This project builds a global network architecture using AWS Transit Gateway spanning multiple regions. The infrastructure is managed using Terraform modules with environment-specific configurations.
In our first iteration, we build a Global Network based on the diagram below: a full-mesh Transit Gateway network across four regions (eu-west-2, eu-west-1, us-west-2, us-east-1), with a prod and a dev VPC cell in each region, and the four regional TGWs connected by 6 TGW peering attachments (one per region pair).
- Getting Started — prerequisites, clone, backend config, dev workflow
- Deployment Guide — deploy.py phases, CLI reference, destroy, verification
```text
├── docs/
│   ├── design/                     # Architecture and design decisions
│   └── dev/                        # Developer guides and operational docs
│       ├── connectivity/           # Connectivity test results
│       └── tools/                  # CI/CD and development tool guides
├── envs/                           # Environment-specific Terraform configurations
│   ├── dev/                        # Development environment (cells per region)
│   ├── prod/                       # Production environment (cells per region)
│   └── networking/                 # TGWs, TGW-VPC attachments, TGW peering
├── modules/                        # Reusable Terraform modules
│   ├── create-ec2/                 # Bastion and private EC2 instances
│   ├── create-key-pair/            # RSA key pair generation and AWS registration
│   ├── create-tgw/                 # Transit Gateway with prod/dev/wan route tables
│   ├── create-tgw-vpc-attachment/  # TGW-VPC attachment and route propagation
│   ├── create-vpc/                 # VPC with public/private subnets, NAT, IPv6
│   └── security/                   # Security groups and network ACLs
├── scripts/                        # Python deployment orchestration scripts
├── specs/                          # Feature planning and implementation history
├── vars/                           # Shared variable definitions
└── resources/                      # Documentation assets
```
- Network Design — IP allocation, TGW topology, ASNs, naming conventions
- Transit Gateways — TGW modules, route tables, peering architecture
- TGW VPC Attachments — attachment module reference
- IPv6 Assignment — dual-stack subnet CIDR strategy
- Tagging Strategy — required tags, naming patterns, compliance
- Terraform Standards — code style, variable rules, module conventions
- Getting Started — prerequisites, setup, development workflow
- Deployment — full deploy/destroy reference, CLI flags, manual steps
- SSH Key Pairs — key generation, SSH access, troubleshooting
- NAT Gateway Timeout — AWSCC provider race condition workaround
- Connectivity Results — 32/32 PASS across 4 regions
- Checkov — static security scanning
- Infracost — cost estimation on PRs
- Prek — pre-commit hooks
- terraform-docs — auto-generated module documentation
- tf-validate — parallel Terraform validate with timing output
- tflint — Terraform linter
- uv — Python dependency management
- smoke-test — automated inter-region connectivity smoke tests
The project includes a GitHub Actions pipeline (pipeline.yml) that runs on pushes to main and pull requests. Pipeline jobs include Terraform validate, tflint, terraform-docs, Checkov security scanning, and Infracost cost estimation with PR comments.
See CI Pipeline for a full job breakdown, Mermaid diagram, and AWS OIDC authentication details.
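The AWS side of that OIDC trust is the part worth getting right: the IAM role must only be assumable by tokens issued for this repository and the events the pipeline actually runs on, otherwise any GitHub workflow anywhere could assume it. The following is an added example of how that is expressed in Terraform; it is not this project's pipeline or IAM code. The organisation/repository name `example-org/global-network`, the role name, and the read-only policy attached are assumptions, and the thumbprint is fetched with the hashicorp/tls provider's `tls_certificate` data source.

```hcl
# Added example (not the project's own code): GitHub Actions OIDC federation
# into AWS, scoped to one repository and to the two events the pipeline runs on.

data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Required by the resource; taken from the certificate chain served by GitHub.
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # Token must have been minted for STS, not for some other audience.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Without a `sub` condition ANY GitHub repository could assume this role.
    # Pin it to pushes to main and pull_request runs of the one repository
    # (repository name is an assumption for this example).
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values = [
        "repo:example-org/global-network:ref:refs/heads/main",
        "repo:example-org/global-network:pull_request",
      ]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name                 = "github-actions-global-network" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600
}

# Validate/lint/scan jobs do not need to mutate the network; a read-only
# policy is assumed here. Grant only what the jobs in pipeline.yml actually use.
resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.github_actions.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

On the workflow side the job needs `permissions: id-token: write` before the credentials step can request an OIDC token; without it the assume-role call fails with a missing-token error rather than anything IAM-related. Keep the `sub` patterns as narrow as the pipeline's triggers allow: a wildcard such as `repo:example-org/global-network:*` would also admit tokens from any branch, tag or environment in the repository.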
| Module | Description |
|---|---|
| create-ec2 | Bastion (public) and private EC2 instances using Ubuntu 24.04 LTS |
| create-key-pair | RSA 4096-bit key pair generation and AWS EC2 registration |
| create-tgw | Transit Gateway with prod, dev, and wan route tables |
| create-tgw-vpc-attachment | TGW-VPC attachment, route table association, and supernet route propagation |
| create-vpc | VPC with public/private subnets, Internet Gateway, NAT Gateway, and IPv6 egress |
| security | Security groups and network ACLs for bastion and private instances |
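The security property of the create-tgw and create-tgw-vpc-attachment design is that prod and dev cells share a Transit Gateway but have no route between them: the TGW default route table is not used, each attachment is associated with its own environment table, and routes propagate only where a path is intended. The following is an added example of that pattern, not the project's module code. Resource names, the ASN, the CIDRs, the `cells` input (keys must be exactly `prod` and `dev`) and the peering attachment ID are assumptions for illustration; what the `wan` table exposes to a peered region is a design decision, and here it carries both environments' routes.

```hcl
# Added example (not the project's create-tgw / create-tgw-vpc-attachment
# modules). One regional TGW, default table disabled, three explicit tables.

variable "cells" {
  description = "VPC attachments keyed by environment (assumed input; keys prod/dev)"
  type = map(object({
    vpc_id     = string
    subnet_ids = list(string)
  }))
}

variable "peering_attachment_id" {
  description = "Accepted TGW peering attachment to the remote region (assumed)"
  type        = string
}

resource "aws_ec2_transit_gateway" "this" {
  description                     = "tgw-eu-west-2"
  amazon_side_asn                 = 64512     # assumed; must differ per peered TGW
  default_route_table_association = "disable" # no implicit any-to-any
  default_route_table_propagation = "disable"
  dns_support                     = "enable"
  tags                            = { Name = "tgw-eu-west-2" }
}

resource "aws_ec2_transit_gateway_route_table" "rt" {
  for_each           = toset(["prod", "dev", "wan"])
  transit_gateway_id = aws_ec2_transit_gateway.this.id
  tags               = { Name = "tgw-rt-${each.key}" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "cell" {
  for_each                                        = var.cells
  transit_gateway_id                              = aws_ec2_transit_gateway.this.id
  vpc_id                                          = each.value.vpc_id
  subnet_ids                                      = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags                                            = { Name = "tgw-att-${each.key}" }
}

# Each cell's outbound traffic is looked up in its own environment table ...
resource "aws_ec2_transit_gateway_route_table_association" "cell" {
  for_each                       = var.cells
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.cell[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.key].id
}

# ... and its VPC CIDR is propagated only into that table and into wan.
# Nothing propagates prod into dev or dev into prod, so the environments
# share the TGW but have no path between them.
resource "aws_ec2_transit_gateway_route_table_propagation" "own" {
  for_each                       = var.cells
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.cell[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.key].id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "wan" {
  for_each                       = var.cells
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.cell[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt["wan"].id
}

# Traffic arriving from the peer region is looked up in the wan table.
resource "aws_ec2_transit_gateway_route_table_association" "peer" {
  transit_gateway_attachment_id  = var.peering_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt["wan"].id
}

# Peering attachments never propagate routes, so the remote prod supernet
# needs a static route, and it goes only into the prod table.
resource "aws_ec2_transit_gateway_route" "prod_to_remote" {
  destination_cidr_block         = "10.16.0.0/14" # assumed remote prod supernet
  transit_gateway_attachment_id  = var.peering_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt["prod"].id
}

# Defence in depth: a static blackhole for the local prod supernet in the
# dev table drops dev->prod packets even if a default route is later added
# to this table. It does not beat a more specific propagated prefix, so the
# association/propagation layout above remains the primary control.
resource "aws_ec2_transit_gateway_route" "dev_blackhole_prod" {
  destination_cidr_block         = "10.0.0.0/14" # assumed local prod supernet
  blackhole                      = true
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt["dev"].id
}
```

A quick check after apply is `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <dev table id> --filters Name=type,Values=propagated,static`: the dev table should list only the dev VPC CIDR plus the blackhole, and never a prod or remote-prod prefix pointing at an attachment.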
