add submodule tag-shared-vpc-resources

CHANGELOG.md

@@ -192,3 +192,7 @@
   - vpn-transit-gateway
     - add variable use_single_cgw to use only one CGW per site instead of one per site per VPN
 
+* 2.4.0 -- 2022-10-07
+  - tag-shared-vpc-resources
+    - new submoule to tag vpcs, dhcp options, subnets, route tables, network acls
+    - transit gateways do not support taggging at this time

common/version.tf

@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.3.1"
+  _module_version = "2.4.0"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 
@@ -12,9 +12,11 @@ locals {
     "routing"                  = "aws-vpc-setup/routing"
     "security-groups"          = "aws-vpc-setup/security-groups"
     "subnets"                  = "aws-vpc-setup/subnets"
+    "tag-shared-vpc-resources" = "aws-vpc-setup/tag-shared-vpc-resources"
     "vpc"                      = "aws-vpc-setup/vpc"
     "vpc-interface-endpoint"   = "aws-vpc-setup/vpc-interface-endpoint"
     "vpn"                      = "aws-vpc-setup/vpn"
     "vpn-transit-gateway"      = "aws-vpc-setup/vpn-transit-gateway"
+    "vpn-transit-gateway"      = "aws-vpc-setup/vpn-transit-gateway"
   }
 }

common/versions.tf

@@ -21,6 +21,10 @@ terraform {
       source  = "trevex/ldap"
       version = ">= 0.5.4"
     }
+    local = {
+      source  = "hashicorp/local"
+      version = ">= 1.0.0"
+    }
   }
   required_version = ">= 0.13"
 }

tag-shared-vpc-resources/README.md

@@ -0,0 +1,85 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
+| <a name="provider_aws.network_account"></a> [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | >= 1.0.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ec2_tag.dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.transit_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [null_resource.network_acl](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_transit_gateway.transit_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_network_acls.network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route_table.route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
+| [aws_route_tables.route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
+| [aws_subnet.subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
+| [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [aws_vpc_dhcp_options.dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_dhcp_options) | data source |
+| [aws_vpcs.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |
+| [local_file.network_acl](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tag_enabled_dhcp_options"></a> [tag\_enabled\_dhcp\_options](#input\_tag\_enabled\_dhcp\_options) | Flag to tag or not tag shared VPC DHCP option sets | `bool` | `true` | no |
+| <a name="input_tag_enabled_network_acls"></a> [tag\_enabled\_network\_acls](#input\_tag\_enabled\_network\_acls) | Flag to tag or not tag shared Network ACLs | `bool` | `true` | no |
+| <a name="input_tag_enabled_route_tables"></a> [tag\_enabled\_route\_tables](#input\_tag\_enabled\_route\_tables) | Flag to tag or not tag shared VPC route tables | `bool` | `true` | no |
+| <a name="input_tag_enabled_subnets"></a> [tag\_enabled\_subnets](#input\_tag\_enabled\_subnets) | Flag to tag or not tag shared VPC subnets | `bool` | `true` | no |
+| <a name="input_tag_enabled_transit_gateway"></a> [tag\_enabled\_transit\_gateway](#input\_tag\_enabled\_transit\_gateway) | Flag to tag or not tag shared VPC Transit Gateway (not currently possible in AWS; this has no effect) | `bool` | `false` | no |
+| <a name="input_tag_enabled_vpcs"></a> [tag\_enabled\_vpcs](#input\_tag\_enabled\_vpcs) | Flag to tag or not tag shared VPCs | `bool` | `true` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_account_caller_arn"></a> [account\_caller\_arn](#output\_account\_caller\_arn) | AWS Caller ARN |
+| <a name="output_account_caller_arn_partition"></a> [account\_caller\_arn\_partition](#output\_account\_caller\_arn\_partition) | AWS Caller ARN Partition |
+| <a name="output_caller_account_id"></a> [caller\_account\_id](#output\_caller\_account\_id) | AWS Account ID |
+| <a name="output_profile"></a> [profile](#output\_profile) | AWS Profile |
+| <a name="output_region"></a> [region](#output\_region) | AWS Region |
+| <a name="output_vpc_full_name"></a> [vpc\_full\_name](#output\_vpc\_full\_name) | VPC Full Name |

