{"id":13623116,"url":"https://github.com/aws-samples/aws-network-hub-for-terraform","last_synced_at":"2025-04-15T14:32:01.506Z","repository":{"id":37848380,"uuid":"450443711","full_name":"aws-samples/aws-network-hub-for-terraform","owner":"aws-samples","description":"This repository demonstrates a scalable, segregated, secured AWS network hub for multi-account organizations using Terraform. ","archived":false,"fork":false,"pushed_at":"2024-06-11T14:55:42.000Z","size":1217,"stargazers_count":98,"open_issues_count":6,"forks_count":24,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-11-08T11:45:42.512Z","etag":null,"topics":["amazon-web-services","automation","aws","aws-orga","centralised-networking","example","hashicorp","iac","iam","infrastructure-as-code","network","network-firewall","network-hub","ram","route53","route53-resolver","terraform","transit-gateway","vpc-endpoints","vpc-flowlogs"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit-0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aws-samples.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-21T10:15:47.000Z","updated_at":"2024-09-21T03:02:24.000Z","dependencies_parsed_at":"2024-06-11T16:49:10.394Z","dependency_job_id":"81b6d376-0d6e-418f-b34f-51fc704ce6b5","html_url":"https://github.com/aws-samples/aws-network-hub-for-terraform","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-sample
s%2Faws-network-hub-for-terraform","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-samples%2Faws-network-hub-for-terraform/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-samples%2Faws-network-hub-for-terraform/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-samples%2Faws-network-hub-for-terraform/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aws-samples","download_url":"https://codeload.github.com/aws-samples/aws-network-hub-for-terraform/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249088911,"owners_count":21210881,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amazon-web-services","automation","aws","aws-orga","centralised-networking","example","hashicorp","iac","iam","infrastructure-as-code","network","network-firewall","network-hub","ram","route53","route53-resolver","terraform","transit-gateway","vpc-endpoints","vpc-flowlogs"],"created_at":"2024-08-01T21:01:28.250Z","updated_at":"2025-04-15T14:32:00.925Z","avatar_url":"https://github.com/aws-samples.png","language":"HCL","funding_links":[],"categories":["HCL"],"sub_categories":[],"readme":"\u003c!-- markdownlint-disable MD033 MD024 --\u003e\n\n# Network Hub Account with Terraform\n\nThis repository demonstrates a **scalable, segregated, secured** AWS network for **multi-account organizations**.\nUsing Transit Gateway to separate production, non-production and shared services traffic,\nit deploys an advanced AWS 
networking pattern using centralized ingress and egress behind Network Firewall,\ncentralizes private VPC endpoints to share across all VPCs, and manages IP address allocation using Amazon VPC IPAM.\n\n- Perfect for a central networking hub account, potentially alongside Account Factory for Terraform\n- The solution itself can be deployed into nonprod, test and production deployments for safe iteration and testing.\n- Written using clean, composable modules: the solution is easily extended and customised.\n\n[Spoke VPCs for organization members can be created using the provided sister example in this repo.](/example-spoke-vpc/README.md)\n\nThe following resources will be deployed by this example:\n\n- VPC Transit Gateway\n- VPC Endpoints\n- AWS Network Firewall\n- Route 53 Resolver\n- Amazon VPC IP Address Manager\n\nThe resources deployed and the architectural pattern they follow are provided for demonstration and\ntesting purposes but are based on and inspired by AWS best practice and articles.\n\n## Table of Contents\n\n- [Overview](#overview)\n  - [Diagrams](#diagrams)\n  - [References](#references)\n- [Prerequisites](#prerequisites)\n  - [Variables](#variables)\n- [Quick Start](#quick-start)\n  - [Deploy from client machine](#deploy-from-client-machine)\n  - [Validate Deployment](#validate-deployment)\n  - [Tagging](#tagging)\n  - [Clean Up](#clean-up)\n- [Terraform Docs](#terraform-docs)\n- [Security](#security)\n- [License](#license)\n\n## Overview\n\n### Diagrams\n\nSolution Diagram\n![diagram](images/diagram.png)\n\nTransit Gateway\n![tgw](images/tgw.png)\n\nVPC Endpoints\n![vpc_endpoints](images/vpce.png)\n\nNetwork Firewall\n![nfw](images/nfw.png)\n\nRoute 53 Resolver\n![dns](images/dns.png)\n\n### References\n\n- \u003chttps://aws.amazon.com/blogs/architecture/field-notes-how-to-scale-your-networks-on-amazon-web-services/\u003e\n- \u003chttps://aws.amazon.com/blogs/industries/defining-an-aws-multi-account-strategy-for-a-digital-bank/\u003e\n- 
