The purpose of this module is to provision the necessary resources to establish connectivity between a transit gateway and other VPCs, accounts, and on-premises networks, as well as provision a baseline for network topology and security. Currently this module can setup the requirement for
- Inspection VPC: provision the necessary resources and routing to inspect traffic between the transit gateway and spoke VPCs.
- Trusted Layout: here the routing is broken into two routing domains, trusted and untrusted. All traffic within the environment have the ability to route to the trusted domain attachments and back, but traffic between those networks located in the untrusted domain is forbidden.
- Egress VPC: using either one of the above, this module can setup the requirements for an egress VPC to route traffic to the internet.
- Ingress VPC: using either one of the above, this module can setup the requirements for an ingress VPC to route traffic from the internet, to the tenant VPCs.
module "example" {
source = "appvia/<NAME>/aws"
version = "0.0.1"
name = var.name
description = "The transit gateway fot all accounts within this region"
amazon_side_asn = var.asn
enable_dns_support = true
enable_external_principals = true
enable_multicast_support = true
enable_vpn_ecmp_support = true
tags = var.tags
connectivity_config = {
inspection = {
inspection_tgw_attachment_id = "tgw-attach-111111"
}
}
}
Currently the module supports the following layouts:
The inspection layout is intended to be used in collaboration with an Inspection VPC, filtering all traffic between the spokes, and depending if enabled, all traffic outbound to the internet or inbound via an ingress VPC.
module "connectivity" {
source = "appvia/connectivity/aws"
version = "0.1.7""
# insert variables here
connectivity_config = {
inspection = {
# The transit gateway attachment (naturally a chicken and egg problem here, so the attachment is optional)
attachment_id = module.firewall.attachment_id
# OR you can provision the vpc for the inspection vpc module to consume
network = {
availability_zones = 2
vpc_cidr = "100.64.0.0/23"
name = "inspection"
private_subnet_netmask = 24
public_subnet_netmask = 24
}
}
}
}
Note we do not deploy the inspection firewall via this repository; purely the networking, layout, routing required to make it happen. This is intentional as we view the firewall configuration is likely to fall under a different teams remit. This can be configured using the terraform-aws-firewall.
By adding the optional of egress, another VPC can be provisioned containing outbound nat gateways to route traffic to the internet.
module "connectivity" {
source = "appvia/connectivity/aws"
version = "0.0.2"
services = {
egress = {
network = {
availability_zones = 2
ipam_pool_id = module.ipam_pool.id
name = "egress"
vpc_netmask = 24
}
}
}
# insert variables here
connectivity_config = {
inspection = {
network = {
availability_zones = 2
vpc_cidr = "100.64.0.0/21"
name = "inspection"
private_netmask = 24
public_netmask = 24
}
}
}
}
Notes:
- The transit gateway must be configured so that the default association table is the
inbound
routing table; alls spokes are immediately connected to the inspection VPC. - The transit gateway must be configured so that the default propagation table is the
spokes
routing table; all traffic returning from the inspection VPC is routed to the correct spoke. - If egress is enabled, a default route is added to the
return
routing table to route traffic to the egress VPC. - If ingress is enabled, the spokes acts like any other spoke with all traffic being routed to the inspection VPC.
The trusted layout uses transit gateway routing tables to create two distinct routing domains:
- Trusted: can see all networks and can route traffic to and from them.
- Untrusted: can only see the trusted networks, and cannot route traffic to or from any other untrusted network.
The most common usage pattern here is to place resources such as CI, monitoring, logging, remote access within the trusted domain, with all other accounts falling into untrusted. Any other connectivity requirements between the accounts must use alternative methods to communicate; for example AWS Private Links
Notes:
- The transit gateway must be configured so that the default association table is
workloads
routing table, hence all new attachments are placed in the untrusted routing table. - The transit gateway must be configured so that the default propagation table is the
trusted
routing table, this ensures that all traffic has a route from trusted to untrusted. - Adding a new trusted requires manual intervention, i.e the network is automatically added to the untrusted routing table, manually deleted, and then the attachment id added to the trusted attachments variable.
