xdr-terraform-modules/base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-tgw.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: The template creates the TGW resource to connect on-premises firewall with cloud (qs-1qp7e9toe)
Parameters:
  PrivateSubnet1ARouteTable:
    Type: String
    Description: Public Subnet 1 Route Table ID
  PrivateSubnet2ARouteTable:
    Type: String
    Description: Public Subnet 2 Route Table ID
  PrivateSubnet3ARouteTable:
    Type: String
    Default: 'null'
    Description: Public Subnet 3 Route Table ID
  PrivateSubnet4ARouteTable:
    Type: String
    Default: 'null'
    Description: Public Subnet 4 Route Table ID
  OnPremFirewallPublicIP:
    Description: Specify the Public IP of the on-premises ASAv/router
    Type: String
  OnPremFirewallASN:
    Description: Specify the BGP ASN of the on-premisis ASAv/router
    Type: String
  PreSharedKeyForVPNAttachment:
    Description: Specify the PreSharedKey of vEdgeCloud1. Must be 15 characters in length and cannot start with zero (0).
    Type: String
  AmazonSideAsn:
    Description: A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
    Type: String
  VPNTunnelCIDRs:
    Description: Specify the Tunnel InsideCIDRs for the on-premises firewall. You can use the default pre-filled CIDRs as well.
    Type: CommaDelimitedList
  VPCID:
    Type: AWS::EC2::VPC::Id
    Description: Select VPC which for VPC Attachment
  TGWSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Description: CIDR block for TGW subnet 1 located in Availability Zone 1
    Type: String
  TGWSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Description: CIDR block for TGW subnet 2 located in Availability Zone 1
    Type: String
  TGWSubnet3CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Description: CIDR block for TGW subnet 3 located in Availability Zone 1
    Type: String
  TGWSubnet4CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Description: CIDR block for TGW subnet 4 located in Availability Zone 1
    Type: String
  VPNPoolCIDR1:
    Description: CIDR block for the VPN pool 1
    Type: String
  VPNPoolCIDR2:
    Description: CIDR block for the VPN pool 2
    Type: String
  VPNPoolCIDR3:
    Description: CIDR block for the VPN pool 3
    Type: String
  VPNPoolCIDR4:
    Description: CIDR block for the VPN pool 4
    Type: String
  OnPremCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Description: CIDR block for the On-prem network
    Type: String
  AvailabilityZones:
    Description: >-
      List of Availability Zones to use for the subnets in the VPC. Note: The
      logical order is preserved and only 2 AZs are used for this deployment.
    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
  NumberOfAZs:
    Description: >-
      Number of Availability Zones to use in the VPC. This must match your
      selections in the list of Availability Zones parameter.
    Type: String
  NumberOfASAv:
    Description: >-
      Number of ASAv Instances to be initiated.
    Type: String  
  NetworkInterfaceId1ASAv1:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv1 for 1 ASAv deployment
  NetworkInterfaceId1ASAv2:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv1 for 2 ASAv deployment
  NetworkInterfaceId2ASAv2:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv2 for 2 ASAv deployment
  NetworkInterfaceId1ASAv3:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv1 for 3 ASAv deployment
  NetworkInterfaceId2ASAv3:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv2 for 3 ASAv deployment
  NetworkInterfaceId3ASAv3:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv3 for 3 ASAv deployment
  NetworkInterfaceId1ASAv4:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv1 for 4 ASAv deployment
  NetworkInterfaceId2ASAv4:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv2 for 4 ASAv deployment
  NetworkInterfaceId3ASAv4:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv3 for 4 ASAv deployment
  NetworkInterfaceId4ASAv4:
    Type: String
    Default: 'null'
    Description: NetworkInterfaceId of ASAv4 for 4 ASAv deployment
  QSS3BucketName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters, uppercase
      letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Description: >-
      S3 bucket name for the Quick Start assets. Quick Start bucket name can
      include numbers, lowercase letters, uppercase letters, and hyphens (-). It
      cannot start or end with a hyphen (-).
