feature(core): 6.25 tgw inter region peering (#364)

* TGW inter-region peering
Co-authored-by: Naveen Kumar <nkoppula@amazon.com>

Author: nachundu-amzn

reference-artifacts/config.example.json

@@ -402,7 +402,85 @@
               "Default-route-table-propagation": false,
               "Auto-accept-sharing-attachments": true
             },
-            "route-tables": ["core", "segregated", "shared", "standalone"]
+            "route-tables": ["core", "segregated", "shared", "standalone"],
+            "tgw-routes": [
+              {
+                "name": "{TGW_ALL}",
+                "routes": [
+                  {
+                    "destination": "1.1.0.0/32",
+                    "target-tgw": "East"
+                  }
+                ]
+              },
+              {
+                "name": "segregated",
+                "routes": [
+                  {
+                    "destination": "1.0.4.0/32",
+                    "blackhole-route": true
+                  }
+                ]
+              },
+              {
+                "name": "shared",
+                "routes": [{
+                  "destination": "1.0.2.0/32",
+                  "target-vpc": "Dev"
+                }]
+              },
+              {
+                "name": "standalone",
+                "routes": [{
+                  "destination": "1.0.3.0/32",
+                  "target-vpn": {
+                    "name": "Perimeter_fw",
+                    "az": "b",
+                    "subnet": "Public"
+                  }
+                }]
+              }
+            ]
+          },
+          {
+            "name": "East",
+            "asn": 64526,
+            "region": "us-east-1",
+            "features": {
+              "DNS-support": true,
+              "VPN-ECMP-support": true,
+              "Default-route-table-association": false,
+              "Default-route-table-propagation": false,
+              "Auto-accept-sharing-attachments": true
+            },
+            "route-tables": ["core", "segregated", "shared", "standalone"],
+            "tgw-attach": {
+              "associate-to-tgw": "Main",
+              "account": "shared-network",
+              "region": "ca-central-1",
+              "tgw-rt-associate-local": ["core"],
+              "tgw-rt-associate-remote": ["core"]
+            },
+            "tgw-routes": [
+              {
+                "name": "core",
+                "routes": [
+                  {
+                    "destination": "1.1.0.0/32",
+                    "target-tgw": "Main"
+                  }
+                ]
+              },
+              {
+                "name": "segregated",
+                "routes": [
+                  {
+                    "destination": "1.1.1.0/32",
+                    "target-tgw": "Main"
+                  }
+                ]
+              }
+            ]
           }
         ]
       }

src/deployments/cdk/package.json

@@ -68,10 +68,12 @@
     "@aws-accelerator/common-outputs": "workspace:^0.0.1",
     "@aws-accelerator/common-types": "workspace:^0.0.1",
     "@aws-accelerator/cdk-constructs": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-accept-tgw-peering-attachment": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-acm-import-certificate": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-cfn-sleep": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-cur-report-definition": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-cloud-trail": "workspace:^0.0.1",
+    "@aws-accelerator/custom-resource-create-tgw-peering-attachment": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-ds-log-subscription": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-ec2-ebs-default-encryption": "workspace:^0.0.1",
     "@aws-accelerator/custom-resource-ec2-image-finder": "workspace:^0.0.1",

src/deployments/cdk/src/apps/phase--1.ts

@@ -12,6 +12,8 @@ import * as globalRoles from '../deployments/iam';
  *   - Creating required roles for createSSMDocument custom resource
  *   - Creating required roles for createLogGroup custom resource
  *   - Creating required roles for CWLCentralLoggingSubscriptionFilterRole custom resource
+ *   - Creating required roles for TransitGatewayCreatePeeringAttachment custom resource
+ *   - Creating required roles for TransitGatewayAcceptPeeringAttachment custom resource
  *   - Creating required roles for createLogsMetricFilter custom resource
  *   - Creating required roles for SnsSubscriberLambda custom resource
  */
@@ -67,6 +69,17 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts }: Pha
     config: acceleratorConfig,
   });
 
