terraform-aviatrix-mc-transit
Description
Deploys a VPC/VNET/VCN and Aviatrix Transit gateways.
Compatibility
| Module version | Terraform version | Controller version | Terraform provider version |
|---|---|---|---|
| v2.5.4 | >= 1.3.0 | >= 7.1 | ~>3.1.0 |
Check release notes for more details. Check Compatibility list for older versions.
Warning: Upgrading from v1.x to v2.x has breaking changes! This was done to provide compatibility with the mc-firenet module. Check release notes for more details.
Usage Examples
See examples
Variables
The following variables are required:
| key | value |
|---|---|
| cloud | Cloud where this is deployed. Valid values: "AWS", "Azure", "ALI", "OCI", "GCP" |
| region | Cloud region to deploy this VPC/VNET/VCN in |
| cidr | What ip CIDR to use for this VPC/VNET/VCN |
| account | The account name as known by the Aviatrix controller |
The following variables are optional:
= AWS, 
= Azure, 
= GCP, 
= OCI, 
= Alibaba
| Key | Supported_CSP's | Default value | Description |
|---|---|---|---|
| allocate_new_eip | |
null | When value is false, reuse an idle address in Elastic IP pool for this gateway. Otherwise, allocate a new Elastic IP and use it for this gateway. |
| approved_learned_cidrs | |
A set of approved learned CIDRs. Only valid when enable_learned_cidrs_approval is set to true. Example: ["10.250.0.0/16", "10.251.0.0/16"] | |
| availability_domain | |
Availability domain in OCI. | |
| az_support | |
true | Set to false if the region does not support Availability Zones. (Automatically set to false for gov and dod regions) |
| azure_eip_name_resource_group | |
null | Name of public IP Address resource and its resource group in Azure to be assigned to the Transit Gateway instance. |
| az1 | |
a az-1 b |
Concatenates with region to form az names. e.g. eu-central-1a. Only used for insane mode and AWS GWLB. |
| az2 | |
b az-2 c |
Concatenates with region to form az names. e.g. eu-central-1b. Only used for insane mode and AWS GWLB. If az1 and az2 are equal. Single AZ mode (deploy everyting in 1 AZ) is triggered. |
| bgp_ecmp | |
false | Enable Equal Cost Multi Path (ECMP) routing for the next hop |
| bgp_hold_time | |
180 | Set the BGP Hold time. |
| bgp_lan_interfaces | |
A list of interfaces to run BGP protocol on top of the ethernet interface List of objects with structure here. |
|
| bgp_lan_interfaces_count | |
Number of interfaces that will be created for BGP over LAN enabled Azure transit. | |
| bgp_manual_spoke_advertise_cidrs | |
Intended CIDR list to advertise via BGP. Example: "10.2.0.0/16,10.4.0.0/16" | |
| bgp_polling_time | |
50 | BGP route polling time. Unit is in seconds |
| connected_transit | |
true | Set to false to disable connected_transit |
| customized_transit_vpc_routes | |
A list of CIDRs to be customized for the transit VPC routes. | |
| customer_managed_keys | |
Customer managed key ID for EBS Volume encryption. | |
| eip | |
null | Required when allocate_new_eip is false. It uses the specified EIP for this gateway. |
| enable_active_standby | |
false | Enables Active-Standby Mode. Available only with HA enabled. |
| enable_active_standby_preemptive | |
false | Enables Preemptive Mode for Active-Standby. Available only with BGP enabled, HA enabled and Active-Standby enabled. |
| enable_advertise_transit_cidr | |
false | Switch to enable/disable advertise transit VPC network CIDR for a VGW connection |
| enable_bgp_over_lan | |
false | Enable BGP over LAN. Creates interface for integration with SDWAN or other BGP peerings over LAN. |
| enable_egress_transit_firenet | |
false | Enable Egress Transit FireNet |
| enable_encrypt_volume | |
false | Set to true to enable EBS volume encryption for Gateway. |
| enable_firenet | |
false | Sign of readiness for FireNet connection with TGW |
| enable_gateway_load_balancer | |
false | Enable FireNet interfaces with AWS Gateway Load Balancer. |
| enable_gro_gso | |
true | Enable GRO/GSO for this transit gateway. |
| enable_monitor_gateway_subnets | |
false | If set to true, the Monitor Gateway Subnets feature in AWS is enabled. |
| enable_multi_tier_transit | |
false | Switch to enable multi tier transit |
| enable_s2c_rx_balancing | |
false | Allows to toggle the S2C receive packet CPU re-balancing on transit gateway. |
| enable_segmentation | |
false | Switch to true to enable transit segmentation |
| enable_transit_firenet | |
false | Sign of readiness for Transit FireNet connection |
| enable_transit_summarize_cidr_to_tgw | |
false | Enable summarize CIDR to TGW. |
| enable_preserve_as_path | |
false | Enable preserve as_path when advertising manual summary cidrs on BGP transit gateway. |
| enable_vpc_dns_server | |
null | Enable VPC DNS Server for Gateway. |
