Tag Transit Gateway attachments automatically using AWS Organizations - AWS Prescriptive Guidance

Created by Richard Milner-Watts (AWS), Haris Bin Ayub (AWS), and John Capps (AWS)

Code repository: Transit Gateway Attachment Tagger

Environment: Production

Technologies: Networking; Infrastructure; Management & governance; Operations

AWS services: AWS Step Functions; AWS Transit Gateway; Amazon VPC; AWS Lambda

Summary

On Amazon Web Services (AWS), you can use AWS Resource Access Manager to share AWS Transit Gateway across AWS account boundaries. When you create Transit Gateway attachments across account boundaries, however, the attachments are created without a Name tag. That can make identifying attachments time-consuming.

This solution provides an automated mechanism to gather information about each Transit Gateway attachment for accounts within an organization that is managed by AWS Organizations. The process includes looking up the Classless Inter-Domain Routing (CIDR) range from the Transit Gateway route table. The solution then applies a Name tag in the form of <CIDR-range>-<AccountName> to the attachment within the account that holds the transit gateway.

This solution can be used alongside a solution such as the Serverless Transit Network Orchestrator from the AWS Solutions Library. Serverless Transit Network Orchestrator enables the automated creation of Transit Gateway attachments at scale.

Prerequisites and limitations

Prerequisites 

  • An active AWS account

  • An AWS Organizations organization that contains all related accounts

  • Access to the organization management account, under the organization's root, to create the required AWS Identity and Access Management (IAM) role

  • A Shared Networking member account containing one or more transit gateways that are shared with the organization and have attachments

Architecture

The following screenshot of the AWS Management Console shows examples of Transit Gateway attachments with no associated Name tag and two Transit Gateway attachments with Name tags generated by this solution. The structure of the generated Name tag is <CIDR-range>-<AccountName>.

Console showing attachments without Name tags and two attachments with Name tags.

This solution uses AWS CloudFormation to deploy an AWS Step Functions workflow that manages the creation of Transit Gateway Name tags across all configured Regions. The workflow invokes AWS Lambda functions, which perform the underlying tasks.

After the solution has obtained the account names from AWS Organizations, the Step Functions state machine gets all Transit Gateway attachment IDs. These are processed in parallel by AWS Region. This processing includes looking up the CIDR range for each attachment. The CIDR range is obtained by searching the Transit Gateway route tables within the Region for a matching Transit Gateway attachment ID. If all the required information is available, the solution applies a Name tag to the attachment. The solution will not overwrite any existing Name tags.

The solution runs on a schedule controlled by an Amazon EventBridge event. The event initiates the solution each day at 6:00 AM UTC.

Target technology stack  

  • Amazon EventBridge

  • AWS Lambda

  • AWS Organizations

  • AWS Transit Gateway

  • Amazon Virtual Private Cloud (Amazon VPC)

  • AWS X-Ray

Target architecture 

The solution architecture and workflow are shown in the following diagram.

Nine-step process across shared networking and organization management accounts.

  1. The scheduled event initiates the rule.

  2. The EventBridge rule starts the Step Functions state machine.

  3. The state machine invokes the tgw-tagger-organizations-account-query Lambda function.

  4. The tgw-tagger-organizations-account-query Lambda function assumes the role in the organization management account.

  5. The tgw-tagger-organizations-account-query Lambda function calls the Organizations API to return AWS account metadata.

  6. The state machine invokes the tgw-tagger-attachment-query Lambda function.

  7. For each Region, in parallel, the state machine invokes the tgw-tagger-rtb-query Lambda function to read the CIDR range for each attachment.

  8. For each Region, in parallel, the state machine invokes the tgw-tagger-attachment-tagger Lambda function.

  9. Name tags are created for Transit Gateway attachments in the Shared Networking account.
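The tagging decision described in the Architecture section and in steps 3 to 9 above, written out as an added example. This is illustration code for this guide, not the Transit Gateway Attachment Tagger project's own Lambda code; the function names, the sample accounts, attachments and routes are constructed for the example, and the choice of the smallest CIDR when an attachment propagates more than one route is an assumption. The planning logic is pure and runs offline; only the small boto3 wrapper at the end (which assumes a cross-account role ARN you supply) talks to AWS.

```python
"""Plan Name tags for Transit Gateway attachments: <CIDR-range>-<AccountName>.

Example code written for this guide (not the project's own code). Criteria
taken from the guide: the attachment must be propagated to a TGW route table,
the resource owner must be a member of the organization, and an existing Name
tag is never overwritten.
"""
from __future__ import annotations

from typing import Iterable

NAME_KEY = "Name"

# Constructed sample data in the shape of the Organizations ListAccounts,
# EC2 DescribeTransitGatewayAttachments and SearchTransitGatewayRoutes outputs.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "workload-a", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "workload-b", "Status": "ACTIVE"},
]
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-0a", "ResourceOwnerId": "111111111111", "Tags": []},
    {"TransitGatewayAttachmentId": "tgw-attach-0b", "ResourceOwnerId": "222222222222",
     "Tags": [{"Key": "Name", "Value": "keep-me"}]},            # already named: skip
    {"TransitGatewayAttachmentId": "tgw-attach-0c", "ResourceOwnerId": "333333333333", "Tags": []},  # not in org
    {"TransitGatewayAttachmentId": "tgw-attach-0d", "ResourceOwnerId": "111111111111", "Tags": []},  # static only
]
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.1.0.0/16", "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0a"}]},
    {"DestinationCidrBlock": "10.2.0.0/16", "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0b"}]},
    {"DestinationCidrBlock": "10.3.0.0/16", "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0c"}]},
    {"DestinationCidrBlock": "0.0.0.0/0", "Type": "static", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0d"}]},
]


def account_names(accounts: Iterable[dict]) -> dict[str, str]:
    """Map account ID -> account name for active organization members."""
    return {a["Id"]: a["Name"] for a in accounts if a.get("Status") == "ACTIVE"}


def attachment_cidrs(routes: Iterable[dict]) -> dict[str, set[str]]:
    """Map attachment ID -> CIDRs it propagates into the route table.

    Static and blackhole routes are ignored: only a propagated route tells us
    the range that belongs to the attachment itself.
    """
    cidrs: dict[str, set[str]] = {}
    for route in routes:
        if route.get("Type") != "propagated" or route.get("State") != "active":
            continue
        for att in route.get("TransitGatewayAttachments", []):
            cidrs.setdefault(att["TransitGatewayAttachmentId"], set()).add(route["DestinationCidrBlock"])
    return cidrs


def plan_name_tags(attachments: Iterable[dict], routes: Iterable[dict],
                   accounts: Iterable[dict]) -> dict[str, str]:
    """Return {attachment_id: name_value} for attachments that meet the criteria."""
    names = account_names(accounts)
    cidrs = attachment_cidrs(routes)
    plan: dict[str, str] = {}
    for att in attachments:
        att_id = att["TransitGatewayAttachmentId"]
        tags = {t["Key"]: t["Value"] for t in att.get("Tags", [])}
        if NAME_KEY in tags:
            continue                      # never overwrite an existing Name tag
        owner = names.get(att.get("ResourceOwnerId", ""))
        if owner is None:
            continue                      # resource owner is not an organization member
        ranges = cidrs.get(att_id)
        if not ranges:
            continue                      # not propagated to a route table: no CIDR to use
        # Assumption: when several CIDRs propagate from one attachment, use the smallest.
        plan[att_id] = f"{sorted(ranges)[0]}-{owner}"
    return plan


def organization_accounts(query_role_arn: str) -> list[dict]:
    """Assume the read-only role in the management account and list accounts (needs AWS access)."""
    import boto3  # imported here so the planner above stays usable offline

    creds = boto3.client("sts").assume_role(RoleArn=query_role_arn, RoleSessionName="tgw-tagger")["Credentials"]
    org = boto3.client("organizations", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    return [a for page in org.get_paginator("list_accounts").paginate() for a in page["Accounts"]]


def tag_region(region: str, accounts: list[dict], dry_run: bool = True) -> dict[str, str]:
    """Plan and (unless dry_run) apply Name tags for one Region in the Shared Networking account."""
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    attachments = [a for page in ec2.get_paginator("describe_transit_gateway_attachments").paginate()
                   for a in page["TransitGatewayAttachments"]]
    routes: list[dict] = []
    for rtb in ec2.describe_transit_gateway_route_tables()["TransitGatewayRouteTables"]:
        routes += ec2.search_transit_gateway_routes(
            TransitGatewayRouteTableId=rtb["TransitGatewayRouteTableId"],
            Filters=[{"Name": "type", "Values": ["propagated"]}])["Routes"]
    plan = plan_name_tags(attachments, routes, accounts)
    for att_id, name in plan.items():
        ec2.create_tags(Resources=[att_id], Tags=[{"Key": NAME_KEY, "Value": name}], DryRun=dry_run)
    return plan


if __name__ == "__main__":
    print(plan_name_tags(SAMPLE_ATTACHMENTS, SAMPLE_ROUTES, SAMPLE_ACCOUNTS))
```

On the constructed sample only tgw-attach-0a is planned (10.1.0.0/16-workload-a): 0b keeps its existing Name tag, 0c's owner is outside the organization, and 0d only has a static route. tag_region defaults to DryRun so the first real run reports what it would tag without changing anything.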

Automation and scale

The solution processes each Region in parallel to reduce the total duration of the run.

Tools

AWS services

  • AWS CloudFormation – AWS CloudFormation provides a way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code.

  • Amazon EventBridge – Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources. EventBridge receives an event, an indicator of a change in environment, and applies a rule to route the event to a target. Rules match events to targets based on either the structure of the event, called an event pattern, or on a schedule.

  • AWS Lambda – AWS Lambda is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests each day to thousands each second. You pay only for the compute time that you consume. There is no charge when your code is not running.

  • AWS Organizations – AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.

  • AWS Step Functions – AWS Step Functions is a low-code visual workflow service used to orchestrate AWS services, automate business processes, and build serverless applications. Workflows manage failures, retries, parallelization, service integrations, and observability so developers can focus on higher-value business logic.

  • AWS Transit Gateway – AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router, so that each new connection is made only one time.

  • Amazon VPC – Amazon Virtual Private Cloud (Amazon VPC) is a service for launching AWS resources in a logically isolated virtual network that you define.

  • AWS X-Ray – AWS X-Ray collects data about requests that your application serves, and provides tools that you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization.

Code 

The source code for this solution is available in the Transit Gateway Attachment Tagger GitHub repository. The repository includes the following files:

  • tgw-attachment-tagger-main-stack.yaml creates all the resources to support this solution within the Shared Networking account.

  • tgw-attachment-tagger-organizations-stack.yaml creates a role in the management account of the organization.

Epics

Task | Description | Skills required

Gather required prerequisite information.

To configure cross-account access from the Lambda function to the AWS Organizations API, you need the account ID for the organization's management account.

Note: The order in which the two CloudFormation stacks are created matters. You must deploy resources into the Shared Networking account first. The role in the Shared Networking account must already exist before deploying resources into the organization's management account. For more information, see the AWS documentation.

DevOps engineer

Launch the CloudFormation template for the main solution stack.

The template for the main solution stack will deploy the IAM roles, Step Functions workflow, Lambda functions, and the CloudWatch event.

Open the AWS Management Console for the Shared Networking account, and then open the CloudFormation console. Create the stack by using the tgw-attachment-tagger-main-stack.yaml template and the following values:

  • Stack name – tgw-attachment-tagger-main-stack

  • awsOrganizationsRootAccountId – Account ID for the organization's management account

  • TGWRegions parameter – AWS Regions for the solution, entered as a comma-delimited string

  • TGWList parameter – Transit gateway IDs to be excluded from the solution, entered in a comma-delimited string

For more information about launching a CloudFormation stack, see the AWS documentation.

DevOps engineer

Verify that the solution has launched successfully.

Wait for the CloudFormation stack to reach a status of CREATE_COMPLETE. This should take less than one minute.

Open the Step Functions console, and verify that a new state machine has been created with the name tgw-attachment-tagger-state-machine.

DevOps engineer
Task | Description | Skills required

Gather required prerequisite information.

To configure cross-account access from the Lambda function to the AWS Organizations API, you need the account ID for the Shared Networking account.

DevOps engineer

Launch the CloudFormation template for the Organizations stack

The template for the AWS Organizations stack will deploy the IAM role in the organization's management account. 

Open the AWS Management Console for the organization's management account, and then open the CloudFormation console. Create the stack by using the tgw-attachment-tagger-organizations-stack.yaml template and the following values:

  • Stack name – tgw-attachment-tagger-organizations-stack

  • NetworkingAccountId parameter – Account ID for the Shared Networking account 

For the other stack creation options, use the defaults.

DevOps engineer

Verify that the solution has launched successfully.

Wait for the CloudFormation stack to reach a status of CREATE_COMPLETE. This should take less than one minute.

Open the Identity and Access Management (IAM) console, and verify that a new role has been created with the name tgw-attachment-tagger-organization-query-role.

DevOps engineer
Task | Description | Skills required

Run the state machine.

Open the Step Functions console for the Shared Networking account, and choose State machines in the navigation pane.

Select the state machine tgw-attachment-tagger-state-machine, and choose Start Execution.  

Because the input to this state machine is not used by the solution, you can use the default value.

{ "Comment": "Insert your JSON here" }

Choose Start Execution.

DevOps engineer

Watch the state machine until completion.

On the new page that opens, you can watch the state machine run. The duration will depend on the number of Transit Gateway attachments to process.

On this page, you can examine each step of the state machine. You can view the various tasks within the state machine and follow links to the CloudWatch logs for the Lambda functions. For the tasks that run in parallel within the map, you can use the Index dropdown list to view the iteration for each Region.

DevOps engineer

Verify the Transit Gateway attachment tags.

Open the VPC console for the Shared Networking account, and choose Transit Gateway Attachments. On the console, a Name tag is provided for attachments that met the criteria (the attachment is propagated to a Transit Gateway route table, and the resource owner is a member of the organization).

DevOps engineer

Verify the CloudWatch event initiation.

Wait for the CloudWatch event to initiate. This is scheduled for 06:00 UTC. 

Then open the Step Functions console for the Shared Networking account, and choose State machines in the navigation pane.

Select the state machine tgw-attachment-tagger-state-machine. Verify that the solution ran at 06:00 UTC.

DevOps engineer

Related resources