diff --git a/vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off b/vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off
new file mode 100644
index 0000000..f7c439e
--- /dev/null
+++ b/vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off
@@ -0,0 +1,11 @@
+provider "aws" {
+ alias = "tgw_west"
+ region = "us-gov-west-1"
+ profile = var.network_account_profile
+}
+
+provider "aws" {
+ alias = "tgw_east"
+ region = "us-gov-east-1"
+ profile = var.network_account_profile
+}
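Review bot: The aliases declared here, `tgw_west` and `tgw_east`, do not match the `aws.tgw_main_west` / `aws.tgw_main_east` aliases referenced throughout vpc-transit-gateway.tf.off, so re-enabling both `.off` files as they stand would fail at init with undeclared provider aliases. The live module also expects its providers from the caller via `configuration_aliases = [aws.network_account, aws.self, aws.peer]` in versions.tf; `profile`-based provider blocks inside a module conflict with that pattern, so if these are ever revived they should become caller-supplied aliases rather than hard-coding `us-gov-west-1` / `us-gov-east-1` and a profile. Both files are inert today because of the `.off` suffix; a header comment such as `# disabled: aliases must be renamed to match the consumer and versions.tf before re-enabling` would make the state of this file explicit.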
diff --git a/vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off b/vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off
new file mode 100644
index 0000000..6567821
--- /dev/null
+++ b/vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off
@@ -0,0 +1,225 @@
+locals {
+ trs_region_outputs = data.terraform_remote_state.vpc_east.outputs
+# tgw_id = local.trs_region_outputs.transit_gateway_id
+# tgw_id = data.aws_ec2_transit_gateway.gateway_east.id
+ info_vpc = data.terraform_remote_state.vpc.outputs.info_vpc
+}
+
+data "aws_ec2_transit_gateway" "gateway_east" { }
+
+data "aws_ec2_transit_gateway" "gateway_west" {
+ provider = aws.tgw_main_west
+}
+
+data "aws_ec2_transit_gateway_peering_attachment" "peer_west" {
+ provider = aws.tgw_main_west
+ filter {
+ name = "tag:Name"
+ values = [ "tgw-proto-peer" ]
+ }
+}
+
+locals {
+ transit_gateway_peer_attachment_id_west = data.aws_ec2_transit_gateway_peering_attachment.peer_west.id
+}
+
+module "routing_attachment" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ availability_zones = []
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ create_public_route_table = false
+ private_route_table_label = "attachment"
+ enable_igw = false
+ enable_nat = false
+ enable_vpc_endpoint_s3 = false
+ enable_vpc_endpoint_dynamodb = false
+
+ vpc_name = var.vpc_name
+ vpc_short_name = var.vpc_short_name
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_index = var.vpc_index
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+# routes to tgw (for now, 10.128/16, should be each of the highest cidr blocks per account). It would be nice to use prefix lists, but not supported in gov
+resource "aws_route" "gateway" {
+ for_each = module.routing.private_route_table_ids
+ route_table_id = each.value
+# destination_cidr_block = "0.0.0.0/0"
+ destination_cidr_block = "10.128.0.0/16"
+ transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id
+ depends_on = [ aws_ec2_transit_gateway_vpc_attachment.vpc_attachment ]
+}
+
+#---
+# route tables east
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_east" {
+ provider = aws.tgw_main_east
+ filter {
+ name = "transit-gateway-id"
+ values = [ data.aws_ec2_transit_gateway.gateway_east.id ]
+ }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_east" {
+ provider = aws.tgw_main_east
+ for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_east.ids)
+ id = each.key
+}
+
+locals {
+ transit_gateway_route_table_ids_east = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_east: v.tags["boc:network_vrf"] => k }
+}
+
+#---
+# route tables west
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_west" {
+ provider = aws.tgw_main_west
+ filter {
+ name = "transit-gateway-id"
+ values = [ data.aws_ec2_transit_gateway.gateway_west.id ]
+ }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_west" {
+ provider = aws.tgw_main_west
+ for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_west.ids)
+ id = each.key
+}
+
+locals {
+ transit_gateway_route_table_ids_west = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_west: v.tags["boc:network_vrf"] => k }
+}
+
+
+#---
+# assocaite this vpc to route table in east
+#---
+resource "aws_ec2_transit_gateway_route_table_association" "route_table" {
+ provider = aws.tgw_main_east
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment]
+}
+
+#---
+# attach this vpc to tgw
+#---
+resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
+ subnet_ids = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id
+ vpc_id = local.vpc_id
+ dns_support = "enable"
+ ipv6_support = "disable"
+ transit_gateway_default_route_table_association = true
+ transit_gateway_default_route_table_propagation = true
+
+ tags = merge(
+ local.common_tags,
+ tomap({ Name = "tgwa-proto-${var.vpc_short_name}-${local.region}" }),
+ tomap({ "boc:tgw_environment" = var.tgw_environment }),
+ )
+}
+
+# will need to adjust this where there are common, services, shared
+data "aws_ec2_transit_gateway_vpc_attachment" "vpc_services" {
+ filter {
+ name = "tag:boc:tgw_environment"
+ values = ["services"]
+ }
+}
+
+#---
+# propagate services in {environment} route table in east
+#---
+# resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self" {
+# provider = aws.tgw_main_east
+# count = var.tgw_environment != "services" ? 1 : 0
+# transit_gateway_attachment_id = data.aws_ec2_transit_gateway_vpc_attachment.vpc_services.id
+# transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment]
+# }
+
+#---
+# also add route to other environment in other region to peering attachment in west
+#---
+## resource "aws_ec2_transit_gateway_route" "vpc_self_peers" {
+## provider = aws.tgw_main_west
+## for_each = var.tgw_environment != "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == var.tgw_environment]) : toset([])
+## destination_cidr_block = each.key
+## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+## }
+
+# propagate in services to this attachment in all route tables
+resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_services" {
+ provider = aws.tgw_main_east
+ for_each = var.tgw_environment == "services" ? local.transit_gateway_route_table_ids_east : { for k,v in local.transit_gateway_route_table_ids_east: k => v if k == var.tgw_environment }
+# count = var.tgw_environment != "services" ? 1 : 0
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[each.key]
+}
+
+## # for services, add static IP to all environments in other region to peering attachment
+## resource "aws_ec2_transit_gateway_route" "vpc_services_peers" {
+## provider = aws.tgw_main_west
+## for_each = var.tgw_environment == "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != ""]) : toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == "services"])
+## destination_cidr_block = each.key
+## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+## }
+
+# propagate all to inter-region table
+resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_inter-region" {
+ provider = aws.tgw_main_east
+ count = var.tgw_environment != "services" ? 1 : 0
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east["inter-region"]
+}
+
+# peer route tables for our vpc to tgw peer
+locals {
+ peer_rt = [ for r in keys(local.transit_gateway_route_table_ids_west): r if r!="inter-region" && r!="services" ]
+## peer_rt0 = { for k,v in local.info_vpc: v.cidr_block => v.tgw_environment if v.region == local.region && v.tgw_environment != "" }
+## peer_rt1 = transpose({ for k,v in local.info_vpc: v.cidr_block => [ v.tgw_environment ] if v.region == local.region && v.tgw_environment != "" })
+## peer_rt2 = merge(local.peer_rt1,
+## { "services" = [ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != "" ] },
+## )
+## peer_rt3 = { for v in local.peer_rt2[var.tgw_environment]: format("%v:%v",var.tgw_environment,v) => {
+## label = format("%v:%v",var.tgw_environment,v),
+## tgw_environment = var.tgw_environment,
+## environment = local.peer_rt0[v],
+## cidr_block = v }
+## }
+}
+
+# for services, add static IP to all environments in other region to peering attachment
+resource "aws_ec2_transit_gateway_route" "peer_vpc_environment" {
+ provider = aws.tgw_main_west
+ destination_cidr_block = var.vpc_cidr_block
+ transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+}
+
+resource "aws_ec2_transit_gateway_route" "peer_vpc_to_services" {
+ provider = aws.tgw_main_west
+ count = var.tgw_environment != "services" ? 1 : 0
+ destination_cidr_block = var.vpc_cidr_block
+ transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west["services"]
+}
+
+resource "aws_ec2_transit_gateway_route" "peer_vpc_services" {
+ provider = aws.tgw_main_west
+ for_each = var.tgw_environment == "services" ? local.peer_rt : toset([])
+ destination_cidr_block = var.vpc_cidr_block
+ transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[each.key]
+}
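Review bot: `local.peer_rt` is a list (a `[ for ... ]` expression), but `aws_ec2_transit_gateway_route.peer_vpc_services` uses it directly in `for_each`, which Terraform rejects for lists; the other arm of the conditional is already a set, so the fix is `for_each = var.tgw_environment == "services" ? toset(local.peer_rt) : toset([])`. Several other references would not resolve if this file were re-enabled: `aws_route.gateway` reads `module.routing.private_route_table_ids` while the only module declared is `routing_attachment`, and the `aws.tgw_main_east` / `aws.tgw_main_west` aliases are declared neither by the companion credentials file (`tgw_east` / `tgw_west`) nor by versions.tf. Two points carry risk beyond a failed plan: `data.aws_ec2_transit_gateway.gateway_east` has no filter at all, so the VPC would attach to whichever transit gateway happens to be visible in the account rather than the network account's (the live data.transit-gateway.tf filters on `owner-id`, which this should mirror), and the `boc:network_vrf` map locals index `v.tags["boc:network_vrf"]` without the `contains(keys(v.tags), "boc:network_vrf")` guard the live file uses, so a single untagged route table fails the whole lookup. Since the file is disabled, a short header comment stating which of these must be resolved before the suffix is dropped would save the next person a debugging session.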
diff --git a/vpc-transit-gateway-association-data/README.md b/vpc-transit-gateway-association-data/README.md
new file mode 100644
index 0000000..57e58aa
--- /dev/null
+++ b/vpc-transit-gateway-association-data/README.md
@@ -0,0 +1,95 @@
+# About aws-vpc-setup :: vpc-transit-gateway-association
+
+This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following:
+
+* gets transit gateway ID shared to this account and region
+* gets transit gateway route tables
+* creates routes for the attachment subnets to the transit gatewway
+* creates routes to all other things on the transit gateway through a network prefix
+* attaches the VPC to the transit gateway
+* propagates the route to the associated route tables for the envirornment/VRF
+ * services is propagated to all
+* creates static routes for transit gateway route tables in a peer region
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 3.66.0 |
+| [ldap](#requirement\_ldap) | >= 0.5.4 |
+| [local](#requirement\_local) | >= 1.0.0 |
+| [null](#requirement\_null) | >= 3.0 |
+| [random](#requirement\_random) | >= 3.0 |
+| [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.66.0 |
+| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 |
+| [aws.peer](#provider\_aws.peer) | >= 3.66.0 |
+| [aws.self](#provider\_aws.self) | >= 3.66.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
+| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_managed_prefix_list.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_lists.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
+| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_ec2_transit_gateway_route_table.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source |
+| [aws_ec2_transit_gateway_route_table.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source |
+| [aws_ec2_transit_gateway_route_tables.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source |
+| [aws_ec2_transit_gateway_route_tables.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
+| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no |
+| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
+| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no |
+| [transit\_gateway\_routing\_type](#input\_transit\_gateway\_routing\_type) | Transit Gateway routing type, to select either self or peer (where we may have many peers) | `string` | n/a | yes |
+| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list (3) |
+| [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list (3) |
+| [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list (3) |
+| [availablity\_zone](#output\_availablity\_zone) | map of data resource aws\_availability\_zone from list of zone names |
+| [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) |
+| [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) |
+| [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) |
+| [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) |
+| [prefix\_list\_id\_ipv4](#output\_prefix\_list\_id\_ipv4) | Managed prefix ID for IPv4 |
+| [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) |
+| [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) |
diff --git a/vpc-transit-gateway-association-data/availabilty_zones.tf b/vpc-transit-gateway-association-data/availabilty_zones.tf
new file mode 120000
index 0000000..00a240c
--- /dev/null
+++ b/vpc-transit-gateway-association-data/availabilty_zones.tf
@@ -0,0 +1 @@
+../common/availabilty_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/data.network_account.tf b/vpc-transit-gateway-association-data/data.network_account.tf
new file mode 100644
index 0000000..d0ef9c1
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.network_account.tf
@@ -0,0 +1,12 @@
+data "aws_caller_identity" "network_account" {
+ provider = aws.network_account
+}
+
+data "aws_arn" "network_account" {
+ provider = aws.network_account
+ arn = data.aws_caller_identity.network_account.arn
+}
+
+# output "network_account" {
+# value = data.aws_arn.network_account
+# }
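Review bot: `data.aws_arn.network_account` exists only to recover the account id, which `data.aws_caller_identity.network_account` already exposes as `account_id`; the `owner-id` filters in data.transit-gateway.tf could read `data.aws_caller_identity.network_account.account_id` directly and the `aws_arn` data source could be dropped. If it stays, a one-line comment above it would help the next reader, e.g. `# parsed only to expose .account (the network account id) for owner-id filters`. The commented-out `output` block at the end is dead and can be removed.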
diff --git a/vpc-transit-gateway-association-data/data.routing.tf b/vpc-transit-gateway-association-data/data.routing.tf
new file mode 100644
index 0000000..c1b9d80
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.routing.tf
@@ -0,0 +1,13 @@
+data "aws_ec2_managed_prefix_lists" "tgw_ipv4" {
+ filter {
+ name = "prefix-list-name"
+ values = [var.route_prefix_list_name, format("%v.ipv4", var.route_prefix_list_name)]
+ }
+}
+
+data "aws_ec2_managed_prefix_list" "tgw_ipv4" {
+ for_each = toset(data.aws_ec2_managed_prefix_lists.tgw_ipv4.ids)
+ id = each.key
+}
+
+# destination_prefix_list_id = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
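Review bot: The lookup in `data.aws_ec2_managed_prefix_lists.tgw_ipv4` matches on `prefix-list-name` alone, so any prefix list with that name visible to the account — created locally or shared by a different owner — is accepted, and the result then decides where TGW-bound traffic is routed. The module already resolves the network account id for its transit-gateway lookups, and the same ownership constraint fits here: add `filter { name = "owner-id" values = [data.aws_arn.network_account.account] }` alongside the name filter. A comment explaining the two accepted names would also help, e.g. `# accepts either "<name>" or "<name>.ipv4"; the IPv4 entry is chosen in outputs.tf via address_family`. The trailing commented `destination_prefix_list_id` line is dead and can be removed.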
diff --git a/vpc-transit-gateway-association-data/data.tf b/vpc-transit-gateway-association-data/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/data.transit-gateway.tf b/vpc-transit-gateway-association-data/data.transit-gateway.tf
new file mode 100644
index 0000000..552a02d
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.transit-gateway.tf
@@ -0,0 +1,84 @@
+#---
+# transit gateways
+
+data "aws_ec2_transit_gateway" "gateway_self" {
+ provider = aws.self
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+data "aws_ec2_transit_gateway" "gateway_peer" {
+ provider = aws.peer
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+#---
+# tgw route tables self
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_self" {
+ provider = aws.self
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_self.id]
+ }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_self" {
+ provider = aws.self
+ for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_self.ids)
+ id = each.key
+}
+
+locals {
+ transit_gateway_route_table_ids_self = { for k, v in data.aws_ec2_transit_gateway_route_table.route_tables_self : v.tags["boc:network_vrf"] => k if contains(keys(v.tags), "boc:network_vrf") }
+}
+
+#---
+# route tables west
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_peer" {
+ provider = aws.peer
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_peer.id]
+ }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_peer" {
+ provider = aws.peer
+ for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_peer.ids)
+ id = each.key
+}
+
+locals {
+ transit_gateway_route_table_ids_peer = { for k, v in data.aws_ec2_transit_gateway_route_table.route_tables_peer : v.tags["boc:network_vrf"] => k if contains(keys(v.tags), "boc:network_vrf") }
+}
+
+# These two hold a map of VRF => route table
+# * transit_gateway_route_table_ids_self
+# * transit_gateway_route_table_ids_peer
+
+#---
+# peering attachments
+#---
+data "aws_ec2_transit_gateway_peering_attachment" "attachment_self" {
+ provider = aws.self
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_self.id]
+ }
+}
+
+data "aws_ec2_transit_gateway_peering_attachment" "attachment_peer" {
+ provider = aws.peer
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_peer.id]
+ }
+}
+
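Review bot: `data.aws_ec2_transit_gateway_peering_attachment.attachment_self` and `attachment_peer` filter only on `transit-gateway-id`, and that data source requires exactly one match; variables.tf describes a topology where "we may have many peers", in which case these lookups fail, and even with one peer a deleted or pending-acceptance peering attachment next to the live one is a second match. Adding `filter { name = "state" values = ["available"] }` narrows the result to usable attachments, and if several peers are expected a `tag:` filter keyed on the peer region or environment is needed on top (the tag convention is not visible in this diff). Similarly, `transit_gateway_label` (`sa`, `prod`) is declared in variables.tf but `gateway_self` / `gateway_peer` filter on `owner-id` only, so two transit gateways shared from the network account into one region would make those lookups ambiguous — presumably the label is meant to feed a tag filter. The section header `# route tables west` above `route_tables_peer` looks copy-pasted from the `.off` file and should read `# tgw route tables peer`.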
diff --git a/vpc-transit-gateway-association-data/data.vpc.tf b/vpc-transit-gateway-association-data/data.vpc.tf
new file mode 100644
index 0000000..34f3677
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.vpc.tf
@@ -0,0 +1,3 @@
+data "aws_vpc" "vpc" {
+ id = var.vpc_id
+}
diff --git a/vpc-transit-gateway-association-data/defaults.tf b/vpc-transit-gateway-association-data/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/vpc-transit-gateway-association-data/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/main.tf b/vpc-transit-gateway-association-data/main.tf
new file mode 100644
index 0000000..2585da5
--- /dev/null
+++ b/vpc-transit-gateway-association-data/main.tf
@@ -0,0 +1,43 @@
+/*
+* # About aws-vpc-setup :: vpc-transit-gateway-association
+*
+* This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following:
+*
+* * gets transit gateway ID shared to this account and region
+* * gets transit gateway route tables
+* * creates routes for the attachment subnets to the transit gatewway
+* * creates routes to all other things on the transit gateway through a network prefix
+* * attaches the VPC to the transit gateway
+* * propagates the route to the associated route tables for the envirornment/VRF
+* * services is propagated to all
+* * creates static routes for transit gateway route tables in a peer region
+
+* # Usage
+*
+* ```hcl
+* module "vpc_tgw" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association?ref=tf-upgrade"
+* network_account_profile = "057445207498-ent-gov-network-sa"
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
+ "boc:created_by" = "terraform"
+ }
+}
+
+
+# vpc_id = local.vpc_id
+# vpc_full_name = var.vpc_full_name
+# availability_zones = []
+# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+# route_table_label = "attachment"
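Review bot: The usage example in the header pins the module source with `?ref=tf-upgrade`, a branch name, so every consumer `init` silently picks up whatever that branch holds; for a module that decides transit-gateway routing the example should point at an immutable ref (a tag or commit SHA) and say so. The example is also out of step with this directory: it references `//vpc-transit-gateway-association` rather than `vpc-transit-gateway-association-data`, omits the required inputs `transit_gateway_environment`, `transit_gateway_routing_type` and `vpc_id` declared in variables.tf, and does not show the `providers = { aws.network_account = ..., aws.self = ..., aws.peer = ... }` map that the `configuration_aliases` in versions.tf makes mandatory. The sample profile name embeds what appears to be a real account id; a placeholder such as `<network-account-profile>` keeps account identifiers out of module documentation. The commented-out attribute lines at the bottom are dead and can go.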
diff --git a/vpc-transit-gateway-association-data/module_name.tf b/vpc-transit-gateway-association-data/module_name.tf
new file mode 100644
index 0000000..1f505b5
--- /dev/null
+++ b/vpc-transit-gateway-association-data/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "vpc-transit-gateway-association-data"
+}
diff --git a/vpc-transit-gateway-association-data/outputs.tf b/vpc-transit-gateway-association-data/outputs.tf
new file mode 100644
index 0000000..ec3537e
--- /dev/null
+++ b/vpc-transit-gateway-association-data/outputs.tf
@@ -0,0 +1,39 @@
+output "availablity_zone" {
+ description = "map of data resource aws_availability_zone from list of zone names"
+ value = data.aws_availability_zone.zone
+}
+
+output "gateway_self" {
+ description = "Transit Gateway self (this region)"
+ value = data.aws_ec2_transit_gateway.gateway_self.id
+}
+
+output "gateway_peer" {
+ description = "Transit Gateway peer (other region)"
+ value = data.aws_ec2_transit_gateway.gateway_peer.id
+}
+
+output "route_tables_self" {
+ description = "Transit Gateway route tables self (this region)"
+ value = data.aws_ec2_transit_gateway_route_table.route_tables_self
+}
+
+output "route_tables_peer" {
+ description = "Transit Gateway route tables peer (other region)"
+ value = data.aws_ec2_transit_gateway_route_table.route_tables_peer
+}
+
+output "map_route_tables_self" {
+ description = "Transit Gateway route tables map (VRF:id) self (this region)"
+ value = local.transit_gateway_route_table_ids_self
+}
+
+output "map_route_tables_peer" {
+ description = "Transit Gateway route tables map (VRF:id) peer (other region)"
+ value = local.transit_gateway_route_table_ids_peer
+}
+
+output "prefix_list_id_ipv4" {
+ description = "Managed prefix ID for IPv4"
+ value = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
+}
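Review bot: `prefix_list_id_ipv4` relies on `one()`, which returns `null` when no IPv4 prefix list matched and only raises when more than one did, so a consumer wiring this output into `destination_prefix_list_id` gets a null and a confusing downstream plan error rather than a message naming the failed lookup. `one()` also requires Terraform 0.15, whereas versions.tf declares `>= 0.13`. At minimum document the contract on the output, e.g. `# null when no IPv4 list named var.route_prefix_list_name is visible; errors if both the plain and .ipv4 names resolve to IPv4 lists`. The `availablity_zone` output name carries a typo, but renaming it would break consumers, so it is only worth noting.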
diff --git a/vpc-transit-gateway-association-data/prefixes.tf b/vpc-transit-gateway-association-data/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/vpc-transit-gateway-association-data/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.availability_zones.tf b/vpc-transit-gateway-association-data/variables.common.availability_zones.tf
new file mode 120000
index 0000000..dca20a3
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.common.availability_zones.tf
@@ -0,0 +1 @@
+../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.tf b/vpc-transit-gateway-association-data/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.vpc_id.tf b/vpc-transit-gateway-association-data/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.create.tf b/vpc-transit-gateway-association-data/variables.create.tf
new file mode 120000
index 0000000..de1275b
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.create.tf
@@ -0,0 +1 @@
+../common/variables.create.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.tf b/vpc-transit-gateway-association-data/variables.tf
new file mode 100644
index 0000000..d1c1568
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.tf
@@ -0,0 +1,48 @@
+variable "network_account_profile" {
+ description = "AWS profile of the source account sharing the VPC resources"
+ type = string
+}
+
+variable "transit_gateway_environment" {
+ description = "Transit Gateway Environment (aka, VRF) to which to connnect this VPC"
+ type = string
+
+ validation {
+ condition = contains(["services", "dev", "test", "stage", "prod", "cre"], var.transit_gateway_environment)
+ error_message = "transit_gateway_environment value must be one of the valid VRF selections"
+ }
+}
+
+variable "transit_gateway_routing_type" {
+ description = "Transit Gateway routing type, to select either self or peer (where we may have many peers)"
+ type = string
+
+ validation {
+ condition = contains(["self", "peer"], var.transit_gateway_routing_type)
+ error_message = "transit_gateway_routing_type must be either self or peer"
+ }
+}
+
+variable "route_table_label" {
+ description = "Route table lable for the attachment subnets"
+ type = string
+ default = "attachment"
+}
+
+variable "route_prefix_list_name" {
+ description = "Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW."
+ type = string
+ default = "transit-gateway.prod"
+}
+
+variable "transit_gateway_label" {
+ description = "Transit Gateway label for specific instance (sa, prod)"
+ type = string
+ default = "prod"
+}
+
+## variable "subnet_ids" {
+## description = "List of subnet IDs for this VPC for the TGW attachment. This should be not public, and should be a separate attachment set of /28 subnets with no other use"
+## type = list(string)
+## }
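Review bot: `transit_gateway_routing_type`, `transit_gateway_label` and `route_table_label` are declared and validated here, but as far as this diff shows nothing in the live files reads them (only the `.off` and commented-out code does), so the `self`/`peer` selection the README advertises is presumably still to come; a `# TODO: consumed by <file>` comment or removal would avoid shipping validated-but-ignored inputs. `network_account_profile` is likewise unused by the live module, since providers arrive via `configuration_aliases`, and its description still says `sharing the VPC resources` where this module deals with the transit gateway. Small typos in descriptions: `connnect` and `lable`.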
+
diff --git a/vpc-transit-gateway-association-data/version.tf b/vpc-transit-gateway-association-data/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/vpc-transit-gateway-association-data/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/versions.tf b/vpc-transit-gateway-association-data/versions.tf
new file mode 100644
index 0000000..fb772a1
--- /dev/null
+++ b/vpc-transit-gateway-association-data/versions.tf
@@ -0,0 +1,31 @@
+terraform {
+ # experiments = [module_variable_optional_attrs]
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.66.0"
+ configuration_aliases = [aws.network_account, aws.self, aws.peer]
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = ">= 2.0"
+ }
+ ldap = {
+ source = "trevex/ldap"
+ version = ">= 0.5.4"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = ">= 1.0.0"
+ }
+ }
+ required_version = ">= 0.13"
+}
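Review bot: `configuration_aliases` inside `required_providers` was introduced in Terraform 0.15, and `one()` in outputs.tf is also 0.15+, so `required_version = ">= 0.13"` understates the floor; change it to `required_version = ">= 0.15"` so `init` fails with a clear version message instead of a parse error on older CLIs. The `null`, `random`, `template` and `trevex/ldap` providers are required but nothing in the files added by this commit uses them; if the symlinked `../common/*.tf` files do not either, dropping them removes a third-party provider download (`ldap`) and the archived `template` provider from this module's dependency set. The commented `experiments` line is dead and can go.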