diff --git a/docs/aws-transit-gateway/transit-gateway-network.drawio b/docs/aws-transit-gateway/transit-gateway-network.drawio
new file mode 100644
index 000000000..fab463255
--- /dev/null
+++ b/docs/aws-transit-gateway/transit-gateway-network.drawio
@@ -0,0 +1 @@
+7Vxtc6I6FP41fsRJCAT4aO22u3fm7nq3+/7lToSozCI4EGt7f/1N5D1BpYpWuzrTFkII5JznnOfknNgeGs6f7mOymP0deTTo6cB76qHbnq5DA9j8j2h5Tls03claprHvZb3Khgf/P5o1gqx16Xs0qXVkURQwf1FvdKMwpC6rtZE4jlb1bpMoqD91QaZUaXhwSaC2fvc9NktbbROU7e+pP53lT4YguzIneeesIZkRL1pVmtC7HhrGUcTSo/nTkAZCerlc0vvuNlwtXiymIWtzgzNzFj+/33/6tvpq4qcvo78sJ9R0nA7zSIJlNuNPoRg2pnP+59voYypblz8kJiyKs7mw51xAcbQMPSqeAXvoZjXzGX1YEFdcXXFM8LYZmwfZ5YkfBMMo4MOIe5FHqD1xeXvC4ug3rVzBrk3HE35FnWU28UcaM/pUacpmfU+jOWXxM++SX7X09JYMg9AGVtqwKjUKczXNKtrEWRvJQDQtxi7lzA8yUb9E7JYi9sH3h56OyVxILBwni/XcccDf5GbMpY6n4uhLTMLEZ9qUMLoiz2qHZaKtaMI0ffdYhJsGn5rL5T8Q7xtOYsL1sHTZMqZq98HDx7QjNjBAncJgMpnobiMMPDzGJu4GBoZt9M06ECxHV4FgmioQnKMBwVaAoIiWht5AeDJ+5gYkSfxUVCRmanNFyPTJZz8qxz/5MeASSM9uhVRAfvKcn3Arf/5RPancJU7L29Zn+X0b1ZNEy9ilLRwQn86UshYmQ72aw1bVXdGl2WDTeVtMA8L8x7qbb9Jv9oRR5PO5FWhC2JKcimnVx0innt1W9cvSSAaURwLSSKlslJHWgCsmfgAGHQWDa78vwZCbGasjLKaJ/x8ZrzsIFCzEG67f2bzpmbfCxwT+NBQA5big3KZvhLn6nF0H2YW573ni/puAjGlwQ9zf07UnqXsH/mkE2XaTkj1DESRkr1zj4SaPoYE+0pFd044GD4NP3iWaTBJ6FHUiXVHnIo687VyxnRvS+zv1+BRv8PiWMwZbXcoLPH7O6Znu+AfnFPBq1I9Ua+uM+ilppc4XUb3KR+dP9RAZdc1Dy24I+XAD0xfxe+eKz1/pz6V6S6V665e1+PBoR1owIth8jyka3Wn6WTE9RhI/O3BPpreRhEpbl8B2ZKY3cksqIZi5Fd54v8mxjCiN/XB6sQFBYXhdBAQ88EN1UukEZNINnUQH22zraOwDu2UfqKDu/NnHATL5nHKZ2ah19OdQzzbU71xk5sHZmVAPhFIECx1Lgkhb7oHIBnL6QxmsO/pp1ILxxtlnq+ldyedOMxUAiJUlJwI/CjUm1qKPC/eQheoubhl+uP287lnnO8gX+lYf9LkC7iDumHJOsdKV/QS3baBSTtN6x0JHohy1sNA15YC+mFFJO7CfX91AO/xkxJ0Jn58w/gMpBZoqpzRzDzwrTjGVakgenbyUUuSRdGC0S1xy7QpPX3TLHPXGVzYsCd0A1Epd/CAdslNnpZZovo34SODSCSk3zIMJidufbUtgOgyix2cgtdzSloE6Wt1sYSDzkhnIcuRca1OR9aQMpCZaX6Tro0Yb+JJ1DXVTPzdlw+NnV7naatEGQPl5+3ijXPr2TUOvLn95eA92LYDXZx2GMK0TssZZhTAQ2Fz6QFrN2pbdd2yn+Nj7RTUOcvo8kjEdAwILWYa04AItU7abY5yuKQ2qSd23EajAzvK2lxipQP0UDg3Cl7m0ivtKu1bdF/cne/ivjpdlTlufZp6XT0MO7jv1vQbQxmbfONylQaR4MSjx8Ot7MTVF/Ua8WG7Hf6YXU1N+bFcp6XO0ZDyaBl/WglEuz3kMLwSmxNXSwFosxtFS8croSWZkIQ65+kgQ0CCaxmQuMFNxRLVrFQ91ljG5kZcuCt/RsONBz8HY9U6XZt2rKcC1SXelb+J5Gpumak7evoZteYFtqSneEytYTZFdjfsoqsdSGfAMjFvNpF2N+4D0mWFI1t1QwDmxhtX82dW6j5JOQ0oq49WVr6vptKt5H5IxhWdn3/qmvBFhjLizOV0vEQrFpb87NPmp5otVWEgCLX1imo5/81CQNoGWtfvXQ4K6MeeKhBNwvi35BGi8OhLU5foVCScpqMlO4ZRQ0P759WwPbMP7MLy9wysS/jv42rBR+N1QNGj85xJ35UJpV65uYFXER/sqUKOIm3bl1g2iFPklfuOWwxpLMm/IWZxW5irVlTLWL1DGtgLrVxexyiGKXA8uXFX3/RVVql0lKwMZvUrJqih3HaXivs2p7ixO5anTcylOyblHw5DA07YUpcvRL5K/89DdHvRGDZxiW+pe4DRr0NwBy/0RaLRFoH1WCLRNKVY25e9ptv4SHsZ9AOqFVh1ZsO9YZaEVnxSTahq9e0waRWW/Xq3vHJp7l/O3hUi7q/ngrOAKdXk7pCHTbevivVL4QbLz3Rue/LT8/0Np9/LfOKF3/wM=
\ No newline at end of file
diff --git a/docs/aws-transit-gateway/transit-gateway-network.png b/docs/aws-transit-gateway/transit-gateway-network.png
new file mode 100644
index 000000000..44431fb25
Binary files /dev/null and b/docs/aws-transit-gateway/transit-gateway-network.png differ
diff --git a/tf-environments/infrastructure/aws/transit-gateway/_env_defaults/transit-gateway.tfvars b/tf-environments/infrastructure/aws/transit-gateway/_env_defaults/transit-gateway.tfvars
new file mode 100644
index 000000000..e3af077e5
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/_env_defaults/transit-gateway.tfvars
@@ -0,0 +1,7 @@
+# Infrastructure account:
+aws_first_access_key = ""
+aws_first_secret_key = ""
+
+# second account:
+aws_second_access_key = ""
+aws_second_secret_key = ""
diff --git a/tf-environments/infrastructure/aws/transit-gateway/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/terragrunt.hcl
new file mode 100644
index 000000000..fa0df9c3c
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/terragrunt.hcl
@@ -0,0 +1,21 @@
+remote_state {
+ backend = "s3"
+ config = {
+ bucket = "kubernetes-ops-tf-state-${get_aws_account_id()}-transit-gateway"
+
+ key = "infrastructure/${path_relative_to_include()}/terraform.tfstate"
+ region = "us-east-1"
+ encrypt = true
+ dynamodb_table = "kubernetes-ops-lock-table"
+ }
+}
+
+terraform {
+ // extra_arguments "common_vars" {
+ // commands = get_terraform_commands_that_need_vars()
+ //
+ // arguments = [
+ // "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/gcp.tfvars",
+ // ]
+ // }
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-1/_env_defaults/aws.tfvars b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/_env_defaults/aws.tfvars
new file mode 100644
index 000000000..24b38726a
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/_env_defaults/aws.tfvars
@@ -0,0 +1,3 @@
+environment_name = "production-test-vpc"
+region = "us-east-1"
+vpc_cidr = "10.35.0.0/16"
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-1/add-tg-routes/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/add-tg-routes/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..c116e4977
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/add-tg-routes/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,32 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/add-tg-routes/"
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-east-1"
+
+ transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+ # Routing table associated with the VPC subnets
+ route_table_id_list = ["rtb-0137cd69ffeeea89d", "rtb-0a568e7960813d48f"]
+
+ # External destination routes list CIDR
+ routes-list = ["10.36.0.0/16", "10.37.0.0/16"]
+}
+
+dependencies {
+ paths = ["../transit-gateway"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/dev-us/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/dev-us/terragrunt.hcl
new file mode 100644
index 000000000..2d9ecde4b
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/dev-us/terragrunt.hcl
@@ -0,0 +1,55 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/tg-external-attach-to-vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # "-var-file=../../vpc/dev-us/vpc-tfvars",
+ ]
+ }
+}
+
+locals {
+ vpc_id_second = "vpc-0f13269709c9a4822"
+}
+
+
+inputs = {
+
+ aws_region = "us-east-1"
+
+ name-postfix = "dev-us"
+
+ tags = {
+ Environment = "dev-us",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-east-1"
+ managed_by = "Terraform"
+ purpose = "transit-gateway"
+ terraform_module = "tg-internal-attach-to-vpc"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+
+ transit-gateway-arn = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_arn", "--terragrunt-working-dir", "../../transit-gateway"))
+ transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+ # vpc_id_first = "Retrieved via the extra args command input"
+ vpc_id_second = "vpc-0f13269709c9a4822"
+
+ availability_zone = ["us-east-1a", "us-east-1b", "us-east-1c"]
+ # CIDR blocks per the .//cidr-ranges.md
+ subnets_cidr = ["172.17.104.16/28", "172.17.104.32/28", "172.17.104.48/28"]
+}
+
+dependencies {
+ paths = ["../../transit-gateway", "../../vpc/dev-us"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..169107740
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,47 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/tg-internal-attach-to-vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ ]
+ }
+}
+
+inputs = {
+
+ aws_region = "us-east-1"
+
+ name-postfix = "production-test-vpc"
+
+ tags = {
+ Environment = "production-test-vpc",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-east-1"
+ managed_by = "Terraform"
