My takeaways from Terraform code and Gateway Load Balancer

My first bit of code for my new employer was to help set up a “security VPC” that hosts a pair of Palo Alto firewalls to inspect traffic from other AWS accounts (AKA “hub and spoke”). This work was based (loosely) on repos found here and here; those repos build a similar environment, but within a single AWS account. My team’s goal was to use separate AWS accounts to align with best practices. The design can be seen below.

The setup requires the use of Resource Access Manager (RAM) to share the Transit Gateway across the accounts. The TGW needs to be set to “appliance mode”, and we also learned that transit_gateway_default_route_table_association and transit_gateway_default_route_table_propagation need to be set to “false” (the default is “true”). Your code then has to set up the needed route tables, route table associations and routes. The strange thing is, we could never figure out why Terraform could not add the routes we needed. Our workaround was to use a null_resource and have a local-exec call the AWS CLI to add the route. We run the local-exec for each route needed, passing the required params at run time, like the following:

resource "null_resource" "add_dev_route_sec_rtb" {
  provisioner "local-exec" {
    # Credentials come from a file outside the module directory. The route the
    # CLI creates here is not tracked in Terraform state, so a later destroy
    # will not remove it.
    environment = {
      AWS_SHARED_CREDENTIALS_FILE = "../credentials"
    }
    command = "aws ec2 create-transit-gateway-route --destination-cidr-block ${var.dev_cidr} --transit-gateway-route-table-id ${module.sec-tgw-rtb.id} --transit-gateway-attachment-id ${module.dev.tgw-attach-id} --profile slalom-master --region us-east-1"
  }
  # Add the route only after the attachment is associated with the route table.
  depends_on = [module.sec-tgw-rtb-assc]
}

A note on the RAM sharing…I was not able to get the RAM portion to work on a new account/environment until after I manually created a shared object. So a bit of manual setup is needed.
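The two paragraphs above (the TGW settings, route tables, associations and routes, and the RAM share) describe one layout, so here is the whole thing in declarative form as an added example. This is not code from the post or from the repos it references; it is written against the hashicorp/aws provider, and every account ID, CIDR, VPC, subnet and attachment ID in it is a placeholder. The last resource is the native form of the route the post adds through local-exec; the post reports that Terraform could not add it in their environment, so treat it as the thing to try first, not as a fix for that problem.

```hcl
# Added example (not the post's own code): hub-and-spoke TGW with inspection
# in a security VPC. All IDs and CIDRs below are placeholders.
variable "dev_cidr"          { default = "10.20.0.0/16" }          # constructed spoke CIDR
variable "dev_account_id"    { default = "111111111111" }          # placeholder spoke account
variable "sec_vpc_id"        { default = "vpc-PLACEHOLDER" }
variable "sec_subnet_ids"    { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }
variable "dev_attachment_id" { default = "tgw-attach-PLACEHOLDER" } # created in the spoke account

# With the default route table disabled, a new attachment reaches nothing
# until a route table is explicitly associated with it.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "security hub"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# Share the TGW with the spoke account through RAM.
resource "aws_ram_resource_share" "tgw" {
  name                      = "tgw-share"
  allow_external_principals = false # accounts in the same organization only
}

resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "dev" {
  principal          = var.dev_account_id
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

# Security VPC attachment. Appliance mode keeps both directions of a flow on
# the same firewall AZ, which stateful inspection depends on.
resource "aws_ec2_transit_gateway_vpc_attachment" "sec" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = var.sec_vpc_id
  subnet_ids                                      = var.sec_subnet_ids
  appliance_mode_support                          = "enable"
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# One route table for the security VPC, one shared by all spokes.
resource "aws_ec2_transit_gateway_route_table" "sec" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "sec" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.sec.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.sec.id
}

# The spoke attachment is created in the spoke account; the TGW owner accepts
# it here and binds it to the spoke route table.
resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "dev" {
  transit_gateway_attachment_id                   = var.dev_attachment_id
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_route_table_association" "dev" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment_accepter.dev.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# Spokes send everything to the firewalls. Because the spoke table holds only
# this default route, spoke-to-spoke traffic is inspected as well.
resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.sec.id
}

# Return route from the firewall table to the dev spoke: the native form of
# the route the post creates with "aws ec2 create-transit-gateway-route".
resource "aws_ec2_transit_gateway_route" "dev_return" {
  destination_cidr_block         = var.dev_cidr
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.sec.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment_accepter.dev.id
  depends_on                     = [aws_ec2_transit_gateway_route_table_association.dev]
}
```

The depends_on on the last resource mirrors the one the post puts on its null_resource: the association has to exist before a route for that attachment can be placed in the table. The difference worth keeping in mind is state: a route declared as aws_ec2_transit_gateway_route is planned, drift-checked and destroyed by Terraform, whereas one created through local-exec is invisible to it, so a plan will not flag a route that was later deleted or altered by hand.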

Happy building,

D
