cybergavin/terraform-aws-vpc-spoke-tgw

OpenTofu Module: vpc-spoke-tgw

This OpenTofu module provisions foundational networking infrastructure in spoke VPCs that host business applications or workloads. It helps to quickly set up basic networking required by workloads in a multi-account hub-spoke network topology on AWS, where all ingress and egress traffic to/from the workload VPC passes through a hub VPC (in another AWS account) via a Transit Gateway (TGW).

Features

  • Provisions the following network infrastructure in a spoke AWS account:
    • A VPC with subnets
    • TGW share acceptance and TGW attachments
    • Route tables with local and TGW-bound routes
    • DHCP options set with custom DNS settings
    • Security Groups for workloads
  • Leverages the cloudposse terraform-null-label module to assign standardized names to provisioned resources.
  • Applies tags consistently to provisioned resources.

Prerequisites

  • The TGW set up in the network services AWS account must be shared with the workload AWS account via Resource Access Manager (RAM) and the TGW share ARN must be made available. Ideally, if the TGW share is automated via OpenTofu, then the ARN may be accessed from OpenTofu state.
  • The TGW ID must be made available. Ideally, if the TGW provisioning is automated via OpenTofu, then the TGW ID may be accessed from OpenTofu state.

Example Usage

Refer to the sales-spoke-vpc example for a complete example of how to use this module.

NOTE: The sales-spoke-vpc example links the module via relative paths, but you can also link the module via the module registry as shown below.

```hcl
module "sales-spoke-vpc" {
  source = "git::https://github.com/cybergavin/terraform-aws-vpc-spoke-tgw.git?ref=<COMMIT_HASH>" # commit hash for required version
  # insert the required variables here
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.0, >= 1.8 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| networking_base_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |
| networking_dop_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |
| networking_rtb_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |
| networking_sg_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |
| networking_subnet_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |
| networking_tgw_attachment_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |
| networking_vpc_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |

Resources

| Name | Type |
|------|------|
| aws_default_security_group.this | resource |
| aws_ec2_transit_gateway_vpc_attachment.this | resource |
| aws_ram_resource_share_accepter.this | resource |
| aws_route.tgw_route | resource |
| aws_route_table.this | resource |
| aws_route_table_association.this | resource |
| aws_security_group.this | resource |
| aws_subnet.this | resource |
| aws_vpc.this | resource |
| aws_vpc_dhcp_options.this | resource |
| aws_vpc_dhcp_options_association.this | resource |
| aws_vpc_security_group_egress_rule.this | resource |
| aws_vpc_security_group_ingress_rule.this | resource |
| aws_availability_zones.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| app_id | The universally unique application ID for the service. Only alphanumeric characters are valid, with a string length from 3 to 8 characters. | string | "appid" | no |
| dns_domain | Domain name for DHCP option set | string | "" | no |
| dns_servers | List of custom DNS servers to use | list(string) | [] | no |
| environment | A valid Infrastructure Environment | string | "poc" | no |
| global_tags | A map of global tags to apply to all resources. | map(string) | {} | no |
| org | A name or abbreviation for the Organization. Only alphanumeric characters and hyphens are valid, with a string length from 3 to 8 characters. | string | "acme-it" | no |
| security_groups | List of security groups with associated ingress and egress rules | list(object({...})) (full type below) | n/a | yes |
| shared_transit_gateway_arn | The ARN of the Ingress network account's shared Transit Gateway. | string | n/a | yes |
| subnet_cidrs | A map of subnet aliases and their associated list of CIDR blocks across multiple AZs, with an alias length from 3 to 8 lowercase alphanumeric characters and valid CIDR blocks. | map(list(string)) | {} | no |
| tgw_sharing_enabled | Enable or disable the Transit Gateway sharing and attachment resources. Set to true to create the resources. | bool | false | no |
| transit_gateway_id | Transit Gateway ID for the peering connection. TBD: Obtain output from another tofu module. | string | n/a | yes |
| vpc_cidr | The CIDR block for the VPC | string | n/a | yes |

Full type of the security_groups input:

```hcl
list(object({
  alias       = string
  description = string
  ingress = optional(list(object({
    description          = string
    cidr_ipv4            = optional(string) # Optional for source CIDR
    source_sg_alias      = optional(string) # Optional for source SG
    ip_protocol          = string
    from_port            = optional(number) # Optional for cases like -1 protocol
    to_port              = optional(number) # Optional for cases like -1 protocol
  })))
  egress = optional(list(object({
    description          = string
    cidr_ipv4            = optional(string) # Optional for destination CIDR
    destination_sg_alias = optional(string) # Optional for destination SG
    ip_protocol          = string
    from_port            = optional(number) # Optional for cases like -1 protocol
    to_port              = optional(number) # Optional for cases like -1 protocol
  })))
}))
```
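As an added example (not code from the module's repository or its sales-spoke-vpc example), a complete call for a hypothetical sales spoke that pulls the TGW share ARN and TGW ID from the hub account's OpenTofu state, as the prerequisites suggest, and defines two least-privilege security groups with the security_groups type above. The remote-state backend settings, the hub state output names (tgw_share_arn, tgw_id), the CIDR ranges and the DNS server address are assumptions.

```hcl
# Added example, not from the module's repository: a spoke VPC for a
# hypothetical "sales" workload. Hub state outputs and backend are assumptions.
data "terraform_remote_state" "hub" {
  backend = "s3"
  config = {
    bucket = "<HUB_STATE_BUCKET>" # placeholder
    key    = "network-services/tgw.tfstate"
    region = "us-east-1"
  }
}

module "sales-spoke-vpc" {
  source = "git::https://github.com/cybergavin/terraform-aws-vpc-spoke-tgw.git?ref=<COMMIT_HASH>"
  org         = "acme-it"
  app_id      = "sales"
  environment = "poc"
  vpc_cidr    = "10.20.0.0/16"

  # One CIDR list per subnet alias; the CIDRs are spread across AZs.
  subnet_cidrs = {
    web = ["10.20.0.0/24", "10.20.1.0/24"]
    app = ["10.20.10.0/24", "10.20.11.0/24"]
  }

  dns_domain  = "sales.acme.internal"
  dns_servers = ["10.0.0.2"] # hub resolver (assumed)

  tgw_sharing_enabled        = true
  shared_transit_gateway_arn = data.terraform_remote_state.hub.outputs.tgw_share_arn
  transit_gateway_id         = data.terraform_remote_state.hub.outputs.tgw_id

  # Least privilege: web accepts HTTPS only from the hub range (arriving via
  # the TGW); app accepts only from the web tier's SG, referenced by alias.
  security_groups = [
    {
      alias       = "web"
      description = "Web tier"
      ingress = [{ description = "HTTPS from hub", cidr_ipv4 = "10.0.0.0/16", ip_protocol = "tcp", from_port = 443, to_port = 443 }]
      egress  = [{ description = "All egress via TGW", cidr_ipv4 = "0.0.0.0/0", ip_protocol = "-1" }]
    },
    {
      alias       = "app"
      description = "App tier"
      ingress = [{ description = "App port from web tier", source_sg_alias = "web", ip_protocol = "tcp", from_port = 8080, to_port = 8080 }]
      egress  = [{ description = "All egress via TGW", cidr_ipv4 = "0.0.0.0/0", ip_protocol = "-1" }]
    }
  ]

  global_tags = { CostCenter = "sales", Owner = "platform-team" }
}
```

Because every egress route in the spoke points at the TGW, the 0.0.0.0/0 egress rules still only reach what the hub VPC permits; review the hub-side route tables and inspection before treating them as open.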

Outputs

| Name | Description |
|------|-------------|
| security_groups | Map of security groups |
| subnets | Map of subnets |
| vpc_id | VPC ID |

About

OpenTofu module that sets up basic networking in a spoke VPC connected to a hub VPC via a Transit Gateway.
