locals {
  # Accounts that should be offered this transit gateway:
  #   * every account in this partition's environment
  #   * the shared "common" accounts
  # The owning account is dropped from the list: it already has the TGW and
  # needs no RAM share to itself.
  #
  # Security note: this list is the only control over who can attach to the
  # TGW (the share below auto-accepts attachments), so changes to account_map
  # deserve the same review as a firewall rule change.
  tgw_share_candidates = concat(
    local.account_map[var.environment],
    local.account_map["common"]
  )

  remote_accounts = toset([
    for account_id in local.tgw_share_candidates :
    account_id
    if account_id != var.aws_account_id
  ])
}
# Availability zones usable in the current region/partition.
# NOTE(review): not referenced in this part of the file; presumably consumed
# by attachment/subnet resources elsewhere in the module — confirm, and drop
# the data source if nothing uses it.
data "aws_availability_zones" "available" {
  state = "available"
}
resource "aws_ec2_transit_gateway" "tgw" {
  description = "Transit gateway for ${var.environment} in ${var.aws_partition}."

  # Explicit Amazon-side ASN. Not strictly required today, but AWS recommends
  # pinning it for future proofing.
  amazon_side_asn = var.asn
  dns_support     = "enable"

  # Security note: "enable" means an attachment from any principal on the RAM
  # share is accepted with no manual accept step in this account. The share's
  # principal list (local.remote_accounts) is therefore the only gate on who can
  # plug a VPC into this network.
  auto_accept_shared_attachments = "enable"

  # Every attachment is associated with, and propagates routes into, the
  # default route table, so all attached VPCs can reach each other out of the
  # box. If any attached environment must be isolated from the others, give it
  # its own TGW route table instead of relying on these defaults.
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"

  # Later arguments win in merge(): standard tags override caller tags,
  # which override the Name tag.
  tags = merge({ "Name" = var.name }, var.tags, local.standard_tags)
}
# Cross-account sharing of the transit gateway goes through an AWS RAM
# resource share; the TGW and the principals are attached to it below.
resource "aws_ram_resource_share" "share_tgw" {
  name = var.name

  # Security note: true permits sharing with principals outside this AWS
  # Organization. It is only needed if some account in account_map is not in
  # the organization; if they all are, false is the safer setting, because a
  # mistyped account ID would then be rejected instead of silently handing an
  # unrelated AWS account an attachment path into this network. Left as true
  # here to preserve the module's current behavior — confirm which case applies.
  allow_external_principals = true

  tags = merge({ "Name" = var.name }, var.tags, local.standard_tags)
}
# Put the transit gateway itself on the share.
resource "aws_ram_resource_association" "share_tgw" {
  resource_share_arn = aws_ram_resource_share.share_tgw.arn
  resource_arn       = aws_ec2_transit_gateway.tgw.arn
}
# ...and invite every remote account to it. Each principal is a bare account
# ID; combined with auto-accepted attachments on the TGW, being on this list is
# all an account needs to route into the shared network, so review additions to
# account_map as a security change.
resource "aws_ram_principal_association" "share_with_accounts" {
  for_each = local.remote_accounts

  resource_share_arn = aws_ram_resource_share.share_tgw.arn
  principal          = each.key
}