+  // Creates roles for transit gateway create peering attachment custom resource
+  await globalRoles.createTgwPeeringRoles({
+    accountStacks,
+    config: acceleratorConfig,
+  });
+
+  // Creates roles for transit gateway accept peering attachment custom resource
+  await globalRoles.createTgwAcceptPeeringRoles({
+    accountStacks,
+    config: acceleratorConfig,
+  });
   // Creates role for createLogsMetricFilter custom resource
   await globalRoles.createLogsMetricFilterRole({
     accountStacks,

src/deployments/cdk/src/apps/phase-1.ts

@@ -33,6 +33,7 @@ import { PhaseInput } from './shared';
 import { getIamUserPasswordSecretValue } from '../deployments/iam';
 import * as cwlCentralLoggingToS3 from '../deployments/central-services/central-logging-s3';
 import * as vpcDeployment from '../deployments/vpc';
+import * as transitGateway from '../deployments/transit-gateway';
 import { DNS_LOGGING_LOG_GROUP_REGION } from '@aws-accelerator/common/src/util/constants';
 import { createR53LogGroupName } from '../common/r53-zones';
 import { LogGroup } from '@aws-accelerator/custom-resource-logs-log-group';
@@ -198,6 +199,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
           securityGroupName: name,
         }),
       ),
+      tgwAttachments: vpc.tgwAVpcAttachments,
     });
 
     return vpcStack.vpc;
@@ -453,6 +455,13 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     accounts,
   });
 
+  await transitGateway.createPeeringAttachment({
+    accountStacks,
+    accounts,
+    config: acceleratorConfig,
+    outputs,
+  });
+
   /**
    * Code to create LogGroups required for DNS Logging
    */

src/deployments/cdk/src/apps/phase-2.ts

@@ -308,4 +308,11 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     logBucket,
     outputs,
   });
+
+  await tgwDeployment.acceptPeeringAttachment({
+    accountStacks,
+    accounts,
+    config: acceleratorConfig,
+    outputs,
+  });
 }

src/deployments/cdk/src/apps/phase-3.ts

@@ -9,6 +9,7 @@ import { getStackJsonOutput } from '@aws-accelerator/common-outputs/src/stack-ou
 import { CentralBucketOutput, AccountBucketOutput } from '../deployments/defaults';
 import * as securityHub from '../deployments/security-hub';
 import * as macie from '../deployments/macie';
+import * as transitGateway from '../deployments/transit-gateway';
 
 export async function deploy({ acceleratorConfig, accountStacks, accounts, context, outputs }: PhaseInput) {
   /**
@@ -104,4 +105,11 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
     config: acceleratorConfig,
     outputs,
   });
+
+  await transitGateway.step3({
+    accountStacks,
+    accounts,
+    config: acceleratorConfig,
+    outputs,
+  });
 }

src/deployments/cdk/src/common/vpc.ts

@@ -60,6 +60,11 @@ export interface NameToIdMap {
   [key: string]: string;
 }
 
+export interface TgwAttachment {
+  name: string;
+  id: string;
+}
+
 /**
  * Auxiliary class that makes management and lookup of subnets easier.
  */
@@ -125,6 +130,8 @@ export class Vpc extends cdk.Construct implements constructs.Vpc {
   readonly securityGroup?: SecurityGroup;
   readonly routeTableNameToIdMap: NameToIdMap = {};
 
+  readonly tgwAttachments: TgwAttachment[] = [];
+
   constructor(scope: cdk.Construct, name: string, vpcProps: VpcProps) {
     super(scope, name);
 
@@ -320,6 +327,12 @@ export class Vpc extends cdk.Construct implements constructs.Vpc {
           transitGatewayId: tgw.tgwId,
         });
 
+        // TODO add VPC To TGW attachment output
+        this.tgwAttachments.push({
+          name: tgw.name,
+          id: tgwAttachment.transitGatewayAttachmentId,
+        });
+
         const ownerAccountId = getAccountId(accounts, tgwAttach.account);
         if (ownerAccountId) {
           // Add tags in the TGW owner account
@@ -531,6 +544,10 @@ export class Vpc extends cdk.Construct implements constructs.Vpc {
     return this.securityGroup?.securityGroups || [];
   }
 
