From 1183a73537aa129b178cc6a9693f989b4102de1b Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 12 Oct 2022 16:16:41 -0400 Subject: [PATCH] continue work --- vpc-transit-gateway-association/README.md | 14 +++++++- .../availabilty_zones.tf | 1 + .../data.transit-gateway.tf | 4 +++ vpc-transit-gateway-association/main.tf | 7 ++++ vpc-transit-gateway-association/routing.tf | 34 +++++++++++++++++++ .../variables.common.availability_zones.tf | 1 + .../variables.common.vpc_id.tf | 1 + vpc-transit-gateway-association/variables.tf | 20 +++++++++++ 8 files changed, 81 insertions(+), 1 deletion(-) create mode 120000 vpc-transit-gateway-association/availabilty_zones.tf create mode 100644 vpc-transit-gateway-association/routing.tf create mode 120000 vpc-transit-gateway-association/variables.common.availability_zones.tf create mode 120000 vpc-transit-gateway-association/variables.common.vpc_id.tf diff --git a/vpc-transit-gateway-association/README.md b/vpc-transit-gateway-association/README.md index 322eae6..c8fbafb 100644 --- a/vpc-transit-gateway-association/README.md +++ b/vpc-transit-gateway-association/README.md @@ -32,7 +32,9 @@ module "vpc_tgw" { ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [routing\_attachment](#module\_routing\_attachment) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing | tf-upgrade | ## Resources 
@@ -40,6 +42,8 @@ No modules. |------|------| | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source | +| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | 
@@ -57,12 +61,17 @@ No modules. |------|-------------|------|---------|:--------:| | [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no | | [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | +| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no | | [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no | | [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no | +| [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs for this VPC for the TGW attachment. This should be not public, and should be a separate attachment set of /28 subnets with no other use | `list(string)` | n/a | yes | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. 
| `map(string)` | `{}` | no | +| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes | | [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | | [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no | | [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no | | [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no | @@ -71,6 +80,9 @@ No modules. | Name | Description | |------|-------------| +| [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list (3) | +| [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list (3) | +| [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list (3) | | [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) | | [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) | | [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) | diff --git a/vpc-transit-gateway-association/availabilty_zones.tf b/vpc-transit-gateway-association/availabilty_zones.tf new file mode 120000 index 0000000..00a240c --- /dev/null +++ b/vpc-transit-gateway-association/availabilty_zones.tf @@ -0,0 +1 @@ +../common/availabilty_zones.tf \ No newline at end of file 
diff --git a/vpc-transit-gateway-association/data.transit-gateway.tf b/vpc-transit-gateway-association/data.transit-gateway.tf index b32a619..ab2b12a 100644 --- a/vpc-transit-gateway-association/data.transit-gateway.tf +++ b/vpc-transit-gateway-association/data.transit-gateway.tf @@ -58,3 +58,7 @@ data "aws_ec2_transit_gateway_route_table" "route_tables_peer" { locals { transit_gateway_route_table_ids_peer = { for k, v in data.aws_ec2_transit_gateway_route_table.route_tables_peer : v.tags["boc:network_vrf"] => k if contains(keys(v.tags), "boc:network_vrf") } } + +# These two hold a map of VRF => route table +# * transit_gateway_route_table_ids_self +# * transit_gateway_route_table_ids_peer diff --git a/vpc-transit-gateway-association/main.tf b/vpc-transit-gateway-association/main.tf index 80bc2b2..0891e3e 100644 --- a/vpc-transit-gateway-association/main.tf +++ b/vpc-transit-gateway-association/main.tf @@ -23,3 +23,10 @@ locals { "boc:created_by" = "terraform" } } + + +# vpc_id = local.vpc_id +# vpc_full_name = var.vpc_full_name +# availability_zones = [] +# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"] +# route_table_label = "attachment" diff --git a/vpc-transit-gateway-association/routing.tf b/vpc-transit-gateway-association/routing.tf new file mode 100644 index 0000000..8457a76 --- /dev/null +++ b/vpc-transit-gateway-association/routing.tf 
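Review bot: The commented-out lines appended to main.tf (`# vpc_id = local.vpc_id` through `# route_table_label = "attachment"`) are caller-side code, not module code: they reference `module.subnets`, which does not exist in this module, so they can never be uncommented in place. If they are meant to show how a parent root module derives `subnet_ids` (filtering private subnets tagged `boc:vpc:route-table = attachment`), move them into the README usage example under `module "vpc_tgw"` rather than leaving dead code in main.tf. The `locals` block this hunk extends begins outside the hunk.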
@@ -0,0 +1,34 @@ +module "routing_attachment" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing?ref=tf-upgrade" + vpc_id = var.vpc_id + + vpc_full_name = var.vpc_full_name + availability_zones = var.availability_zones + private_subnets_ids = var.subnt_ids + create_public_route_table = false + private_route_table_label = var.route_table_label + enable_igw = false + enable_nat = false + enable_vpc_endpoint_s3 = false + enable_vpc_endpoint_dynamodb = false + + vpc_name = var.vpc_name + vpc_short_name = var.vpc_short_name + vpc_cidr_block = var.vpc_cidr_block + # vpc_index = var.vpc_index + + tags = merge( + local.common_tags, + local.tags, + ) +} + +## # routes to tgw (for now, 10.128/16, should be each of the highest cidr blocks per account). It would be nice to use prefix lists, but not supported in gov +## resource "aws_route" "gateway" { +## for_each = module.routing.private_route_table_ids +## route_table_id = each.value +## # destination_cidr_block = "0.0.0.0/0" +## destination_cidr_block = "10.128.0.0/16" +## transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id +## depends_on = [ aws_ec2_transit_gateway_vpc_attachment.vpc_attachment ] +## } diff --git a/vpc-transit-gateway-association/variables.common.availability_zones.tf b/vpc-transit-gateway-association/variables.common.availability_zones.tf new file mode 120000 index 0000000..dca20a3 --- /dev/null +++ b/vpc-transit-gateway-association/variables.common.availability_zones.tf @@ -0,0 +1 @@ +../common/variables.common.availability_zones.tf \ No newline at end of file diff --git a/vpc-transit-gateway-association/variables.common.vpc_id.tf b/vpc-transit-gateway-association/variables.common.vpc_id.tf new file mode 120000 index 0000000..296b297 --- /dev/null +++ b/vpc-transit-gateway-association/variables.common.vpc_id.tf @@ -0,0 +1 @@ +../common//variables.common.vpc_id.tf \ No newline at end of file 
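Review bot: `private_subnets_ids = var.subnt_ids` references an input that is not declared anywhere in this patch — the variable added in variables.tf is `subnet_ids` — so `terraform validate` fails on this module block; it should read `private_subnets_ids = var.subnet_ids`. `var.vpc_cidr_block` is likewise absent from the README inputs table in this change, so it is probably undeclared as well unless it comes from an unseen common file. The module source is pinned with `ref=tf-upgrade`, a mutable branch; for a module that creates the route tables behind a TGW attachment, pin `ref=` to a tag or commit SHA so a later push to that branch cannot silently change what this VPC routes. The commented-out `aws_route` block refers to `module.routing` and `data.aws_ec2_transit_gateway.gateway_east`, neither of which exists here, and carries a `0.0.0.0/0` candidate destination; if it stays as a placeholder, a one-line comment such as `# No default route to the TGW is created by this module; callers add explicit routes.` would make the intent clear.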
diff --git a/vpc-transit-gateway-association/variables.tf b/vpc-transit-gateway-association/variables.tf index 95c5afd..ee37663 100644 --- a/vpc-transit-gateway-association/variables.tf +++ b/vpc-transit-gateway-association/variables.tf @@ -3,3 +3,23 @@ variable "network_account_profile" { type = string } +variable "transit_gateway_environment" { + description = "Transit Gateway Environment (aka, VRF) to which to connnect this VPC" + type = string + + validation { + condition = contains(local._defaults["transit-gateway-environments"], var.transit_gateway_environment) + error_message = "transit_gateway_environment value must be one of the valid VRF selections" + } +} + +variable "subnet_ids" { + description = "List of subnet IDs for this VPC for the TGW attachment. This should be not public, and should be a separate attachment set of /28 subnets with no other use" + type = list(string) +} + +variable "route_table_label" { + description = "Route table lable for the attachment subnets" + type = string + default = "attachment" +}
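Review bot: The `validation` block on `transit_gateway_environment` conditions on `local._defaults["transit-gateway-environments"]`, but Terraform releases before 1.9 only allow a variable's validation condition to refer to that variable itself, so on the Terraform versions current when this was written the module fails to load with "The condition for variable ... can only refer to the variable itself". Either inline the allowed VRF names as a literal list in the condition, or move the check into a `precondition` on the module call or attachment resource, where locals are permitted. `subnet_ids` states its real constraint only in prose (dedicated, non-public /28 attachment subnets) and has no validation; at minimum add `condition = length(var.subnet_ids) > 0 && alltrue([for id in var.subnet_ids : can(regex("^subnet-", id))])` with a matching `error_message`, since an empty list would otherwise silently produce a routing module with no attachment subnets. The descriptions also misspell "connnect" and "lable", and these strings flow into the generated README inputs table.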