+ purpose = "transit-gateway"
+ terraform_module = "tg-internal-attach-to-vpc"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+
+ transit-gateway-arn = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_arn", "--terragrunt-working-dir", "../../transit-gateway"))
+ transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+ vpc_id_first = trimspace(run_cmd("terragrunt", "output", "aws_vpc_id", "--terragrunt-working-dir", "../../vpc/production-test-vpc"))
+
+ availability_zone = ["us-east-1a", "us-east-1b", "us-east-1c"]
+ subnets_cidr = ["10.35.20.0/24", "10.35.21.0/24", "10.35.22.0/24"]
+}
+
+dependencies {
+ paths = ["../../transit-gateway", "../../vpc/production-test-vpc"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-east-2/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-east-2/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..6b389498f
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-east-2/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,36 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../../tf-modules/aws/networks/transit-gateway-route-table/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-east-1"
+
+ destination_cidr_block_list = ["10.36.0.0/16"]
+
+ blackhole_list = ["false"]
+
+ # This is hardcoded right now b/c the transit-gateway to transit-gateway peering has to be done manually. Terraform has a PR open for this functionality but it has not landed yet.
+ transit_gateway_attachment_id = "tgw-attach-07ff6a0a0ca3ced71"
+
+ transit_gateway_route_table_id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_propagation_default_route_table_id", "--terragrunt-working-dir", "../../../transit-gateway"))
+
+}
+
+dependencies {
+ paths = ["../../../transit-gateway"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-west-2/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-west-2/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..bee1c2c70
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-west-2/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,36 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../../tf-modules/aws/networks/transit-gateway-route-table/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-east-1"
+
+ destination_cidr_block_list = ["10.37.0.0/16"]
+
+ blackhole_list = ["false"]
+
+ # This is hardcoded right now b/c the transit-gateway to transit-gateway peering has to be done manually. Terraform has a PR open for this functionality but it has not landed yet.
+ transit_gateway_attachment_id = "tgw-attach-07ed65746271a3316"
+
+ transit_gateway_route_table_id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_propagation_default_route_table_id", "--terragrunt-working-dir", "../../../transit-gateway"))
+
+}
+
+dependencies {
+ paths = ["../../../transit-gateway"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway/terragrunt.hcl
new file mode 100644
index 000000000..71b09b636
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/transit-gateway/terragrunt.hcl
@@ -0,0 +1,38 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../tf-modules/aws/networks/transit-gateway/"
+
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-east-1"
+
+ amazon_side_asn = "64601"
+
+ tags = {
+ Name = "tg-production",
+ Environment = "tg-production",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-east-1"
+ managed_by = "Terraform"
+ purpose = "transit-gateway"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-1/vpc/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/vpc/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..5433c8a95
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-1/vpc/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,39 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_parent_terragrunt_dir()}/us-east-1/_env_defaults/aws.tfvars",
+ ]
+ }
+}
+
+inputs = {
+
+ region = "us-east-1"
+ availability_zones = ["us-east-1a"]
+
+ public_cidrs = ["10.35.10.0/24"]
+
+ private_cidrs = ["10.35.11.0/24"]
+
+ tags = {
+ Name = "production-test-vpc",
+ Environment = "production-test-vpc",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-east-1"
+ managed_by = "Terraform"
+ terraform_module = "vpc"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-2/_env_defaults/aws.tfvars b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/_env_defaults/aws.tfvars
new file mode 100644
index 000000000..30f0e59c7
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/_env_defaults/aws.tfvars
@@ -0,0 +1,3 @@
+environment_name = "production-test-vpc"
+region = "us-east-2"
+vpc_cidr = "10.36.0.0/16"
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-2/add-tg-routes/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/add-tg-routes/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..1c16d287a
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/add-tg-routes/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,34 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/add-tg-routes/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-east-2"
+
+ transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+ # Routing table associated with the VPC subnets
+ route_table_id_list = ["rtb-04b71b62aa6fb03d6", "rtb-0707cf615945ad25d"]
+
+ # External destination routes list CIDR
+ routes-list = ["10.35.0.0/16", "10.37.0.0/16", "10.38.0.0/16"]
+}
+
+dependencies {
+ paths = ["../../transit-gateway"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..b17eacd9e
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,47 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/tg-internal-attach-to-vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ ]
+ }
+}
+
+inputs = {
+
+ aws_region = "us-east-2"
+
+ name-postfix = "production-test-vpc"
+
+ tags = {
+ Environment = "production-test-vpc",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-east-2"
+ managed_by = "Terraform"
+ purpose = "transit-gateway"
+ terraform_module = "tg-internal-attach-to-vpc"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+
+ transit-gateway-arn = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_arn", "--terragrunt-working-dir", "../../transit-gateway"))
+ transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+ vpc_id_first = trimspace(run_cmd("terragrunt", "output", "aws_vpc_id", "--terragrunt-working-dir", "../../vpc/production-test-vpc"))
+
+ availability_zone = ["us-east-2a", "us-east-2b", "us-east-2c"]
+ subnets_cidr = ["10.36.20.0/24", "10.36.21.0/24", "10.36.22.0/24"]
+}
+
+dependencies {
+ paths = ["../../transit-gateway", "../../vpc/production-test-vpc"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-2/transit-gateway-route-table/us-east-1/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/transit-gateway-route-table/us-east-1/terragrunt.hcl
new file mode 100644
index 000000000..d59667ab1
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/transit-gateway-route-table/us-east-1/terragrunt.hcl
@@ -0,0 +1,36 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/transit-gateway-route-table/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-east-2"
+
+ destination_cidr_block_list = ["10.35.0.0/16", "10.37.0.0/16", "10.38.0.0/16"]
+
+ blackhole_list = ["false", "false", "false"]
+
+ # This is hardcoded right now b/c the transit-gateway to transit-gateway peering has to be done manually. Terraform has a PR open for this functionality but it has not landed yet.
