diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md
index 2c0b6b3..5e5bf9e 100644
--- a/vpc-transit-gateway-association/self/README.md
+++ b/vpc-transit-gateway-association/self/README.md
@@ -261,6 +261,7 @@ module "vpc_tgw_self" {
| [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
| [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
map_vpn_route_tables_self = map(any)
map_vpn_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
vpn_prefix_list_id_ipv4 = string
vpc_id = string
vpc_cidr_block = string
vpc_cidr_blocks = list(string)
}) | n/a | yes |
+| [enable\_tgw\_attachment](#input\_enable\_tgw\_attachment) | Flag to enable or disable attachment to Transit Gateway (for subnets with separate route tables which are not the attachment subnets) | `bool` | `true` | no |
| [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list. This is used in the transition from per-VPC VPNs to TGW | `bool` | `true` | no |
| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
diff --git a/vpc-transit-gateway-association/self/associate.tf b/vpc-transit-gateway-association/self/associate.tf
index c57a1f9..e8146e2 100644
--- a/vpc-transit-gateway-association/self/associate.tf
+++ b/vpc-transit-gateway-association/self/associate.tf
@@ -10,6 +10,7 @@ locals {
# attach this vpc to tgw (my region, my account)
#---
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
+ count = var.enable_tgw_attachment ? 1 : 0
provider = aws
# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
subnet_ids = [for k, v in var.private_subnets_ids : v.id]
@@ -33,24 +34,25 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
# if this is the network account, no need to add the additional tags as they are already there
resource "aws_ec2_tag" "vpc_attachment" {
provider = aws.self
- for_each = ! local.self_is_network_account ? merge(local.base_tags, var.tags, local.attachment_tags) : {}
+ for_each = var.enable_tgw_attachment && ! local.self_is_network_account ? merge(local.base_tags, var.tags, local.attachment_tags) : {}
- resource_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ resource_id = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
key = each.key
value = each.value
}
output "vpc_attachment_id" {
description = "Transit Gateway VPC Attachment ID for this VPC"
- value = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ value = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
}
#---
# assocaite this vpc to route table in self (my region, network account)
#---
resource "aws_ec2_transit_gateway_route_table_association" "route_table_self" {
+ count = var.enable_tgw_attachment ? 1 : 0
provider = aws.self
- transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
# transit_gateway_route_table_id = local.transit_gateway_route_table_ids_self[var.transit_gateway_environment]
transit_gateway_route_table_id = var.data_input.map_route_tables_self[var.transit_gateway_environment]
}
@@ -75,9 +77,9 @@ locals {
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_own_rt" {
provider = aws.self
# for_each = var.transit_gateway_environment == "services" ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_self[k] } : { (var.transit_gateway_environment) = local.transit_gateway_route_table_ids_self[var.transit_gateway_environment] }
- for_each = var.transit_gateway_environment == "services" ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] } : { (var.transit_gateway_environment) = var.data_input.map_route_tables_self[var.transit_gateway_environment] }
+ for_each = var.transit_gateway_environment == "services" ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] if var.enable_vpc_attachment } : var.enable_vpc_attachment ? { (var.transit_gateway_environment) = var.data_input.map_route_tables_self[var.transit_gateway_environment] } : {}
- transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
transit_gateway_route_table_id = each.value
}
@@ -88,9 +90,9 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_own_rt" {
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_common" {
provider = aws.self
# for_each = { for k in local.propagate_all_rt : k => local.transit_gateway_route_table_ids_self[k] }
- for_each = { for k in local.propagate_all_rt : k => var.data_input.map_route_tables_self[k] }
+ for_each = { for k in local.propagate_all_rt : k => var.data_input.map_route_tables_self[k] if var.enable_tgw_attachment }
- transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
transit_gateway_route_table_id = each.value
}
@@ -99,8 +101,8 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_common" {
#---
resource "aws_ec2_transit_gateway_route_table_propagation" "vpn_vpc_self_own_rt" {
provider = aws.self
- for_each = var.vpn_route_prefix_list_name != null ? { (var.transit_gateway_environment) = var.data_input.map_vpn_route_tables_self[var.transit_gateway_environment] } : {}
+ for_each = var.enable_tgw_attachment && var.vpn_route_prefix_list_name != null ? { (var.transit_gateway_environment) = var.data_input.map_vpn_route_tables_self[var.transit_gateway_environment] } : {}
- transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
transit_gateway_route_table_id = each.value
}
diff --git a/vpc-transit-gateway-association/self/routing.tf b/vpc-transit-gateway-association/self/routing.tf
index 32ad416..3d65973 100644
--- a/vpc-transit-gateway-association/self/routing.tf
+++ b/vpc-transit-gateway-association/self/routing.tf
@@ -40,8 +40,9 @@ module "routing_attachment_ipv4" {
## }
resource "null_resource" "vpc_attachment_exists" {
+ count = var.enable_tgw_attachment ? 1 : 0
triggers = {
- vpc_attachment = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ vpc_attachment = try(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[0].id, null)
}
}
diff --git a/vpc-transit-gateway-association/self/variables.tf b/vpc-transit-gateway-association/self/variables.tf
index e7128c0..846077d 100644
--- a/vpc-transit-gateway-association/self/variables.tf
+++ b/vpc-transit-gateway-association/self/variables.tf
@@ -86,3 +86,9 @@ variable "security_group_referencing_support" {
type = bool
default = true
}
+
+variable "enable_tgw_attachment" {
+ description = "Flag to enable or disable attachment to Transit Gateway (for subnets with separate route tables which are not the attachment subnets)"
+ type = bool
+ default = true
+}