+  get tgwAVpcAttachments(): constructs.TgwAttachment[] {
+    return this.tgwAttachments;
+  }
+
   findSubnetByNameAndAvailabilityZone(name: string, az: string): constructs.Subnet {
     const subnet = this.tryFindSubnetByNameAndAvailabilityZone(name, az);
     if (!subnet) {

src/deployments/cdk/src/deployments/firewall/cluster/outputs.ts

@@ -2,6 +2,7 @@ import * as t from 'io-ts';
 import { optional } from '@aws-accelerator/common-types';
 import { createCfnStructuredOutput } from '../../../common/structured-output';
 import { createStructuredOutputFinder } from '@aws-accelerator/common-outputs/src/structured-output';
+import { StackOutput } from '@aws-accelerator/common-outputs/src/stack-output';
 
 export const FirewallInstanceOutput = t.interface(
   {
@@ -70,3 +71,33 @@ export type FirewallVpnConnectionOutput = t.TypeOf<typeof FirewallVpnConnectionO
 export const CfnFirewallVpnConnectionOutput = createCfnStructuredOutput(FirewallVpnConnectionOutput);
 
 export const FirewallVpnConnectionOutputFinder = createStructuredOutputFinder(FirewallVpnConnectionOutput, () => ({}));
+
+export const TgwVpnAttachment = t.interface({
+  subnet: t.string,
+  az: t.string,
+  id: t.string,
+});
+
+export type TgwVpnAttachment = t.TypeOf<typeof TgwVpnAttachment>;
+
+export const TgwVpnAttachmentsOutput = t.interface(
+  {
+    name: t.string,
+    attachments: t.array(TgwVpnAttachment),
+  },
+  'TgwVpnAttachmentsOutput',
+);
+
+export type TgwVpnAttachmentsOutput = t.TypeOf<typeof TgwVpnAttachmentsOutput>;
+
+export const CfnTgwVpnAttachmentsOutput = createCfnStructuredOutput(TgwVpnAttachmentsOutput);
+
+export const TgwVpnAttachmentsOutputFinder = createStructuredOutputFinder(TgwVpnAttachmentsOutput, finder => ({
+  tryFindOneByName: (props: { outputs: StackOutput[]; accountKey?: string; name: string; region?: string }) =>
+    finder.tryFindOne({
+      outputs: props.outputs,
+      accountKey: props.accountKey,
+      region: props.region,
+      predicate: o => o.name === props.name,
+    }),
+}));

src/deployments/cdk/src/deployments/firewall/cluster/step-2.ts

@@ -13,6 +13,8 @@ import {
   FirewallVpnConnection,
   CfnFirewallVpnConnectionOutput,
   FirewallPortOutputFinder,
+  TgwVpnAttachment,
+  CfnTgwVpnAttachmentsOutput,
 } from './outputs';
 
 export interface FirewallStep2Props {
@@ -109,6 +111,7 @@ async function createCustomerGateways(props: {
 
   const addTagsDependencies = [];
   const addTagsToResources: AddTagsToResource[] = [];
+  const tgwAttachments: TgwVpnAttachment[] = [];
 
   for (const [index, port] of Object.entries(firewallPorts)) {
     if (port.firewallName !== firewallConfig.name) {
@@ -153,6 +156,12 @@ async function createCustomerGateways(props: {
         tgwId: transitGateway.tgwId,
       });
 
+      tgwAttachments.push({
+        subnet: port.subnetName,
+        az: port.az,
+        id: attachments.getTransitGatewayAttachmentId(0),
+      });
+
       // Make sure to add the tags to the VPN attachments
       addTagsDependencies.push(attachments);
       addTagsToResources.push({
@@ -208,4 +217,9 @@ async function createCustomerGateways(props: {
 
   // Store the firewall VPN connections as outputs
   new CfnFirewallVpnConnectionOutput(scope, `FirewallVpnConnections${firewallConfig.name}`, vpnConnections);
+
+  new CfnTgwVpnAttachmentsOutput(scope, `TgwVpnAttachments${firewallConfig.name}`, {
+    name: firewallCgwName,
+    attachments: tgwAttachments,
+  });
 }

src/deployments/cdk/src/deployments/iam/index.ts

@@ -9,5 +9,7 @@ export * from './ssm-document-roles';
 export * from './log-group-role';
 export * from './cwl-central-logging-roles';
 export * from './cwl-add-subscription-filter-role';
+export * from './tgw-create-peering-roles';
+export * from './tgw-accept-peering-roles';
 export * from './logs-metric-filter-role';
 export * from './sns-subscriber-lambda-role';