+ transit_gateway_attachment_id = "tgw-attach-07ff6a0a0ca3ced71"
+
+ transit_gateway_route_table_id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_propagation_default_route_table_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+}
+
+dependencies {
+ paths = ["../../transit-gateway"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-2/transit-gateway/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/transit-gateway/terragrunt.hcl
new file mode 100644
index 000000000..1765c6163
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/transit-gateway/terragrunt.hcl
@@ -0,0 +1,37 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../tf-modules/aws/networks/transit-gateway/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-east-2"
+
+ amazon_side_asn = "64602"
+
+ tags = {
+ Name = "tg-production",
+ Environment = "tg-production",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-east-2"
+ managed_by = "Terraform"
+ purpose = "transit-gateway"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-east-2/vpc/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/vpc/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..e80b21b59
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-east-2/vpc/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,40 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_parent_terragrunt_dir()}/us-east-2/_env_defaults/aws.tfvars",
+ ]
+ }
+}
+
+inputs = {
+
+ region = "us-east-2"
+ availability_zones = ["us-east-2a"]
+
+ public_cidrs = ["10.36.10.0/24"]
+
+ private_cidrs = ["10.36.11.0/24"]
+
+ tags = {
+ Name = "production-test-vpc",
+ Environment = "production-test-vpc",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-east-2"
+ managed_by = "Terraform"
+ terraform_module = "vpc"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+
+ }
+
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-west-2/_env_defaults/aws.tfvars b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/_env_defaults/aws.tfvars
new file mode 100644
index 000000000..93e8e5514
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/_env_defaults/aws.tfvars
@@ -0,0 +1,3 @@
+environment_name = "production-test-vpc"
+region = "us-west-2"
+vpc_cidr = "10.37.0.0/16"
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-west-2/add-tg-routes/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/add-tg-routes/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..332b10311
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/add-tg-routes/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,35 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/add-tg-routes/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-west-2"
+
+ transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+ # Routing table associated with the VPC subnets
+ route_table_id_list = ["rtb-09efef60458f61005", "rtb-0ab2a8c517e45a5e4"]
+
+ # External destination routes list CIDR
+ routes-list = ["10.35.0.0/16", "10.36.0.0/16", "10.38.0.0/16", "172.17.0.0/16"]
+
+}
+
+dependencies {
+ paths = ["../../transit-gateway"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-west-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..35012f0bf
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,47 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/tg-internal-attach-to-vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ ]
+ }
+}
+
+inputs = {
+
+ aws_region = "us-west-2"
+
+ name-postfix = "production-test-vpc"
+
+ tags = {
+ Environment = "production-test-vpc",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-west-2"
+ managed_by = "Terraform"
+ purpose = "transit-gateway"
+ terraform_module = "tg-internal-attach-to-vpc"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+
+ transit-gateway-arn = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_arn", "--terragrunt-working-dir", "../../transit-gateway"))
+ transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+ vpc_id_first = trimspace(run_cmd("terragrunt", "output", "aws_vpc_id", "--terragrunt-working-dir", "../../vpc/production-test-vpc"))
+
+ availability_zone = ["us-west-2a", "us-west-2b", "us-west-2c"]
+ subnets_cidr = ["10.37.20.0/24", "10.37.21.0/24", "10.37.22.0/24"]
+}
+
+dependencies {
+ paths = ["../../transit-gateway", "../../vpc/production-test-vpc"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-west-2/transit-gateway-route-table/us-east-1/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/transit-gateway-route-table/us-east-1/terragrunt.hcl
new file mode 100644
index 000000000..68964cb0a
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/transit-gateway-route-table/us-east-1/terragrunt.hcl
@@ -0,0 +1,36 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/networks/transit-gateway-route-table/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-west-2"
+
+ destination_cidr_block_list = ["10.35.0.0/16", "10.36.0.0/16", "10.38.0.0/16", "172.17.0.0/16"]
+
+ blackhole_list = ["false", "false", "false", "false"]
+
+ # This is hardcoded right now b/c the transit-gateway to transit-gateway peering has to be done manually. Terraform has a PR open for this functionality but it has not landed yet.
+ transit_gateway_attachment_id = "tgw-attach-07ed65746271a3316"
+
+ transit_gateway_route_table_id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_propagation_default_route_table_id", "--terragrunt-working-dir", "../../transit-gateway"))
+
+}
+
+dependencies {
+ paths = ["../../transit-gateway"]
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-west-2/transit-gateway/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/transit-gateway/terragrunt.hcl
new file mode 100644
index 000000000..2c0725c61
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/transit-gateway/terragrunt.hcl
@@ -0,0 +1,37 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../tf-modules/aws/networks/transit-gateway/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-west-2"
+
+ amazon_side_asn = "64603"
+
+ tags = {
+ Name = "tg-production",
+ Environment = "tg-production",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-west-2"
+ managed_by = "Terraform"
+ purpose = "transit-gateway"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+}
diff --git a/tf-environments/infrastructure/aws/transit-gateway/us-west-2/vpc/production-test-vpc/terragrunt.hcl b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/vpc/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..13a8d9655
--- /dev/null
+++ b/tf-environments/infrastructure/aws/transit-gateway/us-west-2/vpc/production-test-vpc/terragrunt.hcl
@@ -0,0 +1,39 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../tf-modules/aws/vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_parent_terragrunt_dir()}/us-west-2/_env_defaults/aws.tfvars",
+ ]
+ }
+}
+
+inputs = {
+
+ region = "us-west-2"
+ availability_zones = ["us-west-2a"]
+
+ public_cidrs = ["10.37.10.0/24"]
+
+ private_cidrs = ["10.37.11.0/24"]
+
+ tags = {
+ Name = "production-test-vpc",
+ Environment = "production-test-vpc",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-west-2"
+ managed_by = "Terraform"
+ terraform_module = "vpc"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+
+}
diff --git a/tf-modules/aws/networks/README.md b/tf-modules/aws/networks/README.md
new file mode 100644
index 000000000..8e722571c
--- /dev/null
+++ b/tf-modules/aws/networks/README.md
@@ -0,0 +1,154 @@
+AWS Networks
+=============
+
+This is a series of modules to help build a global AWS transit gateway network.
+
+# Creation flow:
+
+## [1] transit-gateway
+Creates a Transit Gateway
+
+## [2] VPC
+Create a VPC or use an exiting VPC that will connect up to the Transit Gateway
+
+## [3] tg-internal-attach-vpc / tg-external-attach-vpc
+The `internal` one uses one AWS account while the `external` one uses two AWS accounts.