| excluded_advertised_spoke_routes | |
null | A list of comma-separated CIDRs to be advertised to on-prem as 'Excluded CIDR List'. |
| fault_domain | |
Fault domain in OCI. | |
| filtered_spoke_vpc_routes | |
A list of comma separated CIDRs to be filtered from the spoke VPC route table. | |
| gw_name | |
Name for the transit gateway. | |
| gw_subnet | |
Subnet CIDR, for using an existing VPC. Required when use_existing_vpc is enabled. Make sure this is a public subnet. | |
| ha_availability_domain | |
Availability domain in OCI for HA GW. | |
| ha_azure_eip_name_resource_group | |
null | Name of public IP Address resource and its resource group in Azure to be assigned to the Transit Gateway instance. |
| ha_bgp_lan_interfaces | |
A list of interfaces to run BGP protocol on top of the ethernet interface List of objects with structure here. |
|
| ha_cidr | |
The IP CIDR to be used to create ha_region spoke subnet. Only required when ha_region is set. | |
| ha_eip | |
null | Required when allocate_new_eip is false. It uses the specified EIP for this gateway. |
| ha_fault_domain | |
Fault domain in OCI for HA GW. | |
| ha_gw | |
true | Set to false if you only want to deploy a single Aviatrix spoke gateway |
| ha_region | |
Region for multi region HA. HA is multi-az single region by default, but will become multi region when this is set. | |
| hagw_subnet | |
Subnet CIDR, for using an existing VPC. Required when use_existing_vpc is enabled and ha_gw is true. Make sure this is a public subnet. | |
| hybrid_connection | |
false | Sign of readiness for TGW connection |
| insane_mode | |
false | Set to true to enable insane mode encryption |
| instance_size (insane mode/firenet) | |
c5n.xlarge Standard_D3_v2 n1-highcpu-4 VM.Standard2.4 |
The size of the Aviatrix transit gateways when insane mode or Transit Firenet is enabled. |
| instance_size | |
t3.medium Standard_B1ms n1-standard-1 VM.Standard2.2 ecs.g5ne.large |
The size of the Aviatrix transit gateways. |
| lan_cidr | |
CIDR For LAN VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true. | |
| learned_cidr_approval | |
false | Switch to true to enable learned CIDR approval |
| learned_cidrs_approval_mode | |
Learned cidrs approval mode. Defaults to Gateway. Valid values: gateway, connection | |
| local_as_number | |
Changes the Aviatrix Transit Gateway ASN number before you setup Aviatrix Transit Gateway connection configurations. | |
| name | |
avx-\<region>-transit | Name for this Transit VPC/VNET/VCN and it's gateways. Gateway name can be overridden with gw_name. |
| private_mode_lb_vpc_id | |
VPC ID of Private Mode load balancer. Required when Private Mode is enabled on the Controller. | |
| private_mode_subnets | |
Switch to only launch private subnets. Only available when Private Mode is enabled on the Controller. | |
| resource_group | |
Specify existing resource group to deploy transit resources into. | |
| rx_queue_size | |
Gateway ethernet interface RX queue size. Once set, can't be deleted or disabled. | |
| single_az_ha | |
true | Set to false if Controller managed Gateway HA is desired |
| single_ip_snat | |
false | Specify whether to enable Source NAT feature in single_ip mode on the gateway or not. Please disable AWS NAT instance before enabling this feature. Currently only supports AWS(1) and AZURE(8) |
| tags | |
Map of tags to assign to the gateway. | |
| tunnel_detection_time | |
The IPsec tunnel down detection time for the Spoke Gateway in seconds. Must be a number in the range [20-600]. Default is 60. | |
| use_existing_vpc | |
false | Set to true to use existing VPC. |
| vpc_id | |
VPC ID, for using an existing VPC. |
GCP BGP over LAN interface object
The bgp_lan_interfaces and ha_bgp_lan_interfaces accept lists of objects with the following structure.
| key | optional | default | description |
|---|---|---|---|
| vpc_id | true | avx-\<region>-transit-bgp-\<bgp interface index> avx-\<region>-transit-ha-bgp-\<bgp interface index> |
Name of the VPC for the interface(s). Required if the VPC/subnet exists. |
| subnet | false | subnet CIDR of the subnet to use. | |
| create_vpc | true | true if vpc_id is empty. false if vpc_id is populated. |
Create the BGP over LAN VPC. Required as true if specifying the VPC name. |
Outputs
This module will return the following outputs:
| key | description |
|---|---|
| vpc | The created VPC as an object with all of it's attributes (when use_existing_vpc is false). This was created using the aviatrix_vpc resource. |
| transit_gateway | The created Aviatrix transit gateway as an object with all of it's attributes. |
| mc_firenet_details | Outputs specific for composing with mc-firenet module |
| module_metadata | Information about the module, like module version. |