\u003chttps://aws.amazon.com/blogs/security/protect-your-remote-workforce-by-using-a-managed-dns-firewall-and-network-firewall/\u003e\n- \u003chttps://aws.amazon.com/blogs/architecture/field-notes-working-with-route-tables-in-aws-transit-gateway/\u003e\n- \u003chttps://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-isolated-shared.html\u003e\n- \u003chttps://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/\u003e\n\n---\n\n## Prerequisites\n\nMinimal tooling is required for this solution. However, there are hard requirements around\nAWS configuration.\n\n### Tooling\n\n- Terraform ~\u003e 1.1\n  - AWS provider \u003e= 4.4.0\n- AWS CLI\n- Git CLI\n\n### AWS account configuration\n\n- AWS Organization\n- Centralised network account\n- IAM role with required permissions\n- RAM sharing enabled for the Organisation\n\n```bash\naws ram enable-sharing-with-aws-organization\n```\n\n![ram](images/RAM_Enabled.png)\n\n**Troubleshooting tip**\n\nIf you experience any issue with the RAM share, disable and then re-enable RAM: run the command below, then run `aws ram enable-sharing-with-aws-organization` again.\n\n```bash\naws organizations disable-aws-service-access --service-principal ram.amazonaws.com\n```\n\n- IPAM delegated from the master account to the Centralised network account\n\n```bash\naws ec2 enable-ipam-organization-admin-account \\\\\n    --delegated-admin-account-id \u003cNetwork-Account-ID\u003e\n```\n\n![ipam](images/IPAM_Delegated.png)\n\n### Customisation\n\nIf you do not define a remote backend, Terraform will use the local directory to store the backend files,\nincluding tfstate. 
Examples of how to customise the Terraform backend are included but commented out.\nUsual caveats around safe storage of Terraform state must be considered.\n\n![backend](images/backend.png)\n\nExample GitLab HTTP backend for use with GitLab CI.\n\n![http_backend](images/http_backend.png)\n\n### Variables\n\n| Type                           | Variable Name    | Description                                                      | Notes                                       |\n| ------------------------------ | ---------------- | ---------------------------------------------------------------- | ------------------------------------------- |\n| Global variables               | environment      | Environment to deploy into.                                      | Accepted values \\* dev, test, preprod, prod |\n|                                | aws_region       | Region to deploy in.                                             |                                             |\n|                                | vpc_endpoints    | List of centralised VPC endpoints to be deployed                 |                                             |\n| Environment specific variables | ipam_cidr        | CIDR to be allocated to the IP Address Manager                   |                                             |\n|                                | tgw_route_tables | Transit Gateway Router Tables to create                          |                                             |\n|                                | root_domain      | Root DNS domain to create private hosted zone and resolver rules |                                             |\n\n**Input Variable -** _config.auto.tfvars_\n\n```terraform\naws_region    = \"eu-west-2\"\nvpc_endpoints = [\"ec2\", \"rds\", \"sqs\", \"sns\", \"ssm\", \"logs\", \"ssmmessages\", \"ec2messages\", \"autoscaling\", \"ecs\", \"athena\"]\n\nenv_config = {\n  dev = {\n    ipam_cidr        = \"10.0.0.0/10\"\n    tgw_route_tables = [\"prod\", 
\"dev\", \"shared\"]\n    root_domain      = \"network-dev.internal\"\n  }\n  test = {\n    ipam_cidr        = \"10.64.0.0/10\"\n    tgw_route_tables = [\"prod\", \"dev\", \"shared\"]\n    root_domain      = \"network-test.internal\"\n  }\n  preprod = {\n    ipam_cidr        = \"10.128.0.0/10\"\n    tgw_route_tables = [\"prod\", \"dev\", \"shared\"]\n    root_domain      = \"network-preprod.internal\"\n  }\n  prod = {\n    ipam_cidr        = \"10.192.0.0/10\"\n    tgw_route_tables = [\"prod\", \"dev\", \"shared\"]\n    root_domain      = \"network-prod.internal\"\n  }\n}\n```\n\n---\n\n## Quick Start\n\n### Deploy from client machine\n\nWhen deploying from your local machine having configured the **TF Backend** in the code you need to ensure you have access to read and write to the backend - possible backends include HTTP, Consul, Postgres, Artifactory, S3 or S3 + DynamoDB. We initialise the Terraform, complete the validate and format. Review the plan and then apply.