+
+The `external` module uses the `./_env_defaults/transit-gateway.tfvars` credential file to handle orchestrating resources in two accounts. The first AWS account owns the Transit Gateway and the second AWS account is where you want to attach the Transit Gateway to. This module will share the Transit Gateway from the first AWS account with the second AWS account and then accept it on both sides. Then it will set it up to connect to the second's AWS account's VPC.
+
+It will create:
+* 3 subnets created so that the transit gateway can route into
+* the TG needs to be in all subnets/zones if you want to route there
+* transit gateway attachment to the test-vpc
+* routes in the vpc route table associated with these subnets
+
+## [4] transit-gateway-route-table
+* This route table should be owned by the infrastructure AWS account
+* These are all of the routes routing through the Transit Gateway
+* The individual sub accounts should not have to add this step because they do not control the global Transit Network routing
+
+## [5] add-tg-routes
+ -These are individual routes that goes into the VPC route table
+ -This should go into the local env where the VPC lives and that AWS account should launch this since they own the routes to their own VPC.
+
+### This holds
+The input variables for the `route_table_id_list` and the `routes-list` are the destination routes from the perspective of the subnet(s) this VPC route-table is associated with wants to route to.
+
+It will set these routes and then set the destination to the Transit Gateway.
+
+## [6] A full example
+There is a full example of the network it can create in the diagram in the next section.
+
+The example is in: `/tf-environments/aws/infrastructure/aws/transit-gateway`
+
+# A detailed walk through on how to troubleshoot a routing path through the AWS Transit Gateway
+Troubleshooting a path through the transit gateway can seem like a hard task since you won't have visibility into every single piece of networking that the packet will go through. By following a systematic approach you can make sure that everything that is needed to be able to route successfully from an EC2 host in one VPC in a region going through a transit gateway to another region and back down to another EC2 host in that VPC is setup correctly.
+
+Im not going to lie. This is a very tedious troubleshooting scenario. If the IDs for each piece don't match up or if the CIDR range is no correct for a route table, trying to reach the other side via a ping or opening a connection to the other host will just fail silently. We don't have visibility into AWS's routers to see where it is failing on this path.
+
+In the following diagram we are going to map out how `EC2-1` will reach `EC2-2` and trace out the path.
+
+
+
+As you can see, to make this setup work, there are a bunch of components to it. The main items to look at are the correct routing tables associated with each components and are the correct routes in there?
+
+Lets start.
+
+## [1] Transit Gateway Configuration (us-west-2)
+The first thing to check is to make sure the Transit Gateway is setup correctly. Without this, you will not be able to add the routes to the EC2's instances routing tables.
+
+In the AWS console go to: VPC->Transit Gateway
+
+
+
+You should have a Transit Gateway here =)
+
+### Attachments
+The Transit Gateway has a bunch of functionality and ways you can use it and it is just a resource. You have to attach this resource to something.
+
+
+
+I have highlighted the second row (we'll talk about the first row later on). This is a Transit Gateway attachment to a VPC. This binds the transit gateway to the VPC where our `EC2-1` host lives.
+
+Another important thing is to note the `Subnet IDs` in this page. These are not the subnets that our `EC2-1` host is in but these are subnets in the same VPC. For the Transit Gateway to route properly, it has to be in all of the AWS Availability Zones that you want it to route into for that VPC. There are 3 subnets here because we are in 3 different availability zones. This is a side fact that you will just have to remember on how the Transit Gateway works.
+
+## [2] EC2-1 Instance Configuration (us-west-2)
+
+We have the instance named `EC2-1` which is in the us-west-2 region:
+
+
+
+There two things we want to check in here.
+
+Note: You will notice that this subnet is not in the list of subnets in the Transit Gateway Attachments. It doesn't have to be.
+
+### Check is the EC2-1's security group
+The first thing to check is the `EC2-1`'s security group:
+
+
+
+Make sure that it is allowing network traffic in. This is showing it is allowing everything in.
+
+### The EC2-1's subnet settings
+The second thing is to click on the `Subnet ID`. When you get on that page, you can click on the `Route Table` tab and it will show you the following:
+
+
+
+The following is the route table that is associated with this subnet and the routing configurations for it. It lists out destination CIDR ranges where traffic to go and where it should send that traffic via the `Target` location.
+
+Per our network above, the `EC2-2` host we are trying to reach is on the `10.35.0.0/16` network. This route table don't have all of the information on how to get there but it knows the next hop on where it should go. Also per our network diagram above, the next hop would be the Transit Gateway in this region that is attached to this VPC. In this case, the transit gateway ID is `tgw-065a441dc990254ca`. You can also see that this is the only transit gateway in this region for us which means that all othe routes to the other parts of the network will go through this transit gateway also. You will notice that the other routes point to the same transit gateway. That is because to get traffic to those networks, we just have to push the packets to this transit gateway and this transit gateway will handle forwarding it onward for us (per it's own configurations which we will go through below).
+
+If you don't have the proper routes here you can click on the `Route Table` link (`rtb-09efef60458f61005 | production-test-vpc`) and that will bring you to the routing table's configuration. From here, you can click on the `Routes` tab and add the destination CIDR and to which Transit Gateway should be the next hop.
+
+
+
+## [3] Transit Gateway Peering Attachment (us-west-2)
+Earlier we looked at the VPC attachment. The following hightlights the peering attachment. This attachment peers this Transit Gateway with another Transit Gateway. In this case, it is peered with a Transit Gateway in `us-east-1`.
+
+
+
+We will need this peering attachment active to continue to push traffic through to the other side.
+
+## [4] Transit Gateway Route Table (us-west-2)
+The Transit Gateway routing table is similar to the previous VPC routing table we were looking at. It basicially needs the same information but the next hop is the peering connection. The reason we have yet another routing table is becuase a Transit Gateway is a hub and spoke device. This Transit Gateway can be connected up to multiple Transit Gateway or other devices like a VPN or a router. This then mean that you need to know where to route traffic to and at which endpoint to send that traffic to.
+
+
+
+In this setup it is fairly simple since there is only one other Transit Gateway and our VPC. We have the `10.37.0.0/16` route pointed to our VPC and the route to `EC2-2` (10.35.0.0/16) pointed to the only peering connection we have in this setup.
+
+## [5] Transit Gateway Configuration (us-east-1)
+Now we start to look on the other side in `us-east-1`'s configuration to make sure it is correct. This configuration is essentially the same as what we have gone through above. We will go through the same sequence but with `us-east-1'`s configs. I will only point out the differences here and not repeat what was sadi above.
+
+Again, here we have a Transit Gateway (no picture). The Transit Gateway itself don't have much configurations. The interesting bits to it are in it's attachments.
+
+## [6] Transit Gateway Attachments (us-east-1)
+This Transit Gateway attchement is a little bit more interesting than the one in the other region because this is the "hub". Both us-west-2 and us-east-2 peers with this Transit Gateway. It just has more attachments and the configuration is about the same.
+
+
+
+We want to make sure the VPC where the `EC2-2` instance is located in is attached here and for this particular troubleshooting exercise we only care about the peering with `us-west-2` is active.
+
+## [7] EC2-2 Instance configuration (us-east-1)
+Let's jump over to the `EC2-2`'s configuration and start there.
+
+
+
+We want to check the same thing as we did before. The security group and then click on the `Subnet ID`.
+
+### VPC route table
+This route table is the same as the other sides. We just want to make sure everything is correct in here.
