Introduction
I've decided to automate the deployment of a Transit Gateway using CloudFormation.I'll show you here how I did it, but be advised that it is currently not possible to do complex configurations on a TGW using CloudFormation. You will need to do some tasks manually, at least one which can only be done with the AWS CLI.
First, some caveats
Now there are a few caveats you need to be aware of before using CloudFormation to deploy a Transit Gateway:- At this time, there are no attributes whatsoever that can be extracted from GetAtt, which means you can't extract its ARN, default route table ID, and others and use them later in your template.
- Every (and I mean every) property change requires a replacement, which is a big deal.
- This means that doing something as simple as trying to change a tag on your Transit Gateway using CloudFormation will cause downtime, as it requires that you first remove any attachments and dependencies before being able to update the stack.
- It also means that the ID and ARN of the TGW itself will change once it is replaced, which requires lots of planning: any dependents that refer to these identifiers will need to be reconfigured.
tgw-main.yml : Deploying the Transit Gateway
Deploying a TGW is fairly straightforward:
Resources:
mytgw:
Type: 'AWS::EC2::TransitGateway'
Properties:
AutoAcceptSharedAttachments: enable
Tags:
- Key: Name
Value: "My Transit Gateway"
Outputs:
outmytgw:
Description: TGW ID
Value: !Ref mytgw
Export:
Name: "mytgw-id"
Resources:
mytgw:
Type: 'AWS::EC2::TransitGateway'
Properties:
AutoAcceptSharedAttachments: enable
Tags:
- Key: Name
Value: "My Transit Gateway"
Outputs:
outmytgw:
Description: TGW ID
Value: !Ref mytgw
Export:
Name: "mytgw-id"
I've set AutoAcceptSharedAttachments to enable to prevent having to accept VPC attachments manually, as they will be done later.
I've also added an output variable. It is set so that I can then reference the TGW ID from other stacks, namely the VPC-related stacks that will attach themselves to the TGW. I suggest you export it with the name !Sub "${AWS::StackName}-mytgw-id" if you prefer prefixing it with the stack name.
Caution: Whatever you do, be sure to understand all the properties of AWS::EC2::TransitGateway and their implications. As I said earlier, you cannot change any of them once it's deployed without replacing the TGW, and removing all the dependencies below (and possibly more).
tgw-ram.yml: Sharing the TGW across different accounts (optional)
If you need to attach to the TGW from a VPC in another account, you first need to use Resource Access Manager (RAM) to share it between your accounts.
This cannot be done in the previous stack (tgw-main.yml); sharing the TGW requires getting its ARN and as explained in the Caveats section, there is no way do to that from CloudFormation. To my knowledge, it's not available in the portal either. Therefore, you first need to extract the ARN using the AWS CLI:
$ aws ec2 describe-transit-gateways
$ aws ec2 describe-transit-gateways
This will show you the ARN, such as:
arn:aws:ec2:xx-xxxxx-x:yyyyyyyyyyy:transit-gateway/tgw-zzzzzzzzzzz
Where:
- xx-xxxx-x: The AWS region where the TGW is located
- yyyyyyyy: The account number that hosts the TGW
- tgw-zzzzz: The TGW ID.
Then, you can build your RAM template like this:
Resources:
sharemytgw:
Type: "AWS::RAM::ResourceShare"
Properties:
Name: "My TGW RAM Share"
ResourceArns: arn:aws:ec2:my-aws-region:my-aws-account:transit-gateway/tgw-my-tgw-id
Principals:
- "first_account_number"
- "second_account_number"
Tags:
- Key: "Name"
Value: "My TGW RAM Share"
Resources:
sharemytgw:
Type: "AWS::RAM::ResourceShare"
Properties:
Name: "My TGW RAM Share"
ResourceArns: arn:aws:ec2:my-aws-region:my-aws-account:transit-gateway/tgw-my-tgw-id
Principals:
- "first_account_number"
- "second_account_number"
Tags:
- Key: "Name"
Value: "My TGW RAM Share"
N.B. I actually use a parameter for ResourceArns, so I don't have to hardcode the ARN in there. I've left it out to keep things simple.
