add prefix list association for routing

vpc-transit-gateway-association/self/README.md

@@ -74,6 +74,9 @@ module "vpc_tgw_self" {
 | Name | Type |
 |------|------|
 | [aws_ec2_tag.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource |
+| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource |
+| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_own_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource |
 | [aws_ec2_transit_gateway_route_table_association.route_table_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
 | [aws_ec2_transit_gateway_route_table_propagation.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
 | [aws_ec2_transit_gateway_route_table_propagation.vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
@@ -86,6 +89,8 @@ module "vpc_tgw_self" {
 | [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_managed_prefix_list.tgw_crossregion_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_lists.tgw_crossregion_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
 | [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |

vpc-transit-gateway-association/self/data.prefix_lists.tf

@@ -0,0 +1,13 @@
+data "aws_ec2_managed_prefix_lists" "tgw_crossregion_env" {
+  for_each = toset(local._defaults["transit-gateway-environments"])
+  filter {
+    name   = "prefix-list-name"
+    values = [format("%v.crossregion.transit-gateway.%v", each.key, var.tgw_label)]
+  }
+}
+
+data "aws_ec2_managed_prefix_list" "tgw_crossregion_env" {
+  for_each = data.aws_ec2_managed_prefix_lists.tgw_crossregion_env
+  id       = each.value.ids[0]
+}
+

vpc-transit-gateway-association/self/routing.tf

@@ -67,3 +67,46 @@ resource "aws_route" "gateway_vpn_ipv4" {
 
   depends_on = [null_resource.vpc_attachment_exists]
 }
+
+#---
+# routing using prefix lists.  We want cross-region prefix lists.  For services, we create a cross-region prefix list to the
+# peer TGW for every environment.   For non-services, we create, we create that for services and the env.
+# this is done only once, at the TGW main configuration.
+#---
+resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_common" {
+  provider = aws.self
+  for_each = { "services" = var.data_input.map_route_tables_self["services"] }
+
+  prefix_list_id                 = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
+  transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+  transit_gateway_route_table_id = each.value
+}
+
+locals {
+  propagate_all_rt = ["services", "inter-region"]
+  #  selected_rt      = [for k in keys(local.transit_gateway_route_table_ids_peer) : k if ! contains(local.propagate_all_rt, k)]
+  selected_rt = [for k in keys(var.data_input.map_route_tables_peer) : k if ! contains(local.propagate_all_rt, k)]
+}
+
+#---
+# add routes to peer for non-services
+#---
+resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_own_env" {
+  provider = aws.self
+  for_each = { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] if k == var.transit_gateway_environment }
+
+  prefix_list_id                = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
+  transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+}
+
+#---
+# if services, add routes to all other route tables
+#--
+resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_all" {
+  provider = aws.self
+  for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] } : {}
+
+  prefix_list_id                 = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
+  transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+  transit_gateway_route_table_id = each.value
+}