├── .gitignore
├── CODEOWNERS
├── CODE_OF_CONDUCT.md
├── CONFIGURATION-GUIDE.md
├── CONTRIBUTING.md
├── LICENSE.txt
├── NOTICE.txt
├── README.md
├── create_transit_gateway
│   ├── main.tf
│   ├── outputs.tf
│   └── variables.tf
├── deploy
│   ├── main.tf
│   ├── terraform.tfvars
│   └── variables.tf
├── lambda_function.py
├── lambda_function.zip
├── main.tf
├── network-manager-cloudformation-template
│   └── aws-fsf-network-manager-cloudformation-template.json
├── outputs.tf
├── peer_transit_gateways
│   ├── main.tf
│   ├── outputs.tf
│   └── variables.tf
├── provider.tf
├── setup_workspace
│   ├── variables.tf
│   └── workspace.tf
├── tests
│   └── transit_gateway_deployment_test
│       └── test_transit_gateway_outputs.tf
├── variables.tf
└── versions.tf
/.gitignore:
--------------------------------------------------------------------------------
# Local .terraform directories
.terraform
**/.terraform/*

# Local .DS_Store files
*.DS_Store
*.DS_Store.*

# .tfstate files
*.tfstate
*.tfstate.*

# Crash log files
crash.log

# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# example.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
**/plan.out
# Pycharm

.idea
.idea/
.idea/workspace.xml
.idea/vcs.xml
.idea/modules.xml
.idea/aws-financial-services-framework-amazon-transit-gateway-for-terraform.iml
**/go.mod
**/go.sum
--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
* @tonynv @andrew-glenn @dR0ski

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

--------------------------------------------------------------------------------
/CONFIGURATION-GUIDE.md:
--------------------------------------------------------------------------------
# Terraform AWS Global Network
Terraform AWS Global Network is a system primarily written in Terraform that you use to deploy and automate the configuration of a transitive network on the AWS Cloud. You can deploy a single transit gateway in one AWS Region, multiple gateways in multiple Regions, or a globally meshed network of gateways in every Region. For more information about the available configurations and the system's components, see [README.md](README.md), also in this repository.

Author: [Androski Spicer](mailto:androsks@amazon.com)

## Deploy Terraform AWS Global Network

1. Install Terraform. See [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) for a tutorial.
2. Sign up and log into [Terraform Cloud](https://app.terraform.io/signup/account). A free tier is available.
3. Generate a Terraform Cloud token.

`terraform login`

4. Export the `TERRAFORM_CONFIG` variable.
* Mac/Linux

`export TERRAFORM_CONFIG="$HOME/.terraform.d/credentials.tfrc.json"`

* Windows

`export TERRAFORM_CONFIG="$HOME/AppData/Roaming/terraform.d/credentials.tfrc.json"`

5. Configure the AWS Command Line Interface (AWS CLI). For more information, see [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).

6. If you don't have git installed, [install git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git).

7. Clone the **aws-ia/terraform-aws-globalnetwork-1** repository.

`git clone https://github.com/aws-ia/terraform-aws-globalnetwork-1.git`

8. Change to the module root directory.

`cd terraform-aws-globalnetwork-1/`

9. Set up your Terraform Cloud workspace.

```
cd setup_workspace
terraform init
terraform apply
```

10. Change to the **deploy** directory.

`cd ../deploy`

11. Initialize the **deploy** directory.

`terraform init`

12. Run `terraform apply` or `terraform apply -var-file="$HOME/.aws/terraform.tfvars"`.

**Note:** `terraform apply` runs remotely in Terraform Cloud.

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *master* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.

"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:

(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.

You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright {yyyy} {name of copyright owner}

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


--------------------------------------------------------------------------------
/NOTICE.txt:
--------------------------------------------------------------------------------
Copyright 2016-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

http://aws.amazon.com/apache2.0/

or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

--------------------------------------------------------------------------------
/create_transit_gateway/main.tf:
--------------------------------------------------------------------------------
# ---------------------------------------------------------------------------------------------------------------
# Data source that looks up the AWS Organizations organization (and its ARN) that the account belongs to
# ---------------------------------------------------------------------------------------------------------------
data "aws_organizations_organization" "my_aws_organization" {}


# ---------------------------------------------------------------------------------------------------------------
# Key/value pairs that form the tags applied to the transit gateway on creation
# ---------------------------------------------------------------------------------------------------------------
locals {
  default_tags = {
    Name               = join("-", [var.Application_Name, var.Environment_Type])
    Application_ID     = var.Application_ID
    Application_Name   = var.Application_Name
    Business_Unit      = var.Business_Unit
    CostCenterCode     = var.CostCenterCode
    CreatedBy          = var.CreatedBy
    Manager            = var.Manager
    Supported_Networks = var.Supported_Networks
    Environment_Type   = var.Environment_Type
    Deployed_By        = "HashiCorp-Terraform"
  }
}

# ---------------------------------------------------------------------------------------------------------------
# Generates random alphanumeric strings used as tunnel pre-shared keys when none are supplied.
# Note: AWS accepts tunnel pre-shared keys of 8-64 characters from letters, digits, "." and "_" that do
# not start with "0". random_string with special = false draws every character from letters and digits,
# so a generated key can start with "0" and be rejected at apply time. Generated keys are also stored
# in plain text in the Terraform state, so protect the state as a secret.
# ---------------------------------------------------------------------------------------------------------------
resource "random_string" "alpha_numeric_value" {
  count   = (var.transit_gateway_deployment == true ? 2 : 0)
  length  = 16
  special = false
}

# ---------------------------------------------------------------------------------------------------------------
# Uses the supplied pre-shared keys, falling back to the generated strings when a variable is empty
# ---------------------------------------------------------------------------------------------------------------
locals {
  tunnel_1_preshared_key = var.tunnel1_preshared_key == "" ? random_string.alpha_numeric_value[0].result : var.tunnel1_preshared_key
  tunnel_2_preshared_key = var.tunnel2_preshared_key == "" ? random_string.alpha_numeric_value[1].result : var.tunnel2_preshared_key
}

# ---------------------------------------------------------------------------------------------------------------
# Pool of tunnel inside CIDR blocks: var.tunnel_inside_cidrs when set, otherwise the default var.tunnel_cidrs
# ---------------------------------------------------------------------------------------------------------------
locals {
  tunnel_inside_cidrs = length(var.tunnel_inside_cidrs) == 0 ? var.tunnel_cidrs : var.tunnel_inside_cidrs
}

# ---------------------------------------------------------------------------------------------------------------
# Transit Gateway Creation
# ---------------------------------------------------------------------------------------------------------------
resource "aws_ec2_transit_gateway" "transit_gateway" {
  count = (var.transit_gateway_deployment == true ? 1 : 0)

  amazon_side_asn                 = var.amazon_side_asn
  auto_accept_shared_attachments  = var.auto_accept_shared_attachments
  default_route_table_association = var.default_route_table_association
  default_route_table_propagation = var.default_route_table_propagation
  dns_support                     = var.dns_support
  vpn_ecmp_support                = var.vpn_ecmp_support
  tags                            = local.default_tags
}


# ---------------------------------------------------------------------------------------------------------------
# AWS | Transit Gateway | --> Route Table Creation
# Every route table below requires shared_services_route_table = true and integration with the network
# deployer solution to be enabled; each additional table is then switched on by its own flag.
# ---------------------------------------------------------------------------------------------------------------
resource "aws_ec2_transit_gateway_route_table" "shared_services_route_table" {
  transit_gateway_id = aws_ec2_transit_gateway.transit_gateway[0].id
  count              = (var.route_tables.shared_services_route_table == true && var.enable_integration_with_network_deployer_solution == true) ? 1 : 0
  tags = {
    Name = "shared_services_route_table"
  }
}

resource "aws_ec2_transit_gateway_route_table" "north_south_route_table" {
  transit_gateway_id = aws_ec2_transit_gateway.transit_gateway[0].id
  count              = (var.route_tables.shared_services_route_table == true && var.route_tables.north_south_route_table == true && var.enable_integration_with_network_deployer_solution == true) ? 1 : 0
  tags = {
    Name = "north_south_route_table"
  }
}

resource "aws_ec2_transit_gateway_route_table" "packet_inspection_route_table" {
  transit_gateway_id = aws_ec2_transit_gateway.transit_gateway[0].id
  count              = (var.route_tables.shared_services_route_table == true && var.route_tables.packet_inspection_route_table == true && var.enable_integration_with_network_deployer_solution == true) ? 1 : 0
  tags = {
    Name = "packet_inspection_route_table"
  }
}


resource "aws_ec2_transit_gateway_route_table" "development_route_table" {
  transit_gateway_id = aws_ec2_transit_gateway.transit_gateway[0].id
  count              = (var.route_tables.shared_services_route_table == true && var.route_tables.development_route_table == true && var.enable_integration_with_network_deployer_solution == true) ? 1 : 0
  tags = {
    Name = "development_inspection_route_table"
  }
}

resource "aws_ec2_transit_gateway_route_table" "production_route_table" {
  transit_gateway_id = aws_ec2_transit_gateway.transit_gateway[0].id
  count              = (var.route_tables.shared_services_route_table == true && var.route_tables.production_route_table == true && var.enable_integration_with_network_deployer_solution == true) ? 1 : 0
  tags = {
    Name = "production_route_table"
  }
}

resource "aws_ec2_transit_gateway_route_table" "uat_route_table" {
  transit_gateway_id = aws_ec2_transit_gateway.transit_gateway[0].id
  count              = (var.route_tables.shared_services_route_table == true && var.route_tables.uat_route_table == true && var.enable_integration_with_network_deployer_solution == true) ? 1 : 0
  tags = {
    Name = "uat_route_table"
  }
}

# ---------------------------------------------------------------------------------------------------------------
# AWS | Resource Access Manager | --> Resource Share Creation
# Note: allow_external_principals = true permits principals outside the organization to be associated
# with this share; keep it false unless cross-organization sharing of the transit gateway is intended.
# ---------------------------------------------------------------------------------------------------------------
resource "aws_ram_resource_share" "share" {
  name                      = var.ram_share_name
  allow_external_principals = var.allow_external_principals
}


# ---------------------------------------------------------------------------------------------------------------
# AWS | Resource Access Manager | --> Principal Association with Resource Share
# The principal is the organization ARN, so every account in the organization can see the shared transit
# gateway and request attachments to it (accepted automatically only if auto_accept_shared_attachments
# is enabled on the gateway).
# ---------------------------------------------------------------------------------------------------------------
resource "aws_ram_principal_association" "share_principal_association" {
  principal          = data.aws_organizations_organization.my_aws_organization.arn
  resource_share_arn = aws_ram_resource_share.share.arn
}


# ---------------------------------------------------------------------------------------------------------------
# AWS | Resource Access Manager | --> Transit Gateway Association with Resource Share
# Note: this resource and the share above carry no count guard, so the [0] index fails at plan time when
# transit_gateway_deployment = false.
# ---------------------------------------------------------------------------------------------------------------
resource "aws_ram_resource_association" "share_transit_gateway" {
  resource_arn       = aws_ec2_transit_gateway.transit_gateway[0].arn
  resource_share_arn = aws_ram_resource_share.share.arn
}


# ---------------------------------------------------------------------------------------------------------------
# AWS | Site-to-Site VPN | --> Customer Gateway, Tunnel CIDR Selection and VPN Connections
# ---------------------------------------------------------------------------------------------------------------
resource "aws_customer_gateway" "customer_gateway_1" {
  count      = (var.create_site_to_site_vpn == true ? 1 : 0)
  bgp_asn    = var.remote_site_asn
  ip_address = var.remote_site_public_ip
  type       = var.vpn_type
}

# Two independent shuffles of the inside CIDR pool, one per tunnel, each keeping
# how_many_vpn_connections blocks. Note: aws_vpn_connection below indexes both shuffle results
# unconditionally, so var.shuffle must be true whenever create_site_to_site_vpn is true. Because the
# two shuffles are independent, tunnel 1 and tunnel 2 of the same connection can draw the same /30;
# check the plan output before applying.
resource "random_shuffle" "tunnel_cidr_ranges" {
  count        = var.shuffle == true ? 2 : 0
  input        = local.tunnel_inside_cidrs
  result_count = var.how_many_vpn_connections
}

resource "aws_vpn_connection" "aws_site_to_site_vpn_1" {
  count               = (var.create_site_to_site_vpn == true ? var.how_many_vpn_connections : 0)
  customer_gateway_id = aws_customer_gateway.customer_gateway_1[0].id
  transit_gateway_id  = aws_ec2_transit_gateway.transit_gateway[0].id
  type                = aws_customer_gateway.customer_gateway_1[0].type
  enable_acceleration = var.enable_acceleration

  # Pre-shared keys: supplied values, or the generated strings when the variables are empty
  tunnel1_preshared_key    = local.tunnel_1_preshared_key
  tunnel2_preshared_key    = local.tunnel_2_preshared_key
  tunnel_inside_ip_version = var.tunnel_inside_ip_version
  tunnel1_inside_cidr      = random_shuffle.tunnel_cidr_ranges[0].result[count.index]
  tunnel2_inside_cidr      = random_shuffle.tunnel_cidr_ranges[1].result[count.index]

  # Dead peer detection, IKE version and the IKE phase 1 / phase 2 (IPsec) proposals per tunnel
  tunnel1_dpd_timeout_action           = var.tunnel1_dpd_timeout_action
  tunnel2_dpd_timeout_action           = var.tunnel2_dpd_timeout_action
  tunnel1_dpd_timeout_seconds          = var.tunnel1_dpd_timeout_seconds
  tunnel2_dpd_timeout_seconds          = var.tunnel2_dpd_timeout_seconds
  tunnel1_ike_versions                 = var.tunnel1_ike_versions
  tunnel2_ike_versions                 = var.tunnel2_ike_versions
  tunnel1_phase1_dh_group_numbers      = var.tunnel1_phase1_dh_group_numbers
  tunnel2_phase1_dh_group_numbers      = var.tunnel2_phase1_dh_group_numbers
  tunnel1_phase1_encryption_algorithms = var.tunnel1_phase1_encryption_algorithms
  tunnel2_phase1_encryption_algorithms = var.tunnel2_phase1_encryption_algorithms
  tunnel1_phase1_integrity_algorithms  = toset(var.tunnel1_phase1_integrity_algorithms)
  tunnel2_phase1_integrity_algorithms  = toset(var.tunnel2_phase1_integrity_algorithms)
  tunnel1_phase1_lifetime_seconds      = var.tunnel1_phase1_lifetime_seconds
  tunnel2_phase1_lifetime_seconds      = var.tunnel2_phase1_lifetime_seconds
  tunnel1_phase2_dh_group_numbers      = var.tunnel1_phase2_dh_group_numbers
  tunnel2_phase2_dh_group_numbers      = var.tunnel2_phase2_dh_group_numbers
  tunnel1_phase2_encryption_algorithms = var.tunnel1_phase2_encryption_algorithms
  tunnel2_phase2_encryption_algorithms = var.tunnel2_phase2_encryption_algorithms
  tunnel1_phase2_integrity_algorithms  = var.tunnel1_phase2_integrity_algorithms
  tunnel2_phase2_integrity_algorithms  = var.tunnel2_phase2_integrity_algorithms
  tunnel1_phase2_lifetime_seconds      = var.tunnel1_phase2_lifetime_seconds
  tunnel2_phase2_lifetime_seconds      = var.tunnel2_phase2_lifetime_seconds

  # Rekeying, anti-replay window and tunnel startup behaviour per tunnel
  tunnel1_rekey_fuzz_percentage     = var.tunnel1_rekey_fuzz_percentage
  tunnel2_rekey_fuzz_percentage     = var.tunnel2_rekey_fuzz_percentage
  tunnel1_rekey_margin_time_seconds = var.tunnel1_rekey_margin_time_seconds
  tunnel2_rekey_margin_time_seconds = var.tunnel2_rekey_margin_time_seconds
  tunnel1_replay_window_size        = var.tunnel1_replay_window_size
  tunnel2_replay_window_size        = var.tunnel2_replay_window_size
  tunnel1_startup_action            = var.tunnel1_startup_action
  tunnel2_startup_action            = var.tunnel2_startup_action
}

204 |
205 | # ---------------------------------------------------------------------------------------------------------------
206 | # AWS Site-to-Site VPN | Propagation and Association with the North South Route Table
207 | # ---------------------------------------------------------------------------------------------------------------
208 |
209 | resource "aws_ec2_transit_gateway_route_table_association" "aws_site_to_site_vpn_1_assoc_with_north_south_rte_table" {
210 | count = ( var.create_site_to_site_vpn == true && var.enable_integration_with_network_deployer_solution == true && var.route_tables.north_south_route_table == true ? var.how_many_vpn_connections : 0 )
211 | transit_gateway_attachment_id = aws_vpn_connection.aws_site_to_site_vpn_1[count.index].transit_gateway_attachment_id
212 | transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.north_south_route_table[0].id
213 | }
214 |
215 | resource "aws_ec2_transit_gateway_route_table_propagation" "aws_site_to_site_vpn_1_propagation_north_south" {
216 | count = ( var.create_site_to_site_vpn == true && var.enable_integration_with_network_deployer_solution == true && var.route_tables.north_south_route_table == true ? var.how_many_vpn_connections : 0 )
217 | transit_gateway_attachment_id = aws_vpn_connection.aws_site_to_site_vpn_1[count.index].transit_gateway_attachment_id
218 | transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.north_south_route_table[0].id
219 | }
220 |
221 | # ---------------------------------------------------------------------------------------------------------------
222 | # AWS Site-to-Site VPN | Propagation to the Packet Inspection Route Table
223 | # ---------------------------------------------------------------------------------------------------------------
224 | resource "aws_ec2_transit_gateway_route_table_propagation" "aws_site_to_site_vpn_1_propagation_packet_inspection" {
225 | count = ( var.create_site_to_site_vpn == true && var.enable_integration_with_network_deployer_solution == true && var.route_tables.packet_inspection_route_table == true ? var.how_many_vpn_connections : 0 )
226 | transit_gateway_attachment_id = aws_vpn_connection.aws_site_to_site_vpn_1[count.index].transit_gateway_attachment_id
227 | transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.packet_inspection_route_table[0].id
228 | }
229 |
230 | # ---------------------------------------------------------------------------------------------------------------
231 | # AWS Site-to-Site VPN | Propagation without packet inspection enabled on the transit gateway network
232 | # ---------------------------------------------------------------------------------------------------------------
233 |
234 | resource "aws_ec2_transit_gateway_route_table_propagation" "aws_site_to_site_vpn_1_propagation_dev" {
235 | count = ( var.create_site_to_site_vpn == true && var.centralized_packet_inspection_enabled==false && var.enable_integration_with_network_deployer_solution == true && var.route_tables.development_route_table == true ? var.how_many_vpn_connections : 0 )
236 | transit_gateway_attachment_id = aws_vpn_connection.aws_site_to_site_vpn_1[count.index].transit_gateway_attachment_id
237 | transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.development_route_table[0].id
238 | }
239 |
240 | resource "aws_ec2_transit_gateway_route_table_propagation" "aws_site_to_site_vpn_1_propagation_uat" {
241 | count = ( var.create_site_to_site_vpn == true && var.centralized_packet_inspection_enabled==false && var.enable_integration_with_network_deployer_solution == true && var.route_tables.uat_route_table == true ? var.how_many_vpn_connections : 0 )
242 | transit_gateway_attachment_id = aws_vpn_connection.aws_site_to_site_vpn_1[count.index].transit_gateway_attachment_id
243 | transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.uat_route_table[0].id
244 | }
245 |
246 | resource "aws_ec2_transit_gateway_route_table_propagation" "aws_site_to_site_vpn_1_propagation_prod" {
247 | count = ( var.create_site_to_site_vpn == true && var.centralized_packet_inspection_enabled==false && var.enable_integration_with_network_deployer_solution == true && var.route_tables.production_route_table == true ? var.how_many_vpn_connections : 0 )
248 | transit_gateway_attachment_id = aws_vpn_connection.aws_site_to_site_vpn_1[count.index].transit_gateway_attachment_id
249 | transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.production_route_table[0].id
250 | }
251 |
252 | resource "aws_ec2_transit_gateway_route_table_propagation" "aws_site_to_site_vpn_1_propagation_shared_services" {
253 | count = ( var.create_site_to_site_vpn == true && var.centralized_packet_inspection_enabled==false && var.enable_integration_with_network_deployer_solution == true && var.route_tables.shared_services_route_table == true ? var.how_many_vpn_connections : 0 )
254 | transit_gateway_attachment_id = aws_vpn_connection.aws_site_to_site_vpn_1[count.index].transit_gateway_attachment_id
255 | transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared_services_route_table[0].id
256 | }
257 |
258 |
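The `count` conditions above decide which transit gateway route tables learn routes from the VPN attachment: the north-south and packet inspection tables always do (once VPN creation and the network-deployer integration are both on), while the development, UAT, production and shared services tables do so only while `centralized_packet_inspection_enabled` is false. The following Python is an added example, not part of the module: it encodes those conditions as a function and then checks the trust boundary they create (with inspection on, no environment table may learn VPN routes directly) for every combination of the other toggles. Table names are taken from the `route_tables` variable; the function and constant names are the example's own.

```python
"""Which transit gateway route tables learn a Site-to-Site VPN attachment's routes.

Added example, not part of the module: it encodes the count conditions of the
aws_ec2_transit_gateway_route_table_association and
aws_ec2_transit_gateway_route_table_propagation resources for the VPN attachment
as a function, so the trust boundary they create can be checked exhaustively.
"""
from itertools import product
from typing import Dict, Optional, Set

# Tables that receive VPN routes whenever VPN creation and the integration toggle are on.
ALWAYS_PROPAGATED = ("north_south_route_table", "packet_inspection_route_table")
# Tables that receive VPN routes only while centralized packet inspection is off.
ENVIRONMENT_TABLES = ("development_route_table", "uat_route_table",
                      "production_route_table", "shared_services_route_table")
# The single table the VPN attachment is associated with (where its own lookups happen).
ASSOCIATION_TABLE = "north_south_route_table"


def vpn_propagation_targets(create_site_to_site_vpn: bool,
                            enable_integration: bool,
                            centralized_inspection: bool,
                            route_tables: Dict[str, bool]) -> Set[str]:
    """Route tables that receive the VPN attachment's routes under the given settings."""
    if not (create_site_to_site_vpn and enable_integration):
        return set()
    targets = {t for t in ALWAYS_PROPAGATED if route_tables.get(t, False)}
    if not centralized_inspection:
        targets |= {t for t in ENVIRONMENT_TABLES if route_tables.get(t, False)}
    return targets


def vpn_association_target(create_site_to_site_vpn: bool,
                           enable_integration: bool,
                           route_tables: Dict[str, bool]) -> Optional[str]:
    """The table the VPN attachment is associated with, or None if it is not associated."""
    if create_site_to_site_vpn and enable_integration and route_tables.get(ASSOCIATION_TABLE, False):
        return ASSOCIATION_TABLE
    return None


def inspection_boundary_holds(route_tables: Dict[str, bool]) -> bool:
    """With centralized inspection on, no environment table may learn VPN routes directly,
    whatever the VPN and integration toggles are set to."""
    for vpn, integ in product((False, True), repeat=2):
        targets = vpn_propagation_targets(vpn, integ, True, route_tables)
        if targets & set(ENVIRONMENT_TABLES):
            return False
    return True


# Defaults from create_transit_gateway/variables.tf: every route table is created.
ALL_TABLES = {t: True for t in ALWAYS_PROPAGATED + ENVIRONMENT_TABLES}

if __name__ == "__main__":
    print("inspection on :", sorted(vpn_propagation_targets(True, True, True, ALL_TABLES)))
    print("inspection off:", sorted(vpn_propagation_targets(True, True, False, ALL_TABLES)))
    print("boundary holds:", inspection_boundary_holds(ALL_TABLES))
```

Note that with the module defaults (`enable_integration_with_network_deployer_solution = false`) the function returns an empty set: the VPN attachment is created but neither associated nor propagated until the integration toggle is enabled.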
--------------------------------------------------------------------------------
/create_transit_gateway/outputs.tf:
--------------------------------------------------------------------------------
1 | output "transit_gateway_id" {
2 | value = concat(aws_ec2_transit_gateway.transit_gateway.*.id, [null])[0]
3 | }
4 |
5 | output "transit_gateway_arn" {
6 | value = concat(aws_ec2_transit_gateway.transit_gateway.*.arn, [null])[0]
7 | }
8 |
9 | output "transit_gateway_owner_id" {
10 | value = concat(aws_ec2_transit_gateway.transit_gateway.*.owner_id, [null])[0]
11 | }
12 |
13 |
14 | output "shared_services_route_table_id" {
15 | value = concat(aws_ec2_transit_gateway_route_table.shared_services_route_table.*.id, [null])[0]
16 | }
17 |
18 | output "north_south_route_table_id" {
19 | value = concat(aws_ec2_transit_gateway_route_table.north_south_route_table.*.id, [null])[0]
20 | }
21 |
22 | output "packet_inspection_route_table_id" {
23 | value = concat(aws_ec2_transit_gateway_route_table.packet_inspection_route_table.*.id, [null])[0]
24 | }
25 |
26 | output "development_route_table_id" {
27 | value = concat(aws_ec2_transit_gateway_route_table.development_route_table.*.id, [null])[0]
28 | }
29 |
30 | output "production_route_table_id" {
31 | value = concat(aws_ec2_transit_gateway_route_table.production_route_table.*.id, [null])[0]
32 | }
33 |
34 | output "uat_route_table_id" {
35 | value = concat(aws_ec2_transit_gateway_route_table.uat_route_table.*.id, [null])[0]
36 | }
37 |
38 |
--------------------------------------------------------------------------------
/create_transit_gateway/variables.tf:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------------------------------------------------
2 | # AWS Transit Gateway | ---> Enables the creation of a specific transit gateway route table
3 | #-----------------------------------------------------------------------------------------------------
4 | variable "route_tables" {
5 | type = map(bool)
6 | default = {
7 | shared_services_route_table = true
8 | north_south_route_table = true
9 | packet_inspection_route_table = true
10 | development_route_table = true
11 | production_route_table = true
12 | uat_route_table = true
13 | }
14 | }
15 |
16 | variable "enable_integration_with_network_deployer_solution" {
17 | default = false
18 | validation {
19 | condition = (var.enable_integration_with_network_deployer_solution == false || var.enable_integration_with_network_deployer_solution == true)
20 | error_message = "The variable enable_integration_with_network_deployer_solution can be either true or false."
21 | }
22 | }
23 |
24 | #-----------------------------------------------------------------------------------------------------
25 | # AWS Transit Gateway | ---> Controls VPN attachment route propagation. When true, VPN routes are propagated only to the north-south and packet inspection route tables; the development, UAT, production and shared services tables are skipped.
26 | #-----------------------------------------------------------------------------------------------------
27 | variable "centralized_packet_inspection_enabled" {
28 | default = false
29 | validation {
30 | condition = (var.centralized_packet_inspection_enabled == false || var.centralized_packet_inspection_enabled == true)
31 | error_message = "The variable centralized_packet_inspection_enabled can be either true or false."
32 | }
33 | }
34 |
35 | #-----------------------------------------------------------------------------------------------------
36 | # AWS Transit Gateway | ---> Enables the deployment of a transit gateway in the specified region
37 | #-----------------------------------------------------------------------------------------------------
38 | variable "transit_gateway_deployment" {
39 | default = true
40 | validation {
41 | condition = (var.transit_gateway_deployment == false || var.transit_gateway_deployment == true)
42 | error_message = "Transit Gateway deployment must be either true or false."
43 | }
44 | }
45 |
46 | #-----------------------------------------------------------------------------------------------------
47 | # AWS Transit Gateway | ---> Transit Gateway Configuration Parameter
48 | #-----------------------------------------------------------------------------------------------------
49 | variable "amazon_side_asn" {
50 | default = "64512"
51 | }
52 |
53 | variable "vpn_ecmp_support" {
54 | default = "enable"
55 | validation {
56 | condition = (var.vpn_ecmp_support == "enable" || var.vpn_ecmp_support == "disable" )
57 | error_message = "You have entered a value that is not accepted. This variable vpn_ecmp_support can either be enable or disable."
58 | }
59 | }
60 |
61 | variable "dns_support" {
62 | default = "disable"
63 | validation {
64 | condition = (var.dns_support == "enable" || var.dns_support == "disable")
65 | error_message = "You have entered a value that is not accepted. This variable dns_support can either be enable or disable."
66 | }
67 | }
68 |
69 | variable "default_route_table_propagation" {
70 | default = "disable"
71 | validation {
72 | condition = (var.default_route_table_propagation == "disable" || var.default_route_table_propagation == "enable")
73 | error_message = "The variable default_route_table_propagation can be either enable or disable. Keep it at disable so attachment routes are not automatically propagated to the default route table."
74 | }
75 | }
76 |
77 | variable "default_route_table_association" {
78 | default = "disable"
79 | validation {
80 | condition = (var.default_route_table_association == "disable" || var.default_route_table_association == "enable")
81 | error_message = "The variable default_route_table_association can be either enable or disable. Keep it at disable so attachments are not automatically associated with the TGW default route table."
82 | }
83 | }
84 |
85 | variable "auto_accept_shared_attachments" {
86 | default = "enable"
87 | validation {
88 | condition = (var.auto_accept_shared_attachments == "enable")
89 | error_message = "Auto acceptance of attachments must be enabled."
90 | }
91 | }
92 |
93 | variable "allow_external_principals" {
94 | default = false
95 | validation {
96 | condition = (var.allow_external_principals == false)
97 | error_message = "External Principals should not be allowed unless in the case of a merger."
98 | }
99 | }
100 |
101 | variable "ram_share_name" {
102 | default = "shared_networking_resources"
103 | }
104 |
105 |
106 | #-----------------------------------------------------------------------------------------------------
107 | # AWS Transit Gateway | ---> AWS Site-to-Site VPN Configuration
108 | # ----------------------------------------------------------------------------------------------------
109 |
110 | variable "create_site_to_site_vpn" {
111 | default = true
112 | validation {
113 | condition = (var.create_site_to_site_vpn == false || var.create_site_to_site_vpn == true)
114 | error_message = "Create site to site VPN must be either true or false."
115 | }
116 | }
117 |
118 | variable "remote_site_asn" {
119 | default = 65000
120 | }
121 |
122 | variable "remote_site_public_ip"{
123 | default = "127.0.0.1"
124 | }
125 |
126 | variable "vpn_type"{
127 | default = "ipsec.1"
128 | }
129 |
130 | variable "how_many_vpn_connections"{
131 | default = 1
132 | }
133 |
134 | variable "shuffle"{
135 | default = true
136 | }
137 |
138 | # -----------------------------------------------------------------------------------------------------
139 | # Advanced VPN Configuration
140 | # -----------------------------------------------------------------------------------------------------
141 |
142 | # -----------------------------------------------------------------------------------------------------
143 | # Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
144 | # -----------------------------------------------------------------------------------------------------
145 | variable "enable_acceleration"{
146 | default = false
147 | validation {
148 | condition = (var.enable_acceleration == true || var.enable_acceleration == false)
149 | error_message = "The variable enable_acceleration accepts true or false."
150 | }
151 | }
152 |
153 | # -----------------------------------------------------------------------------------------------------
154 | # Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6.
155 | # ipv6 is supported only with EC2 Transit Gateway.
156 | # -----------------------------------------------------------------------------------------------------
157 | variable "tunnel_inside_ip_version" {
158 | default = "ipv4"
159 | validation {
160 | condition = (var.tunnel_inside_ip_version == "ipv4" || var.tunnel_inside_ip_version == "ipv6" )
161 | error_message = "The variable tunnel_inside_ip_version accepts ipv4 or ipv6."
162 | }
163 | }
164 |
165 | # -----------------------------------------------------------------------------------------------------
166 | # An array of possible inside tunnel cidrs. This array must have at least two cidrs at any given time.
167 | # -----------------------------------------------------------------------------------------------------
168 | variable "tunnel_inside_cidrs"{
169 | default = []
170 | }
171 |
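The `tunnel_cidrs` pool declared below is what `random_shuffle` draws the two inside tunnel CIDRs from, so a bad entry only surfaces when that entry is picked. The following Python is an added example, not part of the module: it validates a pool against the rules AWS documents for the tunnel inside IPv4 CIDR (a /30 within 169.254.0.0/16 that is not one of the reserved blocks 169.254.0.0/30 through 169.254.5.0/30 or 169.254.169.252/30) and against the pool-level requirements the module relies on (no duplicates, at least two entries). The sample pool is constructed for the example and mixes the first entries of the module's list with deliberately invalid ones; function names are the example's own.

```python
"""Validate a Site-to-Site VPN inside-tunnel CIDR pool.

Added example, not part of the module: it checks the rules AWS documents for the
tunnel inside IPv4 CIDR (a /30 inside 169.254.0.0/16 that is not one of the
reserved blocks) and the pool-level rules the module relies on (no duplicates,
at least two entries so each tunnel gets its own /30).
"""
import ipaddress
from typing import List, Optional, Tuple

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Blocks AWS reserves for its own use; they may not be assigned as a tunnel inside CIDR.
RESERVED = tuple(ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
))


def check_cidr(cidr: str) -> Optional[str]:
    """Return why `cidr` is unusable as an inside tunnel CIDR, or None if it is fine."""
    try:
        # strict=True rejects entries with host bits set, e.g. 169.254.0.5/30
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"not a valid network: {exc}"
    if net.version != 4:
        return "not an IPv4 network"
    if net.prefixlen != 30:
        return f"prefix is /{net.prefixlen}, AWS requires /30"
    if not net.subnet_of(LINK_LOCAL):
        return "outside 169.254.0.0/16"
    for reserved in RESERVED:
        if net.overlaps(reserved):
            return f"reserved by AWS ({reserved})"
    return None


def validate_pool(pool: List[str]) -> List[Tuple[str, str]]:
    """Validate a whole pool; returns (entry, reason) pairs, empty when the pool is usable."""
    errors: List[Tuple[str, str]] = []
    if len(pool) < 2:
        errors.append(("<pool>", f"{len(pool)} entries, need at least two (one per tunnel)"))
    seen = set()
    for cidr in pool:
        reason = check_cidr(cidr)
        if reason is not None:
            errors.append((cidr, reason))
            continue
        key = str(ipaddress.ip_network(cidr))  # normalised form, so duplicates compare equal
        if key in seen:
            errors.append((cidr, "duplicate entry"))
        seen.add(key)
    return errors


# Constructed sample: the first entries of the module's pool plus deliberately bad ones.
SAMPLE_POOL = [
    "169.254.0.4/30", "169.254.0.8/30", "169.254.0.12/30",
    "169.254.0.0/30",   # reserved by AWS
    "169.254.0.8/30",   # duplicate
    "169.254.1.0/29",   # wrong prefix length
    "10.0.0.4/30",      # not link-local
    "169.254.0.5/30",   # host bits set
]

if __name__ == "__main__":
    for entry, reason in validate_pool(SAMPLE_POOL):
        print(f"{entry}: {reason}")
```

Run it against the full default list (for example by loading it from `terraform console` or a tfvars export) before changing the pool; a clean run returns an empty list.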
172 | variable "tunnel_cidrs"{
173 | default = [
174 | "169.254.0.4/30", "169.254.0.8/30", "169.254.0.12/30", "169.254.0.16/30", "169.254.0.20/30",
175 | "169.254.0.24/30", "169.254.0.28/30", "169.254.0.32/30", "169.254.0.36/30", "169.254.0.40/30", "169.254.0.44/30",
176 | "169.254.0.48/30", "169.254.0.52/30", "169.254.0.56/30", "169.254.0.60/30", "169.254.0.64/30", "169.254.0.68/30",
177 | "169.254.0.72/30", "169.254.0.76/30", "169.254.0.80/30", "169.254.0.84/30", "169.254.0.88/30", "169.254.0.92/30",
178 | "169.254.0.96/30", "169.254.0.100/30", "169.254.0.104/30", "169.254.0.108/30", "169.254.0.112/30", "169.254.0.116/30",
179 | "169.254.0.120/30", "169.254.0.124/30", "169.254.0.128/30", "169.254.0.132/30", "169.254.0.136/30", "169.254.0.140/30",
180 | "169.254.0.144/30", "169.254.0.148/30", "169.254.0.152/30", "169.254.0.156/30", "169.254.0.160/30", "169.254.0.164/30",
181 | "169.254.0.168/30", "169.254.0.172/30", "169.254.0.176/30", "169.254.0.180/30", "169.254.0.184/30", "169.254.0.188/30",
182 | "169.254.0.192/30", "169.254.0.196/30", "169.254.0.200/30", "169.254.0.204/30", "169.254.0.208/30", "169.254.0.212/30",
183 | "169.254.0.216/30", "169.254.0.220/30", "169.254.0.224/30", "169.254.0.228/30", "169.254.0.232/30", "169.254.0.236/30",
184 | "169.254.0.240/30", "169.254.0.244/30", "169.254.0.248/30", "169.254.0.252/30", "169.254.1.4/30", "169.254.1.8/30",
185 | "169.254.1.12/30", "169.254.1.16/30", "169.254.1.20/30", "169.254.1.24/30", "169.254.1.28/30", "169.254.1.32/30",
186 | "169.254.1.36/30", "169.254.1.40/30", "169.254.1.44/30", "169.254.1.48/30", "169.254.1.52/30", "169.254.1.56/30",
187 | "169.254.1.60/30", "169.254.1.64/30", "169.254.1.68/30",
188 | "169.254.1.72/30", "169.254.1.76/30", "169.254.1.80/30", "169.254.1.84/30", "169.254.1.88/30", "169.254.1.92/30",
189 | "169.254.1.96/30", "169.254.1.100/30", "169.254.1.104/30", "169.254.1.108/30", "169.254.1.112/30", "169.254.1.116/30",
190 | "169.254.1.120/30", "169.254.1.124/30", "169.254.1.128/30", "169.254.1.132/30", "169.254.1.136/30", "169.254.1.140/30",
191 | "169.254.1.144/30", "169.254.1.148/30", "169.254.1.152/30", "169.254.1.156/30", "169.254.1.160/30", "169.254.1.164/30",
192 | "169.254.1.168/30", "169.254.1.172/30", "169.254.1.176/30", "169.254.1.180/30", "169.254.1.184/30", "169.254.1.188/30",
193 | "169.254.1.192/30", "169.254.1.196/30", "169.254.1.200/30", "169.254.1.204/30", "169.254.1.208/30", "169.254.1.212/30",
194 | "169.254.1.216/30", "169.254.1.220/30", "169.254.1.224/30", "169.254.1.228/30", "169.254.1.232/30", "169.254.1.236/30",
195 | "169.254.1.240/30", "169.254.1.244/30", "169.254.1.248/30", "169.254.1.252/30", "169.254.2.4/30", "169.254.2.8/30",
196 | "169.254.2.12/30", "169.254.2.16/30", "169.254.2.20/30",
197 | "169.254.2.24/30", "169.254.2.28/30", "169.254.2.32/30", "169.254.2.36/30", "169.254.2.40/30", "169.254.2.44/30",
198 | "169.254.2.48/30", "169.254.2.52/30", "169.254.2.56/30", "169.254.2.60/30", "169.254.2.64/30", "169.254.2.68/30",
199 | "169.254.2.72/30", "169.254.2.76/30", "169.254.2.80/30", "169.254.2.84/30", "169.254.2.88/30", "169.254.2.92/30",
200 | "169.254.2.96/30", "169.254.2.100/30", "169.254.2.104/30", "169.254.2.108/30", "169.254.2.112/30", "169.254.2.116/30",
201 | "169.254.2.120/30", "169.254.2.124/30", "169.254.2.128/30", "169.254.2.132/30", "169.254.2.136/30", "169.254.2.140/30",
202 | "169.254.2.144/30", "169.254.2.148/30", "169.254.2.152/30", "169.254.2.156/30", "169.254.2.160/30", "169.254.2.164/30",
203 | "169.254.2.168/30", "169.254.2.172/30", "169.254.2.176/30", "169.254.2.180/30", "169.254.2.184/30", "169.254.2.188/30",
204 | "169.254.2.192/30", "169.254.2.196/30", "169.254.2.200/30", "169.254.2.204/30", "169.254.2.208/30", "169.254.2.212/30",
205 | "169.254.2.216/30", "169.254.2.220/30", "169.254.2.224/30", "169.254.2.228/30", "169.254.2.232/30", "169.254.2.236/30",
206 | "169.254.2.240/30", "169.254.2.244/30", "169.254.2.248/30", "169.254.2.252/30", "169.254.3.4/30", "169.254.3.8/30",
207 | "169.254.3.12/30", "169.254.3.16/30", "169.254.3.20/30",
208 | "169.254.3.24/30", "169.254.3.28/30", "169.254.3.32/30", "169.254.3.36/30", "169.254.3.40/30", "169.254.3.44/30",
209 | "169.254.3.48/30", "169.254.3.52/30", "169.254.3.56/30", "169.254.3.60/30", "169.254.3.64/30", "169.254.3.68/30",
210 | "169.254.3.72/30", "169.254.3.76/30", "169.254.3.80/30", "169.254.3.84/30", "169.254.3.88/30", "169.254.3.92/30",
211 | "169.254.3.96/30", "169.254.3.100/30", "169.254.3.104/30", "169.254.3.108/30", "169.254.3.112/30", "169.254.3.116/30",
212 | "169.254.3.120/30", "169.254.3.124/30", "169.254.3.128/30", "169.254.3.132/30", "169.254.3.136/30", "169.254.3.140/30",
213 | "169.254.3.144/30", "169.254.3.148/30", "169.254.3.152/30", "169.254.3.156/30", "169.254.3.160/30", "169.254.3.164/30",
214 | "169.254.3.168/30", "169.254.3.172/30", "169.254.3.176/30", "169.254.3.180/30", "169.254.3.184/30", "169.254.3.188/30",
215 | "169.254.3.192/30", "169.254.3.196/30", "169.254.3.200/30", "169.254.3.204/30", "169.254.3.208/30", "169.254.3.212/30",
216 | "169.254.3.216/30", "169.254.3.220/30", "169.254.3.224/30", "169.254.3.228/30", "169.254.3.232/30", "169.254.3.236/30",
217 | "169.254.3.240/30", "169.254.3.244/30", "169.254.3.248/30", "169.254.3.252/30", "169.254.4.4/30", "169.254.4.8/30",
218 | "169.254.4.12/30", "169.254.4.16/30", "169.254.4.20/30",
219 | "169.254.4.24/30", "169.254.4.28/30", "169.254.4.32/30", "169.254.4.36/30", "169.254.4.40/30", "169.254.4.44/30",
220 | "169.254.4.48/30", "169.254.4.52/30", "169.254.4.56/30", "169.254.4.60/30", "169.254.4.64/30", "169.254.4.68/30",
221 | "169.254.4.72/30", "169.254.4.76/30", "169.254.4.80/30", "169.254.4.84/30", "169.254.4.88/30", "169.254.4.92/30",
222 | "169.254.4.96/30", "169.254.4.100/30", "169.254.4.104/30", "169.254.4.108/30", "169.254.4.112/30", "169.254.4.116/30",
223 | "169.254.4.120/30", "169.254.4.124/30", "169.254.4.128/30", "169.254.4.132/30", "169.254.4.136/30", "169.254.4.140/30",
224 | "169.254.4.144/30", "169.254.4.148/30", "169.254.4.152/30", "169.254.4.156/30", "169.254.4.160/30", "169.254.4.164/30",
225 | "169.254.4.168/30", "169.254.4.172/30", "169.254.4.176/30", "169.254.4.180/30", "169.254.4.184/30", "169.254.4.188/30",
226 | "169.254.4.192/30", "169.254.4.196/30", "169.254.4.200/30", "169.254.4.204/30", "169.254.4.208/30", "169.254.4.212/30",
227 | "169.254.4.216/30", "169.254.4.220/30", "169.254.4.224/30", "169.254.4.228/30", "169.254.4.232/30", "169.254.4.236/30",
228 | "169.254.4.240/30", "169.254.4.244/30", "169.254.4.248/30", "169.254.4.252/30","169.254.5.4/30", "169.254.5.8/30",
229 | "169.254.5.12/30", "169.254.5.16/30", "169.254.5.20/30",
230 | "169.254.5.24/30", "169.254.5.28/30", "169.254.5.32/30", "169.254.5.36/30", "169.254.5.40/30", "169.254.5.44/30",
231 | "169.254.5.48/30", "169.254.5.52/30", "169.254.5.56/30", "169.254.5.60/30", "169.254.5.64/30", "169.254.5.68/30",
232 | "169.254.5.72/30", "169.254.5.76/30", "169.254.5.80/30", "169.254.5.84/30", "169.254.5.88/30", "169.254.5.92/30",
233 | "169.254.5.96/30", "169.254.5.100/30", "169.254.5.104/30", "169.254.5.108/30", "169.254.5.112/30", "169.254.5.116/30",
234 | "169.254.5.120/30", "169.254.5.124/30", "169.254.5.128/30", "169.254.5.132/30", "169.254.5.136/30", "169.254.5.140/30",
235 | "169.254.5.144/30", "169.254.5.148/30", "169.254.5.152/30", "169.254.5.156/30", "169.254.5.160/30", "169.254.5.164/30",
236 | "169.254.5.168/30", "169.254.5.172/30", "169.254.5.176/30", "169.254.5.180/30", "169.254.5.184/30", "169.254.5.188/30",
237 | "169.254.5.192/30", "169.254.5.196/30", "169.254.5.200/30", "169.254.5.204/30", "169.254.5.208/30", "169.254.5.212/30",
238 | "169.254.5.216/30", "169.254.5.220/30", "169.254.5.224/30", "169.254.5.228/30", "169.254.5.232/30", "169.254.5.236/30",
239 | "169.254.5.240/30", "169.254.5.244/30", "169.254.5.248/30", "169.254.5.252/30", "169.254.6.4/30", "169.254.6.8/30",
240 | "169.254.6.12/30", "169.254.6.16/30", "169.254.6.20/30",
241 | "169.254.6.24/30", "169.254.6.28/30", "169.254.6.32/30", "169.254.6.36/30", "169.254.6.40/30", "169.254.6.44/30",
242 | "169.254.6.48/30", "169.254.6.52/30", "169.254.6.56/30", "169.254.6.60/30", "169.254.6.64/30", "169.254.6.68/30",
243 | "169.254.6.72/30", "169.254.6.76/30", "169.254.6.80/30", "169.254.6.84/30", "169.254.6.88/30", "169.254.6.92/30",
244 | "169.254.6.96/30", "169.254.6.100/30", "169.254.6.104/30", "169.254.6.108/30", "169.254.6.112/30", "169.254.6.116/30",
245 | "169.254.6.120/30", "169.254.6.124/30", "169.254.6.128/30", "169.254.6.132/30", "169.254.6.136/30", "169.254.6.140/30",
246 | "169.254.6.144/30", "169.254.6.148/30", "169.254.6.152/30", "169.254.6.156/30", "169.254.6.160/30", "169.254.6.164/30",
247 | "169.254.6.168/30", "169.254.6.172/30", "169.254.6.176/30", "169.254.6.180/30", "169.254.6.184/30", "169.254.6.188/30",
248 | "169.254.6.192/30", "169.254.6.196/30", "169.254.6.200/30", "169.254.6.204/30", "169.254.6.208/30", "169.254.6.212/30",
249 | "169.254.6.216/30", "169.254.6.220/30", "169.254.6.224/30", "169.254.6.228/30", "169.254.6.232/30", "169.254.6.236/30",
250 | "169.254.6.240/30", "169.254.6.244/30", "169.254.6.248/30", "169.254.6.252/30", "169.254.7.4/30", "169.254.7.8/30",
251 | "169.254.7.12/30", "169.254.7.16/30", "169.254.7.20/30",
252 | "169.254.7.24/30", "169.254.7.28/30", "169.254.7.32/30", "169.254.7.36/30", "169.254.7.40/30", "169.254.7.44/30",
253 | "169.254.7.48/30", "169.254.7.52/30", "169.254.7.56/30", "169.254.7.60/30", "169.254.7.64/30", "169.254.7.68/30",
254 | "169.254.7.72/30", "169.254.7.76/30", "169.254.7.80/30", "169.254.7.84/30", "169.254.7.88/30", "169.254.7.92/30",
255 | "169.254.7.96/30", "169.254.7.100/30", "169.254.7.104/30", "169.254.7.108/30", "169.254.7.112/30", "169.254.7.116/30",
256 | "169.254.7.120/30", "169.254.7.124/30", "169.254.7.128/30", "169.254.7.132/30", "169.254.7.136/30", "169.254.7.140/30",
257 | "169.254.7.144/30", "169.254.7.148/30", "169.254.7.152/30", "169.254.7.156/30", "169.254.7.160/30", "169.254.7.164/30",
258 | "169.254.7.168/30", "169.254.7.172/30", "169.254.7.176/30", "169.254.7.180/30", "169.254.7.184/30", "169.254.7.188/30",
259 | "169.254.7.192/30", "169.254.7.196/30", "169.254.7.200/30", "169.254.7.204/30", "169.254.7.208/30", "169.254.7.212/30",
260 | "169.254.7.216/30", "169.254.7.220/30", "169.254.7.224/30", "169.254.7.228/30", "169.254.7.232/30", "169.254.7.236/30",
261 | "169.254.7.240/30", "169.254.7.244/30", "169.254.7.248/30", "169.254.7.252/30", "169.254.8.4/30", "169.254.8.8/30",
262 | "169.254.8.12/30", "169.254.8.16/30", "169.254.8.20/30",
263 | "169.254.8.24/30", "169.254.8.28/30", "169.254.8.32/30", "169.254.8.36/30", "169.254.8.40/30", "169.254.8.44/30",
264 | "169.254.8.48/30", "169.254.8.52/30", "169.254.8.56/30", "169.254.8.60/30", "169.254.8.64/30", "169.254.8.68/30",
265 | "169.254.8.72/30", "169.254.8.76/30", "169.254.8.80/30", "169.254.8.84/30", "169.254.8.88/30", "169.254.8.92/30",
266 | "169.254.8.96/30", "169.254.8.100/30", "169.254.8.104/30", "169.254.8.108/30", "169.254.8.112/30", "169.254.8.116/30",
267 | "169.254.8.120/30", "169.254.8.124/30", "169.254.8.128/30", "169.254.8.132/30", "169.254.8.136/30", "169.254.8.140/30",
268 | "169.254.8.144/30", "169.254.8.148/30", "169.254.8.152/30", "169.254.8.156/30", "169.254.8.160/30", "169.254.8.164/30",
269 | "169.254.8.168/30", "169.254.8.172/30", "169.254.8.176/30", "169.254.8.180/30", "169.254.8.184/30", "169.254.8.188/30",
270 | "169.254.8.192/30", "169.254.8.196/30", "169.254.8.200/30", "169.254.8.204/30", "169.254.8.208/30", "169.254.8.212/30",
271 | "169.254.8.216/30", "169.254.8.220/30", "169.254.8.224/30", "169.254.8.228/30", "169.254.8.232/30", "169.254.8.236/30",
272 | "169.254.8.240/30", "169.254.8.244/30", "169.254.8.248/30", "169.254.8.252/30", "169.254.9.4/30", "169.254.9.8/30",
273 | "169.254.9.12/30", "169.254.9.16/30", "169.254.9.20/30",
274 | "169.254.9.24/30", "169.254.9.28/30", "169.254.9.32/30", "169.254.9.36/30", "169.254.9.40/30", "169.254.9.44/30",
275 | "169.254.9.48/30", "169.254.9.52/30", "169.254.9.56/30", "169.254.9.60/30", "169.254.9.64/30", "169.254.9.68/30",
276 | "169.254.9.72/30", "169.254.9.76/30", "169.254.9.80/30", "169.254.9.84/30", "169.254.9.88/30", "169.254.9.92/30",
277 | "169.254.9.96/30", "169.254.9.100/30", "169.254.9.104/30", "169.254.9.108/30", "169.254.9.112/30", "169.254.9.116/30",
278 | "169.254.9.120/30", "169.254.9.124/30", "169.254.9.128/30", "169.254.9.132/30", "169.254.9.136/30", "169.254.9.140/30",
279 | "169.254.9.144/30", "169.254.9.148/30", "169.254.9.152/30", "169.254.9.156/30", "169.254.9.160/30", "169.254.9.164/30",
280 | "169.254.9.168/30", "169.254.9.172/30", "169.254.9.176/30", "169.254.9.180/30", "169.254.9.184/30", "169.254.9.188/30",
281 | "169.254.9.192/30", "169.254.9.196/30", "169.254.9.200/30", "169.254.9.204/30", "169.254.9.208/30", "169.254.9.212/30",
282 | "169.254.9.216/30", "169.254.9.220/30", "169.254.9.224/30", "169.254.9.228/30", "169.254.9.232/30", "169.254.9.236/30",
283 | "169.254.9.240/30", "169.254.9.244/30", "169.254.9.248/30", "169.254.9.252/30", "169.254.10.4/30", "169.254.10.8/30",
284 | "169.254.10.12/30", "169.254.10.16/30", "169.254.10.20/30",
285 | "169.254.10.24/30", "169.254.10.28/30", "169.254.10.32/30", "169.254.10.36/30", "169.254.10.40/30", "169.254.10.44/30",
286 | "169.254.10.48/30", "169.254.10.52/30", "169.254.10.56/30", "169.254.10.60/30", "169.254.10.64/30", "169.254.10.68/30",
287 | "169.254.10.72/30", "169.254.10.76/30", "169.254.10.80/30", "169.254.10.84/30", "169.254.10.88/30", "169.254.10.92/30",
288 | "169.254.10.96/30", "169.254.10.100/30", "169.254.10.104/30", "169.254.10.108/30", "169.254.10.112/30", "169.254.10.116/30",
289 | "169.254.10.120/30", "169.254.10.124/30", "169.254.10.128/30", "169.254.10.132/30", "169.254.10.136/30", "169.254.10.140/30",
290 | "169.254.10.144/30", "169.254.10.148/30", "169.254.10.152/30", "169.254.10.156/30", "169.254.10.160/30", "169.254.10.164/30",
291 | "169.254.10.168/30", "169.254.10.172/30", "169.254.10.176/30", "169.254.10.180/30", "169.254.10.184/30", "169.254.10.188/30",
292 | "169.254.10.192/30", "169.254.10.196/30", "169.254.10.200/30", "169.254.10.204/30", "169.254.10.208/30", "169.254.10.212/30",
293 | "169.254.10.216/30", "169.254.10.220/30", "169.254.10.224/30", "169.254.10.228/30", "169.254.10.232/30", "169.254.10.236/30",
294 | "169.254.10.240/30", "169.254.10.244/30", "169.254.10.248/30", "169.254.10.252/30", "169.254.11.4/30", "169.254.11.8/30",
295 | "169.254.11.12/30", "169.254.11.16/30", "169.254.11.20/30",
296 | "169.254.11.24/30", "169.254.11.28/30", "169.254.11.32/30", "169.254.11.36/30", "169.254.11.40/30", "169.254.11.44/30",
297 | "169.254.11.48/30", "169.254.11.52/30", "169.254.11.56/30", "169.254.11.60/30", "169.254.11.64/30", "169.254.11.68/30",
298 | "169.254.11.72/30", "169.254.11.76/30", "169.254.11.80/30", "169.254.11.84/30", "169.254.11.88/30", "169.254.11.92/30",
299 | "169.254.11.96/30", "169.254.11.100/30", "169.254.11.104/30", "169.254.11.108/30", "169.254.11.112/30", "169.254.11.116/30",
300 | "169.254.11.120/30", "169.254.11.124/30", "169.254.11.128/30", "169.254.11.132/30", "169.254.11.136/30", "169.254.11.140/30",
301 | "169.254.11.144/30", "169.254.11.148/30", "169.254.11.152/30", "169.254.11.156/30", "169.254.11.160/30", "169.254.11.164/30",
302 | "169.254.11.168/30", "169.254.11.172/30", "169.254.11.176/30", "169.254.11.180/30", "169.254.11.184/30", "169.254.11.188/30",
303 | "169.254.11.192/30", "169.254.11.196/30", "169.254.11.200/30", "169.254.11.204/30", "169.254.11.208/30", "169.254.11.212/30",
304 | "169.254.11.216/30", "169.254.11.220/30", "169.254.11.224/30", "169.254.11.228/30", "169.254.11.232/30", "169.254.11.236/30",
305 | "169.254.11.240/30", "169.254.11.244/30", "169.254.11.248/30", "169.254.11.252/30", "169.254.12.4/30", "169.254.12.8/30",
306 | "169.254.12.12/30", "169.254.12.16/30", "169.254.12.20/30",
307 | "169.254.12.24/30", "169.254.12.28/30", "169.254.12.32/30", "169.254.12.36/30", "169.254.12.40/30", "169.254.12.44/30",
308 | "169.254.12.48/30", "169.254.12.52/30", "169.254.12.56/30", "169.254.12.60/30", "169.254.12.64/30", "169.254.12.68/30",
309 | "169.254.12.72/30", "169.254.12.76/30", "169.254.12.80/30", "169.254.12.84/30", "169.254.12.88/30", "169.254.12.92/30",
310 | "169.254.12.96/30", "169.254.12.100/30", "169.254.12.104/30", "169.254.12.108/30", "169.254.12.112/30", "169.254.12.116/30",
311 | "169.254.12.120/30", "169.254.12.124/30", "169.254.12.128/30", "169.254.12.132/30", "169.254.12.136/30", "169.254.12.140/30",
312 | "169.254.12.144/30", "169.254.12.148/30", "169.254.12.152/30", "169.254.12.156/30", "169.254.12.160/30", "169.254.12.164/30",
313 | "169.254.12.168/30", "169.254.12.172/30", "169.254.12.176/30", "169.254.12.180/30", "169.254.12.184/30", "169.254.12.188/30",
314 | "169.254.12.192/30", "169.254.12.196/30", "169.254.12.200/30", "169.254.12.204/30", "169.254.12.208/30", "169.254.12.212/30",
315 | "169.254.12.216/30", "169.254.12.220/30", "169.254.12.224/30", "169.254.12.228/30", "169.254.12.232/30", "169.254.12.236/30",
316 | "169.254.12.240/30", "169.254.12.244/30", "169.254.12.248/30", "169.254.12.252/30", "169.254.13.4/30", "169.254.13.8/30",
317 | "169.254.13.12/30", "169.254.13.16/30", "169.254.13.20/30",
318 | "169.254.13.24/30", "169.254.13.28/30", "169.254.13.32/30", "169.254.13.36/30", "169.254.13.40/30", "169.254.13.44/30",
319 | "169.254.13.48/30", "169.254.13.52/30", "169.254.13.56/30", "169.254.13.60/30", "169.254.13.64/30", "169.254.13.68/30",
320 | "169.254.13.72/30", "169.254.13.76/30", "169.254.13.80/30", "169.254.13.84/30", "169.254.13.88/30", "169.254.13.92/30",
321 | "169.254.13.96/30", "169.254.13.100/30", "169.254.13.104/30", "169.254.13.108/30", "169.254.13.112/30", "169.254.13.116/30",
322 | "169.254.13.120/30", "169.254.13.124/30", "169.254.13.128/30", "169.254.13.132/30", "169.254.13.136/30", "169.254.13.140/30",
323 | "169.254.13.144/30", "169.254.13.148/30", "169.254.13.152/30", "169.254.13.156/30", "169.254.13.160/30", "169.254.13.164/30",
324 | "169.254.13.168/30", "169.254.13.172/30", "169.254.13.176/30", "169.254.13.180/30", "169.254.13.184/30", "169.254.13.188/30",
325 | "169.254.13.192/30", "169.254.13.196/30", "169.254.13.200/30", "169.254.13.204/30", "169.254.13.208/30", "169.254.13.212/30",
326 | "169.254.13.216/30", "169.254.13.220/30", "169.254.13.224/30", "169.254.13.228/30", "169.254.13.232/30", "169.254.13.236/30",
327 | "169.254.13.240/30", "169.254.13.244/30", "169.254.13.248/30", "169.254.13.252/30", "169.254.14.4/30", "169.254.14.8/30",
328 | "169.254.14.12/30", "169.254.14.16/30", "169.254.14.20/30",
329 | "169.254.14.24/30", "169.254.14.28/30", "169.254.14.32/30", "169.254.14.36/30", "169.254.14.40/30", "169.254.14.44/30",
330 | "169.254.14.48/30", "169.254.14.52/30", "169.254.14.56/30", "169.254.14.60/30", "169.254.14.64/30", "169.254.14.68/30",
331 | "169.254.14.72/30", "169.254.14.76/30", "169.254.14.80/30", "169.254.14.84/30", "169.254.14.88/30", "169.254.14.92/30",
332 | "169.254.14.96/30", "169.254.14.100/30", "169.254.14.104/30", "169.254.14.108/30", "169.254.14.112/30", "169.254.14.116/30",
333 | "169.254.14.120/30", "169.254.14.124/30", "169.254.14.128/30", "169.254.14.132/30", "169.254.14.136/30", "169.254.14.140/30",
334 | "169.254.14.144/30", "169.254.14.148/30", "169.254.14.152/30", "169.254.14.156/30", "169.254.14.160/30", "169.254.14.164/30",
335 | "169.254.14.168/30", "169.254.14.172/30", "169.254.14.176/30", "169.254.14.180/30", "169.254.14.184/30", "169.254.14.188/30",
336 | "169.254.14.192/30", "169.254.14.196/30", "169.254.14.200/30", "169.254.14.204/30", "169.254.14.208/30", "169.254.14.212/30",
337 | "169.254.14.216/30", "169.254.14.220/30", "169.254.14.224/30", "169.254.14.228/30", "169.254.14.232/30", "169.254.14.236/30",
338 | "169.254.14.240/30", "169.254.14.244/30", "169.254.14.248/30", "169.254.14.252/30", "169.254.15.4/30", "169.254.15.8/30", "169.254.15.12/30", "169.254.15.16/30", "169.254.15.20/30",
339 | "169.254.15.24/30", "169.254.15.28/30", "169.254.15.32/30", "169.254.15.36/30", "169.254.15.40/30", "169.254.15.44/30",
340 | "169.254.15.48/30", "169.254.15.52/30", "169.254.15.56/30", "169.254.15.60/30", "169.254.15.64/30", "169.254.15.68/30",
341 | "169.254.15.72/30", "169.254.15.76/30", "169.254.15.80/30", "169.254.15.84/30", "169.254.15.88/30", "169.254.15.92/30",
342 | "169.254.15.96/30", "169.254.15.100/30", "169.254.15.104/30", "169.254.15.108/30", "169.254.15.112/30", "169.254.15.116/30",
343 | "169.254.15.120/30", "169.254.15.124/30", "169.254.15.128/30", "169.254.15.132/30", "169.254.15.136/30", "169.254.15.140/30",
344 | "169.254.15.144/30", "169.254.15.148/30", "169.254.15.152/30", "169.254.15.156/30", "169.254.15.160/30", "169.254.15.164/30",
345 | "169.254.15.168/30", "169.254.15.172/30", "169.254.15.176/30", "169.254.15.180/30", "169.254.15.184/30", "169.254.15.188/30",
346 | "169.254.15.192/30", "169.254.15.196/30", "169.254.15.200/30", "169.254.15.204/30", "169.254.15.208/30", "169.254.15.212/30",
347 | "169.254.15.216/30", "169.254.15.220/30", "169.254.15.224/30", "169.254.15.228/30", "169.254.15.232/30", "169.254.15.236/30",
348 | "169.254.15.240/30", "169.254.15.244/30", "169.254.15.248/30", "169.254.15.252/30"
349 | ]
350 | }
351 |
352 | # -----------------------------------------------------------------------------------------------------
353 | # The preshared key of the first VPN tunnel.
354 | # The preshared key must be between 8 and 64 characters in length and cannot start with zero (0).
355 | # Allowed characters are alphanumeric characters, periods (.) and underscores (_). The default below is only a placeholder: override it per deployment and keep the real key out of version control.
356 | # -----------------------------------------------------------------------------------------------------
357 | variable "tunnel1_preshared_key"{
358 | default = "babablacksheep"
359 | }
360 |
361 | # -----------------------------------------------------------------------------------------------------
362 | # The preshared key of the second VPN tunnel.
363 | # The preshared key must be between 8 and 64 characters in length and cannot start with zero (0).
364 | # Allowed characters are alphanumeric characters, periods (.) and underscores (_). The default below is only a placeholder: override it per deployment and keep the real key out of version control.
365 | # -----------------------------------------------------------------------------------------------------
366 | variable "tunnel2_preshared_key"{
367 | default = "babablacksheep."
368 | }
369 |
370 |
371 | # -----------------------------------------------------------------------------------------------------
372 | # The action to take after DPD timeout occurs for the first VPN tunnel.
373 | # Specify restart to restart the IKE initiation.
374 | # Specify clear to end the IKE session. Valid values are clear | none | restart.
375 | # -----------------------------------------------------------------------------------------------------
376 | variable "tunnel1_dpd_timeout_action"{
377 | default = "clear"
378 | validation {
379 | condition = (var.tunnel1_dpd_timeout_action == "clear" || var.tunnel1_dpd_timeout_action == "none" || var.tunnel1_dpd_timeout_action == "restart" )
380 | error_message = "The variable tunnel1_dpd_timeout_action accepts clear, none or restart."
381 | }
382 | }
383 |
384 | # -----------------------------------------------------------------------------------------------------
385 | # The action to take after DPD timeout occurs for the second VPN tunnel.
386 | # Specify restart to restart the IKE initiation. Specify clear to end the IKE session.
387 | # Valid values are clear | none | restart.
388 | # -----------------------------------------------------------------------------------------------------
389 | variable "tunnel2_dpd_timeout_action"{
390 | default = "clear"
391 | validation {
392 | condition = (var.tunnel2_dpd_timeout_action == "clear" || var.tunnel2_dpd_timeout_action == "none" || var.tunnel2_dpd_timeout_action == "restart" )
393 | error_message = "The variable tunnel2_dpd_timeout_action accepts clear, none or restart."
394 | }
395 | }
396 |
397 | # -----------------------------------------------------------------------------------------------------
398 | # The number of seconds after which a DPD timeout occurs for the first VPN tunnel.
399 | # Valid value is 30 or higher.
400 | # -----------------------------------------------------------------------------------------------------
401 | variable "tunnel1_dpd_timeout_seconds"{
402 | default = 30
403 | }
404 |
405 | # The number of seconds after which a DPD timeout occurs for the second VPN tunnel.
406 | # Valid value is 30 or higher.
407 | variable "tunnel2_dpd_timeout_seconds"{
408 | default = 30
409 | }
410 |
411 | # The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2. IKEv1 is deprecated (RFC 9395); prefer ikev2 alone.
412 | variable "tunnel1_ike_versions"{
413 | default = ["ikev1","ikev2"]
414 | }
415 |
416 | # The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2. IKEv1 is deprecated (RFC 9395); prefer ikev2 alone.
417 | variable "tunnel2_ike_versions"{
418 | default = ["ikev1","ikev2"]
419 | }
420 |
421 |
422 | # List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
423 | # Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
424 | variable "tunnel1_phase1_dh_group_numbers"{
425 | default = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
426 | }
427 |
428 |
429 | # List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
430 | # Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
431 | variable "tunnel2_phase1_dh_group_numbers"{
432 | default = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
433 | }
434 |
435 |
436 | # List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
437 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
438 | variable "tunnel1_phase1_encryption_algorithms"{
439 | default = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
440 | }
441 |
442 |
443 | # List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
444 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
445 | variable "tunnel2_phase1_encryption_algorithms"{
446 | default = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
447 | }
448 |
449 | # One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
450 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
451 |
452 | variable "tunnel1_phase1_integrity_algorithms"{
453 | default = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
454 | }
455 |
456 | # One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
457 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
458 | variable "tunnel2_phase1_integrity_algorithms"{
459 | default = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
460 | }
461 |
462 |
463 | # The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds.
464 | # Valid value is between 900 and 28800.
465 | variable "tunnel1_phase1_lifetime_seconds"{
466 | default = 28800
467 | }
468 |
469 | # The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds.
470 | # Valid value is between 900 and 28800.
471 | variable "tunnel2_phase1_lifetime_seconds"{
472 | default = 28800
473 | }
474 |
475 |
476 | # List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
477 | # Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
478 | variable "tunnel1_phase2_dh_group_numbers"{
479 | default = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
480 | }
481 |
482 | # List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations.
483 | # Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
484 |
485 | variable "tunnel2_phase2_dh_group_numbers"{
486 | default = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
487 | }
488 |
489 | # List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
490 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
491 | variable "tunnel1_phase2_encryption_algorithms"{
492 | default = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
493 | }
494 |
495 | # List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations
496 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
497 | variable "tunnel2_phase2_encryption_algorithms"{
498 | default = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
499 | }
500 |
501 | # List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
502 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
503 | variable "tunnel1_phase2_integrity_algorithms"{
504 | default = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
505 | }
506 |
507 | # List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations.
508 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
509 | variable "tunnel2_phase2_integrity_algorithms"{
510 | default = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
511 | }
512 |
513 | # The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds.
514 | # Valid value is between 900 and 3600.
515 | variable "tunnel1_phase2_lifetime_seconds"{
516 | default = 3600
517 | }
518 |
519 | # The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds.
520 | # Valid value is between 900 and 3600.
521 | variable "tunnel2_phase2_lifetime_seconds"{
522 | default = 3600
523 | }
524 |
525 |
526 | # The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds)
527 | # during which the rekey time is randomly selected. Valid value is between 0 and 100.
528 | variable "tunnel1_rekey_fuzz_percentage"{
529 | default = 100
530 | }
531 |
532 | # The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds)
533 | # during which the rekey time is randomly selected. Valid value is between 0 and 100.
534 | variable "tunnel2_rekey_fuzz_percentage"{
535 | default = 100
536 | }
537 | # The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey.
538 | # The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
539 | variable "tunnel1_rekey_margin_time_seconds"{
540 | default = 540
541 | }
542 |
543 | # The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey.
544 | # The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
545 | variable "tunnel2_rekey_margin_time_seconds"{
546 | default = 540
547 | }
548 |
549 | # The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
550 | variable "tunnel1_replay_window_size"{
551 | default = 1024
552 | }
553 |
554 | # The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
555 | variable "tunnel2_replay_window_size"{
556 | default = 1024
557 | }
558 |
559 |
560 | # The action to take when establishing the tunnel for the first VPN connection.
561 | # By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel.
562 | # Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
563 | variable "tunnel1_startup_action"{
564 | default = "add"
565 | validation {
566 | condition = (var.tunnel1_startup_action == "add" || var.tunnel1_startup_action == "start")
567 | error_message = "The variable tunnel1_startup_action accepts add or start."
568 | }
569 | }
570 |
571 | # The action to take when establishing the tunnel for the second VPN connection.
572 | # By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel.
573 | # Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
574 | variable "tunnel2_startup_action"{
575 | default = "add"
576 | validation {
577 | condition = (var.tunnel2_startup_action == "add" || var.tunnel2_startup_action == "start")
578 | error_message = "The variable tunnel2_startup_action accepts add or start."
579 | }
580 | }
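Added example (not code from the module or its authors): the constraints the comments above spell out for tunnel 1, enforced with Terraform `validation` blocks the way the module already does for the DPD and startup actions, with the pre-shared key made mandatory and sensitive and the permissive defaults tightened; tunnel 2 would be declared the same way. It assumes Terraform 0.14 or later for `sensitive` and `alltrue`, and 1.5 or later for the `check` block.

```hcl
# Added example, not module code. Assumes Terraform >= 0.14 (sensitive, alltrue) and,
# for the final check block, >= 1.5. Tunnel 2 would be declared in the same way.

# ---- variables.tf: tunnel 1 -------------------------------------------------------------

variable "tunnel1_preshared_key" {
  description = "Pre-shared key for tunnel 1. No default: supply it per deployment (for example through TF_VAR_tunnel1_preshared_key), never from a committed tfvars file."
  type        = string
  sensitive   = true # redacted from plan and apply output

  validation {
    # The rule from the comment: 8-64 characters, alphanumerics plus '.' and '_',
    # first character not '0'.
    condition     = can(regex("^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$", var.tunnel1_preshared_key))
    error_message = "The variable tunnel1_preshared_key must be 8-64 characters of [A-Za-z0-9._] and must not start with 0."
  }

  validation {
    # Refuse the placeholder values that ship with the module.
    condition     = !contains(["babablacksheep", "babablacksheep."], var.tunnel1_preshared_key)
    error_message = "The variable tunnel1_preshared_key is still set to the module's placeholder value."
  }
}

variable "tunnel1_ike_versions" {
  type    = list(string)
  default = ["ikev2"] # IKEv1 is deprecated (RFC 9395); negotiate IKEv2 only

  validation {
    condition     = length(var.tunnel1_ike_versions) > 0 && alltrue([for v in var.tunnel1_ike_versions : contains(["ikev1", "ikev2"], v)])
    error_message = "The variable tunnel1_ike_versions accepts only ikev1 and/or ikev2."
  }
}

variable "tunnel1_phase1_dh_group_numbers" {
  type    = list(number)
  default = [14, 15, 16, 17, 18, 19, 20, 21] # leaves out group 2 (1024-bit MODP) and groups 22-24

  validation {
    condition     = alltrue([for g in var.tunnel1_phase1_dh_group_numbers : contains([2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24], g)])
    error_message = "The variable tunnel1_phase1_dh_group_numbers accepts only 2 and 14 to 24."
  }
}

variable "tunnel1_phase1_integrity_algorithms" {
  type    = list(string)
  default = ["SHA2-256", "SHA2-384", "SHA2-512"] # SHA1 left out

  validation {
    condition     = alltrue([for a in var.tunnel1_phase1_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], a)])
    error_message = "The variable tunnel1_phase1_integrity_algorithms accepts only SHA1, SHA2-256, SHA2-384 or SHA2-512."
  }
}

variable "tunnel1_replay_window_size" {
  type    = number
  default = 1024

  validation {
    condition     = var.tunnel1_replay_window_size >= 64 && var.tunnel1_replay_window_size <= 2048
    error_message = "The variable tunnel1_replay_window_size must be between 64 and 2048."
  }
}

variable "tunnel1_phase2_lifetime_seconds" {
  type    = number
  default = 3600

  validation {
    condition     = var.tunnel1_phase2_lifetime_seconds >= 900 && var.tunnel1_phase2_lifetime_seconds <= 3600
    error_message = "The variable tunnel1_phase2_lifetime_seconds must be between 900 and 3600."
  }
}

variable "tunnel1_rekey_margin_time_seconds" {
  type    = number
  default = 540
}

# The rekey margin must lie between 60 and half of the phase 2 lifetime. A variable's own
# validation block cannot reference another variable before Terraform 1.9, so the relation is
# checked here instead; a check block reports a failure as a plan-time warning.
check "tunnel1_rekey_margin_within_phase2_lifetime" {
  assert {
    condition     = var.tunnel1_rekey_margin_time_seconds >= 60 && var.tunnel1_rekey_margin_time_seconds <= floor(var.tunnel1_phase2_lifetime_seconds / 2)
    error_message = "The variable tunnel1_rekey_margin_time_seconds must be between 60 and half of tunnel1_phase2_lifetime_seconds."
  }
}
```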
581 |
582 |
583 |
584 | #-----------------------------------------------------------------------------------------------------
585 | # Variables that make up the AWS tags assigned to the transit gateway resources on creation.
586 | #-----------------------------------------------------------------------------------------------------
587 |
588 | variable "Application_ID" {
589 | description = "The Application ID of the application that will be hosted inside this Amazon VPC."
590 | type = string
591 | default = "0000000"
592 | }
593 |
594 | variable "Application_Name" {
595 | description = "The name of the application. Max 10 characters. Allowed characters [0-9A-Za-z]."
596 | type = string
597 | default = "fsf-transit-gateway"
598 | }
599 |
600 | variable "Business_Unit" {
601 | description = "The business unit or line of business to which this application belongs."
602 | type = string
603 | default = "Commercial Banking (CB)"
604 | }
605 |
606 | variable "Environment_Type" {
607 | description = "The application's environment type. This module accepts only PRODUCTION (see the validation below)."
608 | type = string
609 | default = "PRODUCTION"
610 | validation {
611 | condition = (var.Environment_Type == "PRODUCTION")
612 | error_message = "The variable Environment_Type accepts only PRODUCTION."
613 | }
614 | }
615 |
616 | variable "Supported_Networks" {
617 | description = "The networks permitted to attach to this transit gateway. Only Spoke_VPCs_Under_This_Organization is accepted."
618 | type = string
619 | default = "Spoke_VPCs_Under_This_Organization"
620 | validation {
621 | condition = (var.Supported_Networks == "Spoke_VPCs_Under_This_Organization")
622 | error_message = "External Principals should not be allowed unless in the case of a merger."
623 | }
624 | }
625 |
626 | variable "CostCenterCode" {
627 | description = "CSI Billing Profile Number associated with the application to be hosted in this VPC."
628 | type = string
629 | default = "CB-0000000"
630 | }
631 |
632 | variable "CreatedBy" {
633 | description = "The person or team that created this deployment."
634 | type = string
635 | default = "Androski_Spicer"
636 | }
637 |
638 | variable "Manager" {
639 | description = "The manager responsible for this deployment."
640 | type = string
641 | default = "KenJackson"
642 | }
643 |
644 |
645 | variable "deploy_transit_gateway_in_this_aws_region" {
646 | type = map(bool)
647 | default = {
648 | ohio = true
649 | n_virginia = true
650 | oregon = true
651 | n_california = true
652 | canada_east = true
653 | ireland = true
654 | london = true
655 | stockholm = true
656 | frankfurt = true
657 | paris = true
658 | tokyo = true
659 | seoul = true
660 | sydney = true
661 | mumbai = true
662 | singapore = true
663 | sao-paulo = true
664 | }
665 | }
--------------------------------------------------------------------------------
/deploy/main.tf:
--------------------------------------------------------------------------------
1 | ##################################################################################################################
2 | # This module deploys the transit gateway network that your business requires.
3 | # To do this, simply configure the variables outlined in the terraform.tfvars file.
4 | ##################################################################################################################
5 |
6 | module "deploy_aws_transit_gateway_network"{
7 | source = "../"
8 | ################################################################################################################
9 | # AWS TRANSIT GATEWAY CONFIGURATIONS
10 | ################################################################################################################
11 | ram_share_name = var.ram_share_name
12 | deploy_transit_gateway_in_this_aws_region = var.deploy_transit_gateway_in_this_aws_region
13 | transit_gateway_peering = var.transit_gateway_peering
14 | dns_support = var.dns_support
15 | network_manager_deployment = var.network_manager_deployment
16 | network_manager_name = var.network_manager_name
17 | network_manager_id = var.network_manager_id
18 | enable_integration_with_network_deployer_solution = var.enable_integration_with_network_deployer_solution
19 | default_route_table_propagation = var.default_route_table_propagation
20 | default_route_table_association = var.default_route_table_association
21 | vpn_ecmp_support = var.vpn_ecmp_support
22 | centralized_packet_inspection_enabled = var.centralized_packet_inspection_enabled
23 | ################################################################################################################
24 | # AWS SITE TO SITE VPN CONFIGURATION
25 | ################################################################################################################
26 | create_site_to_site_vpn = var.create_site_to_site_vpn
27 | remote_site_asn = var.remote_site_asn
28 | remote_site_public_ip = var.remote_site_public_ip
29 | how_many_vpn_connections = var.how_many_vpn_connections
30 | enable_acceleration = var.enable_acceleration
31 | tunnel_inside_ip_version = var.tunnel_inside_ip_version
32 | tunnel_inside_cidrs = var.tunnel_inside_cidrs
33 | tunnel1_preshared_key = var.tunnel1_preshared_key
34 | tunnel2_preshared_key = var.tunnel2_preshared_key
35 | tunnel1_dpd_timeout_action = var.tunnel1_dpd_timeout_action
36 | tunnel2_dpd_timeout_action = var.tunnel2_dpd_timeout_action
37 | tunnel1_dpd_timeout_seconds = var.tunnel1_dpd_timeout_seconds
38 | tunnel2_dpd_timeout_seconds = var.tunnel2_dpd_timeout_seconds
39 | tunnel1_ike_versions = var.tunnel1_ike_versions
40 | tunnel2_ike_versions = var.tunnel2_ike_versions
41 | tunnel1_phase1_dh_group_numbers = var.tunnel1_phase1_dh_group_numbers
42 | tunnel2_phase1_dh_group_numbers = var.tunnel2_phase1_dh_group_numbers
43 | tunnel1_phase1_encryption_algorithms = var.tunnel1_phase1_encryption_algorithms
44 | tunnel2_phase1_encryption_algorithms = var.tunnel2_phase1_encryption_algorithms
45 | tunnel1_phase1_integrity_algorithms = var.tunnel1_phase1_integrity_algorithms
46 | tunnel2_phase1_integrity_algorithms = var.tunnel2_phase1_integrity_algorithms
47 | tunnel1_phase1_lifetime_seconds = var.tunnel1_phase1_lifetime_seconds
48 | tunnel2_phase1_lifetime_seconds = var.tunnel2_phase1_lifetime_seconds
49 | tunnel1_phase2_dh_group_numbers = var.tunnel1_phase2_dh_group_numbers
50 | tunnel2_phase2_dh_group_numbers = var.tunnel2_phase2_dh_group_numbers
51 | tunnel1_phase2_encryption_algorithms = var.tunnel1_phase2_encryption_algorithms
52 | tunnel2_phase2_encryption_algorithms = var.tunnel2_phase2_encryption_algorithms
53 | tunnel1_phase2_integrity_algorithms = var.tunnel1_phase2_integrity_algorithms
54 | tunnel2_phase2_integrity_algorithms = var.tunnel2_phase2_integrity_algorithms
55 | tunnel1_phase2_lifetime_seconds = var.tunnel1_phase2_lifetime_seconds
56 | tunnel2_phase2_lifetime_seconds = var.tunnel2_phase2_lifetime_seconds
57 | tunnel1_rekey_fuzz_percentage = var.tunnel1_rekey_fuzz_percentage
58 | tunnel2_rekey_fuzz_percentage = var.tunnel2_rekey_fuzz_percentage
59 | tunnel1_rekey_margin_time_seconds = var.tunnel1_rekey_margin_time_seconds
60 | tunnel2_rekey_margin_time_seconds = var.tunnel2_rekey_margin_time_seconds
61 | tunnel1_replay_window_size = var.tunnel1_replay_window_size
62 | tunnel2_replay_window_size = var.tunnel2_replay_window_size
63 | tunnel1_startup_action = var.tunnel1_startup_action
64 | tunnel2_startup_action = var.tunnel2_startup_action
65 | ################################################################################################################
66 | # AWS TAGS
67 | ################################################################################################################
68 | Business_Unit = var.Business_Unit
69 | Environment_Type = var.Environment_Type
70 | Supported_Networks = var.Supported_Networks
71 | CostCenterCode = var.CostCenterCode
72 | CreatedBy = var.CreatedBy
73 | Manager = var.Manager
74 | }
75 |
76 |
--------------------------------------------------------------------------------
/deploy/terraform.tfvars:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------------------------------------------------
2 | # MANDATORY CONFIGURATION !!!!!!!
3 | #-----------------------------------------------------------------------------------------------------
4 |
5 | #-----------------------------------------------------------------------------------------------------
6 | # AWS Transit Gateway | ---> Transit Gateway Configuration Parameter
7 | #-----------------------------------------------------------------------------------------------------
8 | ram_share_name = "shared_networking_resources"
9 |
10 |
11 | #-----------------------------------------------------------------------------------------------------
12 | # AWS Transit Gateway | ---> Create Transit Gateway
13 | #-----------------------------------------------------------------------------------------------------
14 | # This variable controls the creation of a transit gateway in the region named on the left.
15 | # Set a region to true to create a transit gateway there, or false to skip it.
16 | # The option "all_aws_region" creates a transit gateway in every AWS Region.
17 | # There is no need to set individual regions to true if "all_aws_region" is set to true.
18 | #-----------------------------------------------------------------------------------------------------
19 | deploy_transit_gateway_in_this_aws_region = {
20 | all_aws_regions = false # false
21 | ohio = true # false
22 | n_virginia = false # false
23 | oregon = false # true
24 | n_california = false # true
25 | canada_east = false # true
26 | ireland = false # true
27 | london = false # true
28 | stockholm = false # true
29 | frankfurt = false # true
30 | paris = false # true
31 | tokyo = false # true
32 | seoul = false # true
33 | sydney = false # true
34 | mumbai = false # true
35 | singapore = false # true
36 | sao-paulo = false # true
37 | }
38 |
39 |
40 | #-----------------------------------------------------------------------------------------------------
41 | # AWS Transit Gateway | ---> Create Transit Gateway Peering Connection
42 | #-----------------------------------------------------------------------------------------------------
43 | # This variable controls the creation of a transit gateway peering between transit gateways deployed in different AWS Regions.
44 | # The option "build_complete_mesh" complements "all_aws_region" in the variable "deploy_transit_gateway_in_this_aws_region".
45 | # Set "build_complete_mesh" to true if you have set "all_aws_region" to true AND you would like to build a completely globally meshed transit gateway network.
46 | #-----------------------------------------------------------------------------------------------------
47 | transit_gateway_peering = {
48 | build_complete_mesh = false # false
49 | ohio_n_virginia = false # true
50 | ohio_canada_east = false # true
51 | ohio_oregon = false # true
52 | ohio_n_california = false # true
53 | oregon_n_california = false # true
54 | oregon_canada_east = false # true
55 | oregon_n_virginia = false # true
56 | oregon_n_sao_paulo = false # true
57 | oregon_n_london = false # true
58 | # n_california_canada_east = false # true
59 | n_california_n_virginia = false # true
60 | n_virginia_canada_east = false # true
61 | n_virginia_n_london = false # true
62 | n_virginia_sao_paulo = false # true
63 | london_n_ireland = false # true
64 | london_n_paris = false # true
65 | london_n_frankfurt = false # true
66 | london_n_milan = false # true
67 | london_n_stockholm = false # true
68 | ireland_n_paris = false # true
69 | ireland_n_frankfurt = false # true
70 | ireland_n_stockholm = false # true
71 | frankfurt_n_stockholm = false # true
72 | frankfurt_n_paris = false # true
73 | stockholm_n_paris = false # true
74 | mumbai_n_frankfurt = false # true
75 | mumbai_n_sao_paulo = false # true
76 | mumbai_n_tokyo = false # true
77 | mumbai_n_seoul = false # true
78 | mumbai_n_singapore = false # true
79 | mumbai_n_sydney = false # true
80 | singapore_n_sydney = false # true
81 | singapore_n_tokyo = false # true
82 | singapore_n_sao_paulo = false # true
83 | singapore_n_seoul = false # true
84 | sydney_n_seoul = false # true
85 | sydney_n_tokyo = false # true
86 | sydney_n_sao_paulo = false # true
87 | tokyo_n_seoul = false # true
88 | tokyo_n_sao_paulo = false # true
89 | paris_n_sao_paulo = false # true
90 | }
91 |
92 |
93 | # -----------------------------------------------------------------------------------------------------
94 | # OPTIONAL CONFIGURATIONS !!!!!!!
95 | # -----------------------------------------------------------------------------------------------------
96 |
97 | dns_support = {
98 | hq = "disable"
99 | ohio = "disable"
100 | n_virginia = "disable"
101 | oregon = "disable"
102 | n_california = "disable"
103 | canada_east = "disable"
104 | ireland = "disable"
105 | london = "disable"
106 | stockholm = "disable"
107 | frankfurt = "disable"
108 | paris = "disable"
109 | tokyo = "disable"
110 | seoul = "disable"
111 | sydney = "disable"
112 | mumbai = "disable"
113 | singapore = "disable"
114 | sao_paulo = "disable"
115 | }
116 |
117 |
118 | #-----------------------------------------------------------------------------------------------------
119 | # AWS Transit Gateway | ---> Create Network Manager
120 | #-----------------------------------------------------------------------------------------------------
121 | # This variable tells the solution whether an AWS Network Manager exists (true) or not (false).
122 | #-----------------------------------------------------------------------------------------------------
123 | network_manager_deployment = true
124 |
125 | #-----------------------------------------------------------------------------------------------------
126 | # This variable holds the name of the AWS Network Manager.
127 | #-----------------------------------------------------------------------------------------------------
128 | network_manager_name = "transit-gateway-network-manager-stack"
129 |
130 | # ----------------------------------------------------------------------------------------------------
131 | # Please update this variable if you have an AWS Network Manager deployed.
132 | # The full AWS ARN is required for your AWS Network Manager.
133 | # ----------------------------------------------------------------------------------------------------
134 | network_manager_id = "" # "your-global-network-id-here"
135 |
136 | # ----------------------------------------------------------------------------------------------------
137 | # TRANSIT GATEWAY ROUTE TABLE & ROUTING CONFIGURATIONS
138 | # ----------------------------------------------------------------------------------------------------
139 |
140 | #-----------------------------------------------------------------------------------------------------------------------
141 | # AWS Transit Gateway | ---> Creates AWS Transit Gateway route tables that are needed by the network deployer solution
142 | #-----------------------------------------------------------------------------------------------------------------------
143 | enable_integration_with_network_deployer_solution = {
144 | ohio = true
145 | n_virginia = false
146 | oregon = false
147 | n_california = false
148 | canada_east = false
149 | ireland = false
150 | london = false
151 | stockholm = false
152 | frankfurt = false
153 | paris = false
154 | tokyo = false
155 | seoul = false
156 | sydney = false
157 | mumbai = false
158 | singapore = false
159 | sao_paulo = false
160 | }
161 |
162 |
163 | # -----------------------------------------------------------------------------------------------------
164 | # Whether resource attachments automatically propagate routes to the transit gateway's default propagation route table, per region (enable | disable).
165 | # -----------------------------------------------------------------------------------------------------
166 | default_route_table_propagation = {
167 | hq = "disable"
168 | ohio = "disable"
169 | n_virginia = "disable"
170 | oregon = "disable"
171 | n_california = "disable"
172 | canada_east = "disable"
173 | ireland = "disable"
174 | london = "disable"
175 | stockholm = "disable"
176 | frankfurt = "disable"
177 | paris = "disable"
178 | tokyo = "disable"
179 | seoul = "disable"
180 | sydney = "disable"
181 | mumbai = "disable"
182 | singapore = "disable"
183 | sao_paulo = "disable"
184 | }
185 |
186 | # -----------------------------------------------------------------------------------------------------
187 | # Whether resource attachments are automatically associated with the default association route table. Valid values are enable | disable.
188 | # -----------------------------------------------------------------------------------------------------
189 | default_route_table_association = {
190 | hq = "disable"
191 | ohio = "disable"
192 | n_virginia = "disable"
193 | oregon = "disable"
194 | n_california = "disable"
195 | canada_east = "disable"
196 | ireland = "disable"
197 | london = "disable"
198 | stockholm = "disable"
199 | frankfurt = "disable"
200 | paris = "disable"
201 | tokyo = "disable"
202 | seoul = "disable"
203 | sydney = "disable"
204 | mumbai = "disable"
205 | singapore = "disable"
206 | sao_paulo = "disable"
207 | }
208 |
209 | # -----------------------------------------------------------------------------------------------------
210 | # Whether VPN Equal Cost Multipath (ECMP) support is enabled on the transit gateway. Valid values are enable | disable.
211 | # -----------------------------------------------------------------------------------------------------
212 | vpn_ecmp_support = {
213 | hq = "enable"
214 | ohio = "enable"
215 | n_virginia = "enable"
216 | oregon = "enable"
217 | n_california = "enable"
218 | canada_east = "enable"
219 | ireland = "enable"
220 | london = "enable"
221 | stockholm = "enable"
222 | frankfurt = "enable"
223 | paris = "enable"
224 | tokyo = "enable"
225 | seoul = "enable"
226 | sydney = "enable"
227 | mumbai = "enable"
228 | singapore = "enable"
229 | sao_paulo = "enable"
230 | }
231 |
232 | #-----------------------------------------------------------------------------------------------------
233 | # AWS Transit Gateway | ---> Manages VPN Attachment Association.
234 | # True results in only the packet inspection table being populated with routes.
235 | # False results in on-premises routes being added to the dev, uat, prod, shared services, and packet inspection transit gateway route tables.
236 | #-----------------------------------------------------------------------------------------------------
237 | centralized_packet_inspection_enabled = {
238 | ohio = false
239 | n_virginia = false
240 | oregon = false
241 | n_california = false
242 | canada_east = false
243 | ireland = false
244 | london = false
245 | stockholm = false
246 | frankfurt = false
247 | paris = false
248 | tokyo = false
249 | seoul = false
250 | sydney = false
251 | mumbai = false
252 | singapore = false
253 | sao_paulo = false
254 | }
255 |
256 |
257 |
258 | # -----------------------------------------------------------------------------------------------------
259 | # TRANSIT GATEWAY VPN ATTACHMENT | AWS SITE TO SITE VPN CONFIGURATION
260 | # -----------------------------------------------------------------------------------------------------
261 |
262 | #-----------------------------------------------------------------------------------------------------
263 | # This map tells the solution whether to create an AWS Site-to-Site VPN and in which regions.
264 | # Set true for each region in which you would like to deploy one.
265 | #-----------------------------------------------------------------------------------------------------
266 | create_site_to_site_vpn = {
267 | ohio = true
268 | n_virginia = false
269 | oregon = false
270 | n_california = false
271 | canada_east = false
272 | ireland = false
273 | london = true
274 | stockholm = false
275 | frankfurt = false
276 | paris = false
277 | tokyo = false
278 | seoul = false
279 | sydney = false
280 | mumbai = false
281 | singapore = false
282 | sao_paulo = false
283 | }
284 |
285 |
286 | # -----------------------------------------------------------------------------------------------------
287 | # BGP Autonomous System Number (ASN) of the on-premises customer gateway device, per region.
288 | # -----------------------------------------------------------------------------------------------------
289 | remote_site_asn = {
290 | hq = 65000
291 | ohio = 65000
292 | n_virginia = 65000
293 | oregon = 65000
294 | n_california = 65000
295 | canada_east = 65000
296 | ireland = 65000
297 | london = 65000
298 | stockholm = 65000
299 | frankfurt = 65000
300 | paris = 65000
301 | tokyo = 65000
302 | seoul = 65000
303 | sydney = 65000
304 | mumbai = 65000
305 | singapore = 65000
306 | sao-paulo = 65000
307 | }
308 |
309 | # -----------------------------------------------------------------------------------------------------
310 | # Internet-routable public IP address of the on-premises customer gateway device, per region.
311 | # -----------------------------------------------------------------------------------------------------
312 | remote_site_public_ip = {
313 | hq = "127.0.0.1"
314 | ohio = "50.0.0.1"
315 | n_virginia = "127.0.0.1"
316 | oregon = "127.0.0.1"
317 | n_california = "127.0.0.1"
318 | canada_east = "127.0.0.1"
319 | ireland = "127.0.0.1"
320 | london = "51.0.0.1"
321 | stockholm = "127.0.0.1"
322 | frankfurt = "127.0.0.1"
323 | paris = "127.0.0.1"
324 | tokyo = "127.0.0.1"
325 | seoul = "127.0.0.1"
326 | sydney = "127.0.0.1"
327 | mumbai = "127.0.0.1"
328 | singapore = "127.0.0.1"
329 | sao-paulo = "127.0.0.1"
330 | }
331 |
332 | # -----------------------------------------------------------------------------------------------------
333 | # Number of AWS Site-to-Site VPN connections to create in each region.
334 | # -----------------------------------------------------------------------------------------------------
335 | how_many_vpn_connections = {
336 | hq = 0
337 | ohio = 0
338 | n_virginia = 0
339 | oregon = 0
340 | n_california = 0
341 | canada_east = 0
342 | ireland = 0
343 | london = 0
344 | stockholm = 0
345 | frankfurt = 0
346 | paris = 0
347 | tokyo = 0
348 | seoul = 0
349 | sydney = 0
350 | mumbai = 0
351 | singapore = 0
352 | sao-paulo = 0
353 | }
354 |
355 |
356 |
357 |
358 |
359 | # -----------------------------------------------------------------------------------------------------
360 | # Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
361 | # -----------------------------------------------------------------------------------------------------
362 | enable_acceleration = {
363 | ohio = false
364 | n_virginia = false
365 | oregon = false
366 | n_california = false
367 | canada_east = false
368 | ireland = false
369 | london = false
370 | stockholm = false
371 | frankfurt = false
372 | paris = false
373 | tokyo = false
374 | seoul = false
375 | sydney = false
376 | mumbai = false
377 | singapore = false
378 | sao_paulo = false
379 | }
380 |
381 |
382 | # ---------------------------------------------------------------------------------------------------------
383 | # ADVANCE IPSEC TUNNEL CONFIGURATIONS | ADD YOUR CUSTOM TUNNEL & ENCRYPTION CONFIGURATION BELOW (OPTIONAL)
384 | # ---------------------------------------------------------------------------------------------------------
385 |
386 |
387 | # -----------------------------------------------------------------------------------------------------
388 | # Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6.
389 | # ipv6 is supported only with EC2 Transit Gateway.
390 | # -----------------------------------------------------------------------------------------------------
391 | tunnel_inside_ip_version = "ipv4"
392 |
393 |
394 | # -----------------------------------------------------------------------------------------------------
395 | # Inside tunnel CIDR blocks for the VPN tunnels in each region. Leave the list empty to let AWS assign them.
396 | # -----------------------------------------------------------------------------------------------------
397 | tunnel_inside_cidrs = {
398 | ohio = []
399 | n_virginia = []
400 | oregon = []
401 | n_california = []
402 | canada_east = []
403 | ireland = []
404 | london = []
405 | stockholm = []
406 | frankfurt = []
407 | paris = []
408 | tokyo = []
409 | seoul = []
410 | sydney = []
411 | mumbai = []
412 | singapore = []
413 | sao-paulo = []
414 | }
415 |
416 |
417 | # -----------------------------------------------------------------------------------------------------
418 | # The preshared key of the first VPN tunnel.
419 | # The preshared key must be between 8 and 64 characters in length and cannot start with zero(0).
420 | # Allowed characters are alphanumeric characters, periods(.) and underscores(_).
421 | # -----------------------------------------------------------------------------------------------------
422 | tunnel1_preshared_key = {
423 | ohio = ""
424 | n_virginia = ""
425 | oregon = ""
426 | n_california = ""
427 | canada_east = ""
428 | ireland = ""
429 | london = ""
430 | stockholm = ""
431 | frankfurt = ""
432 | paris = ""
433 | tokyo = ""
434 | seoul = ""
435 | sydney = ""
436 | mumbai = ""
437 | singapore = ""
438 | sao-paulo = ""
439 | }
440 |
441 |
442 | # -----------------------------------------------------------------------------------------------------
443 | # The preshared key of the second VPN tunnel.
444 | # The preshared key must be between 8 and 64 characters in length and cannot start with zero(0).
445 | # Allowed characters are alphanumeric characters, periods(.) and underscores(_).
446 | # -----------------------------------------------------------------------------------------------------
447 | tunnel2_preshared_key = {
448 | ohio = ""
449 | n_virginia = ""
450 | oregon = ""
451 | n_california = ""
452 | canada_east = ""
453 | ireland = ""
454 | london = ""
455 | stockholm = ""
456 | frankfurt = ""
457 | paris = ""
458 | tokyo = ""
459 | seoul = ""
460 | sydney = ""
461 | mumbai = ""
462 | singapore = ""
463 | sao-paulo = ""
464 | }
465 |
466 | # -----------------------------------------------------------------------------------------------------
467 | # The action to take after DPD timeout occurs for the first VPN tunnel.
468 | # Specify restart to restart the IKE initiation.
469 | # Specify clear to end the IKE session. Valid values are clear | none | restart.
470 | # -----------------------------------------------------------------------------------------------------
471 | tunnel1_dpd_timeout_action = "clear"
472 |
473 |
474 | # -----------------------------------------------------------------------------------------------------
475 | # The action to take after DPD timeout occurs for the second VPN tunnel.
476 | # Specify restart to restart the IKE initiation. Specify clear to end the IKE session.
477 | # Valid values are clear | none | restart.
478 | # -----------------------------------------------------------------------------------------------------
479 | tunnel2_dpd_timeout_action = "clear"
480 |
481 |
482 | # -----------------------------------------------------------------------------------------------------
483 | # The number of seconds after which a DPD timeout occurs for the first VPN tunnel.
484 | # Valid value is 30 or higher.
485 | # -----------------------------------------------------------------------------------------------------
486 | tunnel1_dpd_timeout_seconds = 30
487 |
488 |
489 | # The number of seconds after which a DPD timeout occurs for the second VPN tunnel.
490 | # Valid value is 30 or higher.
491 | # -----------------------------------------------------------------------------------------------------
492 | tunnel2_dpd_timeout_seconds = 30
493 |
494 |
495 | # The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
496 | # -----------------------------------------------------------------------------------------------------
497 | tunnel1_ike_versions = ["ikev1","ikev2"]
498 |
499 |
500 | # The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
501 | tunnel2_ike_versions = ["ikev1","ikev2"]
502 |
503 |
504 |
505 | # List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
506 | # Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
507 | # -----------------------------------------------------------------------------------------------------
508 | tunnel1_phase1_dh_group_numbers = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
509 |
510 |
511 |
512 | # List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
513 | # Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
514 | # -----------------------------------------------------------------------------------------------------
515 | tunnel2_phase1_dh_group_numbers = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
516 |
517 |
518 |
519 | # List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
520 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
521 | # -----------------------------------------------------------------------------------------------------
522 | tunnel1_phase1_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
523 |
524 |
525 |
526 | # List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
527 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
528 | # -----------------------------------------------------------------------------------------------------
529 | tunnel2_phase1_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
530 |
531 |
532 | # One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
533 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
534 | # -----------------------------------------------------------------------------------------------------
535 | tunnel1_phase1_integrity_algorithms = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
536 |
537 |
538 | # One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
539 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
540 | # -----------------------------------------------------------------------------------------------------
541 | tunnel2_phase1_integrity_algorithms = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
542 |
543 |
544 |
545 | # The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds.
546 | # Valid value is between 900 and 28800.
547 | # -----------------------------------------------------------------------------------------------------
548 | tunnel1_phase1_lifetime_seconds = 28800
549 |
550 |
551 | # The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds.
552 | # Valid value is between 900 and 28800.
553 | # -----------------------------------------------------------------------------------------------------
554 | tunnel2_phase1_lifetime_seconds = 28800
555 |
556 |
557 |
558 | # List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
559 | # Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
560 | # -----------------------------------------------------------------------------------------------------
561 | tunnel1_phase2_dh_group_numbers = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
562 |
563 |
564 | # List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations.
565 | # Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
566 | # -----------------------------------------------------------------------------------------------------
567 | tunnel2_phase2_dh_group_numbers = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
568 |
569 |
570 | # List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
571 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
572 | # -----------------------------------------------------------------------------------------------------
573 | tunnel1_phase2_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
574 |
575 |
576 | # List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations.
577 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
578 | # -----------------------------------------------------------------------------------------------------
579 | tunnel2_phase2_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
580 |
581 |
582 | # List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
583 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
584 | # -----------------------------------------------------------------------------------------------------
585 | tunnel1_phase2_integrity_algorithms = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
586 |
587 |
588 | # List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations.
589 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
590 | # -----------------------------------------------------------------------------------------------------
591 | tunnel2_phase2_integrity_algorithms = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
592 |
593 |
594 | # The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds.
595 | # Valid value is between 900 and 3600.
596 | # -----------------------------------------------------------------------------------------------------
597 | tunnel1_phase2_lifetime_seconds = 3600
598 |
599 |
600 | # The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds.
601 | # Valid value is between 900 and 3600.
602 | # -----------------------------------------------------------------------------------------------------
603 | tunnel2_phase2_lifetime_seconds = 3600
604 |
605 |
606 |
607 | # The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds)
608 | # during which the rekey time is randomly selected. Valid value is between 0 and 100.
609 | # -----------------------------------------------------------------------------------------------------
610 | tunnel1_rekey_fuzz_percentage = 100
611 |
612 |
613 | # The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds)
614 | # during which the rekey time is randomly selected. Valid value is between 0 and 100.
615 | # -----------------------------------------------------------------------------------------------------
616 | tunnel2_rekey_fuzz_percentage = 100
617 |
618 |
619 | # The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey.
620 | # The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
621 | # -----------------------------------------------------------------------------------------------------
622 | tunnel1_rekey_margin_time_seconds = 540
623 |
624 |
625 | # The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey.
626 | # The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
627 | # -----------------------------------------------------------------------------------------------------
628 | tunnel2_rekey_margin_time_seconds = 540
629 |
630 |
631 | # The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
632 | # -----------------------------------------------------------------------------------------------------
633 | tunnel1_replay_window_size = 1024
634 |
635 |
636 | # The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
637 | tunnel2_replay_window_size = 1024
638 |
639 |
640 |
641 | # The action to take when establishing the tunnel for the first VPN connection.
642 | # By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel.
643 | # Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
644 | # -----------------------------------------------------------------------------------------------------
645 | tunnel1_startup_action = "add"
646 |
647 |
648 | # The action to take when establishing the tunnel for the second VPN connection.
649 | # By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel.
650 | # Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
651 | # -----------------------------------------------------------------------------------------------------
652 | tunnel2_startup_action = "add"
653 |
654 |
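The tunnel options above (preshared-key rules, IKE version and DH group lists, encryption and integrity algorithms, lifetimes, rekey margin and fuzz, replay window and DPD) carry constraints that are easy to break when the tfvars are edited by hand. The Python validator below is an added example, not part of this repository: it encodes those documented constraints, checks the tunnel1_* values from the tfvars above for one region, and warns about legacy options (ikev1, DH groups 2 and 5, SHA1) that the defaults still offer. The preshared key and the broken variant are constructed, and an empty key is assumed to mean the module omits the argument so that AWS generates one.

```python
import re

# Value sets and ranges as documented in the terraform.tfvars comments above.
IKE_VERSIONS = {"ikev1", "ikev2"}
PHASE1_DH_GROUPS = {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24}
PHASE2_DH_GROUPS = PHASE1_DH_GROUPS | {5}
ENCRYPTION_ALGS = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
INTEGRITY_ALGS = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
LIST_OPTIONS = {
    "ike_versions": IKE_VERSIONS,
    "phase1_dh_group_numbers": PHASE1_DH_GROUPS, "phase2_dh_group_numbers": PHASE2_DH_GROUPS,
    "phase1_encryption_algorithms": ENCRYPTION_ALGS, "phase2_encryption_algorithms": ENCRYPTION_ALGS,
    "phase1_integrity_algorithms": INTEGRITY_ALGS, "phase2_integrity_algorithms": INTEGRITY_ALGS,
}
RANGES = {"phase1_lifetime_seconds": (900, 28800), "phase2_lifetime_seconds": (900, 3600),
          "rekey_fuzz_percentage": (0, 100), "replay_window_size": (64, 2048)}
CHOICES = {"dpd_timeout_action": {"clear", "none", "restart"}, "startup_action": {"add", "start"}}
# Preshared key: 8-64 alphanumerics, '.' or '_'; the first character must not be '0'.
PSK_RE = re.compile(r"[1-9A-Za-z._][A-Za-z0-9._]{7,63}")
# Accepted by the service, but legacy choices a reviewer would ask to drop from the proposal lists.
LEGACY = {"ike_versions": {"ikev1"}, "phase1_dh_group_numbers": {2, 5}, "phase2_dh_group_numbers": {2, 5},
          "phase1_integrity_algorithms": {"SHA1"}, "phase2_integrity_algorithms": {"SHA1"}}


def check_preshared_key(psk):
    """Return an error string, or None if the key is acceptable. An empty key is accepted on
    the assumption that the module then omits the argument and lets AWS generate one."""
    if psk and not PSK_RE.fullmatch(psk):
        return "preshared_key: must be 8-64 alphanumeric, '.' or '_' characters and not start with 0"
    return None


def validate_tunnel(tfvars, n, region):
    """Validate the tunnel{n}_* variables for one region. Returns (errors, warnings): errors
    break a documented constraint, warnings flag legacy algorithms that are still offered."""
    errors, warnings = [], []

    def opt(name):
        return tfvars[f"tunnel{n}_{name}"]

    err = check_preshared_key(opt("preshared_key").get(region, ""))
    if err:
        errors.append(err)
    for name, allowed in LIST_OPTIONS.items():
        values = set(opt(name))
        if not values:
            errors.append(f"{name}: at least one value is required")
        if values - allowed:
            errors.append(f"{name}: unsupported value(s) {sorted(values - allowed, key=str)}")
        legacy = sorted(values & LEGACY.get(name, set()), key=str)
        if legacy:
            warnings.append(f"{name}: legacy option(s) {legacy} are still offered")
    # The rekey margin must be at least 60 s and at most half of the phase 2 lifetime; DPD >= 30 s.
    ranges = dict(RANGES, rekey_margin_time_seconds=(60, opt("phase2_lifetime_seconds") // 2),
                  dpd_timeout_seconds=(30, float("inf")))
    for name, (lo, hi) in ranges.items():
        if not lo <= opt(name) <= hi:
            errors.append(f"{name}: {opt(name)} is outside [{lo}, {hi}]")
    for name, allowed in CHOICES.items():
        if opt(name) not in allowed:
            errors.append(f"{name}: {opt(name)!r} not in {sorted(allowed)}")
    return errors, warnings


# tunnel1_* values copied from the terraform.tfvars above; the ohio key is a constructed placeholder.
TFVARS_TUNNEL1 = {
    "tunnel1_preshared_key": {"ohio": "Ohio.key_constructed_for_example", "london": ""},
    "tunnel1_ike_versions": ["ikev1", "ikev2"],
    "tunnel1_phase1_dh_group_numbers": [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24],
    "tunnel1_phase1_encryption_algorithms": ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"],
    "tunnel1_phase1_integrity_algorithms": ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"],
    "tunnel1_phase1_lifetime_seconds": 28800,
    "tunnel1_phase2_dh_group_numbers": [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24],
    "tunnel1_phase2_encryption_algorithms": ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"],
    "tunnel1_phase2_integrity_algorithms": ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"],
    "tunnel1_phase2_lifetime_seconds": 3600,
    "tunnel1_rekey_margin_time_seconds": 540,
    "tunnel1_rekey_fuzz_percentage": 100,
    "tunnel1_replay_window_size": 1024,
    "tunnel1_dpd_timeout_seconds": 30,
    "tunnel1_dpd_timeout_action": "clear",
    "tunnel1_startup_action": "add",
}
# The same tunnel with the legacy options removed: IKEv2 only, no DH group 2, no SHA1.
HARDENED_TUNNEL1 = dict(
    TFVARS_TUNNEL1,
    tunnel1_ike_versions=["ikev2"],
    tunnel1_phase1_dh_group_numbers=[14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24],
    tunnel1_phase2_dh_group_numbers=[14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24],
    tunnel1_phase1_integrity_algorithms=["SHA2-256", "SHA2-384", "SHA2-512"],
    tunnel1_phase2_integrity_algorithms=["SHA2-256", "SHA2-384", "SHA2-512"],
)
# Constructed misconfiguration: margin above half the phase 2 lifetime, replay window and DPD too small.
BROKEN_TUNNEL1 = dict(HARDENED_TUNNEL1, tunnel1_rekey_margin_time_seconds=2000,
                      tunnel1_replay_window_size=32, tunnel1_dpd_timeout_seconds=10)

if __name__ == "__main__":
    for label, cfg in (("tfvars", TFVARS_TUNNEL1), ("hardened", HARDENED_TUNNEL1), ("broken", BROKEN_TUNNEL1)):
        errors, warnings = validate_tunnel(cfg, 1, "ohio")
        print(f"{label}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for line in errors + warnings:
            print("  -", line)
```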
655 | #-----------------------------------------------------------------------------------------------------
656 | # TAGS | -------> Exposes a uniform system of tagging.
657 | #-----------------------------------------------------------------------------------------------------
658 | # Variables that make up the AWS Tags assigned to the VPC on creation.
659 | # ----------------------------------------------------------------------------------------------------
660 | Application_ID = "transit-gateway-builder-v0" # do not change this value
661 | Application_Name = "aws-fsf-transit-gateway-builder" # do not change this value
662 | Business_Unit = "YourBusinessUnitName"
663 | Environment_Type = "PRODUCTION" # do not change this value
664 | Supported_Networks = "Spoke_VPCs_Under_This_Organization" # do not change this value
665 | CostCenterCode = "YourCostCenterCode"
666 | CreatedBy = "YourName"
667 | Manager = "YourManagerName"
668 |
669 |
670 |
--------------------------------------------------------------------------------
/lambda_function.py:
--------------------------------------------------------------------------------
1 | import logging
2 | import os
3 | 
4 | import boto3
5 | from botocore.exceptions import ClientError
6 | 
7 | logger = logging.getLogger()
8 | logger.setLevel(logging.INFO)
9 | 
10 | # The Network Manager API only accepts requests sent to us-west-2. See:
11 | # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/networkmanager.html#NetworkManager.Client.register_transit_gateway
12 | region = 'us-west-2'
13 | 
14 | 
15 | def lambda_handler(event, context):
16 |     nm_client = boto3.client('networkmanager', region_name=region)
17 | 
18 |     # Get the Global Network ID from the function's environment variable.
19 |     globalnetwork_id = os.environ.get('GlobalNetworkId')
20 |     if not globalnetwork_id:
21 |         raise ValueError("GlobalNetworkId environment variable is not set")
22 | 
23 |     # Get the Transit Gateway ARN from the invocation event.
24 |     tgw_arn = event['tgw_arn']
25 |     logger.info("Registering %s with global network %s", tgw_arn, globalnetwork_id)
26 | 
27 |     try:
28 |         response = nm_client.register_transit_gateway(
29 |             GlobalNetworkId=globalnetwork_id,
30 |             TransitGatewayArn=tgw_arn
31 |         )
32 |     except ClientError as err:
33 |         # Expected during terraform destroy, when the function is triggered again for a TGW that is
34 |         # already registered or is being registered/deregistered. Log the service error so the
35 |         # failure is visible in CloudWatch instead of being silently swallowed.
36 |         logger.warning("Registration failed for %s: %s", tgw_arn,
37 |                        err.response.get('Error', {}).get('Message', str(err)))
38 |         response = {"errorMessage": tgw_arn + " has already been registered or is in the process of being registered/deregistered."}
39 |     return response
40 | 
--------------------------------------------------------------------------------
/lambda_function.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-ia/terraform-aws-globalnetwork/7711628cb11375ebc094481053d4ee13f57989a2/lambda_function.zip
--------------------------------------------------------------------------------
/network-manager-cloudformation-template/aws-fsf-network-manager-cloudformation-template.json:
--------------------------------------------------------------------------------
1 | {
2 | "Resources" : {
3 | "myGlobalNetwork": {
4 | "Type": "AWS::NetworkManager::GlobalNetwork",
5 | "Properties": {
6 | "Description": "Global Network",
7 | "Tags": [{
8 | "Key": "Name",
9 | "Value": "aws-fsf-global-network"
10 | }]
11 | }
12 | }
13 | },
14 | "Outputs" : {
15 | "GlobalNetworkId" : {
16 | "Description" : "Global Network ID",
17 | "Value" : { "Fn::GetAtt" : [ "myGlobalNetwork", "Id" ]}
18 | }
19 | }
20 | }
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | # -----------------------------------------------------------------------------------------------------
2 | # Account Number
3 | # -----------------------------------------------------------------------------------------------------
4 | output "transit_gateway_owner_id" {
5 | value = data.aws_caller_identity.first.account_id
6 |
7 | }
8 |
9 | # -----------------------------------------------------------------------------------------------------
10 | # AWS Transit Gateway ID per AWS Region
11 | # -----------------------------------------------------------------------------------------------------
12 |
13 | output "n_virginia_transit_gateway_id"{
14 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_virginia.*.transit_gateway_id, [null])[0]
15 |
16 | }
17 |
18 | output "ohio_transit_gateway_id"{
19 | value = concat(module.terraform-aws-fsf-tgw-deployment-ohio.*.transit_gateway_id, [null])[0]
20 | }
21 |
22 | output "canada_montreal_transit_gateway_id"{
23 | value = concat(module.terraform-aws-fsf-tgw-deployment-canada-montreal.*.transit_gateway_id, [null])[0]
24 | }
25 |
26 | output "source_transit_gateway_id"{
27 | value = concat(module.terraform-aws-fsf-tgw-deployment-ohio.*.transit_gateway_id, [null])[0]
28 | }
29 |
30 | output "oregon_transit_gateway_id"{
31 | value = concat(module.terraform-aws-fsf-tgw-deployment-oregon.*.transit_gateway_id, [null])[0]
32 | }
33 |
34 | output "n_california_transit_gateway_id"{
35 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_california.*.transit_gateway_id, [null])[0]
36 | }
37 |
38 | output "paris_transit_gateway_id"{
39 | value = concat(module.terraform-aws-fsf-tgw-deployment-paris.*.transit_gateway_id, [null])[0]
40 | }
41 |
42 | output "ireland_transit_gateway_id"{
43 | value = concat(module.terraform-aws-fsf-tgw-deployment-ireland.*.transit_gateway_id, [null])[0]
44 | }
45 |
46 | output "london_transit_gateway_id"{
47 | value = concat(module.terraform-aws-fsf-tgw-deployment-london.*.transit_gateway_id, [null])[0]
48 | }
49 |
50 | output "frankfurt_transit_gateway_id"{
51 | value = concat(module.terraform-aws-fsf-tgw-deployment-frankfurt.*.transit_gateway_id, [null])[0]
52 | }
53 |
54 | output "stockholm_transit_gateway_id"{
55 | value = concat(module.terraform-aws-fsf-tgw-deployment-stockholm.*.transit_gateway_id, [null])[0]
56 | }
57 |
58 | output "tokyo_transit_gateway_id"{
59 | value = concat(module.terraform-aws-fsf-tgw-deployment-tokyo.*.transit_gateway_id, [null])[0]
60 | }
61 |
62 | output "singapore_transit_gateway_id"{
63 | value = concat(module.terraform-aws-fsf-tgw-deployment-singapore.*.transit_gateway_id, [null])[0]
64 | }
65 |
66 | output "seoul_transit_gateway_id"{
67 | value = concat(module.terraform-aws-fsf-tgw-deployment-seoul.*.transit_gateway_id, [null])[0]
68 | }
69 |
70 | output "sydney_transit_gateway_id"{
71 | value = concat(module.terraform-aws-fsf-tgw-deployment-sydney.*.transit_gateway_id, [null])[0]
72 | }
73 |
74 | output "mumbai_transit_gateway_id"{
75 | value = concat(module.terraform-aws-fsf-tgw-deployment-mumbai.*.transit_gateway_id, [null])[0]
76 | }
77 |
78 | output "sao_paulo_transit_gateway_id"{
79 | value = concat(module.terraform-aws-fsf-tgw-deployment-sao-paulo.*.transit_gateway_id, [null])[0]
80 | }
81 |
82 | # -----------------------------------------------------------------------------------------------------
83 | # AWS Route Table ID per AWS Region
84 | # -----------------------------------------------------------------------------------------------------
85 |
86 | # AWS Northern Virginia Region
87 | # -----------------------------------------------------------------------------------------------------
88 | output "n_virginia_tgw_shared_services_route_table_id" {
89 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_virginia.*.shared_services_route_table_id, [null])[0]
90 | }
91 |
92 | output "n_virginia_tgw_north_south_route_table_id" {
93 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_virginia.*.north_south_route_table_id, [null])[0]
94 | }
95 |
96 | output "n_virginia_tgw_packet_inspection_route_table_id" {
97 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_virginia.*.packet_inspection_route_table_id, [null])[0]
98 | }
99 |
100 | output "n_virginia_tgw_development_route_table_id" {
101 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_virginia.*.development_route_table_id, [null])[0]
102 | }
103 |
104 | output "n_virginia_tgw_production_route_table_id" {
105 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_virginia.*.production_route_table_id, [null])[0]
106 | }
107 |
108 | output "n_virginia_tgw_uat_route_table_id" {
109 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_virginia.*.uat_route_table_id, [null])[0]
110 | }
111 |
112 |
113 | # AWS Ohio Region
114 | # -----------------------------------------------------------------------------------------------------
115 | output "ohio_tgw_shared_services_route_table_id" {
116 | value = concat(module.terraform-aws-fsf-tgw-deployment-ohio.*.shared_services_route_table_id, [null])[0]
117 | }
118 |
119 | output "ohio_tgw_north_south_route_table_id" {
120 | value = concat(module.terraform-aws-fsf-tgw-deployment-ohio.*.north_south_route_table_id, [null])[0]
121 | }
122 |
123 | output "ohio_tgw_packet_inspection_route_table_id" {
124 | value = concat(module.terraform-aws-fsf-tgw-deployment-ohio.*.packet_inspection_route_table_id, [null])[0]
125 | }
126 |
127 | output "ohio_tgw_development_route_table_id" {
128 | value = concat(module.terraform-aws-fsf-tgw-deployment-ohio.*.development_route_table_id, [null])[0]
129 | }
130 |
131 | output "ohio_tgw_production_route_table_id" {
132 | value = concat(module.terraform-aws-fsf-tgw-deployment-ohio.*.production_route_table_id, [null])[0]
133 | }
134 |
135 | output "ohio_tgw_uat_route_table_id" {
136 | value = concat(module.terraform-aws-fsf-tgw-deployment-ohio.*.uat_route_table_id, [null])[0]
137 | }
138 |
139 | # AWS Canada-Montreal Region
140 | # -----------------------------------------------------------------------------------------------------
141 | output "canada-montreal_tgw_shared_services_route_table_id" {
142 | value = concat(module.terraform-aws-fsf-tgw-deployment-canada-montreal.*.shared_services_route_table_id, [null])[0]
143 | }
144 |
145 | output "canada-montreal_tgw_north_south_route_table_id" {
146 | value = concat(module.terraform-aws-fsf-tgw-deployment-canada-montreal.*.north_south_route_table_id, [null])[0]
147 | }
148 |
149 | output "canada-montreal_tgw_packet_inspection_route_table_id" {
150 | value = concat(module.terraform-aws-fsf-tgw-deployment-canada-montreal.*.packet_inspection_route_table_id, [null])[0]
151 | }
152 |
153 | output "canada-montreal_tgw_development_route_table_id" {
154 | value = concat(module.terraform-aws-fsf-tgw-deployment-canada-montreal.*.development_route_table_id, [null])[0]
155 | }
156 |
157 | output "canada-montreal_tgw_production_route_table_id" {
158 | value = concat(module.terraform-aws-fsf-tgw-deployment-canada-montreal.*.production_route_table_id, [null])[0]
159 | }
160 |
161 | output "canada-montreal_tgw_uat_route_table_id" {
162 | value = concat(module.terraform-aws-fsf-tgw-deployment-canada-montreal.*.uat_route_table_id, [null])[0]
163 | }
164 |
165 |
166 | # AWS Northern California Region
167 | # -----------------------------------------------------------------------------------------------------
168 | output "n_california_tgw_shared_services_route_table_id" {
169 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_california.*.shared_services_route_table_id, [null])[0]
171 | }
172 |
173 | output "n_california_tgw_north_south_route_table_id" {
174 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_california.*.north_south_route_table_id, [null])[0]
175 | }
176 |
177 | output "n_california_tgw_packet_inspection_route_table_id" {
178 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_california.*.packet_inspection_route_table_id, [null])[0]
179 | }
180 |
181 | output "n_california_tgw_development_route_table_id" {
182 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_california.*.development_route_table_id, [null])[0]
183 | }
184 |
185 | output "n_california_tgw_production_route_table_id" {
186 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_california.*.production_route_table_id, [null])[0]
187 | }
188 |
189 | output "n_california_tgw_uat_route_table_id" {
190 | value = concat(module.terraform-aws-fsf-tgw-deployment-n_california.*.uat_route_table_id, [null])[0]
191 | }
192 |
193 | # AWS Oregon Region
194 | # -----------------------------------------------------------------------------------------------------
195 |
196 | output "oregon_tgw_shared_services_route_table_id" {
197 | value = concat(module.terraform-aws-fsf-tgw-deployment-oregon.*.shared_services_route_table_id, [null])[0]
199 | }
200 |
201 | output "oregon_tgw_north_south_route_table_id" {
202 | value = concat(module.terraform-aws-fsf-tgw-deployment-oregon.*.north_south_route_table_id, [null])[0]
203 | }
204 |
205 | output "oregon_tgw_packet_inspection_route_table_id" {
206 | value = concat(module.terraform-aws-fsf-tgw-deployment-oregon.*.packet_inspection_route_table_id, [null])[0]
207 | }
208 |
209 | output "oregon_tgw_development_route_table_id" {
210 | value = concat(module.terraform-aws-fsf-tgw-deployment-oregon.*.development_route_table_id, [null])[0]
211 | }
212 |
213 | output "oregon_tgw_production_route_table_id" {
214 | value = concat(module.terraform-aws-fsf-tgw-deployment-oregon.*.production_route_table_id, [null])[0]
215 | }
216 |
217 | output "oregon_tgw_uat_route_table_id" {
218 | value = concat(module.terraform-aws-fsf-tgw-deployment-oregon.*.uat_route_table_id, [null])[0]
219 | }
220 |
221 |
222 | # AWS Ireland Region
223 | # -----------------------------------------------------------------------------------------------------
224 |
225 | output "ireland_tgw_shared_services_route_table_id" {
226 | value = concat( module.terraform-aws-fsf-tgw-deployment-ireland.*.shared_services_route_table_id, [null])[0]
227 | }
228 |
229 | output "ireland_tgw_north_south_route_table_id" {
230 | value = concat(module.terraform-aws-fsf-tgw-deployment-ireland.*.north_south_route_table_id, [null])[0]
231 | }
232 |
233 | output "ireland_tgw_packet_inspection_route_table_id" {
234 | value = concat(module.terraform-aws-fsf-tgw-deployment-ireland.*.packet_inspection_route_table_id, [null])[0]
235 | }
236 |
237 | output "ireland_tgw_development_route_table_id" {
238 | value = concat(module.terraform-aws-fsf-tgw-deployment-ireland.*.development_route_table_id, [null])[0]
239 | }
240 |
241 | output "ireland_tgw_production_route_table_id" {
242 | value = concat(module.terraform-aws-fsf-tgw-deployment-ireland.*.production_route_table_id, [null])[0]
243 | }
244 |
245 | output "ireland_tgw_uat_route_table_id" {
246 | value = concat(module.terraform-aws-fsf-tgw-deployment-ireland.*.uat_route_table_id, [null])[0]
247 | }
248 |
249 | # AWS London Region
250 | # -----------------------------------------------------------------------------------------------------
251 | output "london_tgw_shared_services_route_table_id" {
252 | value = concat(module.terraform-aws-fsf-tgw-deployment-london.*.shared_services_route_table_id, [null])[0]
253 | }
254 |
255 | output "london_tgw_north_south_route_table_id" {
256 | value = concat(module.terraform-aws-fsf-tgw-deployment-london.*.north_south_route_table_id, [null])[0]
257 | }
258 |
259 | output "london_tgw_packet_inspection_route_table_id" {
260 | value = concat(module.terraform-aws-fsf-tgw-deployment-london.*.packet_inspection_route_table_id, [null])[0]
261 | }
262 |
263 | output "london_tgw_development_route_table_id" {
264 | value = concat(module.terraform-aws-fsf-tgw-deployment-london.*.development_route_table_id, [null])[0]
265 | }
266 |
267 | output "london_tgw_production_route_table_id" {
268 | value = concat(module.terraform-aws-fsf-tgw-deployment-london.*.production_route_table_id, [null])[0]
269 | }
270 |
271 | output "london_tgw_uat_route_table_id" {
272 | value = concat(module.terraform-aws-fsf-tgw-deployment-london.*.uat_route_table_id, [null])[0]
273 | }
274 |
275 | # AWS Frankfurt Region
276 | # -----------------------------------------------------------------------------------------------------
277 | output "frankfurt_tgw_shared_services_route_table_id" {
278 | value = concat(module.terraform-aws-fsf-tgw-deployment-frankfurt.*.shared_services_route_table_id, [null])[0]
279 | }
280 |
281 | output "frankfurt_tgw_north_south_route_table_id" {
282 | value = concat(module.terraform-aws-fsf-tgw-deployment-frankfurt.*.north_south_route_table_id, [null])[0]
283 | }
284 |
285 | output "frankfurt_tgw_packet_inspection_route_table_id" {
286 | value = concat(module.terraform-aws-fsf-tgw-deployment-frankfurt.*.packet_inspection_route_table_id, [null])[0]
287 | }
288 |
289 | output "frankfurt_tgw_development_route_table_id" {
290 | value = concat(module.terraform-aws-fsf-tgw-deployment-frankfurt.*.development_route_table_id, [null])[0]
291 | }
292 |
293 | output "frankfurt_tgw_production_route_table_id" {
294 | value = concat(module.terraform-aws-fsf-tgw-deployment-frankfurt.*.production_route_table_id, [null])[0]
295 | }
296 |
297 | output "frankfurt_tgw_uat_route_table_id" {
298 | value = concat(module.terraform-aws-fsf-tgw-deployment-frankfurt.*.uat_route_table_id, [null])[0]
299 | }
300 |
301 | # AWS Paris Region
302 | # -----------------------------------------------------------------------------------------------------
303 | output "paris_tgw_shared_services_route_table_id" {
304 | value = concat(module.terraform-aws-fsf-tgw-deployment-paris.*.shared_services_route_table_id, [null])[0]
305 | }
306 |
307 | output "paris_tgw_north_south_route_table_id" {
308 | value = concat(module.terraform-aws-fsf-tgw-deployment-paris.*.north_south_route_table_id, [null])[0]
309 | }
310 |
311 | output "paris_tgw_packet_inspection_route_table_id" {
312 | value = concat(module.terraform-aws-fsf-tgw-deployment-paris.*.packet_inspection_route_table_id, [null])[0]
313 | }
314 |
315 | output "paris_tgw_development_route_table_id" {
316 | value = concat(module.terraform-aws-fsf-tgw-deployment-paris.*.development_route_table_id, [null])[0]
317 | }
318 |
319 | output "paris_tgw_production_route_table_id" {
320 | value = concat(module.terraform-aws-fsf-tgw-deployment-paris.*.production_route_table_id, [null])[0]
321 | }
322 |
323 | output "paris_tgw_uat_route_table_id" {
324 | value = concat(module.terraform-aws-fsf-tgw-deployment-paris.*.uat_route_table_id, [null])[0]
325 | }
326 |
327 | # AWS Stockholm Region
328 | # -----------------------------------------------------------------------------------------------------
329 | output "stockholm_tgw_shared_services_route_table_id" {
330 | value = concat(module.terraform-aws-fsf-tgw-deployment-stockholm.*.shared_services_route_table_id, [null])[0]
331 | }
332 |
333 | output "stockholm_tgw_north_south_route_table_id" {
334 | value = concat(module.terraform-aws-fsf-tgw-deployment-stockholm.*.north_south_route_table_id, [null])[0]
335 | }
336 |
337 | output "stockholm_tgw_packet_inspection_route_table_id" {
338 | value = concat(module.terraform-aws-fsf-tgw-deployment-stockholm.*.packet_inspection_route_table_id, [null])[0]
339 | }
340 |
341 | output "stockholm_tgw_development_route_table_id" {
342 | value = concat(module.terraform-aws-fsf-tgw-deployment-stockholm.*.development_route_table_id, [null])[0]
343 | }
344 |
345 | output "stockholm_tgw_production_route_table_id" {
346 | value = concat(module.terraform-aws-fsf-tgw-deployment-stockholm.*.production_route_table_id, [null])[0]
347 | }
348 |
349 | output "stockholm_tgw_uat_route_table_id" {
350 | value = concat(module.terraform-aws-fsf-tgw-deployment-stockholm.*.uat_route_table_id, [null])[0]
351 | }
352 |
353 | # AWS SAO PAULO Region
354 | # -----------------------------------------------------------------------------------------------------
355 | output "sao-paulo_tgw_shared_services_route_table_id" {
356 | value = concat(module.terraform-aws-fsf-tgw-deployment-sao-paulo.*.shared_services_route_table_id, [null])[0]
357 | }
358 |
359 | output "sao-paulo_tgw_north_south_route_table_id" {
360 | value = concat(module.terraform-aws-fsf-tgw-deployment-sao-paulo.*.north_south_route_table_id, [null])[0]
361 | }
362 |
363 | output "sao-paulo_tgw_packet_inspection_route_table_id" {
364 | value = concat(module.terraform-aws-fsf-tgw-deployment-sao-paulo.*.packet_inspection_route_table_id, [null])[0]
365 | }
366 |
367 | output "sao-paulo_tgw_development_route_table_id" {
368 | value = concat(module.terraform-aws-fsf-tgw-deployment-sao-paulo.*.development_route_table_id, [null])[0]
369 | }
370 |
371 | output "sao-paulo_tgw_production_route_table_id" {
372 | value = concat(module.terraform-aws-fsf-tgw-deployment-sao-paulo.*.production_route_table_id, [null])[0]
373 | }
374 |
375 | output "sao-paulo_tgw_uat_route_table_id" {
376 | value = concat(module.terraform-aws-fsf-tgw-deployment-sao-paulo.*.uat_route_table_id, [null])[0]
377 | }
378 |
379 | # AWS Tokyo Region
380 | # -----------------------------------------------------------------------------------------------------
381 | output "tokyo_tgw_shared_services_route_table_id" {
382 | value = concat(module.terraform-aws-fsf-tgw-deployment-tokyo.*.shared_services_route_table_id, [null])[0]
383 | }
384 |
385 | output "tokyo_tgw_north_south_route_table_id" {
386 | value = concat(module.terraform-aws-fsf-tgw-deployment-tokyo.*.north_south_route_table_id, [null])[0]
387 | }
388 |
389 | output "tokyo_tgw_packet_inspection_route_table_id" {
390 | value = concat(module.terraform-aws-fsf-tgw-deployment-tokyo.*.packet_inspection_route_table_id, [null])[0]
391 | }
392 |
393 | output "tokyo_tgw_development_route_table_id" {
394 | value = concat(module.terraform-aws-fsf-tgw-deployment-tokyo.*.development_route_table_id, [null])[0]
395 | }
396 |
397 | output "tokyo_tgw_production_route_table_id" {
398 | value = concat(module.terraform-aws-fsf-tgw-deployment-tokyo.*.production_route_table_id, [null])[0]
399 | }
400 |
401 | output "tokyo_tgw_uat_route_table_id" {
402 | value = concat(module.terraform-aws-fsf-tgw-deployment-tokyo.*.uat_route_table_id, [null])[0]
403 | }
404 |
405 |
406 | # AWS Singapore Region
407 | # -----------------------------------------------------------------------------------------------------
408 | output "singapore_tgw_shared_services_route_table_id" {
409 | value = concat(module.terraform-aws-fsf-tgw-deployment-singapore.*.shared_services_route_table_id, [null])[0]
410 | }
411 |
412 | output "singapore_tgw_north_south_route_table_id" {
413 | value = concat(module.terraform-aws-fsf-tgw-deployment-singapore.*.north_south_route_table_id, [null])[0]
414 | }
415 |
416 | output "singapore_tgw_packet_inspection_route_table_id" {
417 | value = concat(module.terraform-aws-fsf-tgw-deployment-singapore.*.packet_inspection_route_table_id, [null])[0]
418 | }
419 |
420 | output "singapore_tgw_development_route_table_id" {
421 | value = concat(module.terraform-aws-fsf-tgw-deployment-singapore.*.development_route_table_id, [null])[0]
422 | }
423 |
424 | output "singapore_tgw_production_route_table_id" {
425 | value = concat(module.terraform-aws-fsf-tgw-deployment-singapore.*.production_route_table_id, [null])[0]
426 | }
427 |
428 | output "singapore_tgw_uat_route_table_id" {
429 | value = concat(module.terraform-aws-fsf-tgw-deployment-singapore.*.uat_route_table_id, [null])[0]
430 | }
431 |
432 |
433 |
434 | # AWS Sydney Region
435 | # -----------------------------------------------------------------------------------------------------
436 | output "sydney_tgw_shared_services_route_table_id" {
437 | value = concat(module.terraform-aws-fsf-tgw-deployment-sydney.*.shared_services_route_table_id, [null])[0]
438 | }
439 |
440 | output "sydney_tgw_north_south_route_table_id" {
441 | value = concat(module.terraform-aws-fsf-tgw-deployment-sydney.*.north_south_route_table_id, [null])[0]
442 | }
443 |
444 | output "sydney_tgw_packet_inspection_route_table_id" {
445 | value = concat(module.terraform-aws-fsf-tgw-deployment-sydney.*.packet_inspection_route_table_id, [null])[0]
446 | }
447 |
448 | output "sydney_tgw_development_route_table_id" {
449 | value = concat(module.terraform-aws-fsf-tgw-deployment-sydney.*.development_route_table_id, [null])[0]
450 | }
451 |
452 | output "sydney_tgw_production_route_table_id" {
453 | value = concat(module.terraform-aws-fsf-tgw-deployment-sydney.*.production_route_table_id, [null])[0]
454 | }
455 |
456 | output "sydney_tgw_uat_route_table_id" {
457 | value = concat(module.terraform-aws-fsf-tgw-deployment-sydney.*.uat_route_table_id, [null])[0]
458 | }
459 |
460 |
461 | # AWS Mumbai Region
462 | # -----------------------------------------------------------------------------------------------------
463 | output "mumbai_tgw_shared_services_route_table_id" {
464 | value = concat(module.terraform-aws-fsf-tgw-deployment-mumbai.*.shared_services_route_table_id, [null])[0]
465 | }
466 |
467 | output "mumbai_tgw_north_south_route_table_id" {
468 | value = concat(module.terraform-aws-fsf-tgw-deployment-mumbai.*.north_south_route_table_id, [null])[0]
469 | }
470 |
471 | output "mumbai_tgw_packet_inspection_route_table_id" {
472 | value = concat(module.terraform-aws-fsf-tgw-deployment-mumbai.*.packet_inspection_route_table_id, [null])[0]
473 | }
474 |
475 | output "mumbai_tgw_development_route_table_id" {
476 | value = concat(module.terraform-aws-fsf-tgw-deployment-mumbai.*.development_route_table_id, [null])[0]
477 | }
478 |
479 | output "mumbai_tgw_production_route_table_id" {
480 | value = concat(module.terraform-aws-fsf-tgw-deployment-mumbai.*.production_route_table_id, [null])[0]
481 | }
482 |
483 | output "mumbai_tgw_uat_route_table_id" {
484 | value = concat(module.terraform-aws-fsf-tgw-deployment-mumbai.*.uat_route_table_id, [null])[0]
485 | }
486 |
487 | # -----------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/peer_transit_gateways/main.tf:
--------------------------------------------------------------------------------
1 | # ---------------------------------------------------------------------------------------------------------------
2 | #
3 | # ---------------------------------------------------------------------------------------------------------------
4 |
5 |
6 |
7 | # Object that contains the key/value pairs that form the tags added to the transit gateway peering attachment on creation
8 | # ---------------------------------------------------------------------------------------------------------------
9 | locals {
10 | default_tags = {
11 | Name = join("-", [var.Application_Name, var.Environment_Type])
12 | Application_ID = var.Application_ID
13 | Application_Name = var.Application_Name
14 | Business_Unit = var.Business_Unit
15 | CostCenterCode = var.CostCenterCode
16 | CreatedBy = var.CreatedBy
17 | Manager = var.Manager
18 | Supported_Networks = var.Supported_Networks
19 | Environment_Type = var.Environment_Type
20 | }
21 | }
22 |
23 | resource "aws_ec2_transit_gateway_peering_attachment" "transit_gateway_peering_request" {
24 | count = (var.transit_gateway_deployment == true && var.transit_gateway_peering_enabled == true ? 1 : 0)
25 |
26 | peer_account_id = var.peer_account_id
27 | peer_region = var.peer_region
28 | peer_transit_gateway_id = var.peer_transit_gateway_id
29 | transit_gateway_id = var.transit_gateway_id
30 |
31 | tags = local.default_tags
32 |
33 | }
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/peer_transit_gateways/outputs.tf:
--------------------------------------------------------------------------------
1 |
2 | output "transit_gateway_peering_attachment_id" {
3 | value = concat(aws_ec2_transit_gateway_peering_attachment.transit_gateway_peering_request.*.id, [null])[0]
4 | }
5 |
--------------------------------------------------------------------------------
/peer_transit_gateways/variables.tf:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------------------------------------------------
2 | # AWS Transit Gateway | ---> Enables the deployment of a transit gateway in the specified region
3 | #-----------------------------------------------------------------------------------------------------
4 | variable "transit_gateway_deployment" {
5 | default = true
6 | validation {
7 | condition = (var.transit_gateway_deployment == false || var.transit_gateway_deployment == true)
8 | error_message = "Transit Gateway deployment must be either true or false."
9 | }
10 | }
11 |
12 | variable "transit_gateway_peering_enabled" {
13 | default = true
14 | validation {
15 | condition = (var.transit_gateway_peering_enabled == false || var.transit_gateway_peering_enabled == true)
16 | error_message = "Transit Gateway Peering enabled must be either true or false."
17 | }
18 | }
19 |
20 | #-----------------------------------------------------------------------------------------------------
21 | # AWS Transit Gateway | ---> Transit Gateway Configuration Parameter
22 | #-----------------------------------------------------------------------------------------------------
23 |
24 | variable "peer_account_id" {}
25 | variable "peer_region" {}
26 | variable "peer_transit_gateway_id" {}
27 | variable "transit_gateway_id" {}
28 |
29 | #-----------------------------------------------------------------------------------------------------
30 | # Variables that make up the AWS tags assigned to the transit gateway peering attachment on creation.
31 | # ---------------------------------------------------------------------------------------------------------------
32 |
33 | variable "Application_ID" {
34 | description = "The Application ID of the application that will use this transit gateway peering."
35 | type = string
36 | default = "0000000"
37 | }
38 |
39 | variable "Application_Name" {
40 | description = "The name of the application. Max 10 characters. Allowed characters [0-9A-Za-z]."
41 | type = string
42 | default = "fsf-spoke-vpc"
43 | }
44 |
45 | variable "Business_Unit" {
46 | description = "The business unit or line of business to which this application belongs."
47 | type = string
48 | default = "Commercial Banking (CB)"
49 | }
50 |
51 | variable "Environment_Type" {
52 | description = "The application's environment type. This peering module only accepts PRODUCTION."
53 | type = string
54 | default = "PRODUCTION"
55 | validation {
56 | condition = (var.Environment_Type == "PRODUCTION")
57 | error_message = "Environment_Type must be PRODUCTION; transit gateway peering is not configured for other environment types."
58 | }
59 | }
60 |
61 | variable "Supported_Networks" {
62 | description = "Networks allowed to use this peering. Only Spoke_VPCs_Under_This_Organization is accepted."
63 | type = string
64 | default = "Spoke_VPCs_Under_This_Organization"
65 | validation {
66 | condition = (var.Supported_Networks == "Spoke_VPCs_Under_This_Organization")
67 | error_message = "External Principals should not be allowed unless in the case of a merger."
68 | }
69 | }
70 |
71 | variable "CostCenterCode" {
72 | description = "CSI Billing Profile Number associated with the application that uses this peering."
73 | type = string
74 | default = "CB-0000000"
75 | }
76 |
77 | variable "CreatedBy" {
78 | description = "Name of the person or automation that created this resource."
79 | type = string
80 | default = "Androski_Spicer"
81 | }
82 |
83 | variable "Manager" {
84 | description = "Manager accountable for the application that uses this resource."
85 | type = string
86 | default = "KenJackson"
87 | }
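The module above only creates the requester side of a peering, and the only guard on who the peer is lives in the tag variables' error messages. The following is a hardened variant, added here as an example and not part of the repository: it validates the identifiers, enforces an in-organization allowlist for `peer_account_id` at plan time, accepts the attachment on the peer side, and adds the static route that peering attachments require because they never propagate routes. It assumes Terraform >= 1.2 (for `lifecycle.precondition`); the inputs `allowed_peer_account_ids`, `peer_cidr_block` and `transit_gateway_route_table_id` and the `aws.peer` provider alias are names chosen for this example.

```hcl
# Added example, not the repository's own module. Assumed names:
# allowed_peer_account_ids, peer_cidr_block, transit_gateway_route_table_id,
# and the provider alias aws.peer.
terraform {
  required_version = ">= 1.2.0" # lifecycle preconditions
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

variable "transit_gateway_id" {
  description = "Requesting transit gateway in the local region."
  type        = string
  validation {
    # AWS EC2 resource ids are the prefix plus 8 or 17 lowercase hex chars.
    condition     = can(regex("^tgw-[0-9a-f]{8,17}$", var.transit_gateway_id))
    error_message = "transit_gateway_id must be of the form tgw-<hex>."
  }
}

variable "peer_transit_gateway_id" {
  type = string
  validation {
    condition     = can(regex("^tgw-[0-9a-f]{8,17}$", var.peer_transit_gateway_id))
    error_message = "peer_transit_gateway_id must be of the form tgw-<hex>."
  }
}

variable "peer_account_id" {
  type = string
  validation {
    condition     = can(regex("^[0-9]{12}$", var.peer_account_id))
    error_message = "peer_account_id must be a 12-digit AWS account id."
  }
}

variable "peer_region" { type = string }

variable "peer_cidr_block" {
  description = "CIDR reachable through the peer; routed statically (assumed input)."
  type        = string
}

variable "transit_gateway_route_table_id" {
  description = "Local TGW route table that receives the static route (assumed input)."
  type        = string
}

variable "allowed_peer_account_ids" {
  description = "Accounts inside the organization that may be peered with (assumed allowlist)."
  type        = set(string)
}

# Requester side, created with the default provider in the local region.
resource "aws_ec2_transit_gateway_peering_attachment" "request" {
  peer_account_id         = var.peer_account_id
  peer_region             = var.peer_region
  peer_transit_gateway_id = var.peer_transit_gateway_id
  transit_gateway_id      = var.transit_gateway_id

  tags = { Name = "tgw-peering-to-${var.peer_region}" }

  lifecycle {
    # Enforces the intent of the module's error message at plan time:
    # no external principals unless the account was allowlisted deliberately.
    precondition {
      condition     = contains(var.allowed_peer_account_ids, var.peer_account_id)
      error_message = "External principals should not be allowed unless in the case of a merger; add the account to allowed_peer_account_ids deliberately."
    }
  }
}

# Accepter side: an aliased provider for the peer account and region.
# allowed_account_ids makes an apply run with credentials for the wrong
# account fail instead of accepting the peering somewhere unintended.
provider "aws" {
  alias               = "peer"
  region              = var.peer_region
  allowed_account_ids = [var.peer_account_id]
}

resource "aws_ec2_transit_gateway_peering_attachment_accepter" "accept" {
  provider                      = aws.peer
  transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.request.id
  tags                          = { Name = "tgw-peering-accepter" }
}

# Peering attachments do not support route propagation, so reachability over
# the peer is a static route. It depends on the accepter, so it exists only
# after acceptance, and it covers one named CIDR, keeping exposure explicit.
resource "aws_ec2_transit_gateway_route" "to_peer" {
  destination_cidr_block         = var.peer_cidr_block
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_peering_attachment_accepter.accept.id
  transit_gateway_route_table_id = var.transit_gateway_route_table_id
}
```

Acceptance is required even when both transit gateways are in the same account, and the peer's route table needs its own static route back; the allowlist precondition is what turns the "no external principals" tag rule into something `terraform plan` actually refuses.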
--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 | region = "us-east-1"
3 | }
4 |
5 | # NORTHERN VIRGINIA : us-east-1
6 | provider "aws" {
7 | region = "us-east-1"
8 | alias = "n_virginia"
9 | }
10 |
11 | # OHIO : us-east-2
12 | provider "aws" {
13 | region = "us-east-2"
14 | alias = "ohio"
15 | }
16 |
17 | # NORTHERN CALIFORNIA : us-west-1
18 | provider "aws" {
19 | region = "us-west-1"
20 | alias = "n_california"
21 | }
22 |
23 | # OREGON : us-west-2
24 | provider "aws" {
25 | region = "us-west-2"
26 | alias = "oregon"
27 | }
28 |
29 | # CANADA : ca-central-1
30 | provider "aws" {
31 | region = "ca-central-1"
32 | alias = "canada_east"
33 | }
34 |
35 | //# SOUTH AFRICA : af-south-1
36 | //provider "aws" {
37 | // region = "af-south-1"
38 | // alias = "south_africa"
39 | //}
40 |
41 | //# HONG KONG : ap-east-1
42 | //provider "aws" {
43 | // region = "ap-east-1"
44 | // alias = "hong_kong"
45 | //}
46 |
47 | # MUMBAI : ap-south-1
48 | provider "aws" {
49 | region = "ap-south-1"
50 | alias = "mumbai"
51 | }
52 |
53 | //# OSAKA_LOCAL : ap-northeast-3
54 | //provider "aws" {
55 | // region = "ap-northeast-3"
56 | // alias = "osaka_local"
57 | //}
58 |
59 |
60 | # SEOUL : ap-northeast-2
61 | provider "aws" {
62 | region = "ap-northeast-2"
63 | alias = "seoul"
64 | }
65 |
66 |
67 | # SINGAPORE : ap-southeast-1
68 | provider "aws" {
69 | region = "ap-southeast-1"
70 | alias = "singapore"
71 | }
72 |
73 |
74 | # SYDNEY : ap-southeast-2
75 | provider "aws" {
76 | region = "ap-southeast-2"
77 | alias = "sydney"
78 | }
79 |
80 |
81 | # TOKYO : ap-northeast-1
82 | provider "aws" {
83 | region = "ap-northeast-1"
84 | alias = "tokyo"
85 | }
86 |
87 |
88 | # FRANKFURT : eu-central-1
89 | provider "aws" {
90 | region = "eu-central-1"
91 | alias = "frankfurt"
92 | }
93 |
94 |
95 | # IRELAND : eu-west-1
96 | provider "aws" {
97 | region = "eu-west-1"
98 | alias = "ireland"
99 | }
100 |
101 |
102 | # LONDON : eu-west-2
103 | provider "aws" {
104 | region = "eu-west-2"
105 | alias = "london"
106 | }
107 |
108 |
109 | //# MILAN : eu-south-1
110 | //provider "aws" {
111 | // region = "eu-south-1"
112 | // alias = "milan"
113 | //}
114 |
115 |
116 | # PARIS : eu-west-3
117 | provider "aws" {
118 | region = "eu-west-3"
119 | alias = "paris"
120 | }
121 |
122 |
123 | # STOCKHOLM : eu-north-1
124 | provider "aws" {
125 | region = "eu-north-1"
126 | alias = "stockholm"
127 | }
128 |
129 |
130 | //# MIDDLE EAST: me-south-1
131 | //provider "aws" {
132 | // region = "me-south-1"
133 | // alias = "middle_east"
134 | //}
135 |
136 |
137 | # SAO PAULO : sa-east-1
138 | provider "aws" {
139 | region = "sa-east-1"
140 | alias = "sao_paulo"
141 | }
142 |
143 |
144 |
145 |
146 |
--------------------------------------------------------------------------------
/setup_workspace/variables.tf:
--------------------------------------------------------------------------------
1 | # Static AWS credentials handed to the Terraform Cloud workspace. They are
2 | # marked sensitive so they are redacted from plan/apply output; they are still
3 | # written to state, so prefer short-lived STS credentials with a session token.
4 | variable "AWS_ACCESS_KEY_ID" {
5 | type = string
6 | sensitive = true
7 | }
8 | variable "AWS_SECRET_ACCESS_KEY" {
9 | type = string
10 | sensitive = true
11 | }
12 | variable "AWS_SESSION_TOKEN" {
13 | type = string
14 | default = ""
15 | sensitive = true
16 | }
17 | variable "tfe_organization" {
18 | type = string
19 | }
20 | variable "tfe_workspace" {
21 | type = string
22 | default = ""
23 | }
24 | variable "tfe_email" {
25 | type = string
26 | default = "someone@somewhere.resource"
27 | }
28 | variable "working_directory" {
29 | type = string
30 | default = "/deploy"
31 | }
32 | variable "region" {
33 | type = string
34 | default = "us-east-2"
35 | }
--------------------------------------------------------------------------------
/setup_workspace/workspace.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 0.15.1"
3 | }
4 |
5 | resource "random_pet" "name" {
6 | prefix = "tfm-aws"
7 | length = 1
8 | }
9 |
10 | # Generate new terraform org and workspace
11 |
12 | module "tfc_workspace" {
13 | source = "aws-ia/cloud_workspace/hashicorp"
14 | version = "0.0.1"
15 | tfe_email = var.tfe_email
16 | tfe_organization = var.tfe_organization
17 | tfe_workspace = var.tfe_workspace
18 | AWS_ACCESS_KEY_ID = var.AWS_ACCESS_KEY_ID
19 | AWS_SECRET_ACCESS_KEY = var.AWS_SECRET_ACCESS_KEY
20 | AWS_SESSION_TOKEN = var.AWS_SESSION_TOKEN
21 | working_directory = var.working_directory
22 | region = var.region
23 | }
24 |
25 |
26 | resource "null_resource" "setup_backend_file" {
27 | depends_on = [module.tfc_workspace]
28 | provisioner "local-exec" {
29 | command = "mv backend.hcl ../deploy"
30 | }
31 | }
32 |
33 |
34 | resource "null_resource" "remote_init" {
35 | depends_on = [null_resource.setup_backend_file]
36 | provisioner "local-exec" {
37 | working_dir = "../deploy"
38 | command = "terraform init -backend-config=backend.hcl"
39 | }
40 | }
41 |
42 | output "user_instructions" {
43 | value = < Create Transit Gateway
21 | #-----------------------------------------------------------------------------------------------------
22 | # This map controls the creation of a transit gateway in the region named by each key below.
23 | # Set a key to true to create a transit gateway in that region, or false to skip it.
24 | # The key "all_aws_regions" creates a transit gateway in every listed region.
25 | # There is no need to set individual regions to true if "all_aws_regions" is set to true.
26 | #-----------------------------------------------------------------------------------------------------
27 | deploy_transit_gateway_in_this_aws_region = {
28 | all_aws_regions = true # false
29 | ohio = false # false
30 | n_virginia = false # false
31 | oregon = false # true
32 | n_california = false # true
33 | canada_east = false # true
34 | ireland = false # true
35 | london = false # true
36 | stockholm = false # true
37 | frankfurt = false # true
38 | paris = false # true
39 | tokyo = false # true
40 | seoul = false # true
41 | sydney = false # true
42 | mumbai = false # true
43 | singapore = false # true
44 | sao-paulo = false # true
45 | }
46 | }
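The comment above describes a precedence rule (the global flag overrides the per-region flags) that the map itself does not express. The block below, added here as an example and not the project's code, computes the effective per-region switch and rejects keys that match no provider alias in provider.tf; the page's own tfvars uses the key `sao-paulo` while provider.tf aliases `sao_paulo`, and whether that matters depends on how the module consumes the map, which is not shown here, so the check assumes that keys must match provider aliases. It assumes Terraform >= 1.2 for the output precondition; `known_regions`, `regions_to_deploy` and `regions_enabled` are names chosen for this example.

```hcl
# Added example, not the repository's code. The variable name is the page's
# own; local.known_regions, regions_to_deploy and regions_enabled are assumed.
variable "deploy_transit_gateway_in_this_aws_region" {
  type = map(bool)
  default = {
    all_aws_regions = false
    ohio            = true
    n_virginia      = false
    sao_paulo       = false
  }

  validation {
    condition     = contains(keys(var.deploy_transit_gateway_in_this_aws_region), "all_aws_regions")
    error_message = "The map must carry the all_aws_regions key."
  }
}

locals {
  # Provider aliases that exist in provider.tf (commented-out regions excluded).
  known_regions = toset([
    "n_virginia", "ohio", "n_california", "oregon", "canada_east",
    "mumbai", "seoul", "singapore", "sydney", "tokyo",
    "frankfurt", "ireland", "london", "paris", "stockholm", "sao_paulo"
  ])

  flags  = var.deploy_transit_gateway_in_this_aws_region
  all_on = local.flags["all_aws_regions"]

  # Keys in the map that name no provider alias, e.g. "sao-paulo" for "sao_paulo".
  unknown_regions = setsubtract(
    setsubtract(toset(keys(local.flags)), toset(["all_aws_regions"])),
    local.known_regions
  )

  # The global flag wins; otherwise the region's own flag applies.
  regions_to_deploy = {
    for region, enabled in local.flags :
    region => (local.all_on || enabled)
    if region != "all_aws_regions"
  }

  # Regions that actually get a transit gateway, as a set usable in for_each.
  regions_enabled = toset([for r, on in local.regions_to_deploy : r if on])
}

output "regions_enabled" {
  value = local.regions_enabled

  # Fail the plan on a mistyped key instead of silently deploying nothing for it.
  precondition {
    condition     = length(local.unknown_regions) == 0
    error_message = "deploy_transit_gateway_in_this_aws_region has keys that match no provider alias in provider.tf."
  }
}
```

With the default map, `terraform console` evaluates `local.regions_enabled` to `toset(["ohio"])`; flipping `all_aws_regions` to true yields every key except `all_aws_regions`, which is the behaviour the comment promises.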
47 |
48 | /*
49 | ----------------------------------------------------------------------------
50 | It is important to note the following:
51 | ----------------------------------------------------------------------------
52 | 1. A transit gateway can be deployed in any region. This solution allows you
53 | to deploy a transit gateway in a region by changing the boolean flag in the
54 | variable "deploy_transit_gateway_in_this_aws_region" to true.
55 | 2. That said, for testing purposes, make sure the local you assert on below
56 | refers to a region where a transit gateway was actually deployed; the module
57 | outputs return null for regions where nothing was deployed, so the assertions fail.
58 |
59 | For example.
60 | --------------
61 | if your test is being conducted for a transit gateway deployment in the AWS Ohio Region
62 | then the locals configuration would be as follows:
63 |
64 | locals {
65 | ohio_transit_gateway_id = module.main.ohio_transit_gateway_id
66 | }
67 | ----------------------------------------------------------------------------
67 | */
68 |
69 | locals {
70 | ohio_transit_gateway_id = module.main.ohio_transit_gateway_id
71 | n_virginia_transit_gateway_id = module.main.n_virginia_transit_gateway_id
72 | oregon_transit_gateway_id = module.main.oregon_transit_gateway_id
73 | n_california_transit_gateway_id = module.main.n_california_transit_gateway_id
74 | canada_east_transit_gateway_id = module.main.canada_montreal_transit_gateway_id
75 | ireland_transit_gateway_id = module.main.ireland_transit_gateway_id
76 | london_transit_gateway_id = module.main.london_transit_gateway_id
77 | stockholm_transit_gateway_id = module.main.stockholm_transit_gateway_id
78 | frankfurt_transit_gateway_id = module.main.frankfurt_transit_gateway_id
79 | paris_transit_gateway_id = module.main.paris_transit_gateway_id
80 | tokyo_transit_gateway_id = module.main.tokyo_transit_gateway_id
81 | seoul_transit_gateway_id = module.main.seoul_transit_gateway_id
82 | sydney_transit_gateway_id = module.main.sydney_transit_gateway_id
83 | mumbai_transit_gateway_id = module.main.mumbai_transit_gateway_id
84 | singapore_transit_gateway_id = module.main.singapore_transit_gateway_id
85 | sao-paulo_transit_gateway_id = module.main.sao_paulo_transit_gateway_id
86 | }
87 |
88 |
89 |
90 | # ----------------------------------------------------------------------------
91 | # This Assertion checks that the transit gateway id prefix is correct and
92 | # aligns with the AWS standard for AWS Transit Gateways
93 | # ----------------------------------------------------------------------------
94 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_ohio" {
95 | # "component" is a unique identifier for this
96 | # particular set of assertions in the test results.
97 | component = "ohio_transit_gateway_id"
98 |
99 | equal "scheme" {
100 | description = "Id prefix is tgw- (compare the prefix only; a full id never equals it)"
101 | got = substr(local.ohio_transit_gateway_id, 0, 4)
102 | want = "tgw-"
103 | }
104 |
105 | check "transit_gateway_id_prefix" {
106 | description = "Check for transit gateway id prefix alignment."
107 | condition = can(regex("^tgw-", local.ohio_transit_gateway_id))
108 | }
109 | }
110 |
111 | # ----------------------------------------------------------------------------
112 | # This Assertion checks that the transit gateway id prefix is correct and
113 | # aligns with the AWS standard for AWS Transit Gateways
114 | # ----------------------------------------------------------------------------
115 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_n_virginia" {
116 | # "component" is a unique identifier for this
117 | # particular set of assertions in the test results.
118 | component = "n_virginia_transit_gateway_id"
119 |
120 | equal "scheme" {
121 | description = "Id prefix is tgw- (compare the prefix only; a full id never equals it)"
122 | got = substr(local.n_virginia_transit_gateway_id, 0, 4)
123 | want = "tgw-"
124 | }
125 |
126 | check "transit_gateway_id_prefix" {
127 | description = "Check for transit gateway id prefix alignment."
128 | condition = can(regex("^tgw-", local.n_virginia_transit_gateway_id))
129 | }
130 | }
131 |
132 | # ----------------------------------------------------------------------------
133 | # This Assertion checks that the transit gateway id prefix is correct and
134 | # aligns with the AWS standard for AWS Transit Gateways
135 | # ----------------------------------------------------------------------------
136 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_n_california" {
137 | # "component" is a unique identifier for this
138 | # particular set of assertions in the test results.
139 | component = "n_california_transit_gateway_id"
140 |
141 | equal "scheme" {
142 | description = "Id prefix is tgw- (compare the prefix only; a full id never equals it)"
143 | got = substr(local.n_california_transit_gateway_id, 0, 4)
144 | want = "tgw-"
145 | }
146 |
147 | check "transit_gateway_id_prefix" {
148 | description = "Check for transit gateway id prefix alignment."
149 | condition = can(regex("^tgw-", local.n_california_transit_gateway_id))
150 | }
151 | }
152 |
153 | # ----------------------------------------------------------------------------
154 | # This Assertion checks that the transit gateway id prefix is correct and
155 | # aligns with the AWS standard for AWS Transit Gateways
156 | # ----------------------------------------------------------------------------
157 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_oregon" {
158 | # "component" is a unique identifier for this
159 | # particular set of assertions in the test results.
160 | component = "oregon_transit_gateway_id"
161 |
162 | equal "scheme" {
163 | description = "Id prefix is tgw- (compare the prefix only; a full id never equals it)"
164 | got = substr(local.oregon_transit_gateway_id, 0, 4)
165 | want = "tgw-"
166 | }
167 |
168 | check "transit_gateway_id_prefix" {
169 | description = "Check for transit gateway id prefix alignment."
170 | condition = can(regex("^tgw-", local.oregon_transit_gateway_id))
171 | }
172 | }
173 |
174 | # ----------------------------------------------------------------------------
175 | # This Assertion checks that the transit gateway id prefix is correct and
176 | # aligns with the AWS standard for AWS Transit Gateways
177 | # ----------------------------------------------------------------------------
178 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_canada_east" {
179 | # "component" is a unique identifier for this
180 | # particular set of assertions in the test results.
181 | component = "transit_gateway_id_canada_east"
182 |
183 | equal "scheme" {
184 | description = "Default scheme is tgw-"
185 | got = substr(local.canada_east_transit_gateway_id, 0, 4)
186 | want = "tgw-"
187 | }
188 |
189 | check "transit_gateway_id_prefix" {
190 | description = "Check for transit gateway id prefix alignment."
191 | condition = can(regex("^tgw-", local.canada_east_transit_gateway_id))
192 | }
193 | }
194 |
195 | # ----------------------------------------------------------------------------
196 | # This Assertion checks that the transit gateway id prefix is correct and
197 | # aligns with the AWS standard for AWS Transit Gateways
198 | # ----------------------------------------------------------------------------
199 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_ireland" {
200 | # "component" is a unique identifier for this
201 | # particular set of assertions in the test results.
202 | component = "transit_gateway_id_ireland"
203 |
204 | equal "scheme" {
205 | description = "Default scheme is tgw-"
206 | got = substr(local.ireland_transit_gateway_id, 0, 4)
207 | want = "tgw-"
208 | }
209 |
210 | check "transit_gateway_id_prefix" {
211 | description = "Check for transit gateway id prefix alignment."
212 | condition = can(regex("^tgw-", local.ireland_transit_gateway_id))
213 | }
214 | }
215 |
216 | # ----------------------------------------------------------------------------
217 | # This Assertion checks that the transit gateway id prefix is correct and
218 | # aligns with the AWS standard for AWS Transit Gateways
219 | # ----------------------------------------------------------------------------
220 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_london" {
221 | # "component" is a unique identifier for this
222 | # particular set of assertions in the test results.
223 | component = "transit_gateway_id_london"
224 |
225 | equal "scheme" {
226 | description = "Default scheme is tgw-"
227 | got = substr(local.london_transit_gateway_id, 0, 4)
228 | want = "tgw-"
229 | }
230 |
231 | check "transit_gateway_id_prefix" {
232 | description = "Check for transit gateway id prefix alignment."
233 | condition = can(regex("^tgw-", local.london_transit_gateway_id))
234 | }
235 | }
236 |
237 |
238 | # ----------------------------------------------------------------------------
239 | # This Assertion checks that the transit gateway id prefix is correct and
240 | # aligns with the AWS standard for AWS Transit Gateways
241 | # ----------------------------------------------------------------------------
242 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_stockholm" {
243 | # "component" is a unique identifier for this
244 | # particular set of assertions in the test results.
245 | component = "transit_gateway_id_stockholm"
246 |
247 | equal "scheme" {
248 | description = "Default scheme is tgw-"
249 | got = substr(local.stockholm_transit_gateway_id, 0, 4)
250 | want = "tgw-"
251 | }
252 |
253 | check "transit_gateway_id_prefix" {
254 | description = "Check for transit gateway id prefix alignment."
255 | condition = can(regex("^tgw-", local.stockholm_transit_gateway_id))
256 | }
257 | }
258 |
259 |
260 | # ----------------------------------------------------------------------------
261 | # This Assertion checks that the transit gateway id prefix is correct and
262 | # aligns with the AWS standard for AWS Transit Gateways
263 | # ----------------------------------------------------------------------------
264 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_frankfurt" {
265 | # "component" is a unique identifier for this
266 | # particular set of assertions in the test results.
267 | component = "transit_gateway_id_frankfurt"
268 |
269 | equal "scheme" {
270 | description = "Default scheme is tgw-"
271 | got = substr(local.frankfurt_transit_gateway_id, 0, 4)
272 | want = "tgw-"
273 | }
274 |
275 | check "transit_gateway_id_prefix" {
276 | description = "Check for transit gateway id prefix alignment."
277 | condition = can(regex("^tgw-", local.frankfurt_transit_gateway_id))
278 | }
279 | }
280 |
281 |
282 | # ----------------------------------------------------------------------------
283 | # This Assertion checks that the transit gateway id prefix is correct and
284 | # aligns with the AWS standard for AWS Transit Gateways
285 | # ----------------------------------------------------------------------------
286 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_paris" {
287 | # "component" is a unique identifier for this
288 | # particular set of assertions in the test results.
289 | component = "transit_gateway_id_paris"
290 |
291 | equal "scheme" {
292 | description = "Default scheme is tgw-"
293 | got = substr(local.paris_transit_gateway_id, 0, 4)
294 | want = "tgw-"
295 | }
296 |
297 | check "transit_gateway_id_prefix" {
298 | description = "Check for transit gateway id prefix alignment."
299 | condition = can(regex("^tgw-", local.paris_transit_gateway_id))
300 | }
301 | }
302 |
303 |
304 | # ----------------------------------------------------------------------------
305 | # This Assertion checks that the transit gateway id prefix is correct and
306 | # aligns with the AWS standard for AWS Transit Gateways
307 | # ----------------------------------------------------------------------------
308 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_tokyo" {
309 | # "component" is a unique identifier for this
310 | # particular set of assertions in the test results.
311 | component = "transit_gateway_id_tokyo"
312 |
313 | equal "scheme" {
314 | description = "Default scheme is tgw-"
315 | got = substr(local.tokyo_transit_gateway_id, 0, 4)
316 | want = "tgw-"
317 | }
318 |
319 | check "transit_gateway_id_prefix" {
320 | description = "Check for transit gateway id prefix alignment."
321 | condition = can(regex("^tgw-", local.tokyo_transit_gateway_id))
322 | }
323 | }
324 |
325 |
326 | # ----------------------------------------------------------------------------
327 | # This Assertion checks that the transit gateway id prefix is correct and
328 | # aligns with the AWS standard for AWS Transit Gateways
329 | # ----------------------------------------------------------------------------
330 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_seoul" {
331 | # "component" is a unique identifier for this
332 | # particular set of assertions in the test results.
333 | component = "transit_gateway_id_seoul"
334 |
335 | equal "scheme" {
336 | description = "Default scheme is tgw-"
337 | got = substr(local.seoul_transit_gateway_id, 0, 4)
338 | want = "tgw-"
339 | }
340 |
341 | check "transit_gateway_id_prefix" {
342 | description = "Check for transit gateway id prefix alignment."
343 | condition = can(regex("^tgw-", local.seoul_transit_gateway_id))
344 | }
345 | }
346 |
347 | # ----------------------------------------------------------------------------
348 | # This Assertion checks that the transit gateway id prefix is correct and
349 | # aligns with the AWS standard for AWS Transit Gateways
350 | # ----------------------------------------------------------------------------
351 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_singapore" {
352 | # "component" is a unique identifier for this
353 | # particular set of assertions in the test results.
354 | component = "transit_gateway_id_singapore"
355 |
356 | equal "scheme" {
357 | description = "Default scheme is tgw-"
358 | got = substr(local.singapore_transit_gateway_id, 0, 4)
359 | want = "tgw-"
360 | }
361 |
362 | check "transit_gateway_id_prefix" {
363 | description = "Check for transit gateway id prefix alignment."
364 | condition = can(regex("^tgw-", local.singapore_transit_gateway_id))
365 | }
366 | }
367 |
368 | # ----------------------------------------------------------------------------
369 | # This Assertion checks that the transit gateway id prefix is correct and
370 | # aligns with the AWS standard for AWS Transit Gateways
371 | # ----------------------------------------------------------------------------
372 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_mumbai" {
373 | # "component" is a unique identifier for this
374 | # particular set of assertions in the test results.
375 | component = "transit_gateway_id_mumbai"
376 |
377 | equal "scheme" {
378 | description = "Default scheme is tgw-"
379 | got = substr(local.mumbai_transit_gateway_id, 0, 4)
380 | want = "tgw-"
381 | }
382 |
383 | check "transit_gateway_id_prefix" {
384 | description = "Check for transit gateway id prefix alignment."
385 | condition = can(regex("^tgw-", local.mumbai_transit_gateway_id))
386 | }
387 | }
388 |
389 | # ----------------------------------------------------------------------------
390 | # This Assertion checks that the transit gateway id prefix is correct and
391 | # aligns with the AWS standard for AWS Transit Gateways
392 | # ----------------------------------------------------------------------------
393 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_sydney" {
394 | # "component" is a unique identifier for this
395 | # particular set of assertions in the test results.
396 | component = "transit_gateway_id_sydney"
397 |
398 | equal "scheme" {
399 | description = "Default scheme is tgw-"
400 | got = substr(local.sydney_transit_gateway_id, 0, 4)
401 | want = "tgw-"
402 | }
403 |
404 | check "transit_gateway_id_prefix" {
405 | description = "Check for transit gateway id prefix alignment."
406 | condition = can(regex("^tgw-", local.sydney_transit_gateway_id))
407 | }
408 | }
409 |
410 | # ----------------------------------------------------------------------------
411 | # This Assertion checks that the transit gateway id prefix is correct and
412 | # aligns with the AWS standard for AWS Transit Gateways
413 | # ----------------------------------------------------------------------------
414 | resource "test_assertions" "testing_transit_gateway_id_compliance_in_sao_paulo" {
415 | # "component" is a unique identifier for this
416 | # particular set of assertions in the test results.
417 | component = "transit_gateway_id_sao_paulo"
418 |
419 | equal "scheme" {
420 | description = "Default scheme is tgw-"
421 | got = substr(local.sao-paulo_transit_gateway_id, 0, 4)
422 | want = "tgw-"
423 | }
424 |
425 | check "transit_gateway_id_prefix" {
426 | description = "Check for transit gateway id prefix alignment."
427 | condition = can(regex("^tgw-", local.sao-paulo_transit_gateway_id))
428 | }
429 | }
430 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------------------------------------------------------------------
2 | # AWS Transit Gateway | ---> Creates AWS Transit Gateway route tables that are needed by the network deployer solution
3 | #-----------------------------------------------------------------------------------------------------------------------
4 | variable "enable_integration_with_network_deployer_solution" {
5 | type = map(bool)
6 | default = {
7 | ohio = false
8 | n_virginia = false
9 | oregon = false
10 | n_california = false
11 | canada_east = false
12 | ireland = false
13 | london = false
14 | stockholm = false
15 | frankfurt = false
16 | paris = false
17 | tokyo = false
18 | seoul = false
19 | sydney = false
20 | mumbai = false
21 | singapore = false
22 | sao_paulo = false
23 | }
24 | }
25 |
26 | variable "default_route_table_propagation" {
27 | type = map(string)
28 | default = {
29 | hq = "disable"
30 | ohio = "disable"
31 | n_virginia = "disable"
32 | oregon = "disable"
33 | n_california = "disable"
34 | canada_east = "disable"
35 | ireland = "disable"
36 | london = "disable"
37 | stockholm = "disable"
38 | frankfurt = "disable"
39 | paris = "disable"
40 | tokyo = "disable"
41 | seoul = "disable"
42 | sydney = "disable"
43 | mumbai = "disable"
44 | singapore = "disable"
45 | sao_paulo = "disable"
46 | }
47 | }
48 |
49 | variable "default_route_table_association" {
50 | type = map(string)
51 | default = {
52 | hq = "disable"
53 | ohio = "disable"
54 | n_virginia = "disable"
55 | oregon = "disable"
56 | n_california = "disable"
57 | canada_east = "disable"
58 | ireland = "disable"
59 | london = "disable"
60 | stockholm = "disable"
61 | frankfurt = "disable"
62 | paris = "disable"
63 | tokyo = "disable"
64 | seoul = "disable"
65 | sydney = "disable"
66 | mumbai = "disable"
67 | singapore = "disable"
68 | sao_paulo = "disable"
69 | }
70 | }
71 |
72 | variable "vpn_ecmp_support" {
73 | type = map(string)
74 | default = {
75 | hq = "enable"
76 | ohio = "enable"
77 | n_virginia = "enable"
78 | oregon = "enable"
79 | n_california = "enable"
80 | canada_east = "enable"
81 | ireland = "enable"
82 | london = "enable"
83 | stockholm = "enable"
84 | frankfurt = "enable"
85 | paris = "enable"
86 | tokyo = "enable"
87 | seoul = "enable"
88 | sydney = "enable"
89 | mumbai = "enable"
90 | singapore = "enable"
91 | sao_paulo = "enable"
92 | }
93 | }
94 |
95 | variable "dns_support" {
96 | type = map(string)
97 | default = {
98 | hq = "disable"
99 | ohio = "disable"
100 | n_virginia = "disable"
101 | oregon = "disable"
102 | n_california = "disable"
103 | canada_east = "disable"
104 | ireland = "disable"
105 | london = "disable"
106 | stockholm = "disable"
107 | frankfurt = "disable"
108 | paris = "disable"
109 | tokyo = "disable"
110 | seoul = "disable"
111 | sydney = "disable"
112 | mumbai = "disable"
113 | singapore = "disable"
114 | sao_paulo = "disable"
115 | }
116 | }
117 |
118 |
119 | #-----------------------------------------------------------------------------------------------------
120 | # AWS Transit Gateway | ---> Create Network Manager
121 | #-----------------------------------------------------------------------------------------------------
122 | # This variable tells the solution whether an AWS Network Manager global network already exists (true) or not (false).
123 | #-----------------------------------------------------------------------------------------------------
124 | variable "network_manager_deployment" {
125 | type = bool
126 | default = false
127 | }
131 |
132 | #-----------------------------------------------------------------------------------------------------
133 | # This variable holds the name of the AWS Network Manager deployment.
134 | #-----------------------------------------------------------------------------------------------------
135 | variable "network_manager_name"{
136 | default = "transit-gateway-network-manager-stack"
137 | }
138 |
139 | # ----------------------------------------------------------------------------------------------------
140 | # Please update this variable if you have an AWS Network Manager deployed.
141 | # The full AWS ARN is required for your AWS Network Manager.
142 | # ----------------------------------------------------------------------------------------------------
143 | variable "network_manager_id"{
144 | default = "your-global-network-id-here"
145 | }
146 |
147 |
148 | #-----------------------------------------------------------------------------------------------------
149 | # AWS Transit Gateway | ---> Manages VPN Attachment Association.
150 | # True results in only the packet inspection route table being populated with on-premises routes.
151 | # False results in on-premises routes being added to the dev, uat, prod, shared services, and packet inspection transit gateway route tables.
152 | #-----------------------------------------------------------------------------------------------------
153 | variable "centralized_packet_inspection_enabled" {
154 | type = map(bool)
155 | default = {
156 | ohio = false
157 | n_virginia = false
158 | oregon = false
159 | n_california = false
160 | canada_east = false
161 | ireland = false
162 | london = false
163 | stockholm = false
164 | frankfurt = false
165 | paris = false
166 | tokyo = false
167 | seoul = false
168 | sydney = false
169 | mumbai = false
170 | singapore = false
171 | sao_paulo = false
172 | }
173 | }
174 |
175 | #-----------------------------------------------------------------------------------------------------
176 | # AWS Transit Gateway | ---> AWS Site-to-Site
177 | #-----------------------------------------------------------------------------------------------------
178 | # This variable map tells the solution whether to create an AWS Site-to-Site VPN, and in which regions.
179 | # Simply set true for each region in which you would like to deploy one.
180 | #-----------------------------------------------------------------------------------------------------
181 | variable "create_site_to_site_vpn" {
182 | type = map(bool)
183 | default = {
184 | ohio = false
185 | n_virginia = false
186 | oregon = false
187 | n_california = false
188 | canada_east = false
189 | ireland = false
190 | london = false
191 | stockholm = false
192 | frankfurt = false
193 | paris = false
194 | tokyo = false
195 | seoul = false
196 | sydney = false
197 | mumbai = false
198 | singapore = false
199 | sao_paulo = false
200 | }
201 | }
202 |
203 | #-----------------------------------------------------------------------------------------------------
204 | # AWS Transit Gateway | ---> Create Transit Gateway
205 | #-----------------------------------------------------------------------------------------------------
206 | # This variable controls the creation of a transit gateway in the region named by each key.
207 | # Simply set true if you want to create one or false if you don't.
208 | # The option "all_aws_regions" creates a transit gateway in every AWS Region listed below.
209 | # There's no need to set individual regions to true if "all_aws_regions" is set to true.
210 | #-----------------------------------------------------------------------------------------------------
211 | variable "deploy_transit_gateway_in_this_aws_region" {
212 | type = map(bool)
213 | default = {
214 | all_aws_regions = false # true
215 | ohio = false # false
216 | n_virginia = false # false
217 | oregon = false # true
218 | n_california = false # true
219 | canada_east = false # true
220 | ireland = false # true
221 | london = false # true
222 | stockholm = false # true
223 | frankfurt = false # true
224 | paris = false # true
225 | tokyo = false # true
226 | seoul = false # true
227 | sydney = false # true
228 | mumbai = false # true
229 | singapore = false # true
230 | sao-paulo = false # true
231 | }
232 | }
233 |
234 | #-----------------------------------------------------------------------------------------------------
235 | # AWS Transit Gateway | ---> Create Transit Gateway Peering Connection
236 | #-----------------------------------------------------------------------------------------------------
237 | # This variable controls the creation of transit gateway peering between transit gateways deployed in different AWS Regions.
238 | # The option "build_complete_mesh" complements "all_aws_regions" in the variable "deploy_transit_gateway_in_this_aws_region".
239 | # Set "build_complete_mesh" to true if you have set "all_aws_regions" to true AND you would like to build a completely globally meshed transit gateway network.
240 | #-----------------------------------------------------------------------------------------------------
241 | variable "transit_gateway_peering" {
242 | type = map(bool)
243 | default = {
244 | build_complete_mesh = false # true
245 | ohio_n_virginia = false # true
246 | ohio_canada_east = false # true
247 | ohio_oregon = false # true
248 | ohio_n_california = false # true
249 | oregon_n_california = false # true
250 | oregon_canada_east = false # true
251 | oregon_n_virginia = false # true
252 | oregon_n_sao_paulo = false # true
253 | oregon_n_london = false # true
254 | # n_california_canada_east = false # true
255 | n_california_n_virginia = false # true
256 | n_virginia_canada_east = false # true
257 | n_virginia_n_london = false # true
258 | n_virginia_sao_paulo = false # true
259 | london_n_ireland = false # true
260 | london_n_paris = false # true
261 | london_n_frankfurt = false # true
262 | london_n_milan = false # true
263 | london_n_stockholm = false # true
264 | ireland_n_paris = false # true
265 | ireland_n_frankfurt = false # true
266 | ireland_n_stockholm = false # true
267 | frankfurt_n_stockholm = false # true
268 | frankfurt_n_paris = false # true
269 | stockholm_n_paris = false # true
270 | mumbai_n_frankfurt = false # true
271 | mumbai_n_sao_paulo = false # true
272 | mumbai_n_tokyo = false # true
273 | mumbai_n_seoul = false # true
274 | mumbai_n_singapore = false # true
275 | mumbai_n_sydney = false # true
276 | singapore_n_sydney = false # true
277 | singapore_n_tokyo = false # true
278 | singapore_n_sao_paulo = false # true
279 | singapore_n_seoul = false # true
280 | sydney_n_seoul = false # true
281 | sydney_n_tokyo = false # true
282 | sydney_n_sao_paulo = false # true
283 | tokyo_n_seoul = false # true
284 | tokyo_n_sao_paulo = false # true
285 | paris_n_sao_paulo = false # true
286 | }
287 | }
288 |
289 |
290 | #-----------------------------------------------------------------------------------------------------
291 | # AWS Transit Gateway | ---> Transit Gateway Configuration Parameter
292 | #-----------------------------------------------------------------------------------------------------
293 | variable "ram_share_name" {
294 | default = "shared_networking_resources"
295 | }
296 |
297 |
298 | variable "remote_site_asn" {
299 | type = map(number)
300 | default = {
301 | hq = 65000
302 | ohio = 65000
303 | n_virginia = 65000
304 | oregon = 65000
305 | n_california = 65000
306 | canada_east = 65000
307 | ireland = 65000
308 | london = 65000
309 | stockholm = 65000
310 | frankfurt = 65000
311 | paris = 65000
312 | tokyo = 65000
313 | seoul = 65000
314 | sydney = 65000
315 | mumbai = 65000
316 | singapore = 65000
317 | sao-paulo = 65000
318 | }
319 | }
320 |
321 |
322 | variable "remote_site_public_ip"{
323 | type = map(string)
324 | default = {
325 | hq = "127.0.0.1"
326 | ohio = "127.0.0.1"
327 | n_virginia = "127.0.0.1"
328 | oregon = "127.0.0.1"
329 | n_california = "127.0.0.1"
330 | canada_east = "127.0.0.1"
331 | ireland = "127.0.0.1"
332 | london = "127.0.0.1"
333 | stockholm = "127.0.0.1"
334 | frankfurt = "127.0.0.1"
335 | paris = "127.0.0.1"
336 | tokyo = "127.0.0.1"
337 | seoul = "127.0.0.1"
338 | sydney = "127.0.0.1"
339 | mumbai = "127.0.0.1"
340 | singapore = "127.0.0.1"
341 | sao-paulo = "127.0.0.1"
342 | }
343 | }
344 |
345 |
346 | variable "how_many_vpn_connections"{
347 | type = map(number)
348 | default = {
349 | hq = 0
350 | ohio = 1
351 | n_virginia = 0
352 | oregon = 0
353 | n_california = 0
354 | canada_east = 0
355 | ireland = 0
356 | london = 0
357 | stockholm = 0
358 | frankfurt = 0
359 | paris = 0
360 | tokyo = 0
361 | seoul = 0
362 | sydney = 0
363 | mumbai = 0
364 | singapore = 0
365 | sao-paulo = 0
366 | }
367 | }
368 |
369 |
370 |
371 | # -----------------------------------------------------------------------------------------------------
372 | # Advanced VPN Configuration
373 | # -----------------------------------------------------------------------------------------------------
374 |
375 | # -----------------------------------------------------------------------------------------------------
376 | # Indicates whether to enable acceleration for the VPN connection. Supported only for VPN connections attached to a transit gateway.
377 | # -----------------------------------------------------------------------------------------------------
378 | variable "enable_acceleration"{
379 | type = map(bool)
380 | default = {
381 | ohio = false
382 | n_virginia = false
383 | oregon = false
384 | n_california = false
385 | canada_east = false
386 | ireland = false
387 | london = false
388 | stockholm = false
389 | frankfurt = false
390 | paris = false
391 | tokyo = false
392 | seoul = false
393 | sydney = false
394 | mumbai = false
395 | singapore = false
396 | sao_paulo = false
397 | }
398 |
399 | }
400 |
401 | # -----------------------------------------------------------------------------------------------------
402 | # Indicates whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6.
403 | # ipv6 is supported only for VPN connections attached to a transit gateway.
404 | # -----------------------------------------------------------------------------------------------------
405 | variable "tunnel_inside_ip_version" {
406 | default = "ipv4"
407 | validation {
408 | condition = (var.tunnel_inside_ip_version == "ipv4" || var.tunnel_inside_ip_version == "ipv6" )
409 | error_message = "The variable tunnel_inside_ip_version accepts ipv4 or ipv6."
410 | }
411 | }
412 |
413 |
414 | variable "tunnel_inside_cidrs"{
415 | type = map(list(string))
416 | default = {
417 | ohio = []
418 | n_virginia = []
419 | oregon = []
420 | n_california = []
421 | canada_east = []
422 | ireland = []
423 | london = []
424 | stockholm = []
425 | frankfurt = []
426 | paris = []
427 | tokyo = []
428 | seoul = []
429 | sydney = []
430 | mumbai = []
431 | singapore = []
432 | sao-paulo = []
433 | }
434 | }
435 |
436 |
437 | # -----------------------------------------------------------------------------------------------------
438 | # The preshared key of the first VPN tunnel, keyed by region.
439 | # The preshared key must be between 8 and 64 characters in length and cannot start with zero (0).
440 | # Allowed characters are alphanumeric characters, periods (.) and underscores (_).
441 | # Marked sensitive so the value is redacted from plan and apply output. It is still written in plaintext to the state file, so protect the state backend.
442 | # -----------------------------------------------------------------------------------------------------
443 | variable "tunnel1_preshared_key"{
444 | type = map(string)
445 | sensitive = true
446 | default = {
445 | ohio = ""
446 | n_virginia = ""
447 | oregon = ""
448 | n_california = ""
449 | canada_east = ""
450 | ireland = ""
451 | london = ""
452 | stockholm = ""
453 | frankfurt = ""
454 | paris = ""
455 | tokyo = ""
456 | seoul = ""
457 | sydney = ""
458 | mumbai = ""
459 | singapore = ""
460 | sao-paulo = ""
461 | }
462 | }
463 |
464 |
465 | # -----------------------------------------------------------------------------------------------------
466 | # The preshared key of the second VPN tunnel, keyed by region.
467 | # The preshared key must be between 8 and 64 characters in length and cannot start with zero (0).
468 | # Allowed characters are alphanumeric characters, periods (.) and underscores (_).
469 | # Marked sensitive so the value is redacted from plan and apply output. It is still written in plaintext to the state file, so protect the state backend.
470 | # -----------------------------------------------------------------------------------------------------
471 | variable "tunnel2_preshared_key"{
472 | type = map(string)
473 | sensitive = true
474 | default = {
472 | ohio = ""
473 | n_virginia = ""
474 | oregon = ""
475 | n_california = ""
476 | canada_east = ""
477 | ireland = ""
478 | london = ""
479 | stockholm = ""
480 | frankfurt = ""
481 | paris = ""
482 | tokyo = ""
483 | seoul = ""
484 | sydney = ""
485 | mumbai = ""
486 | singapore = ""
487 | sao-paulo = ""
488 | }
489 | }
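The two comment blocks above state the AWS rules for a preshared key but the variables never enforce them, so a malformed key is only rejected by the API at apply time. The block below is an added example, not code from this repository: it is a drop-in replacement for the `tunnel1_preshared_key` declaration (Terraform does not allow the same variable to be declared twice) with a `validation` block derived from the stated rule. The region map is abbreviated here and must list every region key the rest of the module reads; the same validation applies unchanged to `tunnel2_preshared_key`. An empty string is accepted as "no key supplied for this region", matching the existing defaults, and this is the only behaviour assumed beyond what the comments say.

```hcl
# Added example (not part of the repository). Replaces the original
# tunnel1_preshared_key declaration; the map below is abbreviated.
variable "tunnel1_preshared_key" {
  type      = map(string)
  sensitive = true # redacted from plan/apply output, still plaintext in state

  default = {
    ohio       = ""
    n_virginia = ""
    oregon     = ""
    # remaining regions exactly as in the original map
  }

  validation {
    # "" keeps the existing default behaviour for a region.
    # Otherwise: 8-64 characters drawn from [A-Za-z0-9._], and the first
    # character may be anything in that set except "0".
    condition = alltrue([
      for region, psk in var.tunnel1_preshared_key :
      psk == "" || can(regex("^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$", psk))
    ])
    error_message = "Each tunnel1_preshared_key value must be empty or 8-64 characters of [A-Za-z0-9._] and must not start with 0."
  }
}
```

`terraform validate` and `terraform plan` both evaluate the rule, so a bad key is caught before any API call, and because the variable is sensitive the offending value is not echoed in the error.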
490 |
491 | # -----------------------------------------------------------------------------------------------------
492 | # The action to take after DPD timeout occurs for the first VPN tunnel.
493 | # Specify restart to restart the IKE initiation.
494 | # Specify clear to end the IKE session. Valid values are clear | none | restart.
495 | # -----------------------------------------------------------------------------------------------------
496 | variable "tunnel1_dpd_timeout_action"{
497 | default = "clear"
498 | validation {
499 | condition = (var.tunnel1_dpd_timeout_action == "clear" || var.tunnel1_dpd_timeout_action == "none" || var.tunnel1_dpd_timeout_action == "restart" )
500 | error_message = "The variable tunnel1_dpd_timeout_action accepts clear, none or restart."
501 | }
502 | }
503 |
504 | # -----------------------------------------------------------------------------------------------------
505 | # The action to take after DPD timeout occurs for the second VPN tunnel.
506 | # Specify restart to restart the IKE initiation. Specify clear to end the IKE session.
507 | # Valid values are clear | none | restart.
508 | # -----------------------------------------------------------------------------------------------------
509 | variable "tunnel2_dpd_timeout_action"{
510 | default = "clear"
511 | validation {
512 | condition = (var.tunnel2_dpd_timeout_action == "clear" || var.tunnel2_dpd_timeout_action == "none" || var.tunnel2_dpd_timeout_action == "restart" )
513 | error_message = "The variable tunnel2_dpd_timeout_action accepts clear, none or restart."
514 | }
515 | }
516 |
517 | # -----------------------------------------------------------------------------------------------------
518 | # The number of seconds after which a DPD timeout occurs for the first VPN tunnel.
519 | # Valid values are 30 or higher.
520 | # -----------------------------------------------------------------------------------------------------
521 | variable "tunnel1_dpd_timeout_seconds"{
522 | default = 30
523 | validation {
524 | condition = (var.tunnel1_dpd_timeout_seconds>= 30)
525 | error_message = "Valid values are 30 or higher."
526 | }
527 | }
528 |
529 | # The number of seconds after which a DPD timeout occurs for the second VPN tunnel.
530 | # Valid values are 30 or higher.
531 | variable "tunnel2_dpd_timeout_seconds"{
532 | default = 30
533 | validation {
534 | condition = (var.tunnel2_dpd_timeout_seconds>= 30)
535 | error_message = "Valid values are 30 or higher."
536 | }
537 | }
538 |
539 | # The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2. Both are permitted by default for interoperability; restrict this to ["ikev2"] where the customer gateway supports it.
540 | variable "tunnel1_ike_versions"{
541 | default = ["ikev1","ikev2"]
542 | validation {
543 | condition = alltrue([for o in var.tunnel1_ike_versions : contains(["ikev1","ikev2"], o)])
544 | error_message = "Valid values are ikev1 and ikev2."
545 | }
546 | }
547 |
548 | # The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2. Both are permitted by default for interoperability; restrict this to ["ikev2"] where the customer gateway supports it.
549 | variable "tunnel2_ike_versions"{
550 | default = ["ikev1","ikev2"]
551 | validation {
552 | condition = alltrue([for o in var.tunnel2_ike_versions : contains(["ikev1","ikev2"], o)])
553 | error_message = "Valid values are ikev1 and ikev2."
554 | }
555 | }
556 |
557 |
558 | # List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
559 | # Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Groups 2 and 22 (1024-bit MODP) are permitted by default for legacy interoperability; prefer 14-21, 23 or 24.
560 | variable "tunnel1_phase1_dh_group_numbers"{
561 | default = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
562 | validation {
563 | condition = alltrue([for o in var.tunnel1_phase1_dh_group_numbers : contains([2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24], o)])
564 | error_message = "Valid values are 2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 and 24."
565 | }
566 | }
567 |
568 |
569 | # List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
570 | # Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
571 | variable "tunnel2_phase1_dh_group_numbers"{
572 | default = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
573 | validation {
574 | condition = alltrue([for o in var.tunnel2_phase1_dh_group_numbers : contains([2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24], o)])
575 | error_message = "Valid values are 2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 and 24."
576 | }
577 | }
578 |
579 |
580 | # List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
581 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
582 | variable "tunnel1_phase1_encryption_algorithms"{
583 | default = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
584 | validation {
585 | condition = alltrue([for o in var.tunnel1_phase1_encryption_algorithms : contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], o)])
586 | error_message = "Valid values are AES128, AES256, AES128-GCM-16 and AES256-GCM-16."
587 | }
588 | }
589 |
590 |
591 | # List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
592 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
593 | variable "tunnel2_phase1_encryption_algorithms"{
594 | default = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
595 | validation {
596 | condition = alltrue([for o in var.tunnel2_phase1_encryption_algorithms : contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], o)])
597 | error_message = "Valid values are AES128, AES256, AES128-GCM-16 and AES256-GCM-16."
598 | }
599 | }
600 |
601 | # One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations.
602 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
603 | # SHA1 is included in the default only for compatibility with older customer gateway devices; prefer the SHA2 variants.
604 | variable "tunnel1_phase1_integrity_algorithms"{
605 | default = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
606 | validation {
607 | condition = alltrue([for o in var.tunnel1_phase1_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], o)])
608 | error_message = "Valid values are SHA1, SHA2-256, SHA2-384 and SHA2-512."
609 | }
610 | }
611 |
612 | # One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations.
613 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
614 | variable "tunnel2_phase1_integrity_algorithms"{
615 | default = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
616 | validation {
617 | condition = alltrue([for o in var.tunnel2_phase1_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], o)])
618 | error_message = "Valid values are SHA1, SHA2-256, SHA2-384 and SHA2-512."
619 | }
620 | }
621 |
622 |
623 | # The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds.
624 | # Valid value is between 900 and 28800.
625 | # A plain bounds check is used instead of chained contains(range(...)) calls: Terraform's range() refuses to
626 | # build a sequence of more than 1024 elements, which is the only reason such a range would need to be split into chunks.
627 | variable "tunnel1_phase1_lifetime_seconds"{
628 | type = number
629 | default = 28800
630 | validation {
631 | condition = (var.tunnel1_phase1_lifetime_seconds >= 900 && var.tunnel1_phase1_lifetime_seconds <= 28800)
632 | error_message = "Valid value falls within the range of 900 and 28800."
633 | }
634 | }
661 |
662 | # The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds.
663 | # Valid value is between 900 and 28800.
664 | variable "tunnel2_phase1_lifetime_seconds"{
665 | type = number
666 | default = 28800
667 | validation {
668 | condition = (var.tunnel2_phase1_lifetime_seconds >= 900 && var.tunnel2_phase1_lifetime_seconds <= 28800)
669 | error_message = "Valid value falls within the range of 900 and 28800."
670 | }
671 | }
702 |
703 | # List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
704 | # Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
705 | # Group 5 is accepted by the validation because the service allows it for phase 2, but, like group 2, it is a legacy MODP group and is not part of the default.
706 | variable "tunnel1_phase2_dh_group_numbers"{
707 | default = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
708 | validation {
709 | condition = alltrue([for o in var.tunnel1_phase2_dh_group_numbers : contains([2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24], o)])
710 | error_message = "Valid values are 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 and 24."
711 | }
712 | }
712 |
713 | # List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations.
714 | # Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
715 | variable "tunnel2_phase2_dh_group_numbers"{
716 | default = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
717 | validation {
718 | condition = alltrue([for o in var.tunnel2_phase2_dh_group_numbers : contains([2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24], o)])
719 | error_message = "Valid values are 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 and 24."
720 | }
721 | }
723 |
724 | # List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
725 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
726 | variable "tunnel1_phase2_encryption_algorithms"{
727 | default = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
728 | validation {
729 | condition = alltrue([for o in var.tunnel1_phase2_encryption_algorithms : contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], o)])
730 | error_message = "Valid value is equal to AES128 or AES256 or AES128-GCM-16 or AES256-GCM-16."
731 | }
732 | }
733 |
734 | # List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations
735 | # Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
736 | variable "tunnel2_phase2_encryption_algorithms"{
737 | default = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
738 | validation {
739 | condition = alltrue([for o in var.tunnel2_phase2_encryption_algorithms : contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], o)])
740 | error_message = "Valid value is equal to AES128 or AES256 or AES128-GCM-16 or AES256-GCM-16."
741 | }
742 | }
743 |
744 |
745 | # List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations.
746 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
747 | variable "tunnel1_phase2_integrity_algorithms"{
748 | default = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
749 | validation {
750 | condition = alltrue([for o in var.tunnel1_phase2_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], o)])
752 | error_message = "Valid value is equal to SHA1 or SHA2-256 or SHA2-384 or SHA2-512."
753 | }
754 | }
755 |
756 |
757 | # List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations.
758 | # Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
759 | variable "tunnel2_phase2_integrity_algorithms"{
760 | default = ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"]
761 | validation {
762 | condition = alltrue([for o in var.tunnel2_phase2_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], o)])
763 | error_message = "Valid value is equal to SHA1 or SHA2-256 or SHA2-384 or SHA2-512."
764 | }
765 | }
766 |
767 | # The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds.
768 | # Valid value is between 900 and 3600.
769 | variable "tunnel1_phase2_lifetime_seconds"{
770 | type = number
771 | default = 3600
772 | validation {
773 | condition = (var.tunnel1_phase2_lifetime_seconds >= 900 && var.tunnel1_phase2_lifetime_seconds <= 3600)
774 | error_message = "Valid value falls within the range of 900 and 3600."
775 | }
776 | }
776 |
777 | # The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds.
778 | # Valid value is between 900 and 3600.
779 | variable "tunnel2_phase2_lifetime_seconds"{
780 | type = number
781 | default = 3600
782 | validation {
783 | condition = (var.tunnel2_phase2_lifetime_seconds >= 900 && var.tunnel2_phase2_lifetime_seconds <= 3600)
784 | error_message = "Valid value falls within the range of 900 and 3600."
785 | }
786 | }
786 |
787 |
788 | # The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds)
789 | # during which the rekey time is randomly selected. Valid value is between 0 and 100.
790 | variable "tunnel1_rekey_fuzz_percentage"{
791 | default = 100
792 | validation {
793 | condition = contains(range(0, 101), var.tunnel1_rekey_fuzz_percentage)
794 | error_message = "Valid value falls within the range of 0 and 100."
795 | }
796 | }
797 |
798 | # The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds)
799 | # during which the rekey time is randomly selected. Valid value is between 0 and 100.
800 | variable "tunnel2_rekey_fuzz_percentage"{
801 | default = 100
802 | validation {
803 | condition = contains(range(0, 101), var.tunnel2_rekey_fuzz_percentage)
804 | error_message = "Valid value falls within the range of 0 and 100."
805 | }
806 | }
807 | # The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey.
808 | # The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
809 | # A validation block can reference only its own variable (cross-variable references arrived in Terraform 1.9), so the upper bound checked here is half of the
810 | # maximum phase 2 lifetime (3600 / 2 = 1800); the bound against the configured tunnel1_phase2_lifetime_seconds is enforced by the AWS API at apply time.
811 | variable "tunnel1_rekey_margin_time_seconds"{
812 | type = number
813 | default = 540
814 | validation {
815 | condition = (var.tunnel1_rekey_margin_time_seconds >= 60 && var.tunnel1_rekey_margin_time_seconds <= 1800)
816 | error_message = "Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds."
817 | }
818 | }
816 |
817 | # The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey.
818 | # The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
819 | # The upper bound checked here is half of the maximum phase 2 lifetime (1800); the AWS API enforces the bound against the configured tunnel2_phase2_lifetime_seconds.
820 | variable "tunnel2_rekey_margin_time_seconds"{
821 | type = number
822 | default = 540
823 | validation {
824 | condition = (var.tunnel2_rekey_margin_time_seconds >= 60 && var.tunnel2_rekey_margin_time_seconds <= 1800)
825 | error_message = "Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds."
826 | }
827 | }
826 |
827 | # The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
828 | variable "tunnel1_replay_window_size"{
829 | type = number
830 | default = 1024
831 | validation {
832 | condition = (var.tunnel1_replay_window_size >= 64 && var.tunnel1_replay_window_size <= 2048)
833 | error_message = "Valid value is between 64 and 2048."
834 | }
835 | }
835 |
836 | # The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
837 | variable "tunnel2_replay_window_size"{
838 | type = number
839 | default = 1024
840 | validation {
841 | condition = (var.tunnel2_replay_window_size >= 64 && var.tunnel2_replay_window_size <= 2048)
842 | error_message = "Valid value is between 64 and 2048."
843 | }
844 | }
844 |
845 |
846 | # The action to take when establishing the tunnel for the first VPN connection.
847 | # By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel.
848 | # Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
849 | variable "tunnel1_startup_action"{
850 | default = "add"
851 | validation {
852 | condition = (var.tunnel1_startup_action == "add" || var.tunnel1_startup_action == "start")
853 | error_message = "The variable tunnel1_startup_action accepts add or start."
854 | }
855 | }
856 |
857 | # The action to take when establishing the tunnel for the second VPN connection.
858 | # By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel.
859 | # Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
860 | variable "tunnel2_startup_action"{
861 | default = "add"
862 | validation {
863 | condition = (var.tunnel2_startup_action == "add" || var.tunnel2_startup_action == "start")
864 | error_message = "The variable tunnel2_startup_action accepts add or start."
865 | }
866 | }
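A hardened tunnel-options profile, added here as an illustration and not part of the module's own files. It is written as a terraform.tfvars file (assumed file name) against the variable names declared above; the values are this editor's choices, shown next to the module default each one replaces. Every algorithm listed must also be configured on the customer gateway device: IKE negotiates only proposals both sides offer, and an empty intersection means the tunnel never establishes.

```hcl
# Added example (not part of the module): hardened tunnel options for the
# variables declared in variables.tf, as a terraform.tfvars file.

# IKEv1 is legacy; negotiate IKEv2 only on both tunnels.
tunnel1_ike_versions = ["ikev2"] # default: ["ikev1", "ikev2"]
tunnel2_ike_versions = ["ikev2"]

# Phase 1 key exchange: drop DH group 2 (1024-bit MODP); keep the 2048-bit and
# larger MODP groups (14-18) and the elliptic-curve groups (19-21).
tunnel1_phase1_dh_group_numbers = [14, 15, 16, 17, 18, 19, 20, 21] # default: [2, 14, 15, ..., 24]
tunnel2_phase1_dh_group_numbers = [14, 15, 16, 17, 18, 19, 20, 21]

# Phase 1 cipher and integrity: AEAD cipher only, no SHA1.
tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]                     # default: all four AES variants
tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
tunnel1_phase1_integrity_algorithms  = ["SHA2-256", "SHA2-384", "SHA2-512"] # default also allows SHA1
tunnel2_phase1_integrity_algorithms  = ["SHA2-256", "SHA2-384", "SHA2-512"]

# Phase 1 lifetime: rekey the IKE SA every 4 hours instead of the 28800 s (8 h) maximum.
tunnel1_phase1_lifetime_seconds = 14400 # default: 28800
tunnel2_phase1_lifetime_seconds = 14400

# Phase 2 (IPsec SA): same tightening; group 5 (1536-bit MODP) is left out as well.
tunnel1_phase2_dh_group_numbers      = [14, 15, 16, 17, 18, 19, 20, 21]
tunnel2_phase2_dh_group_numbers      = [14, 15, 16, 17, 18, 19, 20, 21]
tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
tunnel1_phase2_integrity_algorithms  = ["SHA2-256", "SHA2-384", "SHA2-512"]
tunnel2_phase2_integrity_algorithms  = ["SHA2-256", "SHA2-384", "SHA2-512"]
tunnel1_phase2_lifetime_seconds      = 3600 # module default, also the maximum
tunnel2_phase2_lifetime_seconds      = 3600

# The rekey margin must not exceed half the phase 2 lifetime (1800 s here).
# 540 s (the module default) satisfies that and leaves time for the new SA to
# come up before the old one expires.
tunnel1_rekey_margin_time_seconds = 540
tunnel2_rekey_margin_time_seconds = 540
```

Run `terraform validate` after editing the tfvars file: each value above is checked by the corresponding `validation` block in variables.tf before any API call is made, so an unsupported algorithm name or an out-of-range lifetime is rejected at plan time rather than after the connection is created.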
867 |
868 |
869 | #-----------------------------------------------------------------------------------------------------
870 | # TAGS | -------> Exposes a uniform system of tagging.
871 | #-----------------------------------------------------------------------------------------------------
872 | # Variables that make up the AWS tags assigned to the resources created by this module.
873 | # ----------------------------------------------------------------------------------------------------
874 | variable "Application_ID" {
875 | description = "The Application ID for this application built by AWS."
876 | type = string
877 | default = "transit-gateway-builder-v0"
878 | }
879 |
880 | variable "Application_Name" {
881 | description = "The name of this application."
882 | type = string
883 | default = "aws-fsf-transit-gateway-builder"
884 | }
885 |
886 | variable "Business_Unit" {
887 | description = "Your business unit or line of business name"
888 | type = string
889 | default = "YourBusinessUnitName"
890 | }
891 |
892 | variable "Environment_Type" {
893 | description = "The environment type defaults to PRODUCTION and cannot be changed"
894 | type = string
895 | default = "PRODUCTION"
896 | validation {
897 | condition = (var.Environment_Type == "PRODUCTION")
898 | error_message = "PRODUCTION is the only supported value."
899 | }
900 | }
901 |
902 | variable "Supported_Networks" {
903 | description = "Administrative use only and should not be changed"
904 | type = string
905 | default = "Spoke_VPCs_Under_This_Organization"
906 | validation {
907 | condition = (var.Supported_Networks == "Spoke_VPCs_Under_This_Organization")
908 | error_message = "Spoke_VPCs_Under_This_Organization is the only supported value."
909 | }
910 | }
911 |
912 | variable "CostCenterCode" {
913 | description = "Your cost center code for billing purposes"
914 | type = string
915 | default = "YourCostCenterCode"
916 | }
917 |
918 | variable "CreatedBy" {
919 | description = "The name of the person who created this deployment."
920 | type = string
921 | default = "YourName"
922 | }
923 |
924 | variable "Manager" {
925 | description = "The name of the manager responsible for this deployment."
926 | type = string
927 | default = "YourManagerName"
928 | }
929 |
930 |
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | # Variable validation blocks and alltrue(), both used in variables.tf, require Terraform 0.13 or later.
3 | required_version = ">= 0.13"
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = "~> 3.0"
8 | }
9 | }
10 | }
--------------------------------------------------------------------------------