Once this template is run, you need to go manually inside each account and accept the Resource Access Manager invite. There is no way, to my knowledge, of doing this within CloudFormation.
tgw-vpc-attach.yml: Attaching a VPC to the TGW
Assuming you already have a CloudFormation Template to deploy your VPCs, it is then a matter of adding this code to have them attach to the TGW:
Resources:
vpctgwattach:
Type: 'AWS::EC2::TransitGatewayAttachment'
Properties:
TransitGatewayId:
Fn::ImportValue:
!Sub "mytgw-id"
VpcId: !Ref myvpc
SubnetIds:
- !Ref mysubnetAZ1
- !Ref mysubnetAZ2
Tags:
- Key: Name
Value: "VPC TGW attachment"
Outputs:
outvpctgwattach:
Description: VPC TGW Attachment ID
Value: !Ref vpctgwattach
Export:
Name: "vpctgwattach-id"
Resources:
vpctgwattach:
Type: 'AWS::EC2::TransitGatewayAttachment'
Properties:
TransitGatewayId:
Fn::ImportValue:
!Sub "mytgw-id"
VpcId: !Ref myvpc
SubnetIds:
- !Ref mysubnetAZ1
- !Ref mysubnetAZ2
Tags:
- Key: Name
Value: "VPC TGW attachment"
Outputs:
outvpctgwattach:
Description: VPC TGW Attachment ID
Value: !Ref vpctgwattach
Export:
Name: "vpctgwattach-id"
See here that I refer to the output variable defined previously in tgw-main.yml in order to get the ID of the TGW (without the stack name, but this is up to you).
This is for a VPC located in the same account as the TGW; note that referencing CloudFormation output variables doesn't work across accounts, the TGW ID can then be hardcoded. There are workarounds, but from what I've seen, they involve Lambda functions and I prefer avoiding this for the moment.
The TGW needs to be attached to a subnet in each of the AZs that your VPC spans to. It doesn't matter which subnet you pick these AZs, but you need one. The attachment creates a "secret" endpoint that consumes an IP address in each subnet and all packets that go to the TGW will be routed through it.
This is for a VPC located in the same account as the TGW; note that referencing CloudFormation output variables doesn't work across accounts, the TGW ID can then be hardcoded. There are workarounds, but from what I've seen, they involve Lambda functions and I prefer avoiding this for the moment.
The TGW needs to be attached to a subnet in each of the AZs that your VPC spans to. It doesn't matter which subnet you pick these AZs, but you need one. The attachment creates a "secret" endpoint that consumes an IP address in each subnet and all packets that go to the TGW will be routed through it.
While it could be possible to attach to that VPC directly from tgw-main.yml, I've decided not to do this, as I prefer not having to modify the main TGW template when adding new VPCs. It must also be done from within the account that owns the VPC, so I prefer keeping the attachment business out of the main template.
tgw-defaultroutetable.yml: Adding entries to the default route table
There is no way to extract the ID of the default route table from CloudFormation, so you first need to extract it using the CLI or the Portal. The value is labeled as tgw-rtb-xxxxxx where xxxxxx is the Transit Gateway ID.
Then, adding a new route is a matter of invoking AWS::EC2::TransitGatewayRoute while referring to the route table ID. I suggest you use a parameter for the route table ID, to your leisure.
Resources:
tgwdefaultroutetableentry1:
Type: AWS::EC2::TransitGatewayRoute
Properties:
DestinationCidrBlock: 0.0.0.0/0
TransitGatewayAttachmentId:
Fn::ImportValue:
!Sub "mytgw-id"
TransitGatewayRouteTableId: "tgw-rtb-xxxxxxxxxxxxx"
Notice here that I've used the export variable mytgw-id to identify my transit gateway.
Resources:
tgwdefaultroutetableentry1:
Type: AWS::EC2::TransitGatewayRoute
Properties:
DestinationCidrBlock: 0.0.0.0/0
TransitGatewayAttachmentId:
Fn::ImportValue:
!Sub "mytgw-id"
TransitGatewayRouteTableId: "tgw-rtb-xxxxxxxxxxxxx"
Notice here that I've used the export variable mytgw-id to identify my transit gateway.
Wrapping it all up
Deploying a TGW using CloudFormation and sharing it across accounts is a multi-step process:
- Deploy the TGW using tgw-main.yml
- Get the ARN manually using the AWS CLI (or some other way), then share it with with other accounts using tgw-share.yml
- Go into each account and accept the share invitation.
- Create a template to attach the VPCs named tgw-vpc-attach.yml or better, add the code of that template in your current VPC template(s).
- Get the default route table ID using the portal (or some other way) and add route entries to the TGW using yet another template named tgw-routetable.yml
That's about it.
