From d4618e184a6c809c36f7241e23c58578a5b8577f Mon Sep 17 00:00:00 2001
From: Matt Wilder
Date: Tue, 16 Jul 2024 16:30:34 -0700
Subject: [PATCH] feat: Allow specifying additional TGW routes in attached VPCs

Adds parameter `tgw_additional_vpc_cidrs` to the `vpc_attachments` map that enables adding additional `aws_route` resources that send traffic across the TGW peering connection. Changes the name of the existing `aws_route` resource from `this` since there are now more than one in the state file.
---
 README.md | 5 +++--
 examples/multi-account/main.tf | 3 ++-
 main.tf | 32 +++++++++++++++++++++++++++++++-
 versions.tf | 2 +-
 4 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 3cf845d..39bcb81 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,7 @@ module "vpc" {
 
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [terraform](#requirement\_terraform) | >= 1.1 |
 | [aws](#requirement\_aws) | >= 4.4 |
 
 ## Providers
@@ -96,7 +96,8 @@ No modules.
 | [aws_ram_resource_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |
 | [aws_ram_resource_share.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share) | resource |
 | [aws_ram_resource_share_accepter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share_accepter) | resource |
-| [aws_route.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.additional_cidrs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.destination_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 
 ## Inputs
 
diff --git a/examples/multi-account/main.tf b/examples/multi-account/main.tf
index 56e0b70..e7392fb 100644
--- a/examples/multi-account/main.tf
+++ b/examples/multi-account/main.tf
@@ -105,7 +105,8 @@ module "tgw_peer" {
   transit_gateway_default_route_table_propagation = false
 
   vpc_route_table_ids = module.vpc1.private_route_table_ids
-  tgw_destination_cidr = "0.0.0.0/0"
+  tgw_destination_cidr = "10.0.0.0/8"
+  tgw_additional_cidrs = ["172.0.0/12"]
 
   tgw_routes = [
     {
diff --git a/main.tf b/main.tf
index 0f642b9..b9c373c 100644
--- a/main.tf
+++ b/main.tf
@@ -19,6 +19,18 @@ locals {
       }
     ]
   ])
+
+  vpc_route_table_additional_cidrs = flatten([
+    for k, v in var.vpc_attachments : [
+      for rtb_id in try(v.vpc_route_table_ids, []) : [
+        for cidr in try(v.tgw_additional_cidrs, []) : {
+          rtb_id = rtb_id
+          cidr = cidr
+          tgw_id = var.create_tgw ? aws_ec2_transit_gateway.this[0].id : v.tgw_id
+        }
+      ]
+    ]
+  ])
 }
 
 ################################################################################
@@ -110,7 +122,7 @@ resource "aws_ec2_transit_gateway_route" "this" {
   transit_gateway_attachment_id = tobool(try(local.vpc_attachments_with_routes[count.index][1].blackhole, false)) == false ? aws_ec2_transit_gateway_vpc_attachment.this[local.vpc_attachments_with_routes[count.index][0].key].id : null
 }
 
-resource "aws_route" "this" {
+resource "aws_route" "destination_cidr" {
   for_each = { for x in local.vpc_route_table_destination_cidr : x.rtb_id => {
     cidr = x.cidr,
     tgw_id = x.tgw_id
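Review bot: The added line `tgw_additional_cidrs = ["172.0.0/12"]` is not a valid IPv4 CIDR (only three octets), so the `aws_route.additional_cidrs` instance the module derives from it will be rejected with an invalid-CIDR error instead of producing a route. The intended private range is presumably the RFC 1918 block; change the line to `tgw_additional_cidrs = ["172.16.0.0/12"]`. The `module "tgw_peer"` block starts and ends outside the hunk.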
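Review bot: The new local reads `v.tgw_additional_cidrs`, but the commit message introduces the key as `tgw_additional_vpc_cidrs`, and neither name is documented as a `vpc_attachments` key — the README hunk only updates the Resources table and variables.tf is not in the diffstat — so a caller has no description of the expected value (a list of CIDR strings to route to the TGW from each listed route table). Document the key where `vpc_attachments` is described and align the commit message with the name actually used. A CIDR listed here that also equals the attachment's `tgw_destination_cidr` would presumably yield a second `aws_route` for the same route table and destination, which AWS rejects at apply time; filtering it out in the innermost loop, e.g. `for cidr in try(v.tgw_additional_cidrs, []) : { ... } if cidr != try(v.tgw_destination_cidr, null)`, would surface that configuration error at plan time instead.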
@@ -122,6 +134,24 @@ resource "aws_route" "this" {
   transit_gateway_id = each.value["tgw_id"]
 }
 
+moved {
+  from = aws_route.this
+  to = aws_route.destination_cidr
+}
+
+resource "aws_route" "additional_cidrs" {
+  for_each = { for x in local.vpc_route_table_additional_cidrs : "${x.rtb_id}_${x.cidr}" => {
+    cidr = x.cidr
+    rtb_id = x.rtb_id
+    tgw_id = x.tgw_id
+  } }
+
+  route_table_id = each.value["rtb_id"]
+  destination_cidr_block = try(each.value.ipv6_support, false) ? null : each.value["cidr"]
+  destination_ipv6_cidr_block = try(each.value.ipv6_support, false) ? each.value["cidr"] : null
+  transit_gateway_id = each.value["tgw_id"]
+}
+
 resource "aws_ec2_transit_gateway_route_table_association" "this" {
   for_each = {
     for k, v in var.vpc_attachments : k => v if var.create_tgw && var.create_tgw_routes && try(v.transit_gateway_default_route_table_association, true) != true
diff --git a/versions.tf b/versions.tf
index 03533eb..fed690e 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.1"
 
   required_providers {
     aws = {
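Review bot: In the new `aws_route.additional_cidrs`, `try(each.value.ipv6_support, false)` can never be true because the `for_each` value is built only from `cidr`, `rtb_id` and `tgw_id`, so both conditionals are dead and an IPv6 prefix given in `tgw_additional_cidrs` would be assigned to `destination_cidr_block` and rejected by the provider as an IPv4 CIDR. If IPv6 entries are meant to work, carry the per-attachment flag through: add `ipv6_support = try(v.ipv6_support, false)` to the object in `local.vpc_route_table_additional_cidrs` (previous hunk of this file) and `ipv6_support = x.ipv6_support` to the `for_each` map here; if not, drop the conditionals and assign `each.value["cidr"]` directly so the code does not promise a branch it cannot take. The `moved` block correctly pairs with the rename in the previous hunk and is what the `>= 1.1` bump in versions.tf is for, which is worth stating in the commit message since it is a breaking change for consumers still on 0.13/0.14.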