diff --git a/modules/trusted/README.md b/modules/trusted/README.md
index 253d340..aa65f78 100644
--- a/modules/trusted/README.md
+++ b/modules/trusted/README.md
@@ -16,11 +16,13 @@
 | [enable\_dns\_support](#input\_enable\_dns\_support) | Whether DNS support is enabled. | `bool` | `true` | no |
 | [enable\_external\_principals](#input\_enable\_external\_principals) | Whether to enable external principals in the RAM share. | `bool` | `true` | no |
 | [enable\_multicast\_support](#input\_enable\_multicast\_support) | Whether multicast support is enabled. | `bool` | `false` | no |
+| [enable\_ssm\_sharing](#input\_enable\_ssm\_sharing) | Whether to create and share the SSM parameter for the transit gateway ID. | `bool` | `false` | no |
 | [enable\_vpn\_ecmp\_support](#input\_enable\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled. | `bool` | `false` | no |
 | [name](#input\_name) | The name of the transit gateway to provision. | `string` | `"tgw"` | no |
 | [ram\_share\_name](#input\_ram\_share\_name) | The name of the RAM share to create for the transit gateway. | `string` | `"tgw-ram-share"` | no |
 | [ram\_share\_principals](#input\_ram\_share\_principals) | The list of organizational units or accounts to share the transit gateway with. | `list(string)` | `[]` | no |
 | [services](#input\_services) | A collection of features and services associated with this connectivity domain. |
object({

egress = optional(object({
network = object({
# Defines the configuration for an egress network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the egress network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the egress network. Defaults to null.
name = optional(string, "egress")
# The name of the egress network. Defaults to 'egress'.
private_netmask = optional(number, 28)
# The netmask to use for the private network. Defaults to 28.
public_netmask = optional(number, 28)
# The netmask to use for the public network. Defaults to 28.
transit_gateway_routes = optional(map(string), {
private = "10.0.0.0/8"
public = "10.0.0.0/8"
})
# The transit gateway route tables entries for the egress network.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})
}), null)

dns = optional(object({
# The list of organizational units or accounts to share the domain rule with.
resolver_name = optional(string, "dns-resolver")

# Defines the configuration for the endpoints network.
network = object({
# Defines the configuration for the endpoints network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the endpoints network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the endpoints network. Defaults to null.
name = optional(string, "central-dns")
# The name of the endpoints network. Defaults to 'endpoints'.
private_netmask = optional(number, 24)
# The netmask to use for the private network. Defaults to 24, ensure space for enough aws services.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
}),

domain_rules = optional(list(object({
ram_share_name = optional(string, "central-dns")
# The name of the domain rule - this is mapped to the resource share name
ram_principals = optional(map(string), {})
# The name of the resolver to use. Defaults to 'dns-resolver'.
rules = list(object({
name = string
# The name of the rule - the ram share name is domain.name + "-" + rule.name
# The list of domain rules to apply to the domain.
domain = string
# The domain to apply the rule to.
targets = optional(list(string), [])
# The list of targets to apply the rule to - defaults to local resolver.
}))
})), [])
}), null)
## Centralized DNS, used to house central DNS resolvers and rules

endpoints = optional(object({
# Defines the configuration for the endpoints network.
network = object({
# Defines the configuration for the endpoints network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the endpoints network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the endpoints network. Defaults to null.
name = optional(string, "endpoints")
# The name of the endpoints network. Defaults to 'endpoints'.
private_netmask = optional(number, 24)
# The netmask to use for the private network. Defaults to 24, ensure space for enough aws services.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})

resolver_rules = optional(object({
# Defines the configuration for the sharing network via AWS RAM
principals = optional(list(string), [])
# The list of organizational units or accounts to share the endpoints resolvers rules with. Defaults to an empty list.
}), null)

resolver = optional(object({
enable = optional(bool, false)
# Whether to enable the resolver. Defaults to false.
}), null)

services = optional(map(object({
# Whether private DNS is enabled. Defaults to true.
service_type = optional(string, "Interface")
# The type of service, i.e. Gateway or Interface. Defaults to 'Interface'
service = string
# The name of the service i.e. ec2, ec2messages, ssm, ssmmessages, logs, kms, secretsmanager, s3.awsamazon.com
policy = optional(string, null)
# An optional IAM policy to use for the endpoint. Defaults to null.
})), {
ec2messages = {
service = "ec2messages"
},
ssm = {
service = "ssm"
},
ssmmessages = {
service = "ssmmessages"
},
})
}), null)
## Centralized private endpoints, using route53 resolver rules instead of private hosted zones

ingress = optional(object({
# Defines the configuration for the ingress network.
network = object({
# Defines the configuration for the ingress network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the ingress network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the ingress network. Defaults to null.
name = optional(string, "ingress")
# The name of the ingress network. Defaults to 'ingress'.
private_netmask = number
# The netmask to use for the private network. Required, ensure space for enough aws services.
public_netmask = number
# The netmask to use for the public network. Required, ensure space for enough aws services.
transit_gateway_routes = optional(map(string), {
private = "10.0.0.0/8"
public = "10.0.0.0/8"
})
# The transit gateway route tables entries for the ingress network.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})
}), null)
## Centralized ingress network, used to house all the ingress endpoints
})
 | `{}` | no |
+| [transit\_ssm\_parameter\_name](#input\_transit\_ssm\_parameter\_name) | The name of the SSM parameter to create for the transit gateway ID. | `string` | `"/landing-zone/%s/transit-gateway/id"` | no |
 ## Outputs
diff --git a/modules/trusted/ssm.tf b/modules/trusted/ssm.tf
new file mode 100644
index 0000000..269cd92
--- /dev/null
+++ b/modules/trusted/ssm.tf
@@ -0,0 +1,39 @@
+
+## SSM Parameters for VPC and Transit Gateway IDs
+resource "aws_ssm_parameter" "transit_gateway_id" {
+ count = var.enable_ssm_sharing ? 1 : 0
+
+ name = format("%s/%s/id", var.transit_ssm_parameter_prefix, local.region)
+ description = "Contains the Transit Gateway ID for region ${local.region}"
+ type = "String"
+ value = module.tgw.ec2_transit_gateway_id
+ tags = var.tags
+}
+
+resource "aws_ssm_parameter" "transit_gateway_arn" {
+ count = var.enable_ssm_sharing ? 1 : 0
+
+ name = format("%s/%s/arn", var.transit_ssm_parameter_prefix, local.region)
+ description = "Contains the Transit Gateway ARN for region ${local.region}"
+ type = "String"
+ value = module.tgw.ec2_transit_gateway_arn
+ tags = var.tags
+}
+
+## Share the SSM Parameter using RAM
+module "transit_gateway_ssm_share" {
+ count = var.enable_ssm_sharing ? 1 : 0
+ source = "appvia/ram/aws"
+ version = "0.0.1"
+
+ allow_external_principals = false
+ name = format("transit-gateway-ssm-%s", local.region)
+ principals = var.ram_share_principals
+ tags = var.tags
+
+ resource_arns = [
+ aws_ssm_parameter.transit_gateway_arn.arn,
+ aws_ssm_parameter.transit_gateway_id.arn,
+ ]
+}
+
diff --git a/modules/trusted/variables.tf b/modules/trusted/variables.tf
index a489743..06c1047 100644
--- a/modules/trusted/variables.tf
+++ b/modules/trusted/variables.tf
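Review bot: The `resource_arns` list in `module "transit_gateway_ssm_share"` reads `aws_ssm_parameter.transit_gateway_arn.arn` and `aws_ssm_parameter.transit_gateway_id.arn`, but both resources are declared with `count`, so Terraform rejects the unindexed reference at plan time and the share is never created; the lines should be `aws_ssm_parameter.transit_gateway_arn[0].arn,` and `aws_ssm_parameter.transit_gateway_id[0].arn,`. As far as I know AWS RAM only accepts advanced-tier parameters for sharing, so both `aws_ssm_parameter` resources will likely also need `tier = "Advanced"` (with the associated per-parameter charge) — worth confirming before merging. `allow_external_principals = false` is hard-coded here while the README shows the module already exposes `enable_external_principals` (default `true`) for the transit gateway share; if `ram_share_principals` holds accounts outside the organization the two shares will behave differently, so either wire it to `var.enable_external_principals` or document the tighter setting as intentional. Note also that the parameter path produced, `<prefix>/<region>/id`, drops the `transit-gateway` segment that the README default `/landing-zone/%s/transit-gateway/id` advertises, so the generated docs and the code disagree on the name consumers should look up.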
@@ -200,6 +200,18 @@ variable "enable_vpn_ecmp_support" {
 default = false
 }
+variable "transit_ssm_parameter_prefix" {
+ description = "The name of the SSM parameter to create for the transit gateway ID."
+ type = string
+ default = "/landing-zone"
+}
+
+variable "enable_ssm_sharing" {
+ description = "Whether to create and share the SSM parameter for the transit gateway ID."
+ type = bool
+ default = false
+}
+
 variable "name" {
 description = "The name of the transit gateway to provision."
 type = string
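Review bot: The description of `transit_ssm_parameter_prefix` says it is "The name of the SSM parameter to create for the transit gateway ID", but the variable is a prefix that ssm.tf extends with `/<region>/id` and `/<region>/arn`, and the README in this same commit documents it under a different name (`transit_ssm_parameter_name`) with a different default, so the generated docs no longer match the variables. Suggest `description = "Prefix for the SSM parameter names holding the transit gateway ID and ARN; the module appends /<region>/id and /<region>/arn."` and regenerating the README. Since SSM hierarchical names must begin with `/`, a `validation` block checking `startswith(var.transit_ssm_parameter_prefix, "/")` would turn a misconfigured prefix into a plan-time error instead of an apply-time API failure.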