- Any trusted attachments are automatically added to the untrusted routing table, to ensure bi-directional routing.
By adding a var.connectivity_config.egress
object, the module will provision the necessary resources to route traffic to the internet via a shared egress VPC. Routing within the choose network layout (inspection, or trusted) is automatically provisioned accordingly.
module "connectivity" {
source = "appvia/connectivity/aws"
version = "0.0.2"
connectivity_config = {
egress = {
network = {
availability_zones = 2
ipam_pool_id = var.ipam_pool_id
name = "egress"
private_netmask = 28
vpc_netmask = 24
}
}
}
}
By adding a var.connectivity_config.ingress
object, the module will provision the necessary resources to route traffic from the internet to the tenant VPCs. Routing within the choose network layout (inspection, or trusted) is automatically provisioned accordingly. Note, this module does not provisioned the load balancers and or WAF devices depicted in the diagram; purely the VPC and connectivity.
module "connectivity" {
source = "appvia/connectivity/aws"
version = "0.0.2"
connectivity_config = {
ingress = {
network = {
availability_zones = 2
ipam_pool_id = var.ipam_pool_id
name = "ingress"
private_netmask = 24
public_netmask = 22
vpc_netmask = 21
}
}
}
}
Ensuring all traffic is private and does not traverse the internet is a common requirement. By adding the var.connectivity_config.endpoints
object, the module will provision the necessary resources to route traffic to the internet via a shared endpoints VPC. Routing within the choose network layout (inspection, or trusted) is automatically provisioned accordingly.
Take a look at the endpoints module to see how it works, and the prerequisites required on the consumer side i.e associating the resolvers rule sets with the spoke vpc.
module "connectivity" {
source = "appvia/connectivity/aws"
version = "0.0.2"
connectivity_config = {
endpoints = {
# A collection of private endpoints to provision
services = {
ec2 = {
service = "ec2"
},
ec2messages = {
service = "ec2messages"
},
ssm = {
service = "ssm"
},
ssmmessages = {
service = "ssmmessages"
},
logs = {
service = "logs"
},
kms = {
service = "kms"
},
secretsmanager = {
service = "secretsmanager"
},
s3 = {
service = "s3"
},
}
# Configuration for sharing the resolver rule sets with the spoke vpcs
sharing = {
ram_principals = var.ram_principals
}
# Configuration for the endpoints vpc
network = {
availability_zones = 2
ipam_pool_id = var.ipam_pool_id
name = "endpoints"
private_netmask = 24
public_netmask = 22
vpc_netmask = 21
}
}
}
}
The following permissions are required by the module
module "network_transit_gateway_admin" {
count = var.repositories.connectivity != null ? 1 : 0
source = "appvia/oidc/aws//modules/role"
version = "1.3.6"
name = var.repositories.connectivity.role_name
description = "Deployment role used to deploy the Transit Gateway"
permission_boundary_arn = aws_iam_policy.default_permissions_boundary_network[0].arn
repository = var.repositories.connectivity.url
tags = var.tags
read_only_policy_arns = [
"arn:aws:iam::aws:policy/AWSResourceAccessManagerReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
"arn:aws:iam::aws:policy/ReadOnlyAccess",
]
read_write_policy_arns = [
"arn:aws:iam::${local.network_account_id}:policy/${aws_iam_policy.ipam_admin[0].name}",
"arn:aws:iam::aws:policy/AWSResourceAccessManagerFullAccess",
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"arn:aws:iam::aws:policy/job-function/NetworkAdministrator",
"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
]
read_write_inline_policies = {
"endpoints" = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"route53resolver:Associate*",
"route53resolver:Create*",
"route53resolver:Delete*",
"route53resolver:Disassociate*",
"route53resolver:Get*",
"route53resolver:List*",
"route53resolver:Tag*",