\n\n- `terraform init`\n- `terraform validate`\n- set environment for deployment\n  - `export TF_VAR_environment=\"$ENV\"`\n  - `Set-Item -Path env:TF_VAR_environment -Value \"$ENV\"`\n    (Possible $ENV values - `dev`, `test`, `preprod`, `prod`)\n- `terraform plan`\n- `terraform apply` **or** `terraform apply --auto-approve`\n\n---\n\n### Tagging\n\nTags are added to all AWS resources through use of the tag configuration of the AWS Provider.\n\nAs not all AWS resources support default tags passed from the provider (EC2 Auto-Scaling Group + Launch Template)\nWe pass the tags as a variable (Map(string) - these are defined in the root locals.tf file.\n\n![provider](images/provider.png)\n\n**Example Tags -** _locals.tf_\n\n```terraform\ntags = {\n  Product    = \"Network_Automation\"\n  Owner      = \"GitHub\"\n  Project_ID = \"12345\"\n}\n```\n\n### Clean Up\n\nRemember to clean up after your work is complete. 
You can do that by running `terraform destroy`.\n\nNote that this command will delete all the resources previously created by Terraform.\n\n## Terraform Docs\n\n### Terraform Deployment\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n\n#### Requirements\n\n| Name | Version |\n|------|---------|\n| terraform | ~\u003e 1.1 |\n| aws | \u003e= 4.4.0 |\n\n#### Providers\n\n| Name | Version |\n|------|---------|\n| aws | 4.5.0 |\n\n#### Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| dns | ./modules/dns | n/a |\n| ipam | ./modules/ipam | n/a |\n| network_firewall_vpc | ./modules/network_firewall_vpc | n/a |\n| tgw | ./modules/tgw | n/a |\n| vpc_endpoints | ./modules/vpc_endpoints | n/a |\n\n#### Resources\n\n| Name | Type |\n|------|------|\n| [aws_iam_policy.central_network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy_attachment.central_network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |\n| [aws_iam_role.central_network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy.flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_kms_key.log_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| 
[aws_iam_policy_document.policy_kms_logs_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_organizations_organization.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |\n\n#### Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| aws_region | AWS region being deployed to | `string` | n/a | yes |\n| env_config | Map of objects for per environment configuration | \u003cpre\u003emap(object({\u003cbr\u003e    ipam_cidr        = string\u003cbr\u003e    tgw_route_tables = list(string)\u003cbr\u003e    root_domain      = string\u003cbr\u003e  }))\u003c/pre\u003e | n/a | yes |\n| environment | Deployment environment passed as argument or environment variable | `string` | n/a | yes |\n| tags | Default tags to apply to all resources | `map(string)` | n/a | yes |\n| vpc_endpoints | Which VPC endpoints to use | `list(string)` | n/a | yes |\n\n#### Outputs\n\nNo outputs.\n\n\u003c!-- END_TF_DOCS --\u003e\n\n### TGW Module\n\n\u003c!-- BEGIN_TF_TGW_DOCS --\u003e\n\n#### Requirements\n\nNo requirements.\n\n#### Providers\n\n| Name | Version |\n|------|---------|\n| aws | n/a |\n\n#### Modules\n\nNo modules.\n\n#### Resources\n\n| Name | Type |\n|------|------|\n| [aws_ec2_transit_gateway.org_tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway) | resource |\n| [aws_ec2_transit_gateway_route.blackhole_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |\n| [aws_ec2_transit_gateway_route.default_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |\n| 
[aws_ec2_transit_gateway_route.default_route_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |\n| [aws_ec2_transit_gateway_route_table.org_tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table) | resource |\n| [aws_ram_principal_association.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |\n| [aws_ram_resource_association.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |\n| [aws_ram_resource_share.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share) | resource |\n\n#### Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| az_names | A list of the Availability Zone names available to the account | `list(string)` | n/a | yes |\n| cidr | Corporate CIDR range for use with blackholing traffic between production and development environments | `string` | n/a | yes |\n| environment | Deployment environment passed as argument or environment variable | `string` | n/a | yes |\n| inspection_attachment | Inspection VPC attachment for default route | `string` | n/a | yes |\n| org_arn | The ARN of the AWS Organization this account belongs to | `string` | n/a | yes |\n| tgw_route_tables | List of route tables to create for the transit gateway | `list(string)` | n/a | yes |\n\n#### Outputs\n\n| Name | Description |\n|------|-------------|\n| tgw | TGW ID for VPC attachments |\n| tgw_route_table | Map of route tables used for association and propagation |\n\n\u003c!-- END_TF_TGW_DOCS --\u003e\n\n### IPAM Module\n\n\u003c!-- BEGIN_TF_IPAM_DOCS --\u003e\n\n#### Requirements\n\nNo requirements.\n\n#### Providers\n\n| Name | Version |\n|------|---------|\n| aws | n/a |\n\n#### Modules\n\nNo modules.\n\n#### 
