Skip to main content
Sponsor @cloudposse

Module: transit-gateway

Terraform module to provision:

  • AWS Transit Gateway
  • AWS Resource Access Manager (AWS RAM) Resource Share to share the Transit Gateway with the Organization or another AWS Account (configurable via the variables ram_resource_share_enabled and ram_principals)
  • Transit Gateway route table
  • Transit Gateway VPC attachments to connect multiple VPCs via the Transit Gateway
  • Transit Gateway route table propagations to create propagated routes and allow traffic from the Transit Gateway to the VPC attachments
  • Transit Gateway route table associations to allow traffic from the VPC attachments to the Transit Gateway
  • Transit Gateway static routes (static routes have a higher precedence than propagated routes)
  • Subnet routes to route traffic from the subnets in each VPC to the other Transit Gateway VPC attachments

Introduction

This module is configurable via the variable transit_gateway_config - see usage and examples below.

The variable transit_gateway_config is a map of environment names (e.g. prod, staging, dev) to the environment configurations.

Each environment configuration contains the following fields:

  • vpc_id - The ID of the VPC for which to create a VPC attachment and route table associations and propagations.
  • vpc_cidr - VPC CIDR block.
  • subnet_ids - The IDs of the subnets in the VPC.
  • static_routes - A list of Transit Gateway static route configurations. Note that static routes have a higher precedence than propagated routes.
  • subnet_route_table_ids - The IDs of the subnet route tables. The route tables are used to add routes to allow traffix from the subnets in one VPC to the other VPC attachments.
  • route_to - A set of environment names to route traffic from the current environment to the specified environments. In the example below, in the prod environment we create subnet routes to route traffic from the prod subnets to the VPC attachments in the staging and dev environments. Specify either route_to or route_to_cidr_blocks. route_to_cidr_blocks supersedes route_to.
  • route_to_cidr_blocks - A set of VPC CIDR blocks to route traffic from the current environment to the specified VPC CIDR blocks. In the example below, in the staging environment we create subnet routes to route traffic from the staging subnets to the dev VPC CIDR. Specify either route_to or route_to_cidr_blocks. route_to_cidr_blocks supersedes route_to.
  • transit_gateway_vpc_attachment_id - An existing Transit Gateway Attachment ID. If provided, the module will use it instead of creating a new one.

You now have the option to have Terraform manage route table entries by key, whereas previously they were only managed by index. The advantage of managing them by key is that if a route table ID or destination CIDR changes, only that entry is affected, whereas when managed by index, all the entries after the first affected index may be destroyed and re-created at a different index. The reason this is left as an option, with the default being to manage the entries by index, is that if you are creating the VPC or subnets at the same time you are creating the Transit Gateway, then Terraform will not be able to generate the keys during the plan phase and the plan will fail with the error The "for_each" value depends on resource attributes that cannot be determined until apply.... We recommend setting route_keys_enabled to true unless you get this error, in which case you must leave it set to its default value of false.

NOTE: This module requires Terraform 0.13 and newer since it uses module expansion with for_each.

Usage

Here's how to invoke this module in your projects:

locals {
  transit_gateway_config = {
    prod = {
      vpc_id                            = module.vpc_prod.vpc_id
      vpc_cidr                          = module.vpc_prod.vpc_cidr_block
      subnet_ids                        = module.subnets_prod.private_subnet_ids
      subnet_route_table_ids            = module.subnets_prod.private_route_table_ids
      route_to                          = ["staging", "dev"]
      route_to_cidr_blocks              = null
      transit_gateway_vpc_attachment_id = null

      static_routes = [
        {
          blackhole              = true
          destination_cidr_block = "0.0.0.0/0"
        },
        {
          blackhole              = false
          destination_cidr_block = "172.16.1.0/24"
        }
      ]
    },

    staging = {
      vpc_id                            = module.vpc_staging.vpc_id
      vpc_cidr                          = module.vpc_staging.vpc_cidr_block
      subnet_ids                        = module.subnets_staging.private_subnet_ids
      subnet_route_table_ids            = module.subnets_staging.private_route_table_ids
      route_to                          = null
      route_to_cidr_blocks              = [module.vpc_dev.vpc_cidr_block]
      transit_gateway_vpc_attachment_id = null

