feat: Add support for optional Transit Gateway subnets in AWS VPC module, including new variables, resources, and outputs for subnet and route table IDs

Author: Arnel Jan Sarmiento

.github/dependabot.yml

@@ -1,7 +1,7 @@
 version: 2
 updates:
   - package-ecosystem: "terraform"
-    directory: "/" 
+    directory: "/"
     schedule:
       interval: daily
       time: "13:00"

modules/aws/vpc/main.tf

@@ -16,6 +16,8 @@ locals {
   nat_az_keys = var.enable_nat_gateway ? (
     var.single_nat_gateway ? { (var.availability_zones[0]) = 0 } : local.az_keys
   ) : {}
+
+  tgw_az_keys = length(var.transit_gateway_subnet_cidrs) > 0 ? local.az_keys : {}
 }
 
 # ------------------------------------------------------------------------------
@@ -115,6 +117,39 @@ resource "aws_route_table_association" "private" {
   route_table_id = aws_route_table.private[each.key].id
 }
 
+# ------------------------------------------------------------------------------
+# Transit Gateway Subnets (optional)
+# ------------------------------------------------------------------------------
+
+resource "aws_subnet" "transit_gateway" {
+  for_each = local.tgw_az_keys
+
+  vpc_id            = aws_vpc.this.id
+  cidr_block        = var.transit_gateway_subnet_cidrs[each.value]
+  availability_zone = each.key
+
+  tags = {
+    Name = "${var.name}-tgw-${each.key}"
+  }
+}
+
+resource "aws_route_table" "transit_gateway" {
+  for_each = local.tgw_az_keys
+
+  vpc_id = aws_vpc.this.id
+
+  tags = {
+    Name = "${var.name}-tgw-${each.key}"
+  }
+}
+
+resource "aws_route_table_association" "transit_gateway" {
+  for_each = aws_subnet.transit_gateway
+
+  subnet_id      = each.value.id
+  route_table_id = aws_route_table.transit_gateway[each.key].id
+}
+
 # ------------------------------------------------------------------------------
 # NAT Gateway (optional)
 # ------------------------------------------------------------------------------

modules/aws/vpc/outputs.tf

@@ -48,6 +48,16 @@ output "private_route_table_ids" {
   value       = [for rt in aws_route_table.private : rt.id]
 }
 
+output "transit_gateway_subnet_ids" {
+  description = "List of transit gateway subnet IDs. Empty when transit_gateway_subnet_cidrs is not provided."
+  value       = [for s in aws_subnet.transit_gateway : s.id]
+}
+
+output "transit_gateway_route_table_ids" {
+  description = "List of transit gateway route table IDs. Empty when transit_gateway_subnet_cidrs is not provided."
+  value       = [for rt in aws_route_table.transit_gateway : rt.id]
+}
+
 output "flow_log_id" {
   description = "ID of the VPC flow log."
   value       = aws_flow_log.this.id

modules/aws/vpc/variables.tf

@@ -52,3 +52,9 @@ variable "flow_log_retention_days" {
   type        = number
   default     = 30
 }
+
+variable "transit_gateway_subnet_cidrs" {
+  description = "CIDR blocks for transit gateway subnets, one per availability zone. Leave empty to skip creation."
+  type        = list(string)
+  default     = []
+}

workspaces/root/organizations/main.tf

@@ -33,10 +33,13 @@ resource "aws_organizations_organization" "this" {
   enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
 
   aws_service_access_principals = [
+    "ram.amazonaws.com",
     "sso.amazonaws.com",
   ]
 }
 
+resource "aws_ram_sharing_with_organization" "this" {}
+
 resource "aws_organizations_account" "accounts" {
   for_each = local.member_accounts