+
+
+
+We want to make sure there is a route to the `10.37.0.0/16` subnet through the Transit Gateway. Since we only have one Transit Gateway in each region for this example scenario, it is pretty hard to get this wrong but if you have more than one Transit Gateway in a region, make sure the IDs matches up to the correct one. If you don't the packets wouldn't get to the final destination and it would basically silently fail here or at any other point where the IDs don't match up.
+
+## [8] Transit Gateway Route Table (us-east-1)
+Same thing here as above. This is the Transit Gateway's route table with basically the same info as the VPC route table but just on another level.
+
+
+
+What we want to note here is that the destination route for this side we want to get to is `10.37.0.0/16` and that the route table points this destination CIDR to the correct Transit Gateway peer. Rememer in this region this Transit Gateway is the hub connecting two different regions to it.
+
+# Conclusion
+Yes, this is tedious. I wish it wasn't so. You have to maticulously go through the path and make sure that each route table is in place and that the IDs that it is using is the correct one. There isn't such great visiblity into the networking and this is the only way I found that is effective. If there is a routing problem, I first make sure everything is in the correct place. Then expand my troubleshooting efforts out from there.
+
diff --git a/tf-modules/aws/networks/add-tg-routes/README.md b/tf-modules/aws/networks/add-tg-routes/README.md
new file mode 100644
index 000000000..f26992846
--- /dev/null
+++ b/tf-modules/aws/networks/add-tg-routes/README.md
@@ -0,0 +1,17 @@
+add-tg-routes
+===============
+
+This module adds transit gateway routes to a VPC routing table
+
+## AWS credentials
+
+This module uses the local shell's environment to get the AWS credentials.
+
+(not from the `./_env_defaults/transit-gateway.tfvars`)
+
+If you are exporting the AWS credentials to your environment, you need at the minimum:
+
+```
+AWS_SECRET_ACCESS_KEY=xxxx
+AWS_ACCESS_KEY_ID=xxxx
+```
\ No newline at end of file
diff --git a/tf-modules/aws/networks/add-tg-routes/main.tf b/tf-modules/aws/networks/add-tg-routes/main.tf
new file mode 100644
index 000000000..909abf3e7
--- /dev/null
+++ b/tf-modules/aws/networks/add-tg-routes/main.tf
@@ -0,0 +1,19 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ alias = "first"
+
+ region = "${var.aws_region}"
+}
+
+resource "aws_route" "route-first" {
+ provider = "aws.first"
+ count = length(var.route_table_id_list) * length(var.routes-list)
+
+ route_table_id = var.route_table_id_list[floor(count.index / length(var.routes-list))]
+ destination_cidr_block = var.routes-list[count.index % length(var.routes-list)]
+ transit_gateway_id = var.transit-gateway-id
+}
diff --git a/tf-modules/aws/networks/add-tg-routes/vars.tf b/tf-modules/aws/networks/add-tg-routes/vars.tf
new file mode 100644
index 000000000..ec846ce75
--- /dev/null
+++ b/tf-modules/aws/networks/add-tg-routes/vars.tf
@@ -0,0 +1,17 @@
+variable "aws_region" {}
+
+variable "route_table_id_list" {
+ type = list(string)
+ description = "route table ID to add route to"
+}
+
+variable "transit-gateway-id" {
+ description = "Transit gateway ID for the route"
+}
+
+variable "routes-list" {
+ type = list(string)
+ description = "Route list for the first AWS account. A list of destination CIDRs to route to via the this transit gateway id."
+
+ default = []
+}
diff --git a/tf-modules/aws/networks/add-tg-routes/versions.tf b/tf-modules/aws/networks/add-tg-routes/versions.tf
new file mode 100644
index 000000000..ac97c6ac8
--- /dev/null
+++ b/tf-modules/aws/networks/add-tg-routes/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/tf-modules/aws/networks/diagrams/ec2-1-instance.png b/tf-modules/aws/networks/diagrams/ec2-1-instance.png
new file mode 100644
index 000000000..fc44734de
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/ec2-1-instance.png differ
diff --git a/tf-modules/aws/networks/diagrams/ec2-1-security-group.png b/tf-modules/aws/networks/diagrams/ec2-1-security-group.png
new file mode 100644
index 000000000..e7e3ea0c3
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/ec2-1-security-group.png differ
diff --git a/tf-modules/aws/networks/diagrams/ec2-1-subnet.png b/tf-modules/aws/networks/diagrams/ec2-1-subnet.png
new file mode 100644
index 000000000..2ee89a85f
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/ec2-1-subnet.png differ
diff --git a/tf-modules/aws/networks/diagrams/ec2-1-vpc-route-table.png b/tf-modules/aws/networks/diagrams/ec2-1-vpc-route-table.png
new file mode 100644
index 000000000..e47a46d72
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/ec2-1-vpc-route-table.png differ
diff --git a/tf-modules/aws/networks/diagrams/ec2-2-instance.png b/tf-modules/aws/networks/diagrams/ec2-2-instance.png
new file mode 100644
index 000000000..acf53a0fc
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/ec2-2-instance.png differ
diff --git a/tf-modules/aws/networks/diagrams/ec2-2-vpc-route-table.png b/tf-modules/aws/networks/diagrams/ec2-2-vpc-route-table.png
new file mode 100644
index 000000000..8b8cc1a8f
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/ec2-2-vpc-route-table.png differ
diff --git a/tf-modules/aws/networks/diagrams/transit-gateway-diagram.png b/tf-modules/aws/networks/diagrams/transit-gateway-diagram.png
new file mode 100644
index 000000000..23d6acdef
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/transit-gateway-diagram.png differ
diff --git a/tf-modules/aws/networks/diagrams/us-east-1-tg-attachments.png b/tf-modules/aws/networks/diagrams/us-east-1-tg-attachments.png
new file mode 100644
index 000000000..4440f6a0f
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/us-east-1-tg-attachments.png differ
diff --git a/tf-modules/aws/networks/diagrams/us-east-1-tg-route-table.png b/tf-modules/aws/networks/diagrams/us-east-1-tg-route-table.png
new file mode 100644
index 000000000..a8f20117e
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/us-east-1-tg-route-table.png differ
diff --git a/tf-modules/aws/networks/diagrams/us-west-2-tg-attachment-peering.png b/tf-modules/aws/networks/diagrams/us-west-2-tg-attachment-peering.png
new file mode 100644
index 000000000..6a9aab417
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/us-west-2-tg-attachment-peering.png differ
diff --git a/tf-modules/aws/networks/diagrams/us-west-2-tg-attachments.png b/tf-modules/aws/networks/diagrams/us-west-2-tg-attachments.png
new file mode 100644
index 000000000..0cbcc93d3
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/us-west-2-tg-attachments.png differ
diff --git a/tf-modules/aws/networks/diagrams/us-west-2-tg-route-table.png b/tf-modules/aws/networks/diagrams/us-west-2-tg-route-table.png
new file mode 100644
index 000000000..48e29fac0
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/us-west-2-tg-route-table.png differ
diff --git a/tf-modules/aws/networks/diagrams/us-west-2-transit-gateway.png b/tf-modules/aws/networks/diagrams/us-west-2-transit-gateway.png
new file mode 100644
index 000000000..330ed9353
Binary files /dev/null and b/tf-modules/aws/networks/diagrams/us-west-2-transit-gateway.png differ
diff --git a/tf-modules/aws/networks/peer-transit-gateway-internal/README.md b/tf-modules/aws/networks/peer-transit-gateway-internal/README.md
new file mode 100644
index 000000000..1ea5ead63
--- /dev/null
+++ b/tf-modules/aws/networks/peer-transit-gateway-internal/README.md
@@ -0,0 +1,13 @@
+# peer-transit-gateway-internal
+
+This module uses one AWS accounts (#1).