Resources\n\n| Name | Type |\n|------|------|\n| [aws_ram_principal_association.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |\n| [aws_ram_resource_association.ipam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |\n| [aws_ram_resource_share.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share) | resource |\n| [aws_ssm_parameter.ipam_pool_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |\n| [aws_vpc_ipam.org_ipam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam) | resource |\n| [aws_vpc_ipam_pool.private_org_ipam_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource |\n| [aws_vpc_ipam_pool_cidr.private_org_ipam_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr) | resource |\n| [aws_vpc_ipam_scope.private_org_ipam_scope](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_scope) | resource |\n\n#### Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| aws_region | AWS region being deployed to | `string` | n/a | yes |\n| ipam_cidr | CIDR block assigned to IPAM pool | `string` | n/a | yes |\n| org_arn | The ARN of the AWS Organization this account belongs to | `string` | n/a | yes |\n\n#### Outputs\n\n| Name | Description |\n|------|-------------|\n| org_ipam | Org IPAM ID |\n| org_ipam_pool | Org IPAM pool ID |\n\n\u003c!-- END_TF_IPAM_DOCS --\u003e\n\n### VPC Endpoint Module\n\n\u003c!-- BEGIN_TF_VPCE_DOCS --\u003e\n\n#### Requirements\n\nNo requirements.\n\n#### Providers\n\n| Name | Version |\n|------|---------|\n| aws | n/a |\n\n#### Modules\n\nNo modules.\n\n#### Resources\n\n| Name | 
Type |\n|------|------|\n| [aws_cloudwatch_log_group.flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |\n| [aws_ec2_transit_gateway_route_table_association.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |\n| [aws_ec2_transit_gateway_route_table_propagation.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |\n| [aws_ec2_transit_gateway_vpc_attachment.vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |\n| [aws_flow_log.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |\n| [aws_route.default_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.default_route_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route53_record.dev_ns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |\n| [aws_route53_zone.interface_phz](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |\n| [aws_route_table.endpoint_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |\n| [aws_route_table_association.attachment_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |\n| [aws_route_table_association.endpoint_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | 
resource |\n| [aws_security_group.allow_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| [aws_security_group_rule.org_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_subnet.attachment_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| [aws_subnet.endpoint_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| [aws_vpc.endpoint_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |\n| [aws_vpc_dhcp_options.endpoint_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) | resource |\n| [aws_vpc_dhcp_options_association.endpoint_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) | resource |\n| [aws_vpc_endpoint.interface](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |\n\n#### Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| az_names | A list of the Availability Zone names available to the account | `list(string)` | n/a | yes |\n| cidr | Corporate CIDR range for use with blackholing traffic between production and development environments | `string` | n/a | yes |\n| environment | Deployment environment passed as argument or environment variable | `string` | n/a | yes |\n| iam_role_arn | IAM role to allow VPC Flow Logs to write to CloudWatch | `string` | n/a | yes |\n| interface_endpoints | Object representing the region and services to create interface endpoints for | `map(string)` | n/a | yes |\n| kms_key_id | VPC Flow Logs KMS key to encrypt logs | `string` | n/a | yes |\n| org_ipam_pool | IPAM pool ID to allocate CIDR space | `string` | n/a | yes 