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: "^[0-9a-zA-Z-/]*$"
    ConstraintDescription: >-
      Quick Start key prefix can include numbers, lowercase letters, uppercase
      letters, hyphens (-), and forward slash (/).
    Description: >-
      S3 key prefix for the Quick Start assets. Quick Start key prefix can
      include numbers, lowercase letters, uppercase letters, hyphens (-), and
      forward slash (/).
    Type: String
  QSS3BucketRegion:
    Description: >-
      The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted.
      When using your own bucket, you must specify this value.
    Type: String
Conditions:
  UsingDefaultBucket: !Equals 
    - !Ref QSS3BucketName
    - aws-quickstart
  1AZCondition: !Equals
    - !Ref 'NumberOfAZs'
    - '1'
  2AZCondition: !Equals
    - !Ref 'NumberOfAZs'
    - '2'
  3AZCondition: !Equals
    - !Ref 'NumberOfAZs'
    - '3'
  4AZCondition: !Equals
    - !Ref 'NumberOfAZs'
    - '4'
  #Subnet conditions to specifically handle TGW Subnet Resource constraints
  1SubnetCondition: !Or
    - !Equals
      - !Ref 'NumberOfAZs'
      - '1'
    - !Condition 2SubnetCondition
    - !Condition 3SubnetCondition
    - !Condition 4SubnetCondition
  2SubnetCondition: !Or
    - !Equals
      - !Ref 'NumberOfAZs'
      - '2'
    - !Condition 3SubnetCondition
    - !Condition 4SubnetCondition
  3SubnetCondition: !Or
    - !Equals
      - !Ref 'NumberOfAZs'
      - '3'
    - !Condition 4SubnetCondition
  4SubnetCondition: !Equals
    - !Ref 'NumberOfAZs'
    - '4'
  1ASAvCondition: !Equals
    - !Ref 'NumberOfASAv'
    - '1'
  2ASAvCondition: !Equals
    - !Ref 'NumberOfASAv'
    - '2'
  3ASAvCondition: !Equals
    - !Ref 'NumberOfASAv'
    - '3'
  4ASAvCondition: !Equals
    - !Ref 'NumberOfASAv'
    - '4'
Resources:
#------------------ TGW Subnets and Routes -------------------------------------------
  TGWSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref 'VPCID'
      CidrBlock: !Ref 'TGWSubnet1CIDR'
      AvailabilityZone: !Select
        - '0'
        - !Ref 'AvailabilityZones'
      Tags:
        - Key: Name
          Value: TGW subnet 1
  TGWSubnet2:
    Condition: 2SubnetCondition
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref 'VPCID'
      CidrBlock: !Ref 'TGWSubnet2CIDR'
      AvailabilityZone: !Select
        - '1'
        - !Ref 'AvailabilityZones'
      Tags:
        - Key: Name
          Value: TGW subnet 2
  TGWSubnet3:
    Condition: 3SubnetCondition
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref 'VPCID'
      CidrBlock: !Ref 'TGWSubnet3CIDR'
      AvailabilityZone: !Select
        - '2'
        - !Ref 'AvailabilityZones'
      Tags:
        - Key: Name
          Value: TGW subnet 3
  TGWSubnet4:
    Condition: 4AZCondition
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref 'VPCID'
      CidrBlock: !Ref 'TGWSubnet4CIDR'
      AvailabilityZone: !Select
        - '3'
        - !Ref 'AvailabilityZones'
      Tags:
        - Key: Name
          Value: TGW subnet 4
  TGWSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'VPCID'
      Tags:
        - Key: Name
          Value: TGW subnets route table
  TGWSubnet1Route:
    Condition: 1ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR1
      NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv1
  TGWSubnet1Route2ASAv:
    Condition: 2ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR1
      NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv2
  TGWSubnet1Route3ASAv:
    Condition: 3ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR1
      NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv3
  TGWSubnet1Route4ASAv:
    Condition: 4ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR1
      NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv4 
  TGWSubnet1AZRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'TGWSubnet1'
      RouteTableId: !Ref 'TGWSubnetRouteTable'
  TGWSubnet2Route:
    Condition: 2ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR2
      NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv2
  TGWSubnet2Route3ASAv:
    Condition: 3ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR2
      NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv3
  TGWSubnet2Route4ASAv:
    Condition: 4ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR2
      NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv4
  TGWSubnet2AZRouteTableAssociation:
    Condition: 2SubnetCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'TGWSubnet2'
      RouteTableId: !Ref 'TGWSubnetRouteTable'
  TGWSubnet3Route:
    Condition: 3ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR3
      NetworkInterfaceId: !Ref NetworkInterfaceId3ASAv3
  TGWSubnet3Route4ASAv:
    Condition: 4ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR3
      NetworkInterfaceId: !Ref NetworkInterfaceId3ASAv4
  TGWSubnet3AZRouteTableAssociation:
    Condition: 3SubnetCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'TGWSubnet3'
      RouteTableId: !Ref 'TGWSubnetRouteTable'
  TGWSubnet4Route:
    Condition: 4ASAvCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'TGWSubnetRouteTable'
      DestinationCidrBlock: !Ref VPNPoolCIDR4
      NetworkInterfaceId: !Ref NetworkInterfaceId4ASAv4
  TGWSubnet4AZRouteTableAssociation:
    Condition: 4SubnetCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'TGWSubnet4'
      RouteTableId: !Ref 'TGWSubnetRouteTable'
#------------------ Transit Gateway -------------------------------------------
  TransitGateway:
    Type: "AWS::EC2::TransitGateway"
    Properties:
      AmazonSideAsn: !Ref AmazonSideAsn
      AutoAcceptSharedAttachments: enable
      DefaultRouteTableAssociation: disable
      DefaultRouteTablePropagation: disable
      Description: A transit gateway connect onpremsised with AWS 
      Tags: 
      - Key: Name
        Value: !Sub ${AWS::StackName}-TGW
#------------------ Copy lambda stack into local S3 bucket ------------------------------------------------
  CopyLambdaStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      #TemplateURL: !Sub "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/copy-lambdas.yaml"
      TemplateURL: !Sub 
        - >-
          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/copy-lambdas.yaml
        - S3Region: !If 
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref QSS3BucketRegion
          S3Bucket: !If 
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref QSS3BucketName
      Parameters:
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
##------------------ Custom Resource lambda to get the various TGW properties needed -------------------------------------------
  LambdaBasicExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
          Condition: {}
      Path: /
      Policies:
        - PolicyName: !Sub ${AWS::StackName}-tgwDescribe
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:*:*:*
              - Effect: Allow
                Action:
                  - ec2:DescribeVpnConnections
                  - ec2:DescribeTransitGatewayRouteTables
                  - ec2:DescribeTransitGatewayAttachments
                Resource: "*"
  TransitGatewayProperties:
    Type: Custom::TransitGatewayProperty
    Properties:
      ServiceToken: !GetAtt 'TransitGatewayLambda.Arn'
      vpn_id: !Ref VPNAttachment
      stackName: !Ref "AWS::StackName"
  TransitGatewayLambda:
    Type: AWS::Lambda::Function
    Properties:
      Handler: getTgwProperties/lambda_function.lambda_handler
      Timeout: 60
      Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
      Runtime: python3.6
      Code:
        S3Bucket: !GetAtt 'CopyLambdaStack.Outputs.LambdaZipsBucket'
        S3Key: !Sub "${QSS3KeyPrefix}functions/packages/lambda.zip"
      MemorySize: 3008
#------------------ TGW Route Tables and Routes -------------------------------------------
  TransitGatewaySecurityRouteTable:
    Type: "AWS::EC2::TransitGatewayRouteTable"
    Properties:
      Tags: 
      - Key: Name
        Value: !Sub ${AWS::StackName}-Securityrtb
      TransitGatewayId: !Ref TransitGateway
  TransitGatewayVPNRoute:
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref OnPremCIDR
      TransitGatewayAttachmentId: !GetAtt TransitGatewayProperties.vpn1_tgw_attachment_id