+
+It will peer two transit gateways together
+
+## Assumptions
+
+- AWS account #1 owns both of the Transit Gateway and it is already created.
+
+## This module will:
+
+-
diff --git a/tf-modules/aws/networks/peer-transit-gateway-internal/main.tf b/tf-modules/aws/networks/peer-transit-gateway-internal/main.tf
new file mode 100644
index 000000000..4da1b5635
--- /dev/null
+++ b/tf-modules/aws/networks/peer-transit-gateway-internal/main.tf
@@ -0,0 +1,32 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+// First account owns the transit gateway and accepts the VPC attachment.
+provider "aws" {
+ alias = "first"
+
+ region = var.aws_region
+ access_key = var.aws_first_access_key
+ secret_key = var.aws_first_secret_key
+}
+
+// Create the transit gateway attachment in the second account...
+resource "aws_ec2_transit_gateway_vpc_attachment" "transit-gateway" {
+ provider = "aws.first"
+
+ subnet_ids = [
+ for item in aws_subnet.transit-gateway:
+ item.id
+ ]
+ transit_gateway_id = var.transit-gateway-id
+ vpc_id = data.aws_vpc.transit-gateway.id
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-att", var.name-postfix)
+ },
+ var.tags,
+ )
+}
diff --git a/tf-modules/aws/networks/peer-transit-gateway-internal/vars.tf b/tf-modules/aws/networks/peer-transit-gateway-internal/vars.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/tf-modules/aws/networks/tg-external-attach-to-vpc/README.md b/tf-modules/aws/networks/tg-external-attach-to-vpc/README.md
new file mode 100644
index 000000000..bbdeb83b6
--- /dev/null
+++ b/tf-modules/aws/networks/tg-external-attach-to-vpc/README.md
@@ -0,0 +1,34 @@
+# tg-external-attach-to-vpc
+
+This module uses two AWS accounts (#1 and #2).
+
+You need to have access to both AWS accounts.
+
+## Assumptions
+
+- AWS account #1 owns the Transit Gateway and it is already created. The transit gateway's ARN and ID will be passed into this module.
+- AWS account #2 has a VPC already created and the VPC ID will be passed into this module.
+
+## This module will:
+
+- AWS account #1 shares the Transit Gateway with AWS account #2
+- AWS account #2 accepts the share invite
+- AWS account #2 attaches the VPC's subnet(s) to the transit gateway
+
+## AWS credentials
+
+This module uses the credentials from the `./_env_defaults/transit-gateway.tfvars` file or it needs these parameters:
+
+```
+# AWS Account #1:
+aws_first_access_key = "xxx"
+aws_first_secret_key = "xxx"
+
+# AWS Account #2
+# aws_second_access_key = "xxx"
+# aws_second_secret_key = "xxx"
+```
+
+The reason this needs two accounts is to support the external account setting when attaching a VPC to an external Transit Gateway
+that belongs in another account. While the `internal` one doesn't need this and hence it only needs one account, making this module
+and the `external` module work in a similar fashion should make it easier to use both.
diff --git a/tf-modules/aws/networks/tg-external-attach-to-vpc/main.tf b/tf-modules/aws/networks/tg-external-attach-to-vpc/main.tf
new file mode 100644
index 000000000..a9d10e8cf
--- /dev/null
+++ b/tf-modules/aws/networks/tg-external-attach-to-vpc/main.tf
@@ -0,0 +1,143 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+// First account owns the transit gateway and accepts the VPC attachment.
+provider "aws" {
+ alias = "first"
+
+ region = var.aws_region
+ access_key = var.aws_first_access_key
+ secret_key = var.aws_first_secret_key
+}
+
+// Second account owns the VPC and creates the VPC attachment.
+provider "aws" {
+ alias = "second"
+
+ region = var.aws_region
+ access_key = var.aws_second_access_key
+ secret_key = var.aws_second_secret_key
+}
+
+data "aws_availability_zones" "available" {
+ provider = "aws.second"
+
+ state = "available"
+}
+
+data "aws_caller_identity" "second" {
+ provider = "aws.second"
+}
+
+resource "aws_ram_resource_share" "resource-share" {
+ provider = aws.first
+ name = "tgw-share-us-west-2-mock"
+ allow_external_principals = true
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-share", var.name-postfix)
+ },
+ var.tags,
+ )
+}
+
+resource "aws_ram_resource_association" "tgw" {
+ provider = aws.first
+ resource_arn = var.transit-gateway-arn
+ resource_share_arn = aws_ram_resource_share.resource-share.arn
+}
+
+resource "aws_ram_principal_association" "principal-association" {
+ provider = aws.first
+ principal = data.aws_caller_identity.second.account_id
+ resource_share_arn = aws_ram_resource_share.resource-share.arn
+}
+
+# account #2
+resource "aws_ram_resource_share_accepter" "resource-share-accepter" {
+ provider = aws.second
+ share_arn = aws_ram_principal_association.principal-association.resource_share_arn
+}
+
+data "aws_vpc" "transit-gateway" {
+ provider = "aws.second"
+ id = var.vpc_id_second
+}
+
+resource "aws_subnet" "transit-gateway" {
+ provider = "aws.second"
+
+ count = length(var.subnets_cidr)
+
+ availability_zone = var.availability_zone[count.index]
+ cidr_block = var.subnets_cidr[count.index]
+ vpc_id = data.aws_vpc.transit-gateway.id
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-subnet", var.name-postfix)
+ },
+ var.tags,
+ )
+}
+
+resource "aws_route_table" "route-table" {
+ provider = "aws.second"
+
+ vpc_id = var.vpc_id_second
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-routes", var.name-postfix)
+ },
+ var.tags,
+ )
+}
+
+resource "aws_route_table_association" "route-table-association" {
+ provider = "aws.second"
+
+ count = length(var.subnets_cidr)
+
+ subnet_id = aws_subnet.transit-gateway[count.index].id
+ route_table_id = aws_route_table.route-table.id
+}
+
+// Create the VPC attachment in the second account...