tag-shared-vpc-resources/data.shared.tf

@@ -0,0 +1,12 @@
+data "aws_caller_identity" "network_account" {
+  provider = aws.network_account
+}
+
+data "aws_arn" "network_account" {
+  provider = aws.network_account
+  arn      = data.aws_caller_identity.network_account.arn
+}
+
+# output "network_account" {
+#   value = data.aws_arn.network_account
+# }

tag-shared-vpc-resources/data.tf

@@ -0,0 +1 @@
+../common/data.tf

tag-shared-vpc-resources/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

tag-shared-vpc-resources/network_account.credentials.tf

@@ -0,0 +1,5 @@
+provider "aws" {
+  alias   = "network_account"
+  region  = var.region
+  profile = var.network_account_profile
+}

tag-shared-vpc-resources/outputs.common.tf

@@ -0,0 +1,29 @@
+output "caller_account_id" {
+  description = "AWS Account ID"
+  value       = data.aws_caller_identity.current.account_id
+}
+
+output "account_caller_arn" {
+  description = "AWS Caller ARN"
+  value       = data.aws_caller_identity.current.arn
+}
+
+output "account_caller_arn_partition" {
+  description = "AWS Caller ARN Partition"
+  value       = data.aws_arn.current.partition
+}
+
+output "profile" {
+  description = "AWS Profile"
+  value       = var.profile
+}
+
+output "region" {
+  description = "AWS Region"
+  value       = local.region
+}
+
+output "vpc_full_name" {
+  description = "VPC Full Name"
+  value       = var.vpc_full_name
+}

tag-shared-vpc-resources/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

tag-shared-vpc-resources/region.tf

@@ -0,0 +1,4 @@
+locals {
+  region = var.region
+}
+

tag-shared-vpc-resources/tag-dhcp-ooptions.tf

@@ -0,0 +1,23 @@
+data "aws_vpc_dhcp_options" "dhcp_options" {
+  provider        = aws.network_account
+  for_each        = local._dhcpopt_enabled ? { for k, v in data.aws_vpc.vpc : v.dhcp_options_id => v } : {}
+  dhcp_options_id = each.key
+}
+
+## output "dhcp_options" {
+##   value = data.aws_vpc_dhcp_options.dhcp_options
+## }
+
+locals {
+  _dhcpopt_enabled      = var.tag_enabled_dhcp_options
+  dhcp_options_tags     = { for k, v in data.aws_vpc_dhcp_options.dhcp_options : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
+  dhcp_options_tags_map = flatten([for k, v in local.dhcp_options_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), dhcp_options_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "dhcp_options" {
+  for_each = { for t in local.dhcp_options_tags_map : t.label => t }
+
+  resource_id = each.value.dhcp_options_id
+  key         = each.value.key
+  value       = each.value.value
+}

