · 860042d · 860042d
1 parent 642b263
commit 860042d
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 11 deletions.
diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md
@@ -261,6 +261,7 @@ module "vpc_tgw_self" {
 | <a name="input_create_prefix_list_routing"></a> [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
 | <a name="input_create_static_peer_routing"></a> [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
 | <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br/>    availablity_zone          = map(any)<br/>    gateway_self              = string<br/>    gateway_peer              = string<br/>    route_tables_self         = map(any)<br/>    route_tables_peer         = map(any)<br/>    map_route_tables_self     = map(any)<br/>    map_route_tables_peer     = map(any)<br/>    map_vpn_route_tables_self = map(any)<br/>    map_vpn_route_tables_peer = map(any)<br/>    prefix_list_id_ipv4       = string<br/>    vpn_prefix_list_id_ipv4   = string<br/>    vpc_id                    = string<br/>    vpc_cidr_block            = string<br/>    vpc_cidr_blocks           = list(string)<br/>  })</pre> | n/a | yes |
+| <a name="input_enable_tgw_attachment"></a> [enable\_tgw\_attachment](#input\_enable\_tgw\_attachment) | Flag to enable or disable attachment to Transit Gateway (for subnets with separate route tables which are not the attachment subnets) | `bool` | `true` | no |
 | <a name="input_enable_vpn_routing"></a> [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list.  This is used in the transition from per-VPC VPNs to TGW | `bool` | `true` | no |
 | <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |

diff --git a/vpc-transit-gateway-association/self/associate.tf b/vpc-transit-gateway-association/self/associate.tf
@@ -10,6 +10,7 @@ locals {
 # attach this vpc to tgw (my region, my account)
 #---
 resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
+  count    = var.enable_tgw_attachment ? 1 : 0
   provider = aws
   #  subnet_ids                                      = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
   subnet_ids                                      = [for k, v in var.private_subnets_ids : v.id]
@@ -33,24 +34,25 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
 # if this is the network account, no need to add the additional tags as they are already there
 resource "aws_ec2_tag" "vpc_attachment" {
   provider = aws.self
-  for_each = ! local.self_is_network_account ? merge(local.base_tags, var.tags, local.attachment_tags) : {}
+  for_each = var.enable_tgw_attachment && ! local.self_is_network_account ? merge(local.base_tags, var.tags, local.attachment_tags) : {}
 
-  resource_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  resource_id = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
   key         = each.key
   value       = each.value
 }
 
 output "vpc_attachment_id" {
   description = "Transit Gateway VPC Attachment ID for this VPC"
-  value       = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  value       = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
 }
 
 #---
 # assocaite this vpc to route table in self (my region, network account)
 #---
 resource "aws_ec2_transit_gateway_route_table_association" "route_table_self" {
+  count                         = var.enable_tgw_attachment ? 1 : 0
   provider                      = aws.self
-  transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  transit_gateway_attachment_id = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
   #  transit_gateway_route_table_id = local.transit_gateway_route_table_ids_self[var.transit_gateway_environment]
   transit_gateway_route_table_id = var.data_input.map_route_tables_self[var.transit_gateway_environment]
 }
@@ -75,9 +77,9 @@ locals {
 resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_own_rt" {
   provider = aws.self
   #  for_each = var.transit_gateway_environment == "services" ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_self[k] } : { (var.transit_gateway_environment) = local.transit_gateway_route_table_ids_self[var.transit_gateway_environment] }
-  for_each = var.transit_gateway_environment == "services" ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] } : { (var.transit_gateway_environment) = var.data_input.map_route_tables_self[var.transit_gateway_environment] }
+  for_each = var.transit_gateway_environment == "services" ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] if var.enable_vpc_attachment } : var.enable_vpc_attachment ? { (var.transit_gateway_environment) = var.data_input.map_route_tables_self[var.transit_gateway_environment] } : {}
 
-  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  transit_gateway_attachment_id  = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
   transit_gateway_route_table_id = each.value
 }
 
@@ -88,9 +90,9 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_own_rt" {
 resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_common" {
   provider = aws.self
   #  for_each = { for k in local.propagate_all_rt : k => local.transit_gateway_route_table_ids_self[k] }
-  for_each = { for k in local.propagate_all_rt : k => var.data_input.map_route_tables_self[k] }
+  for_each = { for k in local.propagate_all_rt : k => var.data_input.map_route_tables_self[k] if var.enable_tgw_attachment }
 
-  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  transit_gateway_attachment_id  = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
   transit_gateway_route_table_id = each.value
 }
 
@@ -99,8 +101,8 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_common" {
 #---
 resource "aws_ec2_transit_gateway_route_table_propagation" "vpn_vpc_self_own_rt" {
   provider = aws.self
-  for_each = var.vpn_route_prefix_list_name != null ? { (var.transit_gateway_environment) = var.data_input.map_vpn_route_tables_self[var.transit_gateway_environment] } : {}
+  for_each = var.enable_tgw_attachment && var.vpn_route_prefix_list_name != null ? { (var.transit_gateway_environment) = var.data_input.map_vpn_route_tables_self[var.transit_gateway_environment] } : {}
 
-  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  transit_gateway_attachment_id  = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
   transit_gateway_route_table_id = each.value
 }
diff --git a/vpc-transit-gateway-association/self/routing.tf b/vpc-transit-gateway-association/self/routing.tf
@@ -40,8 +40,9 @@ module "routing_attachment_ipv4" {
 ## }
 
 resource "null_resource" "vpc_attachment_exists" {
+  count = var.enable_tgw_attachment ? 1 : 0
   triggers = {
-    vpc_attachment = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+    vpc_attachment = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
   }
 }
 

diff --git a/vpc-transit-gateway-association/self/variables.tf b/vpc-transit-gateway-association/self/variables.tf
@@ -86,3 +86,9 @@ variable "security_group_referencing_support" {
   type        = bool
   default     = true
 }
+
+variable "enable_tgw_attachment" {
+  description = "Flag to enable or disable attachment to Transit Gateway (for subnets with separate route tables which are not the attachment subnets)"
+  type        = bool
+  default     = true
+}