+resource "aws_ec2_transit_gateway_vpc_attachment" "transit-gateway" {
+ provider = "aws.second"
+
+ depends_on = [aws_ram_principal_association.principal-association, aws_ram_resource_association.tgw, aws_ram_resource_share_accepter.resource-share-accepter]
+
+ subnet_ids = [
+ for num in aws_subnet.transit-gateway:
+ num.id
+ ]
+ transit_gateway_id = var.transit-gateway-id
+ vpc_id = data.aws_vpc.transit-gateway.id
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-att", var.name-postfix)
+ },
+ var.tags,
+ )
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "transit-gateway" {
+ provider = "aws.first"
+
+ depends_on = [aws_ec2_transit_gateway_vpc_attachment.transit-gateway]
+
+ transit_gateway_attachment_id = "${aws_ec2_transit_gateway_vpc_attachment.transit-gateway.id}"
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-accepter", var.name-postfix)
+ },
+ var.tags,
+ )
+}
\ No newline at end of file
diff --git a/tf-modules/aws/networks/tg-external-attach-to-vpc/outputs.tf b/tf-modules/aws/networks/tg-external-attach-to-vpc/outputs.tf
new file mode 100644
index 000000000..9b6ef343c
--- /dev/null
+++ b/tf-modules/aws/networks/tg-external-attach-to-vpc/outputs.tf
@@ -0,0 +1,3 @@
+output "aws_route_table_id" {
+ value = aws_route_table.route-table.id
+}
diff --git a/tf-modules/aws/networks/tg-external-attach-to-vpc/vars.tf b/tf-modules/aws/networks/tg-external-attach-to-vpc/vars.tf
new file mode 100644
index 000000000..fcfa1c9bc
--- /dev/null
+++ b/tf-modules/aws/networks/tg-external-attach-to-vpc/vars.tf
@@ -0,0 +1,50 @@
+variable "name-postfix" {
+ default = ""
+}
+
+variable "tags" {
+ type = map(string)
+
+ default = {
+ Name = "dev"
+ Environment = "env"
+ Account = "dev"
+ Group = "devops"
+ Region = "us-east-1"
+ managed_by = "Terraform"
+ }
+}
+
+variable "aws_first_access_key" {}
+
+variable "aws_first_secret_key" {}
+
+variable "aws_second_access_key" {}
+
+variable "aws_second_secret_key" {}
+
+variable "aws_region" {}
+
+variable "transit-gateway-arn" {
+ description = "The transit gateways arn to attach to"
+}
+
+variable "transit-gateway-id" {
+ description = "The transit gateways id to attach to"
+}
+
+variable "vpc_id_second" {
+ description = "The VPC to create and attach the transit gateway to"
+}
+
+variable "subnets_cidr" {
+ type = list(string)
+
+ default = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
+}
+
+variable "availability_zone" {
+ type = list(string)
+
+ default = ["us-west-2a", "us-west-2b", "us-west-2c"]
+}
diff --git a/tf-modules/aws/networks/tg-external-attach-to-vpc/versions.tf b/tf-modules/aws/networks/tg-external-attach-to-vpc/versions.tf
new file mode 100644
index 000000000..ac97c6ac8
--- /dev/null
+++ b/tf-modules/aws/networks/tg-external-attach-to-vpc/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/tf-modules/aws/networks/tg-internal-attach-to-vpc/README.md b/tf-modules/aws/networks/tg-internal-attach-to-vpc/README.md
new file mode 100644
index 000000000..fde31850a
--- /dev/null
+++ b/tf-modules/aws/networks/tg-internal-attach-to-vpc/README.md
@@ -0,0 +1,30 @@
+# tg-external-attach-to-vpc
+
+This module uses one AWS accounts (#1).
+
+## Assumptions
+
+- AWS account #1 owns the Transit Gateway and it is already created. The transit gateway's ARN and ID will be passed into this module.
+- AWS account #1 has a VPC already created and the VPC ID will be passed into this module.
+
+## This module will:
+
+- AWS account #1 attaches the VPC's subnet(s) to the transit gateway
+
+## AWS credentials
+
+This module uses the credentials from the `./_env_defaults/transit-gateway.tfvars` file or it needs these parameters:
+
+```
+# AWS Account #1:
+aws_first_access_key = "xxx"
+aws_first_secret_key = "xxx"
+
+# AWS Account #2
+# aws_second_access_key = "xxx"
+# aws_second_secret_key = "xxx"
+```
+
+The reason this needs two accounts is to support the external account setting when attaching a VPC to an external Transit Gateway
+that belongs in another account. While the `internal` one doesn't need this and hence it only needs one account, making this module
+and the `external` module work in a similar fashion should make it easier to use both.
diff --git a/tf-modules/aws/networks/tg-internal-attach-to-vpc/main.tf b/tf-modules/aws/networks/tg-internal-attach-to-vpc/main.tf
new file mode 100644
index 000000000..eba18d56f
--- /dev/null
+++ b/tf-modules/aws/networks/tg-internal-attach-to-vpc/main.tf
@@ -0,0 +1,80 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+// First account owns the transit gateway and accepts the VPC attachment.
+provider "aws" {
+ alias = "first"
+
+ region = var.aws_region
+ access_key = var.aws_first_access_key
+ secret_key = var.aws_first_secret_key
+}
+
+data "aws_caller_identity" "second" {
+ provider = "aws.first"
+}
+
+data "aws_vpc" "transit-gateway" {
+ provider = "aws.first"
+ id = var.vpc_id_first
+}
+
+resource "aws_subnet" "transit-gateway" {
+ provider = "aws.first"
+
+ count = length(var.subnets_cidr)
+
+ availability_zone = var.availability_zone[count.index]
+ cidr_block = var.subnets_cidr[count.index]
+ vpc_id = data.aws_vpc.transit-gateway.id
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-subnet", var.name-postfix)
+ },
+ var.tags,
+ )
+}
+
+resource "aws_route_table" "route-table" {
+ provider = "aws.first"
+
+ vpc_id = var.vpc_id_first
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-routes", var.name-postfix)
+ },
+ var.tags,
+ )
+}
+
+resource "aws_route_table_association" "route-table-association" {
+ provider = "aws.first"
+
+ count = length(var.subnets_cidr)
+
+ subnet_id = aws_subnet.transit-gateway[count.index].id
+ route_table_id = aws_route_table.route-table.id
+}
+
+// Create the VPC attachment in the second account...
+resource "aws_ec2_transit_gateway_vpc_attachment" "transit-gateway" {
+ provider = "aws.first"
+
+ subnet_ids = [
+ for item in aws_subnet.transit-gateway:
+ item.id
+ ]
+ transit_gateway_id = var.transit-gateway-id
+ vpc_id = data.aws_vpc.transit-gateway.id
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-att", var.name-postfix)
+ },
+ var.tags,
+ )
+}
diff --git a/tf-modules/aws/networks/tg-internal-attach-to-vpc/outputs.tf b/tf-modules/aws/networks/tg-internal-attach-to-vpc/outputs.tf
new file mode 100644
index 000000000..c018132f2
--- /dev/null
+++ b/tf-modules/aws/networks/tg-internal-attach-to-vpc/outputs.tf
@@ -0,0 +1,11 @@
+output "aws_route_table_id" {
+ value = aws_route_table.route-table.id
+}
+
+output "aws_ec2_transit_gateway_vpc_attachment_id" {
+ value = aws_ec2_transit_gateway_vpc_attachment.transit-gateway.id
+}
+
+output "aws_ec2_transit_gateway_vpc_attachment_vpc_owner_id" {
+ value = aws_ec2_transit_gateway_vpc_attachment.transit-gateway.vpc_owner_id
+}
diff --git a/tf-modules/aws/networks/tg-internal-attach-to-vpc/vars.tf b/tf-modules/aws/networks/tg-internal-attach-to-vpc/vars.tf
new file mode 100644
index 000000000..159d1f2df
--- /dev/null
+++ b/tf-modules/aws/networks/tg-internal-attach-to-vpc/vars.tf
@@ -0,0 +1,46 @@
+variable "name-postfix" {
+ default = ""
+}
+
+variable "tags" {
+ type = map(string)
+
+ default = {
+ Name = "dev"
+ Environment = "env"
+ Account = "dev"
+ Group = "devops"
+ Region = "us-east-1"
+ managed_by = "Terraform"
+ }
+}
+
+variable "aws_first_access_key" {}
+
+variable "aws_first_secret_key" {}
+
+variable "aws_region" {}
+
+variable "transit-gateway-arn" {
+ description = "The transit gateways arn to attach to"
+}
+
+variable "transit-gateway-id" {
+ description = "The transit gateways id to attach to"
+}
+
+variable "vpc_id_first" {
+ description = "The VPC to create and attach the transit gateway to"
+}
+
+variable "subnets_cidr" {
+ type = list(string)
+
+ default = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
+}
+
+variable "availability_zone" {
+ type = list(string)
+
+ default = ["us-west-2a", "us-west-2b", "us-west-2c"]
+}
diff --git a/tf-modules/aws/networks/tg-internal-attach-to-vpc/versions.tf b/tf-modules/aws/networks/tg-internal-attach-to-vpc/versions.tf
new file mode 100644
index 000000000..ac97c6ac8
--- /dev/null
+++ b/tf-modules/aws/networks/tg-internal-attach-to-vpc/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/tf-modules/aws/networks/transit-gateway-route-table/README.md b/tf-modules/aws/networks/transit-gateway-route-table/README.md
new file mode 100644
index 000000000..a05d30219
--- /dev/null
+++ b/tf-modules/aws/networks/transit-gateway-route-table/README.md
@@ -0,0 +1,19 @@
+transit-gateway-route-table
+===========================
+
+This module adds routes into the Transit Gateway's Route table for all of the destination routes this side will want to reach on the remote Transit Gateways.
