TGW with VPCs from other accounts

[Bredoxon]

Hi, thanks for this module, looks awesome!

Question, does this module support creating the TGW in one account and attaching the VPCs from different accounts?

I've been trying to do that by following the multi account example but I can't seem to figure how to achieve this. For example:

provider "aws" {
  region = var.aws_region

  # Only these AWS Account IDs may be operated on by this template
  allowed_account_ids = [var.aws_account_id]
}

terraform {
  backend "s3" {}

  required_version = "= 0.13.7"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.26"
    }
  }
}

provider "aws" {
  alias  = "dev"

  region = var.aws_region

  assume_role {
    role_arn     = "arn:aws:iam::xxxxxxxx:role/allow-full-access-from-other-accounts"
  }
}

provider "aws" {
  alias  = "staging"

  region = var.aws_region

  assume_role {
    role_arn     = "arn:aws:iam::zzzzzz:role/allow-full-access-from-other-accounts"
  }
}

provider "aws" {
  alias  = "prod"

  region = var.aws_region

  assume_role {
    role_arn     = "arn:aws:iam::wwwww:role/allow-full-access-from-other-accounts"
  }
}


module "tgw" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "2.1.0"

  create_tgw  = true
  name        = var.name
  description = var.description

  enable_default_route_table_association = var.enable_default_route_table_association
  enable_default_route_table_propagation = var.enable_default_route_table_propagation
  enable_auto_accept_shared_attachments = var.enable_auto_accept_shared_attachments
  enable_vpn_ecmp_support = var.enable_vpn_ecmp_support
  enable_dns_support = var.enable_dns_support

  tags = var.tags
}

module "tgw_dev" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "2.1.0"

  providers = {
    aws = aws.dev
  }

  name        = "${var.name}-tgw-dev"
  description = "${var.description} Dev attachment"

  share_tgw   = true
  create_tgw  = false
  ram_resource_share_arn = module.tgw.ram_resource_share_id
  enable_auto_accept_shared_attachments = var.enable_auto_accept_shared_attachments

  enable_dns_support = var.enable_dns_support

  enable_default_route_table_association = var.enable_default_route_table_association
  enable_default_route_table_propagation = var.enable_default_route_table_propagation
  enable_vpn_ecmp_support = var.enable_vpn_ecmp_support

  ram_allow_external_principals = var.ram_allow_external_principals
  ram_principals = var.ram_principals

  vpc_attachments = {
    dev_vpc = {
      tgw_id       = module.tgw.ec2_transit_gateway_id
      vpc_id       = var.dev_vpc_id
      subnet_ids   = var.dev_vpc_private_app_subnet_ids
      dns_support  = true
      ipv6_support = false
      transit_gateway_default_route_table_association = false
      transit_gateway_default_route_table_propagation = false

      tgw_routes = [
        {
          destination_cidr_block = var.dev_destination_cidr_block
        },
      ]
    }
  }
}

[tfhartmann]

Hi @Bredoxon I think the facility your looking for can be found in the examples https://github.com/terraform-aws-modules/terraform-aws-transit-gateway#examples You'll need to use Resource Access Manager (RAM) to share the TransitGW with the client account. Your config will include something like this

I hope that helps!

[Bredoxon]

Hi @tfhartmann thanks for getting back, and sorry for my late response! For the records, I've ended up building my own custom module as couldn't find anything that suit the particular user case I had. 👍

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.