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute1:
    Condition: 1ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR1
      TransitGatewayAttachmentId: !Ref VPCAttachment1AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute2a:
    Condition: 2ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR1
      TransitGatewayAttachmentId: !Ref VPCAttachment2AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute2b:
    Condition: 2ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR2
      TransitGatewayAttachmentId: !Ref VPCAttachment2AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute3a:
    Condition: 3ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR1
      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute3b:
    Condition: 3ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR2
      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute3c:
    Condition: 3ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR3
      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute4a:
    Condition: 4ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR1
      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute4b:
    Condition: 4ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR2
      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute4c:
    Condition: 4ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR3
      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewayVPNPoolRoute4d:
    Condition: 4ASAvCondition
    Type: AWS::EC2::TransitGatewayRoute
    Properties: 
      DestinationCidrBlock: !Ref VPNPoolCIDR4
      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  TransitGatewaySpokeRouteTable:
    Type: "AWS::EC2::TransitGatewayRouteTable"
    Properties:
      Tags: 
      - Key: Name
        Value: !Sub ${AWS::StackName}-Spokertb
      TransitGatewayId: !Ref TransitGateway
#------------------ TGW VPN attachment -------------------------------------------
  CustomerGateway: 
    Type: AWS::EC2::CustomerGateway
    Properties: 
      Type: ipsec.1
      BgpAsn: !Ref OnPremFirewallASN
      IpAddress: !Ref OnPremFirewallPublicIP
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-On-Premgateway"
  VPNAttachment:
    Type: AWS::EC2::VPNConnection
    Properties: 
      CustomerGatewayId: !Ref CustomerGateway
      TransitGatewayId: !Ref TransitGateway
      Type: ipsec.1
      VpnTunnelOptionsSpecifications: 
        - PreSharedKey: !Ref PreSharedKeyForVPNAttachment
          TunnelInsideCidr: !Select [0, !Ref VPNTunnelCIDRs] 
        - PreSharedKey: !Ref PreSharedKeyForVPNAttachment
          TunnelInsideCidr: !Select [1, !Ref VPNTunnelCIDRs]
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-VPNAttachment"
#------------------ TGW VPC attachments -------------------------------------------
  VPCAttachment1AZ:
    Condition: 1AZCondition
    Type: AWS::EC2::TransitGatewayAttachment
    Properties: 
      SubnetIds: 
        - !Ref TGWSubnet1
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-VPCAttachment"
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref VPCID
  VPCAttachment2AZ:
    Condition: 2AZCondition
    Type: AWS::EC2::TransitGatewayAttachment
    Properties: 
      SubnetIds: 
        - !Ref TGWSubnet1
        - !Ref TGWSubnet2
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-VPCAttachment"
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref VPCID
  VPCAttachment3AZ:
    Condition: 3AZCondition
    Type: AWS::EC2::TransitGatewayAttachment
    Properties: 
      SubnetIds: 
        - !Ref TGWSubnet1
        - !Ref TGWSubnet2
        - !Ref TGWSubnet3
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-VPCAttachment"
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref VPCID
  VPCAttachment4AZ:
    Condition: 4AZCondition
    Type: AWS::EC2::TransitGatewayAttachment
    Properties: 
      SubnetIds: 
        - !Ref TGWSubnet1
        - !Ref TGWSubnet2
        - !Ref TGWSubnet3
        - !Ref TGWSubnet4
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-VPCAttachment"
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref VPCID
#------------------ TGW route table associations -------------------------------------------