      static_routes = [
        {
          blackhole              = false
          destination_cidr_block = "172.32.1.0/24"
        }
      ]
    },

    dev = {
      vpc_id                            = module.vpc_dev.vpc_id
      vpc_cidr                          = module.vpc_dev.vpc_cidr_block
      subnet_ids                        = module.subnets_dev.private_subnet_ids
      subnet_route_table_ids            = module.subnets_dev.private_route_table_ids
      route_to                          = null
      route_to_cidr_blocks              = null
      transit_gateway_vpc_attachment_id = null
      static_routes                     = null
    }
  }
}

module "transit_gateway" {
  source = "cloudposse/transit-gateway/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"

  ram_resource_share_enabled = false
  config                     = local.transit_gateway_config

  context = module.this.context
}

Examples

Here is a working example of using this module:

Here are automated tests for the complete example using bats and Terratest (which tests and deploys the example on AWS):

Here is an example of using this module in a multi-account environment (with the Transit Gateway in one AWS account and all the VPC attachments and routes in different AWS accounts):

Variables

Required Variables

Optional Variables

allow_external_principals (bool) optional

Indicates whether principals outside your organization can be associated with a resource share


Default value: false

auto_accept_shared_attachments (string) optional

Whether resource attachment requests are automatically accepted. Valid values: disable, enable. Default value: disable


Default value: "enable"

config optional

Configuration for VPC attachments, Transit Gateway routes, and subnet routes


Type:

map(object({
vpc_id                            = string
vpc_cidr                          = string
subnet_ids                        = set(string)
subnet_route_table_ids            = set(string)
route_to                          = set(string)
route_to_cidr_blocks              = set(string)
transit_gateway_vpc_attachment_id = string
static_routes = set(object({
  blackhole              = bool
  destination_cidr_block = string
}))
}))

Default value: null

create_transit_gateway (bool) optional

Whether to create a Transit Gateway. If set to false, an existing Transit Gateway ID must be provided in the variable existing_transit_gateway_id


Default value: true

create_transit_gateway_route_table (bool) optional

Whether to create a Transit Gateway Route Table. If set to false, an existing Transit Gateway Route Table ID must be provided in the variable existing_transit_gateway_route_table_id


Default value: true

create_transit_gateway_route_table_association_and_propagation (bool) optional

Whether to create Transit Gateway Route Table associations and propagations


Default value: true

create_transit_gateway_vpc_attachment (bool) optional

Whether to create Transit Gateway VPC Attachments


Default value: true

default_route_table_association (string) optional

Whether resource attachments are automatically associated with the default association route table. Valid values: disable, enable. Default value: disable


Default value: "disable"

default_route_table_propagation (string) optional

Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: disable, enable. Default value: disable


Default value: "disable"

dns_support (string) optional

Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: disable, enable. Default value: enable


Default value: "enable"

existing_transit_gateway_id (string) optional

Existing Transit Gateway ID. If provided, the module will not create a Transit Gateway but instead will use the existing one


Default value: null

existing_transit_gateway_route_table_id (string) optional

Existing Transit Gateway Route Table ID. If provided, the module will not create a Transit Gateway Route Table but instead will use the existing one


Default value: null

ram_principal (string) optional

DEPRECATED, please use ram_principals instead.


The principal to associate with the resource share. Possible values are an
AWS account ID, an Organization ARN, or an Organization Unit ARN.



Default value: null

ram_principals (list(string)) optional

A list of principals to associate with the resource share. Possible values
are:


  • AWS account ID
  • Organization ARN
  • Organization Unit ARN

If this (and var.ram_principal) is not provided and
ram_resource_share_enabled is true, the Organization ARN will be used.