tag-shared-vpc-resources/tag-network-acls.tf

@@ -0,0 +1,73 @@
+data "aws_network_acls" "network_acls" {
+  for_each = local._nacl_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
+  filter {
+    name   = "owner-id"
+    values = [data.aws_arn.network_account.account]
+  }
+  filter {
+    name   = "vpc-id"
+    values = [each.key]
+  }
+}
+
+## data "aws_network_acl" "network_acl" {
+##   provider = aws.network_account
+##   for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+##   id       = each.key
+## }
+
+# there is no aws_network_acl data resource. Fake this out with null_resource
+#  aws --profile "057445207498-ent-gov-network-sa" --region $(get-region) ec2 describe-network-acls --network-acl-id "acl-0c19a5f3ea6a86d51"  > X.json
+
+resource "null_resource" "network_acl" {
+  for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+  triggers = {
+    directory      = "setup"
+    network_acl_id = each.key
+    filename       = "network_acl.${each.key}.json"
+  }
+
+  provisioner "local-exec" {
+    command = "test -d ${path.root}/${self.triggers.directory} || mkdir -p ${path.root}/${self.triggers.directory}"
+  }
+
+  provisioner "local-exec" {
+    working_dir = "${path.root}/${self.triggers.directory}"
+    command     = "aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.filename}"
+    environment = {
+      AWS_PROFILE = var.network_account_profile
+      AWS_REGION  = local.region
+    }
+  }
+}
+
+data "local_file" "network_acl" {
+  #  for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+  for_each = null_resource.network_acl
+  filename = format("%v/%v/%v", path.root, each.value.triggers.directory, each.value.triggers.filename)
+}
+
+## output "network_acls" {
+##   value = data.aws_network_acls.network_acls
+## }
+## 
+## output "network_acl" {
+## ##  value = data.aws_network_acl.network_acl
+##   value = local.network_acls
+## }
+
+locals {
+  _nacl_enabled         = var.tag_enabled_network_acls
+  _network_acls         = local._nacl_enabled ? { for k, v in data.local_file.network_acl : k => jsondecode(v.content) } : {}
+  network_acls          = { for k, v in local._network_acls : k => lookup(v, "NetworkAcls", [{ "Tags" : [], "OwnerId" : "" }])[0] }
+  network_acls_tags     = { for k, v in local.network_acls : k => merge({ for t in v.Tags : t.Key => t.Value }, { "boc:vpc:owner_id" = v.OwnerId }) }
+  network_acls_tags_map = flatten([for k, v in local.network_acls_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), network_acl_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "network_acls" {
+  for_each = { for t in local.network_acls_tags_map : t.label => t }
+
+  resource_id = each.value.network_acl_id
+  key         = each.value.key
+  value       = each.value.value
+}

tag-shared-vpc-resources/tag-route-tables.tf

@@ -0,0 +1,40 @@
+data "aws_route_tables" "route_tables" {
+  for_each = local._rt_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
+  filter {
+    name = "owner-id"
+    #    values = [ local.network_account_id ]
+    values = [data.aws_arn.network_account.account]
+  }
+  filter {
+    name   = "vpc-id"
+    values = [each.key]
+  }
+}
+
+data "aws_route_table" "route_table" {
+  provider       = aws.network_account
+  for_each       = toset(flatten(concat([for k, v in data.aws_route_tables.route_tables : v.ids])))
+  route_table_id = each.key
+}
+
+## output "route_tables" {
+##   value = data.aws_route_tables.route_tables
+## }
+## 
+## output "route_table" {
+##   value = data.aws_route_table.route_table
+## }
+
+locals {
+  _rt_enabled           = var.tag_enabled_route_tables
+  route_tables_tags     = { for k, v in data.aws_route_table.route_table : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
+  route_tables_tags_map = flatten([for k, v in local.route_tables_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), route_table_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "route_tables" {
+  for_each = { for t in local.route_tables_tags_map : t.label => t }
+
+  resource_id = each.value.route_table_id
+  key         = each.value.key
+  value       = each.value.value
+}

tag-shared-vpc-resources/tag-subnets.tf

@@ -0,0 +1,39 @@
+data "aws_subnets" "subnets" {
+  for_each = local._subnet_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
+  filter {
+    name   = "owner-id"
+    values = [data.aws_arn.network_account.account]
+  }
+  filter {
+    name   = "vpc-id"
+    values = [each.key]
+  }
+}
+
+data "aws_subnet" "subnet" {
+  provider = aws.network_account
+  for_each = toset(flatten(concat([for k, v in data.aws_subnets.subnets : v.ids])))
+  id       = each.key
+}
+
+## output "subnets" {
+##   value = data.aws_subnets.subnets
+## }
+## 
+## output "subnet" {
+##   value = data.aws_subnet.subnet
+## }
+
+locals {
+  _subnet_enabled  = var.tag_enable_subnets
+  subnets_tags     = { for k, v in data.aws_subnet.subnet : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
+  subnets_tags_map = flatten([for k, v in local.subnets_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), subnet_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "subnets" {
+  for_each = { for t in local.subnets_tags_map : t.label => t }
+
+  resource_id = each.value.subnet_id
+  key         = each.value.key
+  value       = each.value.value
+}