diff --git a/common/version.tf b/common/version.tf
index 5dbeb1c..d100514 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.4.1"
+ _module_version = "2.4.2"
 _module_names = {
 "_main_" = "aws-vpc-setup"
@@ -18,7 +18,8 @@ locals {
 "vpn" = "aws-vpc-setup/vpn"
 "vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway"
 "vpn-transit-gateway" = "aws-vpc-setup/vpn-transit-gateway"
- "vpc-transit-gateway-association" = "aws-vpc-setup/vpc-transit-gateway-association"
- "vpc-transit-gateway-association-data" = "aws-vpc-setup/vpc-transit-gateway-association-data"
+ "vpc-transit-gateway-association/data" = "aws-vpc-setup/vpc-transit-gateway-association/data"
+ "vpc-transit-gateway-association/self" = "aws-vpc-setup/vpc-transit-gateway-association/self"
+ "vpc-transit-gateway-association/peer" = "aws-vpc-setup/vpc-transit-gateway-association/peer"
 }
 }
diff --git a/vpc-transit-gateway-association-data/availabilty_zones.tf b/vpc-transit-gateway-association-data/availabilty_zones.tf
deleted file mode 120000
index 00a240c..0000000
--- a/vpc-transit-gateway-association-data/availabilty_zones.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/availabilty_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/data.tf b/vpc-transit-gateway-association-data/data.tf
deleted file mode 120000
index 995624d..0000000
--- a/vpc-transit-gateway-association-data/data.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/data.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/defaults.tf b/vpc-transit-gateway-association-data/defaults.tf
deleted file mode 120000
index a5556ac..0000000
--- a/vpc-transit-gateway-association-data/defaults.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/main.tf b/vpc-transit-gateway-association-data/main.tf
deleted file mode 100644
index 2585da5..0000000
--- a/vpc-transit-gateway-association-data/main.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-* # About aws-vpc-setup :: vpc-transit-gateway-association
-*
-* This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following:
-*
-* * gets transit gateway ID shared to this account and region
-* * gets transit gateway route tables
-* * creates routes for the attachment subnets to the transit gatewway
-* * creates routes to all other things on the transit gateway through a network prefix
-* * attaches the VPC to the transit gateway
-* * propagates the route to the associated route tables for the envirornment/VRF
-* * services is propagated to all
-* * creates static routes for transit gateway route tables in a peer region
-
-* # Usage
-*
-* ```hcl
-* module "vpc_tgw" {
-* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association?ref=tf-upgrade"
-* network_account_profile = "057445207498-ent-gov-network-sa"
-* }
-* ```
-*/
-
-locals {
- account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
- account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- region = data.aws_region.current.name
- region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
-
- base_tags = {
- "boc:tf_module_version" = local._module_version
- "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
- "boc:created_by" = "terraform"
- }
-}
-
-
-# vpc_id = local.vpc_id
-# vpc_full_name = var.vpc_full_name
-# availability_zones = []
-# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
-# route_table_label = "attachment"
diff --git a/vpc-transit-gateway-association-data/module_name.tf b/vpc-transit-gateway-association-data/module_name.tf
deleted file mode 100644
index 1f505b5..0000000
--- a/vpc-transit-gateway-association-data/module_name.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-locals {
- _module_name = "vpc-transit-gateway-association-data"
-}
diff --git a/vpc-transit-gateway-association-data/prefixes.tf b/vpc-transit-gateway-association-data/prefixes.tf
deleted file mode 120000
index 7e265d5..0000000
--- a/vpc-transit-gateway-association-data/prefixes.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.availability_zones.tf b/vpc-transit-gateway-association-data/variables.common.availability_zones.tf
deleted file mode 120000
index dca20a3..0000000
--- a/vpc-transit-gateway-association-data/variables.common.availability_zones.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.tf b/vpc-transit-gateway-association-data/variables.common.tf
deleted file mode 120000
index 7439ed8..0000000
--- a/vpc-transit-gateway-association-data/variables.common.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.vpc.tf b/vpc-transit-gateway-association-data/variables.common.vpc.tf
deleted file mode 120000
index 5e77d37..0000000
--- a/vpc-transit-gateway-association-data/variables.common.vpc.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.vpc_id.tf b/vpc-transit-gateway-association-data/variables.common.vpc_id.tf
deleted file mode 120000
index bc2e061..0000000
--- a/vpc-transit-gateway-association-data/variables.common.vpc_id.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.create.tf b/vpc-transit-gateway-association-data/variables.create.tf
deleted file mode 120000
index de1275b..0000000
--- a/vpc-transit-gateway-association-data/variables.create.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.create.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/version.tf b/vpc-transit-gateway-association-data/version.tf
deleted file mode 120000
index b83c5b7..0000000
--- a/vpc-transit-gateway-association-data/version.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/version.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/OFF/credentials.vpc-transit-gateway.tf.off b/vpc-transit-gateway-association/OFF/credentials.vpc-transit-gateway.tf.off
deleted file mode 100644
index f7c439e..0000000
--- a/vpc-transit-gateway-association/OFF/credentials.vpc-transit-gateway.tf.off
+++ /dev/null
@@ -1,11 +0,0 @@
-provider "aws" {
- alias = "tgw_west"
- region = "us-gov-west-1"
- profile = var.network_account_profile
-}
-
-provider "aws" {
- alias = "tgw_east"
- region = "us-gov-east-1"
- profile = var.network_account_profile
-}
diff --git a/vpc-transit-gateway-association/OFF/vpc-transit-gateway.tf.off b/vpc-transit-gateway-association/OFF/vpc-transit-gateway.tf.off
deleted file mode 100644
index 6567821..0000000
--- a/vpc-transit-gateway-association/OFF/vpc-transit-gateway.tf.off
+++ /dev/null
@@ -1,225 +0,0 @@ -locals { - trs_region_outputs = data.terraform_remote_state.vpc_east.outputs -# tgw_id = local.trs_region_outputs.transit_gateway_id -# tgw_id = data.aws_ec2_transit_gateway.gateway_east.id - info_vpc = data.terraform_remote_state.vpc.outputs.info_vpc -} - -data "aws_ec2_transit_gateway" "gateway_east" { } - -data "aws_ec2_transit_gateway" "gateway_west" { - provider = aws.tgw_main_west -} - -data "aws_ec2_transit_gateway_peering_attachment" "peer_west" { - provider = aws.tgw_main_west - filter { - name = "tag:Name" - values = [ "tgw-proto-peer" ] - } -} - -locals { - transit_gateway_peer_attachment_id_west = data.aws_ec2_transit_gateway_peering_attachment.peer_west.id -} - -module "routing_attachment" { - source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing" - vpc_id = local.vpc_id - - vpc_full_name = var.vpc_full_name - availability_zones = [] - private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"] - create_public_route_table = false - private_route_table_label = "attachment" - enable_igw = false - enable_nat = false - enable_vpc_endpoint_s3 = false - enable_vpc_endpoint_dynamodb = false - - vpc_name = var.vpc_name - vpc_short_name = var.vpc_short_name - vpc_cidr_block = var.vpc_cidr_block - vpc_index = var.vpc_index - - tags = merge( - local.common_tags, - local.tags, - ) -} - -# routes to tgw (for now, 10.128/16, should be each of the highest cidr blocks per account). 
It would be nice to use prefix lists, but not supported in gov -resource "aws_route" "gateway" { - for_each = module.routing.private_route_table_ids - route_table_id = each.value -# destination_cidr_block = "0.0.0.0/0" - destination_cidr_block = "10.128.0.0/16" - transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id - depends_on = [ aws_ec2_transit_gateway_vpc_attachment.vpc_attachment ] -} - -#--- -# route tables east -#--- -data "aws_ec2_transit_gateway_route_tables" "route_tables_east" { - provider = aws.tgw_main_east - filter { - name = "transit-gateway-id" - values = [ data.aws_ec2_transit_gateway.gateway_east.id ] - } -} - -data "aws_ec2_transit_gateway_route_table" "route_tables_east" { - provider = aws.tgw_main_east - for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_east.ids) - id = each.key -} - -locals { - transit_gateway_route_table_ids_east = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_east: v.tags["boc:network_vrf"] => k } -} - -#--- -# route tables west -#--- -data "aws_ec2_transit_gateway_route_tables" "route_tables_west" { - provider = aws.tgw_main_west - filter { - name = "transit-gateway-id" - values = [ data.aws_ec2_transit_gateway.gateway_west.id ] - } -} - -data "aws_ec2_transit_gateway_route_table" "route_tables_west" { - provider = aws.tgw_main_west - for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_west.ids) - id = each.key -} - -locals { - transit_gateway_route_table_ids_west = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_west: v.tags["boc:network_vrf"] => k } -} - - -#--- -# assocaite this vpc to route table in east -#--- -resource "aws_ec2_transit_gateway_route_table_association" "route_table" { - provider = aws.tgw_main_east - transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id - transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment] -} - -#--- -# attach this 
vpc to tgw -#--- -resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" { - subnet_ids = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"] - transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id - vpc_id = local.vpc_id - dns_support = "enable" - ipv6_support = "disable" - transit_gateway_default_route_table_association = true - transit_gateway_default_route_table_propagation = true - - tags = merge( - local.common_tags, - tomap({ Name = "tgwa-proto-${var.vpc_short_name}-${local.region}" }), - tomap({ "boc:tgw_environment" = var.tgw_environment }), - ) -} - -# will need to adjust this where there are common, services, shared -data "aws_ec2_transit_gateway_vpc_attachment" "vpc_services" { - filter { - name = "tag:boc:tgw_environment" - values = ["services"] - } -} - -#--- -# propagate services in {environment} route table in east -#--- -# resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self" { -# provider = aws.tgw_main_east -# count = var.tgw_environment != "services" ? 1 : 0 -# transit_gateway_attachment_id = data.aws_ec2_transit_gateway_vpc_attachment.vpc_services.id -# transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment] -# } - -#--- -# also add route to other environment in other region to peering attachment in west -#--- -## resource "aws_ec2_transit_gateway_route" "vpc_self_peers" { -## provider = aws.tgw_main_west -## for_each = var.tgw_environment != "services" ? 
toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == var.tgw_environment]) : toset([]) -## destination_cidr_block = each.key -## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west -## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment] -## } - -# propagate in services to this attachment in all route tables -resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_services" { - provider = aws.tgw_main_east - for_each = var.tgw_environment == "services" ? local.transit_gateway_route_table_ids_east : { for k,v in local.transit_gateway_route_table_ids_east: k => v if k == var.tgw_environment } -# count = var.tgw_environment != "services" ? 1 : 0 - transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id - transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[each.key] -} - -## # for services, add static IP to all environments in other region to peering attachment -## resource "aws_ec2_transit_gateway_route" "vpc_services_peers" { -## provider = aws.tgw_main_west -## for_each = var.tgw_environment == "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != ""]) : toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == "services"]) -## destination_cidr_block = each.key -## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west -## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment] -## } - -# propagate all to inter-region table -resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_inter-region" { - provider = aws.tgw_main_east - count = var.tgw_environment != "services" ? 
1 : 0 - transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id - transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east["inter-region"] -} - -# peer route tables for our vpc to tgw peer -locals { - peer_rt = [ for r in keys(local.transit_gateway_route_table_ids_west): r if r!="inter-region" && r!="services" ] -## peer_rt0 = { for k,v in local.info_vpc: v.cidr_block => v.tgw_environment if v.region == local.region && v.tgw_environment != "" } -## peer_rt1 = transpose({ for k,v in local.info_vpc: v.cidr_block => [ v.tgw_environment ] if v.region == local.region && v.tgw_environment != "" }) -## peer_rt2 = merge(local.peer_rt1, -## { "services" = [ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != "" ] }, -## ) -## peer_rt3 = { for v in local.peer_rt2[var.tgw_environment]: format("%v:%v",var.tgw_environment,v) => { -## label = format("%v:%v",var.tgw_environment,v), -## tgw_environment = var.tgw_environment, -## environment = local.peer_rt0[v], -## cidr_block = v } -## } -} - -# for services, add static IP to all environments in other region to peering attachment -resource "aws_ec2_transit_gateway_route" "peer_vpc_environment" { - provider = aws.tgw_main_west - destination_cidr_block = var.vpc_cidr_block - transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west - transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment] -} - -resource "aws_ec2_transit_gateway_route" "peer_vpc_to_services" { - provider = aws.tgw_main_west - count = var.tgw_environment != "services" ? 
1 : 0 - destination_cidr_block = var.vpc_cidr_block - transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west - transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west["services"] -} - -resource "aws_ec2_transit_gateway_route" "peer_vpc_services" { - provider = aws.tgw_main_west - for_each = var.tgw_environment == "services" ? local.peer_rt : toset([]) - destination_cidr_block = var.vpc_cidr_block - transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west - transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[each.key] -} diff --git a/vpc-transit-gateway-association/README.md b/vpc-transit-gateway-association/README.md index a18e242..84c6c4c 100644 --- a/vpc-transit-gateway-association/README.md +++ b/vpc-transit-gateway-association/README.md 
@@ -1,102 +1,63 @@ -# About aws-vpc-setup :: vpc-transit-gateway-association - -This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following: - -* gets transit gateway ID shared to this account and region -* gets transit gateway route tables -* creates routes for the attachment subnets to the transit gatewway -* creates routes to all other things on the transit gateway through a network prefix -* attaches the VPC to the transit gateway -* propagates the route to the associated route tables for the envirornment/VRF - * services is propagated to all -* creates static routes for transit gateway route tables in a peer region - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.66.0 | -| [ldap](#requirement\_ldap) | >= 0.5.4 | -| [local](#requirement\_local) | >= 1.0.0 | -| [null](#requirement\_null) | >= 3.0 | -| [random](#requirement\_random) | >= 3.0 | -| [template](#requirement\_template) | >= 2.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.66.0 | -| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 | -| [aws.peer](#provider\_aws.peer) | >= 3.66.0 | -| [aws.self](#provider\_aws.self) | >= 3.66.0 | -| [null](#provider\_null) | >= 3.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [routing\_attachment\_ipv4](#module\_routing\_attachment\_ipv4) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing | tf-upgrade | - -## Resources - -| Name | Type | -|------|------| -| [aws_ec2_transit_gateway_route.vpc_peer_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource | -| [aws_ec2_transit_gateway_route.vpc_peer_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource | -| 
[aws_ec2_transit_gateway_route.vpc_peer_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource | -| [aws_ec2_transit_gateway_route_table_association.route_table_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | -| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource | -| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource | -| [aws_ec2_transit_gateway_vpc_attachment.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource | -| [aws_route.gateway_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | -| [null_resource.vpc_attachment_exists](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | -| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | -| 
[aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | -| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | -| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | -| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no | -| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | -| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no | -| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no | -| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data |
object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
}) | n/a | yes |
-| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
-| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
-| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |
-| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | list(object({
subnet = string
label = string
availability_zone = string
id = string
})) | `[]` | no |
-| [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no |
-| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no |
-| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
-| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
-| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no |
-| [transit\_gateway\_routing\_type](#input\_transit\_gateway\_routing\_type) | Transit Gateway routing type, to select either self or peer (where we may have many peers) | `string` | n/a | yes |
-| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
-| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
-| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
-| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
-| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
-| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) |
-| [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) |
-| [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) |
-| [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) |
-| [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) |
-| [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) |
+module "vpc_tgw_data" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_east
+ aws.peer = aws.tgw_west
+ }
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+}
+
+
+# call once for self, once for each peer (if we have multiple regions for peeers, change the peer to each region)
+# note the self must be done before the peer
+module "vpc_tgw_self" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/self?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_east
+ aws.peer = aws.tgw_west
+ }
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ data_input = module.vpc_tgw_data.data_output
+}
+
+module "vpc_tgw_peer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/peer?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_east
+ aws.peer = aws.tgw_west
+ }
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ data_input = module.vpc_tgw_data.data_output
+
+ depends_on = [module.vpc_tgw_self]
+}
diff --git a/vpc-transit-gateway-association/associate.tf b/vpc-transit-gateway-association/associate.tf
deleted file mode 100644
index a217077..0000000
--- a/vpc-transit-gateway-association/associate.tf
+++ /dev/null
@@ -1,102 +0,0 @@
-#---
-# attach this vpc to tgw (my region, my account)
-#---
-resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
- count = var.transit_gateway_routing_type == "self" ? 1 : 0
- # subnet_ids = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
- subnet_ids = [for k, v in var.private_subnets_ids : v.id]
- transit_gateway_id = data.aws_ec2_transit_gateway.gateway_self.id
- vpc_id = var.vpc_id
- dns_support = "enable"
- ipv6_support = "disable"
- transit_gateway_default_route_table_association = true
- transit_gateway_default_route_table_propagation = true
-
- tags = merge(
- local.base_tags,
- {
- Name = format("tgwa-%v-%v-%v", var.transit_gateway_label, var.vpc_full_name, local.region),
- "boc:tgw_environment" = var.transit_gateway_environment,
- },
- )
-}
-
-#---
-# assocaite this vpc to route table in self (my region, network account)
-#---
-resource "aws_ec2_transit_gateway_route_table_association" "route_table_self" {
- count = var.transit_gateway_routing_type == "self" ? 1 : 0
- provider = aws.self
- transit_gateway_attachment_id = one(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[*].id)
- transit_gateway_route_table_id = local.transit_gateway_route_table_ids_self[var.transit_gateway_environment]
-}
-
-#---
-# get rt variables for use later
-#---
-locals {
- propagate_all_rt = ["services", "inter-region"]
- selected_rt = [for k in keys(local.transit_gateway_route_table_ids_self) : k if ! contains(local.propagate_all_rt, k)]
-}
-
-#---
-# propagate this attachment to necessary RT (my region, network account)
-# for services, it is all but services
-# for all others, it is just itself
-# we will cover services and inter-region separately
-#---
-resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_own_rt" {
- provider = aws.self
- for_each = var.transit_gateway_routing_type == "self" ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_self[k] } : {}
-
- transit_gateway_attachment_id = one(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[*].id)
- transit_gateway_route_table_id = each.value
-}
-
-#---
-# propagate to services, inter-region
-# propagate all to inter-region table
-#---
-resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_common" {
- provider = aws.self
- for_each = var.transit_gateway_routing_type == "self" ? { for k in local.propagate_all_rt : k => local.transit_gateway_route_table_ids_self[k] } : {}
-
- transit_gateway_attachment_id = one(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[*].id)
- transit_gateway_route_table_id = each.value
-}
-
-#---
-# add routes to peer for non-services
-#---
-resource "aws_ec2_transit_gateway_route" "vpc_peer_own_rt" {
- provider = aws.peer
- for_each = var.transit_gateway_routing_type == "peer" ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] if k == var.transit_gateway_environment } : {}
- destination_cidr_block = data.aws_vpc.vpc.cidr_block
-
- transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
- transit_gateway_route_table_id = each.value
-}
-
-#---
-# always add routes to services
-#--
-resource "aws_ec2_transit_gateway_route" "vpc_peer_common" {
- provider = aws.peer
- for_each = var.transit_gateway_routing_type == "peer" ? { "services" = local.transit_gateway_route_table_ids_peer["services"] } : {}
- destination_cidr_block = data.aws_vpc.vpc.cidr_block
-
- transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
- transit_gateway_route_table_id = each.value
-}
-
-#---
-# if services, add routes to all other route tables
-#--
-resource "aws_ec2_transit_gateway_route" "vpc_peer_all" {
- provider = aws.peer
- for_each = var.transit_gateway_routing_type == "peer" && contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] } : {}
- destination_cidr_block = data.aws_vpc.vpc.cidr_block
-
- transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
- transit_gateway_route_table_id = each.value
-}
diff --git a/vpc-transit-gateway-association/data.tf b/vpc-transit-gateway-association/data.tf
deleted file mode 120000
index 995624d..0000000
--- a/vpc-transit-gateway-association/data.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/data.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/README.md b/vpc-transit-gateway-association/data/README.md
similarity index 85%
rename from vpc-transit-gateway-association-data/README.md
rename to vpc-transit-gateway-association/data/README.md
index 1a3c765..a02bedb 100644
--- a/vpc-transit-gateway-association-data/README.md
+++ b/vpc-transit-gateway-association/data/README.md
@@ -1,15 +1,42 @@
-# About aws-vpc-setup :: vpc-transit-gateway-association
+# About aws-vpc-setup :: vpc-transit-gateway-association/data
-This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following:
+This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three
+section TGW setup, consisting of data (required,this), self, and peer (remote(s)). They do the following:
-* gets transit gateway ID shared to this account and region
-* gets transit gateway route tables
-* creates routes for the attachment subnets to the transit gatewway
-* creates routes to all other things on the transit gateway through a network prefix
-* attaches the VPC to the transit gateway
-* propagates the route to the associated route tables for the envirornment/VRF
+* data
+ * gets transit gateway ID shared to this account and region
+ * gets transit gateway route tables
+* self
+ * creates routes for the attachment subnets to the transit gatewway
+ * creates routes to all other things on the transit gateway through a network prefix
+ * attaches the VPC to the transit gateway
+ * propagates the route to the associated route tables for the envirornment/VRF
* services is propagated to all
-* creates static routes for transit gateway route tables in a peer region
+* peer
+ * creates static routes for transit gateway route tables in a peer region
+
+# Usage
+
+```hcl
+module "vpc_tgw_data" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_east
+ aws.peer = aws.tgw_west
+ }
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+}
+```
## Requirements
@@ -77,7 +104,6 @@ No modules.
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no |
-| [transit\_gateway\_routing\_type](#input\_transit\_gateway\_routing\_type) | Transit Gateway routing type, to select either self or peer (where we may have many peers) | `string` | n/a | yes |
| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
diff --git a/vpc-transit-gateway-association/data/availabilty_zones.tf b/vpc-transit-gateway-association/data/availabilty_zones.tf
new file mode 120000
index 0000000..224b546
--- /dev/null
+++ b/vpc-transit-gateway-association/data/availabilty_zones.tf
@@ -0,0 +1 @@
+../../common/availabilty_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/data.network_account.tf b/vpc-transit-gateway-association/data/data.network_account.tf
similarity index 100%
rename from vpc-transit-gateway-association-data/data.network_account.tf
rename to vpc-transit-gateway-association/data/data.network_account.tf
diff --git a/vpc-transit-gateway-association-data/data.routing.tf b/vpc-transit-gateway-association/data/data.routing.tf
similarity index 100%
rename from vpc-transit-gateway-association-data/data.routing.tf
rename to vpc-transit-gateway-association/data/data.routing.tf
diff --git a/vpc-transit-gateway-association/data/data.tf b/vpc-transit-gateway-association/data/data.tf
new file mode 120000
index 0000000..37fff16
--- /dev/null
+++ b/vpc-transit-gateway-association/data/data.tf
@@ -0,0 +1 @@
+../../common/data.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/data.transit-gateway.tf b/vpc-transit-gateway-association/data/data.transit-gateway.tf
similarity index 100%
rename from vpc-transit-gateway-association-data/data.transit-gateway.tf
rename to vpc-transit-gateway-association/data/data.transit-gateway.tf
diff --git a/vpc-transit-gateway-association-data/data.vpc.tf b/vpc-transit-gateway-association/data/data.vpc.tf
similarity index 100%
rename from vpc-transit-gateway-association-data/data.vpc.tf
rename to vpc-transit-gateway-association/data/data.vpc.tf
diff --git a/vpc-transit-gateway-association/data/defaults.tf b/vpc-transit-gateway-association/data/defaults.tf
new file mode 120000
index 0000000..1227df3
--- /dev/null
+++ b/vpc-transit-gateway-association/data/defaults.tf
@@ -0,0 +1 @@
+../../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/data/main.tf b/vpc-transit-gateway-association/data/main.tf
new file mode 100644
index 0000000..06274e0
--- /dev/null
+++ b/vpc-transit-gateway-association/data/main.tf
@@ -0,0 +1,63 @@
+/*
+* # About aws-vpc-setup :: vpc-transit-gateway-association/data
+*
+* This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three
+* section TGW setup, consisting of data (required,this), self, and peer (remote(s)). They do the following:
+*
+* * data
+* * gets transit gateway ID shared to this account and region
+* * gets transit gateway route tables
+* * self
+* * creates routes for the attachment subnets to the transit gatewway
+* * creates routes to all other things on the transit gateway through a network prefix
+* * attaches the VPC to the transit gateway
+* * propagates the route to the associated route tables for the envirornment/VRF
+* * services is propagated to all
+* * peer
+* * creates static routes for transit gateway route tables in a peer region
+*
+* # Usage
+*
+* ```hcl
+* module "vpc_tgw_data" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=tf-upgrade"
+* providers = {
+* aws = aws
+* aws.network_account = aws.network_account
+* aws.self = aws.tgw_east
+* aws.peer = aws.tgw_west
+* }
+*
+* network_account_profile = var.network_account_profile
+* vpc_id = local.vpc_id
+* vpc_full_name = var.vpc_full_name
+* private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+* private_route_table_ids = module.routing.private_route_table_ids
+* transit_gateway_environment = var.tgw_environment
+* transit_gateway_label = var.tgw_label
+* route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+* }
+* ````
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
+ "boc:created_by" = "terraform"
+ }
+}
+
+
+# vpc_id = local.vpc_id
+# vpc_full_name = var.vpc_full_name
+# availability_zones = []
+# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+# route_table_label = "attachment"
+
+
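Review bot: The Usage fence inside the header comment opens with three backticks plus `hcl` but the closing line (`* ````) uses four backticks, so the code block is never terminated when this comment is rendered into the README; change the closing line to three backticks to match the opening. The commented-out assignments at the bottom of the file (`# vpc_id = local.vpc_id` through `# route_table_label = "attachment"`) are dead code carried over from the deleted main.tf and the same block is reintroduced in peer/main.tf in this commit; drop them in both new files along with the trailing blank lines, since they document nothing the module actually does.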
diff --git a/vpc-transit-gateway-association/data/module_name.tf b/vpc-transit-gateway-association/data/module_name.tf
new file mode 100644
index 0000000..3245c2c
--- /dev/null
+++ b/vpc-transit-gateway-association/data/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "vpc-transit-gateway-association/data"
+}
diff --git a/vpc-transit-gateway-association-data/outputs.tf b/vpc-transit-gateway-association/data/outputs.tf
similarity index 100%
rename from vpc-transit-gateway-association-data/outputs.tf
rename to vpc-transit-gateway-association/data/outputs.tf
diff --git a/vpc-transit-gateway-association/data/prefixes.tf b/vpc-transit-gateway-association/data/prefixes.tf
new file mode 120000
index 0000000..5bc256c
--- /dev/null
+++ b/vpc-transit-gateway-association/data/prefixes.tf
@@ -0,0 +1 @@
+../../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/data/variables.common.availability_zones.tf b/vpc-transit-gateway-association/data/variables.common.availability_zones.tf
new file mode 120000
index 0000000..ec237ef
--- /dev/null
+++ b/vpc-transit-gateway-association/data/variables.common.availability_zones.tf
@@ -0,0 +1 @@
+../../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/data/variables.common.tf b/vpc-transit-gateway-association/data/variables.common.tf
new file mode 120000
index 0000000..e01226c
--- /dev/null
+++ b/vpc-transit-gateway-association/data/variables.common.tf
@@ -0,0 +1 @@
+../../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/data/variables.common.vpc.tf b/vpc-transit-gateway-association/data/variables.common.vpc.tf
new file mode 120000
index 0000000..b7a8eef
--- /dev/null
+++ b/vpc-transit-gateway-association/data/variables.common.vpc.tf
@@ -0,0 +1 @@
+../../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/data/variables.common.vpc_id.tf b/vpc-transit-gateway-association/data/variables.common.vpc_id.tf
new file mode 120000
index 0000000..aabcfbd
--- /dev/null
+++ b/vpc-transit-gateway-association/data/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/data/variables.create.tf b/vpc-transit-gateway-association/data/variables.create.tf
new file mode 120000
index 0000000..ae0c122
--- /dev/null
+++ b/vpc-transit-gateway-association/data/variables.create.tf
@@ -0,0 +1 @@
+../../common/variables.create.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.subnets.tf b/vpc-transit-gateway-association/data/variables.subnets.tf
similarity index 100%
rename from vpc-transit-gateway-association-data/variables.subnets.tf
rename to vpc-transit-gateway-association/data/variables.subnets.tf
diff --git a/vpc-transit-gateway-association/variables.tf b/vpc-transit-gateway-association/data/variables.tf
similarity index 79%
rename from vpc-transit-gateway-association/variables.tf
rename to vpc-transit-gateway-association/data/variables.tf
index fe85c1a..0656be0 100644
--- a/vpc-transit-gateway-association/variables.tf
+++ b/vpc-transit-gateway-association/data/variables.tf
@@ -13,15 +13,15 @@ variable "transit_gateway_environment" {
}
}
-variable "transit_gateway_routing_type" {
- description = "Transit Gateway routing type, to select either self or peer (where we may have many peers)"
- type = string
-
- validation {
- condition = contains(["self", "peer"], var.transit_gateway_routing_type)
- error_message = "transit_gateway_routing_type must be either self or peer"
- }
-}
+## variable "transit_gateway_routing_type" {
+## description = "Transit Gateway routing type, to select either self or peer (where we may have many peers)"
+## type = string
+##
+## validation {
+## condition = contains(["self", "peer"], var.transit_gateway_routing_type)
+## error_message = "transit_gateway_routing_type must be either self or peer"
+## }
+## }
variable "route_table_label" {
description = "Route table lable for the attachment subnets"
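Review bot: The `transit_gateway_routing_type` variable is kept as a `##`-commented block rather than deleted, while the same commit removes its row from the module README and deletes the resources in this chunk that read `var.transit_gateway_routing_type`. Commented-out declarations in a variables file tend to be resurrected inconsistently later; remove the nine lines and let version control hold the history. If the reason for the removal should stay visible, a one-line comment such as `# routing type is now implied by which sub-module (self or peer) is instantiated` carries it without leaving dead HCL in place.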
diff --git a/vpc-transit-gateway-association/data/version.tf b/vpc-transit-gateway-association/data/version.tf
new file mode 120000
index 0000000..4950c91
--- /dev/null
+++ b/vpc-transit-gateway-association/data/version.tf
@@ -0,0 +1 @@
+../../common/version.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/versions.tf b/vpc-transit-gateway-association/data/versions.tf
similarity index 100%
rename from vpc-transit-gateway-association-data/versions.tf
rename to vpc-transit-gateway-association/data/versions.tf
diff --git a/vpc-transit-gateway-association/defaults.tf b/vpc-transit-gateway-association/defaults.tf
deleted file mode 120000
index a5556ac..0000000
--- a/vpc-transit-gateway-association/defaults.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/main.tf b/vpc-transit-gateway-association/main.tf
deleted file mode 100644
index 2585da5..0000000
--- a/vpc-transit-gateway-association/main.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-* # About aws-vpc-setup :: vpc-transit-gateway-association
-*
-* This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following:
-*
-* * gets transit gateway ID shared to this account and region
-* * gets transit gateway route tables
-* * creates routes for the attachment subnets to the transit gatewway
-* * creates routes to all other things on the transit gateway through a network prefix
-* * attaches the VPC to the transit gateway
-* * propagates the route to the associated route tables for the envirornment/VRF
-* * services is propagated to all
-* * creates static routes for transit gateway route tables in a peer region
-
-* # Usage
-*
-* ```hcl
-* module "vpc_tgw" {
-* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association?ref=tf-upgrade"
-* network_account_profile = "057445207498-ent-gov-network-sa"
-* }
-* ```
-*/
-
-locals {
- account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
- account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- region = data.aws_region.current.name
- region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
-
- base_tags = {
- "boc:tf_module_version" = local._module_version
- "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
- "boc:created_by" = "terraform"
- }
-}
-
-
-# vpc_id = local.vpc_id
-# vpc_full_name = var.vpc_full_name
-# availability_zones = []
-# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
-# route_table_label = "attachment"
diff --git a/vpc-transit-gateway-association/module_name.tf b/vpc-transit-gateway-association/module_name.tf
deleted file mode 100644
index 979f028..0000000
--- a/vpc-transit-gateway-association/module_name.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-locals {
- _module_name = "vpc-transit-gateway-association"
-}
diff --git a/vpc-transit-gateway-association/peer/README.md b/vpc-transit-gateway-association/peer/README.md
new file mode 100644
index 0000000..ea4af65
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/README.md
@@ -0,0 +1,122 @@
+# About aws-vpc-setup :: vpc-transit-gateway-association/peer
+
+This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three
+section TGW setup, consisting of data (required), self , and peer (this) (remote(s)). They do the following:
+
+* data
+ * gets transit gateway ID shared to this account and region
+ * gets transit gateway route tables
+* self
+ * creates routes for the attachment subnets to the transit gatewway
+ * creates routes to all other things on the transit gateway through a network prefix
+ * attaches the VPC to the transit gateway
+ * propagates the route to the associated route tables for the envirornment/VRF
+ * services is propagated to all
+* peer
+ * creates static routes for transit gateway route tables in a peer region
+
+# Usage
+
+```hcl
+module "vpc_tgw_peer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/peer?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_east
+ aws.peer = aws.tgw_west
+ }
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ data_input = module.vpc_tgw_data.data_output
+
+ depends_on = [module.vpc_tgw_self]
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 3.66.0 |
+| [ldap](#requirement\_ldap) | >= 0.5.4 |
+| [local](#requirement\_local) | >= 1.0.0 |
+| [null](#requirement\_null) | >= 3.0 |
+| [random](#requirement\_random) | >= 3.0 |
+| [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.66.0 |
+| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 |
+| [aws.peer](#provider\_aws.peer) | >= 3.66.0 |
+| [aws.self](#provider\_aws.self) | >= 3.66.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ec2_transit_gateway_route.vpc_peer_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |
+| [aws_ec2_transit_gateway_route.vpc_peer_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |
+| [aws_ec2_transit_gateway_route.vpc_peer_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
+| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
}) | n/a | yes |
+| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |
+| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | list(object({
subnet = string
label = string
availability_zone = string
id = string
})) | `[]` | no |
+| [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no |
+| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
+| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no |
+| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) |
+| [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) |
+| [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) |
+| [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) |
+| [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) |
+| [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) |
diff --git a/vpc-transit-gateway-association/peer/associate.tf b/vpc-transit-gateway-association/peer/associate.tf
new file mode 100644
index 0000000..4eb89a5
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/associate.tf
@@ -0,0 +1,43 @@
+#---
+# get rt variables for use later
+#---
+locals {
+ propagate_all_rt = ["services", "inter-region"]
+ selected_rt = [for k in keys(local.transit_gateway_route_table_ids_peer) : k if ! contains(local.propagate_all_rt, k)]
+}
+
+#---
+# add routes to peer for non-services
+#---
+resource "aws_ec2_transit_gateway_route" "vpc_peer_own_rt" {
+ provider = aws.peer
+ for_each = { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] if k == var.transit_gateway_environment }
+ destination_cidr_block = data.aws_vpc.vpc.cidr_block
+
+ transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+ transit_gateway_route_table_id = each.value
+}
+
+#---
+# always add routes to services
+#--
+resource "aws_ec2_transit_gateway_route" "vpc_peer_common" {
+ provider = aws.peer
+ for_each = { "services" = local.transit_gateway_route_table_ids_peer["services"] }
+ destination_cidr_block = data.aws_vpc.vpc.cidr_block
+
+ transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+ transit_gateway_route_table_id = each.value
+}
+
+#---
+# if services, add routes to all other route tables
+#--
+resource "aws_ec2_transit_gateway_route" "vpc_peer_all" {
+ provider = aws.peer
+ for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] } : {}
+ destination_cidr_block = data.aws_vpc.vpc.cidr_block
+
+ transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+ transit_gateway_route_table_id = each.value
+}
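Review bot: None of the three `for_each` expressions consult `var.create`, although the module declares it (the `variables.create.tf` symlink is added alongside and the README Inputs table describes `create` as the flag to skip resource creation), so `create = false` still writes routes into the peer region's TGW route tables. Gate each map, e.g. `for_each = var.create ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] if k == var.transit_gateway_environment } : {}`, and likewise for `vpc_peer_common` and `vpc_peer_all`. The comment above `vpc_peer_all` says "if services", but `propagate_all_rt` also contains `inter-region`, and this is the resource that makes the VPC CIDR reachable from every other VRF route table in the peer region; `# if the environment is in propagate_all_rt (services, inter-region), add this VPC's route to every other VRF route table` states both the real condition and the reach. The index `local.transit_gateway_route_table_ids_peer["services"]` in `vpc_peer_common` is unguarded and fails the plan if the peer TGW exposes no route table keyed `services`; if that is a deliberate hard requirement, a comment saying so would save the next maintainer a debugging cycle.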
diff --git a/vpc-transit-gateway-association/data.network_account.tf b/vpc-transit-gateway-association/peer/data.network_account.tf
similarity index 100%
rename from vpc-transit-gateway-association/data.network_account.tf
rename to vpc-transit-gateway-association/peer/data.network_account.tf
diff --git a/vpc-transit-gateway-association/peer/data.tf b/vpc-transit-gateway-association/peer/data.tf
new file mode 120000
index 0000000..37fff16
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/data.tf
@@ -0,0 +1 @@
+../../common/data.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/data.transit-gateway.tf b/vpc-transit-gateway-association/peer/data.transit-gateway.tf
similarity index 100%
rename from vpc-transit-gateway-association/data.transit-gateway.tf
rename to vpc-transit-gateway-association/peer/data.transit-gateway.tf
diff --git a/vpc-transit-gateway-association/data.vpc.tf b/vpc-transit-gateway-association/peer/data.vpc.tf
similarity index 100%
rename from vpc-transit-gateway-association/data.vpc.tf
rename to vpc-transit-gateway-association/peer/data.vpc.tf
diff --git a/vpc-transit-gateway-association/peer/defaults.tf b/vpc-transit-gateway-association/peer/defaults.tf
new file mode 120000
index 0000000..1227df3
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/defaults.tf
@@ -0,0 +1 @@
+../../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/peer/main.tf b/vpc-transit-gateway-association/peer/main.tf
new file mode 100644
index 0000000..7fddf2a
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/main.tf
@@ -0,0 +1,66 @@
+/*
+* # About aws-vpc-setup :: vpc-transit-gateway-association/peer
+*
+* This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three
+* section TGW setup, consisting of data (required), self , and peer (this) (remote(s)). They do the following:
+*
+* * data
+* * gets transit gateway ID shared to this account and region
+* * gets transit gateway route tables
+* * self
+* * creates routes for the attachment subnets to the transit gatewway
+* * creates routes to all other things on the transit gateway through a network prefix
+* * attaches the VPC to the transit gateway
+* * propagates the route to the associated route tables for the envirornment/VRF
+* * services is propagated to all
+* * peer
+* * creates static routes for transit gateway route tables in a peer region
+*
+* # Usage
+*
+* ```hcl
+* module "vpc_tgw_peer" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/peer?ref=tf-upgrade"
+* providers = {
+* aws = aws
+* aws.network_account = aws.network_account
+* aws.self = aws.tgw_east
+* aws.peer = aws.tgw_west
+* }
+*
+* network_account_profile = var.network_account_profile
+* vpc_id = local.vpc_id
+* vpc_full_name = var.vpc_full_name
+* private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+* private_route_table_ids = module.routing.private_route_table_ids
+* transit_gateway_environment = var.tgw_environment
+* transit_gateway_label = var.tgw_label
+* route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+* data_input = module.vpc_tgw_data.data_output
+*
+* depends_on = [module.vpc_tgw_self]
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
+ "boc:created_by" = "terraform"
+ }
+}
+
+
+# vpc_id = local.vpc_id
+# vpc_full_name = var.vpc_full_name
+# availability_zones = []
+# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+# route_table_label = "attachment"
+
+
diff --git a/vpc-transit-gateway-association/peer/module_name.tf b/vpc-transit-gateway-association/peer/module_name.tf
new file mode 100644
index 0000000..b765c06
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "vpc-transit-gateway-association/peer"
+}
diff --git a/vpc-transit-gateway-association/outputs.tf b/vpc-transit-gateway-association/peer/outputs.tf
similarity index 94%
rename from vpc-transit-gateway-association/outputs.tf
rename to vpc-transit-gateway-association/peer/outputs.tf
index 7554b97..c161df8 100644
--- a/vpc-transit-gateway-association/outputs.tf
+++ b/vpc-transit-gateway-association/peer/outputs.tf
@@ -1,3 +1,5 @@
+# all these module (data, peer, self) output the same core data
+
output "gateway_self" {
description = "Transit Gateway self (this region)"
value = data.aws_ec2_transit_gateway.gateway_self.id
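Review bot: The added header comment has a number-agreement slip: `# all these module (data, peer, self) output the same core data` should read `# all these modules (data, peer, self) output the same core data`. The outputs block it introduces continues past the end of the hunk.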
diff --git a/vpc-transit-gateway-association/peer/prefixes.tf b/vpc-transit-gateway-association/peer/prefixes.tf
new file mode 120000
index 0000000..5bc256c
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/prefixes.tf
@@ -0,0 +1 @@
+../../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/peer/variables.common.availability_zones.tf b/vpc-transit-gateway-association/peer/variables.common.availability_zones.tf
new file mode 120000
index 0000000..ec237ef
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/variables.common.availability_zones.tf
@@ -0,0 +1 @@
+../../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/peer/variables.common.tf b/vpc-transit-gateway-association/peer/variables.common.tf
new file mode 120000
index 0000000..e01226c
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/variables.common.tf
@@ -0,0 +1 @@
+../../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/peer/variables.common.vpc.tf b/vpc-transit-gateway-association/peer/variables.common.vpc.tf
new file mode 120000
index 0000000..b7a8eef
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/variables.common.vpc.tf
@@ -0,0 +1 @@
+../../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/peer/variables.common.vpc_id.tf b/vpc-transit-gateway-association/peer/variables.common.vpc_id.tf
new file mode 120000
index 0000000..aabcfbd
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/peer/variables.create.tf b/vpc-transit-gateway-association/peer/variables.create.tf
new file mode 120000
index 0000000..ae0c122
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/variables.create.tf
@@ -0,0 +1 @@
+../../common/variables.create.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/variables.data_input.tf b/vpc-transit-gateway-association/peer/variables.data_input.tf
similarity index 100%
rename from vpc-transit-gateway-association/variables.data_input.tf
rename to vpc-transit-gateway-association/peer/variables.data_input.tf
diff --git a/vpc-transit-gateway-association/variables.subnets.tf b/vpc-transit-gateway-association/peer/variables.subnets.tf
similarity index 100%
rename from vpc-transit-gateway-association/variables.subnets.tf
rename to vpc-transit-gateway-association/peer/variables.subnets.tf
diff --git a/vpc-transit-gateway-association-data/variables.tf b/vpc-transit-gateway-association/peer/variables.tf
similarity index 79%
rename from vpc-transit-gateway-association-data/variables.tf
rename to vpc-transit-gateway-association/peer/variables.tf
index fe85c1a..0656be0 100644
--- a/vpc-transit-gateway-association-data/variables.tf
+++ b/vpc-transit-gateway-association/peer/variables.tf
@@ -13,15 +13,15 @@ variable "transit_gateway_environment" {
}
}
-variable "transit_gateway_routing_type" {
- description = "Transit Gateway routing type, to select either self or peer (where we may have many peers)"
- type = string
-
- validation {
- condition = contains(["self", "peer"], var.transit_gateway_routing_type)
- error_message = "transit_gateway_routing_type must be either self or peer"
- }
-}
+## variable "transit_gateway_routing_type" {
+## description = "Transit Gateway routing type, to select either self or peer (where we may have many peers)"
+## type = string
+##
+## validation {
+## condition = contains(["self", "peer"], var.transit_gateway_routing_type)
+## error_message = "transit_gateway_routing_type must be either self or peer"
+## }
+## }
variable "route_table_label" {
description = "Route table lable for the attachment subnets"
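Review bot: Dropping `transit_gateway_routing_type` is a breaking input change for any caller that still passes it (Terraform rejects unknown module arguments), and the hunk keeps the removed definition as a `##`-commented block instead of deleting it. Git history already preserves the old variable, so the nine commented lines should go; if it is expected to return, a single `# TODO: routing type selection now lives in the self/peer module split` says more than the block does. The same commented-out-code pattern appears in self/variables.tf, in the route-table data sources and `data_output` in self/data.transit-gateway.tf, and in the `network_account` output in self/data.network_account.tf. The variable's description typo `lable` also survives into the new `route_table_label` block.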
diff --git a/vpc-transit-gateway-association/peer/version.tf b/vpc-transit-gateway-association/peer/version.tf
new file mode 120000
index 0000000..4950c91
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/version.tf
@@ -0,0 +1 @@
+../../common/version.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/versions.tf b/vpc-transit-gateway-association/peer/versions.tf
similarity index 100%
rename from vpc-transit-gateway-association/versions.tf
rename to vpc-transit-gateway-association/peer/versions.tf
diff --git a/vpc-transit-gateway-association/prefixes.tf b/vpc-transit-gateway-association/prefixes.tf
deleted file mode 120000
index 7e265d5..0000000
--- a/vpc-transit-gateway-association/prefixes.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off b/vpc-transit-gateway-association/self/OFF/credentials.vpc-transit-gateway.tf.off
similarity index 100%
rename from vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off
rename to vpc-transit-gateway-association/self/OFF/credentials.vpc-transit-gateway.tf.off
diff --git a/vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off b/vpc-transit-gateway-association/self/OFF/vpc-transit-gateway.tf.off
similarity index 100%
rename from vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off
rename to vpc-transit-gateway-association/self/OFF/vpc-transit-gateway.tf.off
diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md
new file mode 100644
index 0000000..0796c70
--- /dev/null
+++ b/vpc-transit-gateway-association/self/README.md
@@ -0,0 +1,128 @@
+# About aws-vpc-setup :: vpc-transit-gateway-association/self
+
+This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three
+section TGW setup, consisting of data (required), self (this), and peer (remote(s)). They do the following:
+
+* data
+ * gets transit gateway ID shared to this account and region
+ * gets transit gateway route tables
+* self
+ * creates routes for the attachment subnets to the transit gatewway
+ * creates routes to all other things on the transit gateway through a network prefix
+ * attaches the VPC to the transit gateway
+ * propagates the route to the associated route tables for the envirornment/VRF
+ * services is propagated to all
+* peer
+ * creates static routes for transit gateway route tables in a peer region
+
+# Usage
+
+```hcl
+# call once for self, once for each peer (if we have multiple regions for peeers, change the peer to each region)
+# note the self must be done before the peer
+module "vpc_tgw_self" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/self?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_east
+ aws.peer = aws.tgw_west
+ }
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ data_input = module.vpc_tgw_data.data_output
+}
+```` `
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 3.66.0 |
+| [ldap](#requirement\_ldap) | >= 0.5.4 |
+| [local](#requirement\_local) | >= 1.0.0 |
+| [null](#requirement\_null) | >= 3.0 |
+| [random](#requirement\_random) | >= 3.0 |
+| [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.66.0 |
+| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 |
+| [aws.peer](#provider\_aws.peer) | >= 3.66.0 |
+| [aws.self](#provider\_aws.self) | >= 3.66.0 |
+| [null](#provider\_null) | >= 3.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [routing\_attachment\_ipv4](#module\_routing\_attachment\_ipv4) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing | tf-upgrade |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ec2_transit_gateway_route_table_association.route_table_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
+| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
+| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
+| [aws_ec2_transit_gateway_vpc_attachment.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |
+| [aws_route.gateway_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [null_resource.vpc_attachment_exists](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
+| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
}) | n/a | yes |
+| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |
+| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | list(object({
subnet = string
label = string
availability_zone = string
id = string
})) | `[]` | no |
+| [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no |
+| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
+| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no |
+| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) |
+| [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) |
+| [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) |
+| [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) |
+| [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) |
+| [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) |
diff --git a/vpc-transit-gateway-association/self/associate.tf b/vpc-transit-gateway-association/self/associate.tf
new file mode 100644
index 0000000..1f3007d
--- /dev/null
+++ b/vpc-transit-gateway-association/self/associate.tf
@@ -0,0 +1,65 @@
+#---
+# attach this vpc to tgw (my region, my account)
+#---
+resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
+ # subnet_ids = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ subnet_ids = [for k, v in var.private_subnets_ids : v.id]
+ transit_gateway_id = data.aws_ec2_transit_gateway.gateway_self.id
+ vpc_id = var.vpc_id
+ dns_support = "enable"
+ ipv6_support = "disable"
+ transit_gateway_default_route_table_association = true
+ transit_gateway_default_route_table_propagation = true
+
+ tags = merge(
+ local.base_tags,
+ {
+ Name = format("tgwa-%v-%v-%v", var.transit_gateway_label, var.vpc_full_name, local.region),
+ "boc:tgw_environment" = var.transit_gateway_environment,
+ },
+ )
+}
+
+#---
+# assocaite this vpc to route table in self (my region, network account)
+#---
+resource "aws_ec2_transit_gateway_route_table_association" "route_table_self" {
+ provider = aws.self
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_self[var.transit_gateway_environment]
+}
+
+#---
+# get rt variables for use later
+#---
+locals {
+ propagate_all_rt = ["services", "inter-region"]
+ selected_rt = [for k in keys(local.transit_gateway_route_table_ids_self) : k if ! contains(local.propagate_all_rt, k)]
+}
+
+#---
+# propagate this attachment to necessary RT (my region, network account)
+# for services, it is all but services
+# for all others, it is just itself
+# we will cover services and inter-region separately
+#---
+resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_own_rt" {
+ provider = aws.self
+ for_each = { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_self[k] }
+
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = each.value
+}
+
+#---
+# propagate to services, inter-region
+# propagate all to inter-region table
+#---
+resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self_common" {
+ provider = aws.self
+ for_each = { for k in local.propagate_all_rt : k => local.transit_gateway_route_table_ids_self[k] }
+
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = each.value
+}
+
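Review bot: `transit_gateway_default_route_table_association = true` and `transit_gateway_default_route_table_propagation = true` on `vpc_attachment` work against the explicit per-VRF association in `route_table_self` and the selective propagation in `vpc_self_own_rt`/`vpc_self_common`: if the shared TGW has default association or propagation enabled, the attachment is also bound to and advertised into the default table, undoing the VRF segmentation this file builds. Set both to `false`, with a comment noting that on a RAM-shared TGW these attributes are decided by the owning account and the provider does not drift-detect them, so the real guard is the network account's TGW settings. Separately, `local.transit_gateway_route_table_ids_self[var.transit_gateway_environment]` and the `[k]` indexes in both `for_each` maps fail with an opaque "Invalid index" when the network account has no route table tagged for that VRF (or for `services`/`inter-region`); a `lookup(..., null)` guarded by a `precondition` with an explicit message would make the misconfiguration obvious at plan time. If the shared TGW does not auto-accept attachments, the association will also fail until the attachment is accepted, and no accepter resource is visible in this commit.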
diff --git a/vpc-transit-gateway-association/self/data.network_account.tf b/vpc-transit-gateway-association/self/data.network_account.tf
new file mode 100644
index 0000000..d0ef9c1
--- /dev/null
+++ b/vpc-transit-gateway-association/self/data.network_account.tf
@@ -0,0 +1,12 @@
+data "aws_caller_identity" "network_account" {
+ provider = aws.network_account
+}
+
+data "aws_arn" "network_account" {
+ provider = aws.network_account
+ arn = data.aws_caller_identity.network_account.arn
+}
+
+# output "network_account" {
+# value = data.aws_arn.network_account
+# }
diff --git a/vpc-transit-gateway-association/self/data.tf b/vpc-transit-gateway-association/self/data.tf
new file mode 120000
index 0000000..37fff16
--- /dev/null
+++ b/vpc-transit-gateway-association/self/data.tf
@@ -0,0 +1 @@
+../../common/data.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/data.transit-gateway.tf b/vpc-transit-gateway-association/self/data.transit-gateway.tf
new file mode 100644
index 0000000..9b8024f
--- /dev/null
+++ b/vpc-transit-gateway-association/self/data.transit-gateway.tf
@@ -0,0 +1,105 @@
+#---
+# transit gateways
+#---
+data "aws_ec2_transit_gateway" "gateway_self" {
+ provider = aws.self
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+data "aws_ec2_transit_gateway" "gateway_peer" {
+ provider = aws.peer
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+## these must be passed in
+## #---
+## # tgw route tables self
+## #---
+## data "aws_ec2_transit_gateway_route_tables" "route_tables_self" {
+## provider = aws.self
+## filter {
+## name = "transit-gateway-id"
+## values = [data.aws_ec2_transit_gateway.gateway_self.id]
+## }
+## }
+##
+## data "aws_ec2_transit_gateway_route_table" "route_tables_self" {
+## provider = aws.self
+## for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_self.ids)
+## id = each.key
+## }
+
+locals {
+ transit_gateway_route_table_ids_self = { for k, v in var.data_input.route_tables_self : v.tags["boc:network_vrf"] => k if contains(keys(v.tags), "boc:network_vrf") }
+}
+
+## these must be passed in
+## #---
+## # route tables west
+## #---
+## data "aws_ec2_transit_gateway_route_tables" "route_tables_peer" {
+## provider = aws.peer
+## filter {
+## name = "transit-gateway-id"
+## values = [data.aws_ec2_transit_gateway.gateway_peer.id]
+## }
+## }
+##
+## data "aws_ec2_transit_gateway_route_table" "route_tables_peer" {
+## provider = aws.peer
+## for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_peer.ids)
+## id = each.key
+## }
+
+locals {
+ transit_gateway_route_table_ids_peer = { for k, v in var.data_input.route_tables_peer : v.tags["boc:network_vrf"] => k if contains(keys(v.tags), "boc:network_vrf") }
+}
+
+# These two hold a map of VRF => route table
+# * transit_gateway_route_table_ids_self
+# * transit_gateway_route_table_ids_peer
+
+#---
+# peering attachments
+#---
+data "aws_ec2_transit_gateway_peering_attachment" "attachment_self" {
+ provider = aws.self
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_self.id]
+ }
+}
+
+data "aws_ec2_transit_gateway_peering_attachment" "attachment_peer" {
+ provider = aws.peer
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_peer.id]
+ }
+}
+
+## required from data_output
+# availablity_zone (does not appear to be used)
+# route_tables_self
+# route_tables_peer
+# prefix_list_id_ipv4
+
+## output "data_output" {
+## description = "Map of data generated by this submodule need for the vpc-transit-gateway-association module"
+## value = {
+## availablity_zone = data.aws_availability_zone.zone
+## gateway_self = data.aws_ec2_transit_gateway.gateway_self.id
+## gateway_peer = data.aws_ec2_transit_gateway.gateway_peer.id
+## route_tables_self = data.aws_ec2_transit_gateway_route_table.route_tables_self
+## route_tables_peer = data.aws_ec2_transit_gateway_route_table.route_tables_peer
+## map_route_tables_self = local.transit_gateway_route_table_ids_self
+## map_route_tables_peer = local.transit_gateway_route_table_ids_peer
+## prefix_list_id_ipv4 = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
+## }
+## }
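Review bot: `gateway_self` and `gateway_peer` select the transit gateway by `owner-id` alone, so as soon as the network account shares a second TGW into the region (the `transit_gateway_label` input describes "specific instance (sa, prod)") the data source fails with a multiple-matches error. Add a second `filter` block on a tag the network account applies per instance, keyed on `var.transit_gateway_label`; the exact tag key is not visible here and should be confirmed against the network account. `attachment_self`/`attachment_peer` have the same single-filter shape and break once a TGW has more than one peering attachment. Note also that `data_input` already carries `gateway_self`/`gateway_peer` (variables.data_input.tf) while this file re-queries them, and self/outputs.tf then mixes the two sources; using one source consistently avoids a plan in which the data module and this lookup disagree.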
diff --git a/vpc-transit-gateway-association/self/data.vpc.tf b/vpc-transit-gateway-association/self/data.vpc.tf
new file mode 100644
index 0000000..34f3677
--- /dev/null
+++ b/vpc-transit-gateway-association/self/data.vpc.tf
@@ -0,0 +1,3 @@
+data "aws_vpc" "vpc" {
+ id = var.vpc_id
+}
diff --git a/vpc-transit-gateway-association/self/defaults.tf b/vpc-transit-gateway-association/self/defaults.tf
new file mode 120000
index 0000000..1227df3
--- /dev/null
+++ b/vpc-transit-gateway-association/self/defaults.tf
@@ -0,0 +1 @@
+../../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/main.tf b/vpc-transit-gateway-association/self/main.tf
new file mode 100644
index 0000000..c2c53b7
--- /dev/null
+++ b/vpc-transit-gateway-association/self/main.tf
@@ -0,0 +1,65 @@
+/*
+* # About aws-vpc-setup :: vpc-transit-gateway-association/self
+*
+* This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three
+* section TGW setup, consisting of data (required), self (this), and peer (remote(s)). They do the following:
+*
+* * data
+* * gets transit gateway ID shared to this account and region
+* * gets transit gateway route tables
+* * self
+* * creates routes for the attachment subnets to the transit gatewway
+* * creates routes to all other things on the transit gateway through a network prefix
+* * attaches the VPC to the transit gateway
+* * propagates the route to the associated route tables for the envirornment/VRF
+* * services is propagated to all
+* * peer
+* * creates static routes for transit gateway route tables in a peer region
+*
+* # Usage
+*
+* ```hcl
+* # call once for self, once for each peer (if we have multiple regions for peeers, change the peer to each region)
+* # note the self must be done before the peer
+* module "vpc_tgw_self" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/self?ref=tf-upgrade"
+* providers = {
+* aws = aws
+* aws.network_account = aws.network_account
+* aws.self = aws.tgw_east
+* aws.peer = aws.tgw_west
+* }
+*
+* network_account_profile = var.network_account_profile
+* vpc_id = local.vpc_id
+* vpc_full_name = var.vpc_full_name
+* private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+* private_route_table_ids = module.routing.private_route_table_ids
+* transit_gateway_environment = var.tgw_environment
+* transit_gateway_label = var.tgw_label
+* route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+* data_input = module.vpc_tgw_data.data_output
+* }
+* ````
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
+ "boc:created_by" = "terraform"
+ }
+}
+
+
+# vpc_id = local.vpc_id
+# vpc_full_name = var.vpc_full_name
+# availability_zones = []
+# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+# route_table_label = "attachment"
+
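Review bot: The doc header's closing fence on the line before `*/` is four backticks, which does not close the three-backtick `hcl` fence opened at the start of the Usage example; the generated README added in this commit shows the result as a stray "```` `" line. Change that line to three backticks to match the opening fence. The header also carries the typos `gatewway`, `envirornment` and `peeers`, which the README copy inherits. The commented-out argument list after the `locals` block (`vpc_id` … `route_table_label`) is leftover scaffolding and should be deleted.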
diff --git a/vpc-transit-gateway-association/self/module_name.tf b/vpc-transit-gateway-association/self/module_name.tf
new file mode 100644
index 0000000..37f1a17
--- /dev/null
+++ b/vpc-transit-gateway-association/self/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "vpc-transit-gateway-association/self"
+}
diff --git a/vpc-transit-gateway-association/self/outputs.tf b/vpc-transit-gateway-association/self/outputs.tf
new file mode 100644
index 0000000..c161df8
--- /dev/null
+++ b/vpc-transit-gateway-association/self/outputs.tf
@@ -0,0 +1,33 @@
+# all these module (data, peer, self) output the same core data
+
+output "gateway_self" {
+ description = "Transit Gateway self (this region)"
+ value = data.aws_ec2_transit_gateway.gateway_self.id
+}
+
+output "gateway_peer" {
+ description = "Transit Gateway peer (other region)"
+ value = data.aws_ec2_transit_gateway.gateway_peer.id
+}
+
+output "route_tables_self" {
+ description = "Transit Gateway route tables self (this region)"
+ # value = data.aws_ec2_transit_gateway_route_table.route_tables_self
+ value = var.data_input.route_tables_self
+}
+
+output "route_tables_peer" {
+ description = "Transit Gateway route tables peer (other region)"
+ # value = data.aws_ec2_transit_gateway_route_table.route_tables_peer
+ value = var.data_input.route_tables_peer
+}
+
+output "map_route_tables_self" {
+ description = "Transit Gateway route tables map (VRF:id) self (this region)"
+ value = local.transit_gateway_route_table_ids_self
+}
+
+output "map_route_tables_peer" {
+ description = "Transit Gateway route tables map (VRF:id) peer (other region)"
+ value = local.transit_gateway_route_table_ids_peer
+}
diff --git a/vpc-transit-gateway-association/self/prefixes.tf b/vpc-transit-gateway-association/self/prefixes.tf
new file mode 120000
index 0000000..5bc256c
--- /dev/null
+++ b/vpc-transit-gateway-association/self/prefixes.tf
@@ -0,0 +1 @@
+../../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/routing.tf b/vpc-transit-gateway-association/self/routing.tf
similarity index 80%
rename from vpc-transit-gateway-association/routing.tf
rename to vpc-transit-gateway-association/self/routing.tf
index 83e73ef..33a7efc 100644
--- a/vpc-transit-gateway-association/routing.tf
+++ b/vpc-transit-gateway-association/self/routing.tf
@@ -1,6 +1,5 @@
module "routing_attachment_ipv4" {
source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing?ref=tf-upgrade"
- count = var.transit_gateway_routing_type == "self" ? 1 : 0
vpc_id = var.vpc_id
vpc_full_name = var.vpc_full_name
@@ -39,13 +38,13 @@ module "routing_attachment_ipv4" {
resource "null_resource" "vpc_attachment_exists" {
triggers = {
- vpc_attachment = var.transit_gateway_routing_type == "self" ? one(aws_ec2_transit_gateway_vpc_attachment.vpc_attachment[*].id) : ""
+ vpc_attachment = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
}
}
# pick the first prefix list found, either NAME or NAME.ipv4
resource "aws_route" "gateway_ipv4" {
- for_each = var.transit_gateway_routing_type == "self" ? var.private_route_table_ids : {}
+ for_each = var.private_route_table_ids
route_table_id = each.value
# destination_cidr_block = "10.128.0.0/16"
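Review bot: With the `count` guard gone, `null_resource.vpc_attachment_exists` only re-wraps `aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id`; `aws_route.gateway_ipv4` (whose body continues outside this hunk) can declare `depends_on = [aws_ec2_transit_gateway_vpc_attachment.vpc_attachment]` directly and the null_resource, and with it the `null` provider requirement, can be dropped. If the null_resource is kept deliberately so that routes are recreated when the attachment id changes, a one-line comment on its `triggers` saying so would stop the next reader from removing it.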
@@ -55,3 +54,13 @@ resource "aws_route" "gateway_ipv4" {
depends_on = [null_resource.vpc_attachment_exists]
}
+
+# resource "aws_route" "gateway_vpn_ipv4" {
+# for_each = var.private_route_table_ids
+#
+# route_table_id = each.value
+# destination_prefix_list_id = var.data_input.prefix_list_id_ipv4
+# transit_gateway_id = data.aws_ec2_transit_gateway.gateway_self.id
+#
+# depends_on = [null_resource.vpc_attachment_exists]
+# }
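Review bot: The added `gateway_vpn_ipv4` block is commented-out code, not a change; if it is a planned feature it should be gated by an input rather than comments, e.g. `for_each = var.enable_vpn_routes ? var.private_route_table_ids : {}` (constructed input name) with a `# TODO` stating what is still missing, otherwise it should be deleted. Its `destination_prefix_list_id = var.data_input.prefix_list_id_ipv4` depends on the data module populating that field, which is not visible in this commit and is worth confirming before the route is enabled.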
diff --git a/vpc-transit-gateway-association/self/variables.common.availability_zones.tf b/vpc-transit-gateway-association/self/variables.common.availability_zones.tf
new file mode 120000
index 0000000..ec237ef
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.common.availability_zones.tf
@@ -0,0 +1 @@
+../../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/variables.common.tf b/vpc-transit-gateway-association/self/variables.common.tf
new file mode 120000
index 0000000..e01226c
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.common.tf
@@ -0,0 +1 @@
+../../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/variables.common.vpc.tf b/vpc-transit-gateway-association/self/variables.common.vpc.tf
new file mode 120000
index 0000000..b7a8eef
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.common.vpc.tf
@@ -0,0 +1 @@
+../../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/variables.common.vpc_id.tf b/vpc-transit-gateway-association/self/variables.common.vpc_id.tf
new file mode 120000
index 0000000..aabcfbd
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/variables.create.tf b/vpc-transit-gateway-association/self/variables.create.tf
new file mode 120000
index 0000000..ae0c122
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.create.tf
@@ -0,0 +1 @@
+../../common/variables.create.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/variables.data_input.tf b/vpc-transit-gateway-association/self/variables.data_input.tf
new file mode 100644
index 0000000..a27009a
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.data_input.tf
@@ -0,0 +1,13 @@
+variable "data_input" {
+ description = "Map of data generated by vpc-transit-gateway-association-data"
+ type = object({
+ availablity_zone = map(any)
+ gateway_self = string
+ gateway_peer = string
+ route_tables_self = map(any)
+ route_tables_peer = map(any)
+ map_route_tables_self = map(any)
+ map_route_tables_peer = map(any)
+ prefix_list_id_ipv4 = string
+ })
+}
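Review bot: The description still says the map is `generated by vpc-transit-gateway-association-data`, a directory this commit renames away (the rename headers above move its files under `vpc-transit-gateway-association/`), so it should name the new data module path. `route_tables_self`/`route_tables_peer` are typed `map(any)`, yet self/data.transit-gateway.tf indexes `v.tags["boc:network_vrf"]` on every value; declaring the shape actually relied on, `map(object({ tags = map(string) }))`, would reject a malformed input at the variable boundary with a clear message instead of an index error inside a local. The key `availablity_zone` is misspelled and is noted elsewhere in this commit as apparently unused, but because it is part of the contract with the data module's output it must be renamed or dropped on both sides in one change, and it cannot be made `optional()` under the `>= 0.13` Terraform requirement the README states.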
diff --git a/vpc-transit-gateway-association/self/variables.subnets.tf b/vpc-transit-gateway-association/self/variables.subnets.tf
new file mode 100644
index 0000000..666405e
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.subnets.tf
@@ -0,0 +1,12 @@
+# from routing/variables.f
+
+variable "private_subnets_ids" {
+ description = "List of private subnet objects including: subnet, label, availability_zone, id"
+ type = list(object({
+ subnet = string
+ label = string
+ availability_zone = string
+ id = string
+ }))
+ default = []
+}
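Review bot: The header comment `# from routing/variables.f` appears to be a truncated file name; `# from routing/variables.tf` is presumably what was meant, and a copied-from note is only useful if it points at a file that exists. Separately, `default = []` lets the module be instantiated with no private subnets at all, which will silently produce no attachment-related resources for them; if that is intended as a valid configuration it is worth saying so in the description, otherwise drop the default so the omission is an error rather than a no-op.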
diff --git a/vpc-transit-gateway-association/self/variables.tf b/vpc-transit-gateway-association/self/variables.tf
new file mode 100644
index 0000000..0656be0
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.tf
@@ -0,0 +1,53 @@
+variable "network_account_profile" {
+ description = "AWS profile of the source account sharing the VPC resources"
+ type = string
+}
+
+variable "transit_gateway_environment" {
+ description = "Transit Gateway Environment (aka, VRF) to which to connnect this VPC"
+ type = string
+
+ validation {
+ condition = contains(["services", "dev", "test", "stage", "prod", "cre"], var.transit_gateway_environment)
+ error_message = "transit_gateway_environment value must be one of the valid VRF selections"
+ }
+}
+
+## variable "transit_gateway_routing_type" {
+## description = "Transit Gateway routing type, to select either self or peer (where we may have many peers)"
+## type = string
+##
+## validation {
+## condition = contains(["self", "peer"], var.transit_gateway_routing_type)
+## error_message = "transit_gateway_routing_type must be either self or peer"
+## }
+## }
+
+variable "route_table_label" {
+ description = "Route table lable for the attachment subnets"
+ type = string
+ default = "attachment"
+}
+
+variable "route_prefix_list_name" {
+ description = "Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW."
+ type = string
+ default = "transit-gateway.prod"
+}
+
+variable "transit_gateway_label" {
+ description = "Transit Gateway label for specific instance (sa, prod)"
+ type = string
+ default = "prod"
+}
+
+## variable "subnet_ids" {
+## description = "List of subnet IDs for this VPC for the TGW attachment. This should be not public, and should be a separate attachment set of /28 subnets with no other use"
+## type = list(string)
+## }
+
+variable "private_route_table_ids" {
+ description = "Map of private route table IDs (which exclude the attachment subnets)"
+ type = map(string)
+ default = {}
+}
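Review bot: The `error_message` in the `transit_gateway_environment` validation block is not a full sentence (it starts lowercase and has no terminal punctuation), and Terraform releases inside the declared `>= 0.13` range enforced that form, so `terraform validate` fails with "Invalid validation error message" on those versions; it also does not tell the operator what the accepted values are. A message such as `error_message = "The transit_gateway_environment value must be one of: services, dev, test, stage, prod, cre."` fixes both. The two `##`-commented variable blocks (`transit_gateway_routing_type`, `subnet_ids`) should be deleted rather than shipped, since the new `self`/`peer` directory split already encodes the routing-type choice and git history preserves the old text; the `/28 attachment subnets with no other use` requirement in the removed `subnet_ids` comment is the one piece worth keeping, as a note on `private_subnets_ids` or `route_table_label`. Minor spelling in descriptions: `connnect` → `connect`, `lable` → `label`.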
diff --git a/vpc-transit-gateway-association/self/version.tf b/vpc-transit-gateway-association/self/version.tf
new file mode 120000
index 0000000..4950c91
--- /dev/null
+++ b/vpc-transit-gateway-association/self/version.tf
@@ -0,0 +1 @@
+../../common/version.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/versions.tf b/vpc-transit-gateway-association/self/versions.tf
new file mode 100644
index 0000000..fb772a1
--- /dev/null
+++ b/vpc-transit-gateway-association/self/versions.tf
@@ -0,0 +1,31 @@
+terraform {
+ # experiments = [module_variable_optional_attrs]
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.66.0"
+ configuration_aliases = [aws.network_account, aws.self, aws.peer]
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = ">= 2.0"
+ }
+ ldap = {
+ source = "trevex/ldap"
+ version = ">= 0.5.4"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = ">= 1.0.0"
+ }
+ }
+ required_version = ">= 0.13"
+}
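Review bot: `configuration_aliases` in the `aws` provider requirement was introduced in Terraform 0.15, so `required_version = ">= 0.13"` admits 0.13 and 0.14 releases that reject this block as an unsupported argument; the constraint should be `required_version = ">= 0.15"` (or whatever version the module is actually tested on). All provider constraints are lower bounds only, so `version = ">= 3.66.0"` for `hashicorp/aws` will also resolve to 4.x and 5.x, which carried breaking resource changes; pinning to the tested major, e.g. `version = "~> 3.66"`, keeps a fresh `terraform init` from silently picking up an incompatible provider. It is not visible from this hunk whether the `self` module uses the `trevex/ldap`, `template`, `random` or `local` providers at all; each declared provider is a dependency that gets downloaded and trusted, so any that are carried over from a copy-paste and unused here should be dropped, and `hashicorp/template` in particular is archived upstream.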
diff --git a/vpc-transit-gateway-association/variables.common.availability_zones.tf b/vpc-transit-gateway-association/variables.common.availability_zones.tf
deleted file mode 120000
index dca20a3..0000000
--- a/vpc-transit-gateway-association/variables.common.availability_zones.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/variables.common.tf b/vpc-transit-gateway-association/variables.common.tf
deleted file mode 120000
index 7439ed8..0000000
--- a/vpc-transit-gateway-association/variables.common.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/variables.common.vpc.tf b/vpc-transit-gateway-association/variables.common.vpc.tf
deleted file mode 120000
index 5e77d37..0000000
--- a/vpc-transit-gateway-association/variables.common.vpc.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/variables.common.vpc_id.tf b/vpc-transit-gateway-association/variables.common.vpc_id.tf
deleted file mode 120000
index bc2e061..0000000
--- a/vpc-transit-gateway-association/variables.common.vpc_id.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/variables.create.tf b/vpc-transit-gateway-association/variables.create.tf
deleted file mode 120000
index de1275b..0000000
--- a/vpc-transit-gateway-association/variables.create.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.create.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/version.tf b/vpc-transit-gateway-association/version.tf
deleted file mode 120000
index b83c5b7..0000000
--- a/vpc-transit-gateway-association/version.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/version.tf
\ No newline at end of file