  CustomerGatewayTransitGatewayAssociation:
    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
    Properties:
      TransitGatewayAttachmentId: !GetAtt TransitGatewayProperties.vpn1_tgw_attachment_id
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  #The VPC association works
  VPCTransitGatewayAssociation1AZ:
    Condition: 1AZCondition
    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
    Properties:
      TransitGatewayAttachmentId: !Ref VPCAttachment1AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  VPCTransitGatewayAssociation2AZ:
    Condition: 2AZCondition
    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
    Properties:
      TransitGatewayAttachmentId: !Ref VPCAttachment2AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  VPCTransitGatewayAssociation3AZ:
    Condition: 3AZCondition
    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
    Properties:
      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  VPCTransitGatewayAssociation4AZ:
    Condition: 4AZCondition
    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
    Properties:
      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
#------------------ TGW route table propagations -------------------------------------------
  EdgeRouteTablePropagation1AZ:
    Condition: 1AZCondition
    Type: "AWS::EC2::TransitGatewayRouteTablePropagation"
    Properties:
      TransitGatewayAttachmentId: !Ref VPCAttachment1AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  EdgeRouteTablePropagation2AZ:
    Condition: 2AZCondition
    Type: "AWS::EC2::TransitGatewayRouteTablePropagation"
    Properties:
      TransitGatewayAttachmentId: !Ref VPCAttachment2AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  EdgeRouteTablePropagation3AZ:
    Condition: 3AZCondition
    Type: "AWS::EC2::TransitGatewayRouteTablePropagation"
    Properties:
      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  EdgeRouteTablePropagation4AZ:
    Condition: 4AZCondition
    Type: "AWS::EC2::TransitGatewayRouteTablePropagation"
    Properties:
      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
  RouteTableEntryPrivate1:
    Type: AWS::EC2::Route
    DependsOn: TransitGatewayVPNRoute
    Properties: 
      DestinationCidrBlock: !Ref OnPremCIDR
      RouteTableId: !Ref PrivateSubnet1ARouteTable
      TransitGatewayId: !Ref TransitGateway
  RouteTableEntryPrivate2:
    Condition: 2SubnetCondition
    Type: AWS::EC2::Route
    DependsOn: TransitGatewayVPNRoute
    #DependsOn: VPCAttachment2AZ
    Properties: 
      DestinationCidrBlock: !Ref OnPremCIDR
      RouteTableId: !Ref PrivateSubnet2ARouteTable
      TransitGatewayId: !Ref TransitGateway
  RouteTableEntryPrivate3:
    Condition: 3SubnetCondition
    DependsOn: TransitGatewayVPNRoute
    #DependsOn: VPCAttachment3AZ
    Type: AWS::EC2::Route
    Properties: 
      DestinationCidrBlock: !Ref OnPremCIDR
      RouteTableId: !Ref PrivateSubnet3ARouteTable
      TransitGatewayId: !Ref TransitGateway
  RouteTableEntryPrivate4:
    Condition: 4SubnetCondition
    Type: AWS::EC2::Route
    DependsOn: TransitGatewayVPNRoute
    #DependsOn: VPCAttachment4AZ
    Properties: 
      DestinationCidrBlock: !Ref OnPremCIDR
      RouteTableId: !Ref PrivateSubnet4ARouteTable
      TransitGatewayId: !Ref TransitGateway
Outputs:
  TransitGateway:
    Value: !Ref TransitGateway
    Export: 
      Name: !Sub ${AWS::StackName}-TransitGateway
  AmazonSideAsn:
    Description: "Amazon side ASN for the BGP session"
    Value: !Ref AmazonSideAsn
  VPNTunnelInsideCIDRs:
    Description: "VPN  Tunnel CIDRs"
    Value: !Join
      - ','
      - !Ref VPNTunnelCIDRs
    Export: 
      Name: !Sub ${AWS::StackName}-VPNTunnelInsideCIDRs
  VPNTunnelOutsideIPs:
    Description: "VPN Tunnel Outside IP"
    Value: !Join
      - ','
      - !GetAtt TransitGatewayProperties.vpn0OutsideIps
    Export: 
      Name: !Sub ${AWS::StackName}-VPNTunnelOutsideIPs
  VPNPreSharedKey:
    Description: "VPN IPsec PreSharedKey"
    Value: !Ref PreSharedKeyForVPNAttachment
    Export: 
      Name: !Sub ${AWS::StackName}-PreSharedKey