|\n| tgw | TGW ID for VPC attachments | `string` | n/a | yes |\n| tgw_route_tables | TGW route tables for VPC association and propagation | `map(string)` | n/a | yes |\n\n#### Outputs\n\nNo outputs.\n\n\u003c!-- END_TF_VPCE_DOCS --\u003e\n\n### DNS Module\n\n\u003c!-- BEGIN_TF_DNS_DOCS --\u003e\n\n#### Requirements\n\nNo requirements.\n\n#### Providers\n\n| Name | Version |\n|------|---------|\n| aws | n/a |\n\n#### Modules\n\nNo modules.\n\n#### Resources\n\n| Name | Type |\n|------|------|\n| [aws_cloudwatch_log_group.flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |\n| [aws_ec2_transit_gateway_route_table_association.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |\n| [aws_ec2_transit_gateway_route_table_propagation.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |\n| [aws_ec2_transit_gateway_vpc_attachment.vpc_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |\n| [aws_flow_log.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |\n| [aws_ram_principal_association.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |\n| [aws_ram_resource_association.r53r](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |\n| [aws_ram_resource_share.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share) | resource |\n| 
[aws_route.default_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.default_route_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route53_resolver_endpoint.inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |\n| [aws_route53_resolver_endpoint.outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |\n| [aws_route53_resolver_rule.fwd](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |\n| [aws_route53_resolver_rule_association.org_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |\n| [aws_route53_zone.root_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |\n| [aws_route_table.dns_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |\n| [aws_route_table_association.attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |\n| [aws_route_table_association.privatesubnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |\n| [aws_security_group.allow_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| [aws_security_group_rule.dns_tcp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_subnet.attachment_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| 
[aws_subnet.endpoint_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| [aws_vpc.dns_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |\n| [aws_vpc_dhcp_options.dns_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) | resource |\n| [aws_vpc_dhcp_options_association.dns_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) | resource |\n\n#### Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| az_names | A list of the Availability Zone names available to the account | `list(string)` | n/a | yes |\n| cidr | Corporate CIDR range for use with blackholing traffic between production and development environments | `string` | n/a | yes |\n| environment | Deployment environment passed as argument or environment variable | `string` | n/a | yes |\n| iam_role_arn | IAM role to allow VPC Flow Logs to write to CloudWatch | `string` | n/a | yes |\n| interface_endpoints | Object representing the region and services to create interface endpoints for | `map(string)` | n/a | yes |\n| kms_key_id | VPC Flow Logs KMS key to encrypt logs | `string` | n/a | yes |\n| org_arn | The ARN of the AWS Organization this account belongs to | `string` | n/a | yes |\n| org_ipam_pool | IPAM pool ID to allocate CIDR space | `string` | n/a | yes |\n| root_domain | Root domain for private hosted zone delegation | `string` | n/a | yes |\n| tgw | TGW ID for VPC attachments | `string` | n/a | yes |\n| tgw_route_tables | TGW route tables for VPC association and propagation | `map(string)` | n/a | yes |\n\n#### Outputs\n\nNo outputs.\n\n\u003c!-- END_TF_DNS_DOCS --\u003e\n\n### Network Firewall Module\n\n\u003c!-- BEGIN_TF_NFW_DOCS --\u003e\n\n#### Requirements\n\nNo requirements.\n\n#### Providers\n\n| Name | Version 