"route53resolver:Update*",
"Route53resolver:UnTag*"
]
Effect = "Allow"
Resource = "*"
}
]
})
}
# We can share our state with the firewall module
shared_repositories = var.repositories.firewall != null ? [var.repositories.firewall.url] : []
providers = {
aws = aws.network
}
}
The terraform-docs
utility is used to generate this README. Follow the below steps to update:
- Make changes to the
.terraform-docs.yml
file - Fetch the
terraform-docs
binary (https://terraform-docs.io/user-guide/installation/) - Run
terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
Name | Version |
---|---|
aws | >= 5.0.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
amazon_side_asn | The ASN for the transit gateway. | number |
n/a | yes |
connectivity_config | The type of connectivity options for the transit gateway. | object({ |
n/a | yes |
description | The description of the transit gateway to provision. | string |
n/a | yes |
tags | A map of tags to add to all resources. | map(string) |
n/a | yes |
enable_dns_support | Whether DNS support is enabled. | bool |
true |
no |
enable_external_principals | Whether to enable external principals in the RAM share. | bool |
true |
no |
enable_multicast_support | Whether multicast support is enabled. | bool |
false |
no |
enable_vpn_ecmp_support | Whether VPN Equal Cost Multipath Protocol support is enabled. | bool |
false |
no |
name | The name of the transit gateway to provision. | string |
"tgw" |
no |
prefix_lists | Provides the ability to provision prefix lists, and share them with other accounts. | list(object({ |
[] |
no |
prefix_ram_principals | The list of organizational units or accounts to share the prefix lists with. | list(string) |
[] |
no |
ram_share_name | The name of the RAM share to create for the transit gateway. | string |
"tgw-ram-share" |
no |
ram_share_principals | The list of organizational units or accounts to share the transit gateway with. | list(string) |
[] |
no |
services | A collection of features and services associated with this connectivity domain. | object({ |
{} |
no |
Name | Description |
---|---|
account_id | The AWS account ID. |
connectivity_type | The type of connectivity for the transit gateway. |
egress_vpc_id | The ID of the VPC that is used for egress traffic. |
egress_vpc_id_rt_attributes_by_type_by_az | The route table attributes of the egress VPC. |
egress_vpc_private_subnet_attributes_by_az | The attributes of the egress VPC. |
egress_vpc_public_subnet_attributes_by_az | The attributes of the egress VPC. |
endpoints_vpc_id | The ID of the VPC that is used for endpoint traffic. |
endpoints_vpc_id_rt_attributes_by_type_by_az | The route table attributes of the endpoints VPC. |
endpoints_vpc_private_subnet_attributes_by_az | The attributes of the endpoints VPC. |
ingress_vpc_id | The ID of the VPC that is used for ingress traffic. |
ingress_vpc_id_rt_attributes_by_type_by_az | The route table attributes of the ingress VPC. |
ingress_vpc_private_subnet_attributes_by_az | The attributes of the ingress VPC. |
ingress_vpc_public_subnet_attributes_by_az | The attributes of the ingress VPC. |
inspection_route_inbound_table_id | The ID of the inbound route table for inspection. |
inspection_vpc_id | The ID of the VPC that is used for inspection traffic. |
inspection_vpc_id_rt_attributes_by_type_by_az | The route table attributes of the inspection VPC. |
inspection_vpc_private_subnet_attributes_by_az | The attributes of the inspection VPC. |
inspection_vpc_public_subnet_attributes_by_az | The attributes of the inspection VPC. |
region | The AWS region in which the resources are created. |
transit_gateway_id | The ID of the transit gateway. |
trusted_core_route_table_id | The ID of the trusted core route table. |
trusted_route_table_id | The ID of the trusted route table. |
workloads_route_table_id | The ID of the workloads route table. |