+
+If this region wants to reach any other subnets via the Transit Gateways going through this Transit Gateway then the CIDR blocks of the destinations needs to be in this list or it won't route it through this Transit Gateway.
+
+## AWS credentials
+
+This module uses the local shell's environment to get the AWS credentials.
+
+(not from the `./_env_defaults/transit-gateway.tfvars`)
+
+If you are exporting the AWS credentials to your environment, you need at the minimum:
+
+```
+AWS_SECRET_ACCESS_KEY=xxxx
+AWS_ACCESS_KEY_ID=xxxx
+```
\ No newline at end of file
diff --git a/tf-modules/aws/networks/transit-gateway-route-table/main.tf b/tf-modules/aws/networks/transit-gateway-route-table/main.tf
new file mode 100644
index 000000000..b45f0ffb0
--- /dev/null
+++ b/tf-modules/aws/networks/transit-gateway-route-table/main.tf
@@ -0,0 +1,19 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ alias = "first"
+
+ region = "${var.aws_region}"
+}
+
+resource "aws_ec2_transit_gateway_route" "tg-route" {
+ provider = aws.first
+ count = length(var.destination_cidr_block_list)
+ destination_cidr_block = var.destination_cidr_block_list[count.index]
+ blackhole = var.blackhole_list[count.index]
+ transit_gateway_attachment_id = var.transit_gateway_attachment_id
+ transit_gateway_route_table_id = var.transit_gateway_route_table_id
+}
diff --git a/tf-modules/aws/networks/transit-gateway-route-table/outputs.tf b/tf-modules/aws/networks/transit-gateway-route-table/outputs.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/tf-modules/aws/networks/transit-gateway-route-table/vars.tf b/tf-modules/aws/networks/transit-gateway-route-table/vars.tf
new file mode 100644
index 000000000..22d7fefa9
--- /dev/null
+++ b/tf-modules/aws/networks/transit-gateway-route-table/vars.tf
@@ -0,0 +1,25 @@
+variable "aws_region" {}
+
+variable "destination_cidr_block_list" {
+ type = list(string)
+ description = "Route list for the first AWS account. A list of CIDRs."
+
+ default = []
+}
+
+variable "blackhole_list" {
+ type = list(string)
+ description = "Route list for the first AWS account to black hole. A list of CIDRs."
+
+ default = []
+}
+
+variable "transit_gateway_attachment_id" {
+ description = "The transit gateway for the routes"
+ type = string
+}
+
+variable "transit_gateway_route_table_id" {
+ description = "The transit gateway route table id"
+ type = string
+}
diff --git a/tf-modules/aws/networks/transit-gateway/README.md b/tf-modules/aws/networks/transit-gateway/README.md
new file mode 100644
index 000000000..2cb11d8c9
--- /dev/null
+++ b/tf-modules/aws/networks/transit-gateway/README.md
@@ -0,0 +1,17 @@
+transit-gateway
+===========================
+
+This module creates a Transit Gateway in the specified region.
+
+## AWS credentials
+
+This module uses the local shell's environment to get the AWS credentials.
+
+(not from the `./_env_defaults/transit-gateway.tfvars`)
+
+If you are exporting the AWS credentials to your environment, you need at the minimum:
+
+```
+AWS_SECRET_ACCESS_KEY=xxxx
+AWS_ACCESS_KEY_ID=xxxx
+```
\ No newline at end of file
diff --git a/tf-modules/aws/networks/transit-gateway/main.tf b/tf-modules/aws/networks/transit-gateway/main.tf
new file mode 100644
index 000000000..16f94f94f
--- /dev/null
+++ b/tf-modules/aws/networks/transit-gateway/main.tf
@@ -0,0 +1,24 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+// First account owns the transit gateway and accepts the VPC attachment.
+provider "aws" {
+ alias = "first"
+
+ region = "${var.aws_region}"
+}
+
+# account #1
+resource "aws_ec2_transit_gateway" "transit-gateway" {
+ provider = aws.first
+
+ amazon_side_asn = var.amazon_side_asn
+ auto_accept_shared_attachments = var.auto_accept_shared_attachments
+ description = var.description
+ dns_support = var.dns_support
+ vpn_ecmp_support = var.vpn_ecmp_support
+
+ tags = var.tags
+}
diff --git a/tf-modules/aws/networks/transit-gateway/outputs.tf b/tf-modules/aws/networks/transit-gateway/outputs.tf
new file mode 100644
index 000000000..99c6bf9fa
--- /dev/null
+++ b/tf-modules/aws/networks/transit-gateway/outputs.tf
@@ -0,0 +1,15 @@
+output "aws_ec2_transit_gateway_arn" {
+ value = aws_ec2_transit_gateway.transit-gateway.arn
+}
+
+output "aws_ec2_transit_gateway_id" {
+ value = aws_ec2_transit_gateway.transit-gateway.id
+}
+
+output "aws_ec2_transit_gateway_association_default_route_table_id" {
+ value = aws_ec2_transit_gateway.transit-gateway.association_default_route_table_id
+}
+
+output "aws_ec2_transit_gateway_propagation_default_route_table_id" {
+ value = aws_ec2_transit_gateway.transit-gateway.propagation_default_route_table_id
+}
diff --git a/tf-modules/aws/networks/transit-gateway/vars.tf b/tf-modules/aws/networks/transit-gateway/vars.tf
new file mode 100644
index 000000000..bc49ce6ce
--- /dev/null
+++ b/tf-modules/aws/networks/transit-gateway/vars.tf
@@ -0,0 +1,34 @@
+variable "tags" {
+ type = map(string)
+
+ default = {
+ Name = "dev"
+ Environment = "env"
+ Account = "dev"
+ Group = "devops"
+ Region = "us-east-1"
+ managed_by = "Terraform"
+ }
+}
+
+variable "aws_region" {}
+
+variable "amazon_side_asn" {
+ default = "64512"
+}
+
+variable "auto_accept_shared_attachments" {
+ default = "disable"
+}
+
+variable "description" {
+ default = "Transit gateway created via Terraform"
+}
+
+variable "dns_support" {
+ default = "enable"
+}
+
+variable "vpn_ecmp_support" {
+ default = "enable"
+}
diff --git a/tf-modules/aws/networks/transit-gateway/versions.tf b/tf-modules/aws/networks/transit-gateway/versions.tf
new file mode 100644
index 000000000..ac97c6ac8
--- /dev/null
+++ b/tf-modules/aws/networks/transit-gateway/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}