|\n|------|---------|\n| aws | n/a |\n\n#### Modules\n\nNo modules.\n\n#### Resources\n\n| Name | Type |\n|------|------|\n| [aws_cloudwatch_log_group.flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_cloudwatch_log_group.network_firewall_alert_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_cloudwatch_log_group.network_firewall_flow_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |\n| [aws_ec2_transit_gateway_route_table_association.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |\n| [aws_ec2_transit_gateway_route_table_propagation.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |\n| [aws_ec2_transit_gateway_vpc_attachment.vpc_inspection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |\n| [aws_egress_only_internet_gateway.eigw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/egress_only_internet_gateway) | resource |\n| [aws_eip.internet_vpc_nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |\n| [aws_flow_log.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |\n| [aws_internet_gateway.igw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |\n| 
[aws_nat_gateway.internet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |\n| [aws_networkfirewall_firewall.inspection_vpc_network_firewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall) | resource |\n| [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |\n| [aws_networkfirewall_logging_configuration.network_firewall_alert_logging_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_logging_configuration) | resource |\n| [aws_networkfirewall_rule_group.block_domains](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |\n| [aws_route.default_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.default_route_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.egress_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.egress_route_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.ingress_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.inspection_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.inspection_route_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route.inspection_route_natgw_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| 
[aws_route.internal_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |\n| [aws_route_table.attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |\n| [aws_route_table.inspection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |\n| [aws_route_table.internet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |\n| [aws_route_table_association.attachment_subnet_rt_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |\n| [aws_route_table_association.inspection_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |\n| [aws_route_table_association.internet_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |\n| [aws_subnet.attachment_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| [aws_subnet.inspection_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| [aws_subnet.internet_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |\n| [aws_vpc.inspection_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |\n| [aws_vpc_dhcp_options.inspection_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) | resource |\n| [aws_vpc_dhcp_options_association.inspection_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) | resource |\n\n#### Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| aws_region 
| AWS region being deployed to | `string` | n/a | yes |\n| az_names | A list of the Availability Zone names available to the account | `list(string)` | n/a | yes |\n| cidr | Corporate CIDR range for use with blackholing traffic between production and development environments | `string` | n/a | yes |\n| environment | Deployment environment passed as argument or environment variable | `string` | n/a | yes |\n| iam_role_arn | IAM role to allow VPC Flow Logs to write to CloudWatch | `string` | n/a | yes |\n| kms_key_id | VPC Flow Logs KMS key to encrypt logs | `string` | n/a | yes |\n| org_ipam_pool | IPAM pool ID to allocate CIDR space | `string` | n/a | yes |\n| tgw | TGW ID for VPC attachments | `string` | n/a | yes |\n| tgw_route_tables | TGW route tables for VPC association and propagation | `map(string)` | n/a | yes |\n\n#### Outputs\n\n| Name | Description |\n|------|-------------|\n| eni_map | Output ENI map |\n| firewall_info | Info of network firewall for routing |\n| inspection_attachment | Inspection TGW attachment ID for default route in TGW |\n| route_table | Output route tables used for NFW |\n| rt_map | Output RT map |\n\n\u003c!-- END_TF_NFW_DOCS --\u003e\n\n## Security\n\nSee [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.\n\n## License\n\nThis library is licensed under the MIT-0 License. See the LICENSE file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-samples%2Faws-network-hub-for-terraform","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faws-samples%2Faws-network-hub-for-terraform","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-samples%2Faws-network-hub-for-terraform/lists"}