Default value: [ ]

ram_resource_share_enabled (bool) optional

Whether to enable sharing the Transit Gateway with the Organization using Resource Access Manager (RAM)


Default value: false

route_keys_enabled (bool) optional

If true, Terraform will use keys to label routes, preventing unnecessary changes,
but this requires that the VPCs and subnets already exist before using this module.
If false, Terraform will use numbers to label routes, and a single change may
cascade to a long list of changes because the index or order has changed, but
this will work when the true setting generates the error The "for_each" value depends on resource attributes...



Default value: false

route_timeouts optional

aws_route resource timeouts


Type:

object({
create = optional(string),
delete = optional(string),
update = optional(string)
})

Default value: { }

security_group_referencing_support_enabled (bool) optional

Enable or disable support for referencing security groups across VPCs in the transit gateway.


Default value: false

transit_gateway_cidr_blocks (list(string)) optional

The list of associated CIDR blocks. It can contain up to 1 IPv4 CIDR block
of size up to /24 and up to one IPv6 CIDR block of size up to /64. The IPv4
block must not be from range 169.254.0.0/16.



Default value: null

transit_gateway_description (string) optional

Transit Gateway description. If not provided, one will be automatically generated.


Default value: ""

vpc_attachment_appliance_mode_support (string) optional

Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: disable, enable


Default value: "disable"

vpc_attachment_dns_support (string) optional

Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: disable, enable. Default value: enable


Default value: "enable"

vpc_attachment_ipv6_support (string) optional

Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: disable, enable. Default value: enable


Default value: "disable"

vpn_ecmp_support (string) optional

Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: disable, enable. Default value: enable


Default value: "enable"

Context Variables

The following variables are defined in the context.tf file of this module and part of the terraform-null-label pattern.

additional_tag_map (map(string)) optional

Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.


Required: No

Default value: { }

attributes (list(string)) optional

ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.


Required: No

Default value: [ ]

context (any) optional

Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.


Required: No

Default value:

{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
delimiter (string) optional

Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.


Required: No

Default value: null

descriptor_formats (any) optional

Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
\{<br/> format = string<br/> labels = list(string)<br/> \}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).


Required: No

Default value: { }

enabled (bool) optional

Set to false to prevent the module from creating any resources
Required: No

Default value: null

environment (string) optional

ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'
Required: No

Default value: null

id_length_limit (number) optional

Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.


Required: No

Default value: null

label_key_case (string) optional

Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.


Required: No

Default value: null

label_order (list(string)) optional

The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.


Required: No

Default value: null

label_value_case (string) optional

Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.


Required: No

Default value: null

labels_as_tags (set(string)) optional

Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.


Required: No

Default value:

[
  "default"
]
name (string) optional

ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.


Required: No

Default value: null

namespace (string) optional

ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique
Required: No

Default value: null

regex_replace_chars (string) optional

Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.


Required: No

Default value: null

stage (string) optional

ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'
Required: No

Default value: null

tags (map(string)) optional

Additional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.


Required: No

Default value: { }

tenant (string) optional

ID element (Rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for
Required: No

Default value: null

Outputs

ram_resource_share_id

RAM resource share ID

subnet_route_ids

Subnet route identifiers combined with destinations

transit_gateway_arn

Transit Gateway ARN

transit_gateway_association_default_route_table_id

Transit Gateway association default route table ID

transit_gateway_id

Transit Gateway ID

transit_gateway_propagation_default_route_table_id

Transit Gateway propagation default route table ID

transit_gateway_route_ids

Transit Gateway route identifiers combined with destinations

transit_gateway_route_table_id

Transit Gateway route table ID

transit_gateway_vpc_attachment_ids

Transit Gateway VPC attachment IDs

Dependencies

Requirements

  • terraform, version: >= 1.3
  • aws, version: >= 5.69.0

Providers

  • aws, version: >= 5.69.0

Modules

NameVersionSourceDescription
subnet_routelatest./modules/subnet_routeCreate routes in the subnets' route tables to route traffic from subnets to the Transit Gateway VPC attachments Only route to VPCs of the environments defined in route_to attribute
this0.25.0cloudposse/label/nulln/a
transit_gateway_routelatest./modules/transit_gateway_routeStatic Transit Gateway routes Static routes have a higher precedence than propagated routes https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html

Resources

The following resources are used by this module:

Data Sources

The following data sources are used by this module: