ahmutysj3/aws-transit-gateway-ngfw

AWS Transit Gateway VPC Network

  • This Terraform plan builds an AWS network environment using Transit Gateway and a FortiGate next-generation firewall (NGFW).

Network Structure

Hub-and-spoke design using Transit Gateway, made up of the following VPCs:

  • firewall Virtual Private Cloud
  • protected Virtual Private Cloud
  • management Virtual Private Cloud
  • public Virtual Private Cloud
  • dmz Virtual Private Cloud

Instructions

  • Define the region, supernet CIDR, network prefix, transit gateway options, firewall options and VPC names for the network in the terraform.tfvars file.
  • Using this module requires the Terraform AWS provider and the AWS CLI (including credentials) to be set up before running terraform init.
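An added example of a terraform.tfvars that fills in every input the module declares (this is not the repository's own file; the object shapes follow the Inputs section below, while the CIDRs, names, subnet and route-table labels, instance type and enable/disable choices are assumptions, since the module does not document accepted values):

```hcl
# Added example terraform.tfvars (not from the repository). Object shapes match
# the module's declared inputs; every concrete value is assumed and must be adapted.
region_aws     = "us-east-1"
network_prefix = "lab"            # prepended to every resource name

# The module requires a /16; spoke cidr_blocks are assumed to be carved from it.
supernet_cidr = "10.20.0.0/16"

# Keep VPC Flow Logs flowing to CloudWatch and retained long enough for incident review.
cloud_watch_params = {
  cloud_watch_on    = true
  retention_in_days = 90
}

transit_gateway_defaults = {
  amazon_side_asn                = 64512
  # These are "enable"/"disable" strings, as the aws_ec2_transit_gateway resource expects.
  auto_accept_shared_attachments = "disable"
  # The module builds its own TGW route table, associates every attachment with it and
  # adds null routes so spoke traffic must cross the firewall. If the default table also
  # associated and propagated, its automatic full-mesh routes would bypass the firewall.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  multicast_support               = "disable"
  dns_support                     = "enable"
  vpn_ecmp_support                = "enable"
}

firewall_defaults = {
  subnets       = ["outside", "inside"]  # assumed labels for the two firewall subnets
  rt_tables     = ["outside", "inside"]  # assumed labels for the matching route tables
  instance_type = "c5.xlarge"            # assumed; size per FortiGate AMI guidance
}

firewall_params = {
  firewall_name            = "fgt-hub"
  outside_extra_public_ips = 1           # extra EIPs on the outside interface
  inside_extra_private_ips = 1           # extra private IPs on the inside interface
}

# Spoke VPC names taken from the Network Structure section; CIDRs and the meaning
# of the subnets list (assumed here to be subnet CIDRs) are assumptions.
spoke_vpc_params = {
  protected  = { cidr_block = "10.20.1.0/24", subnets = ["10.20.1.0/25", "10.20.1.128/25"] }
  management = { cidr_block = "10.20.2.0/24", subnets = ["10.20.2.0/25", "10.20.2.128/25"] }
  public     = { cidr_block = "10.20.3.0/24", subnets = ["10.20.3.0/25", "10.20.3.128/25"] }
  dmz        = { cidr_block = "10.20.4.0/24", subnets = ["10.20.4.0/25", "10.20.4.128/25"] }
}
```

After terraform apply, confirm in the TGW route table that each spoke attachment's routes point at the firewall attachment and that the null routes exist, so no spoke-to-spoke path skips inspection.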

Resources

Data sources:

  • aws_ami.fortigate
  • aws_availability_zones.available
  • aws_iam_policy_document.assume_role
  • aws_iam_policy_document.flow_logs
  • aws_subnets.spoke_vpc
  • template_file.init

Resources:

  • aws_cloudwatch_log_group.flow_logs
  • aws_ec2_transit_gateway.main
  • aws_ec2_transit_gateway_route.firewall_to_spoke_subnets
  • aws_ec2_transit_gateway_route.fw_outside_null_route
  • aws_ec2_transit_gateway_route.spoke_null_route
  • aws_ec2_transit_gateway_route.spoke_to_firewall
  • aws_ec2_transit_gateway_route_table.main
  • aws_ec2_transit_gateway_route_table_association.firewall
  • aws_ec2_transit_gateway_route_table_association.spoke
  • aws_ec2_transit_gateway_vpc_attachment.firewall
  • aws_ec2_transit_gateway_vpc_attachment.spoke
  • aws_eip.firewall
  • aws_eip.outside_extra
  • aws_flow_log.cloud_watch_firewall
  • aws_flow_log.cloud_watch_spoke
  • aws_flow_log.firewall
  • aws_flow_log.spoke
  • aws_iam_instance_profile.api_call_profile
  • aws_iam_policy.api_call_policy
  • aws_iam_policy_attachment.api_call_attach
  • aws_iam_role.api_call_role
  • aws_iam_role.flow_logs
  • aws_iam_role_policy.flow_logs
  • aws_instance.fortigate
  • aws_internet_gateway.main
  • aws_internet_gateway_attachment.main
  • aws_network_acl.main
  • aws_network_acl_association.main
  • aws_network_interface.firewall
  • aws_route.firewall
  • aws_route.spoke
  • aws_route.tgw_spoke
  • aws_route.tgw_to_fw_inside
  • aws_route_table.firewall
  • aws_route_table.spoke
  • aws_route_table_association.firewall
  • aws_route_table_association.spoke
  • aws_s3_bucket.flow_logs
  • aws_security_group.firewall
  • aws_subnet.firewall
  • aws_subnet.spoke
  • aws_vpc.firewall
  • aws_vpc.spoke

Inputs

All inputs are required and have no default.

cloud_watch_params
    Values for CloudWatch logging.
    Type: object({
      cloud_watch_on    = bool
      retention_in_days = number
    })

firewall_defaults
    Default subnet and interface values for the firewall.
    Type: object({
      subnets       = list(string)
      rt_tables     = list(string)
      instance_type = string
    })

firewall_params
    Options for the FortiGate firewall instance.
    Type: object({
      firewall_name            = string
      outside_extra_public_ips = number
      inside_extra_private_ips = number
    })

network_prefix
    Prefix prepended to all resource names within the network.
    Type: string

region_aws
    AWS region.
    Type: string

spoke_vpc_params
    Parameters for the spoke VPCs, keyed by VPC name.
    Type: map(object({
      cidr_block = string
      subnets    = list(string)
    }))

supernet_cidr
    CIDR block for the entire datacenter; must be a /16.
    Type: string

transit_gateway_defaults
    Default option values for the transit gateway.
    Type: object({
      amazon_side_asn                 = number
      auto_accept_shared_attachments  = string
      default_route_table_association = string
      default_route_table_propagation = string
      multicast_support               = string
      dns_support                     = string
      vpn_ecmp_support                = string
    })

Outputs

No descriptions are provided for the outputs.

  • eips
  • subnets
  • transit_gateway
  • vpcs
