global:
  # ** Replace with overall organizational ID and Account ID owning the organization **
  # Uncomment below  if you'd like to use RAM Sharing
  # organizationId: o-REPLACEME
  # organizationMainAccountId: 123456789012
  stackNamePrefix: sample-complex
  ssmPrefix: /sample-complex/network
  region: us-east-1
  availabilityZones:
    - us-east-1a
    - us-east-1b
  tags:
    - aws-vpc-builder: sample-complex

vpns:
  on-premises:
    style: transitGatewayAttached
    ## Substitute for a REAL public IP Address of a VPN device if you plan to establish a VPN connection.  Also adjust the ASN number.
    newCustomerGatewayIp: 1.2.3.4
    newCustomerGatewayAsn: 64501
    newCustomerGatewayName: sample-vpn-onprem CGW
    useTransit: central

providers:
  firewall:
    internet-inspection:
      vpcCidr: 100.64.0.0/16
      useTransit: central
      style: awsNetworkFirewall
      firewallDescription: sample-complex AWS Network Firewall
      firewallName: InspectionInternet
  internet:
    central-egress:
      vpcCidr: 10.10.63.192/26
      style: natEgress
      useTransit: central
  endpoints:
    vpc-endpoints:
      style: serviceInterfaceEndpoint
      vpcCidr: 10.20.0.0/19
      endpointMask: 24
      endpointConfigFile: sample-complex-endpoints
      useTransit: central
    dns-resolvers:
      vpcCidr: 10.10.63.128/26
      # ** Narrow to specific inbound resolver source IPs if desired **
      resolveRequestsFromCidrs:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
      forwardRequests:
        # ** Narrow to specific on-premesis domains **
        forDomains:
          - onprem.net
        # ** Replace with the IPs of on-premesis DNS servers **
        toIps:
          - 172.31.1.10
          - 172.31.2.10
        # ** All VPCs are permitted to resolve on prem **
        forVpcs:
          - workload-dev
          - workload-prod
      style: route53ResolverEndpoint
      useTransit: central

dns:
  base:
    domains:
      - cloud.net
    # ** Everyone can resolve our base domain **
    shareWithVpcs:
      - workload-dev
      - workload-prod
  prod:
    domains:
      - prod.cloud.net
    # ** Prod domain can be resolved from prod **
    shareWithVpcs:
      - workload-prod
  dev:
    domains:
      - dev.cloud.net
    # ** Dev domain can be resolved from prod **
    shareWithVpcs:
      - workload-dev

vpcs:
  workload-dev:
    style: workloadIsolated
    vpcCidr: 10.10.0.0/19
    providerInternet: central-egress
    providerEndpoints: vpc-endpoints
    subnets:
      workload:
        cidrMask: 20
        # ** Update with the Dev OU if you wish to RAM Share **
        #sharedWith:
        #  - ou-REPLACEME
  workload-prod:
    style: workloadIsolated
    vpcCidr: 10.10.32.0/20
    providerInternet: central-egress
    providerEndpoints: vpc-endpoints
    subnets:
      workload:
        cidrMask: 21
        # ** Update with the Prod OU if you wish to RAM Share **
        #sharedWith:
        #  - ou-REPLACEME
  central-ingress:
    style: workloadPublic
    vpcCidr: 10.10.64.0/19
    subnets:
      workload:
        cidrMask: 20
        # ** Update with the Prod and Dev OU if you wish to RAM Share **
        #sharedWith:
        #  - ou-REPLACEMEDev
        #  - ou-REPLACEMEProd

transitGateways:
  central:
    style: transitGateway
    tgwDescription: sample-complex TGW
    defaultRoutes:
      # Dev and Prod default to internet egress inspected by a firewall.
      - vpcName: workload-dev
        routesTo: central-egress
        inspectedBy: internet-inspection
      - vpcName: workload-prod
        routesTo: central-egress
        inspectedBy: internet-inspection
    dynamicRoutes:
      # Dev and Prod can both go on-prem via VPN.  BGP will advertise routes for us to use
      - vpcName: workload-dev
        routesTo: on-premises
      - vpcName: workload-prod
        routesTo: on-premises
    blackholeRoutes:
      # Dev may not communicate with prod and vice versa
      - vpcName: workload-dev
        blackholeCidrs:
          - 10.10.32.0/20
      - vpcName: workload-prod
        blackholeCidrs:
          - 10.10.0.0/19