diff --git a/examples/shared-vpc-setup-tf-upgrade/.gitignore b/examples/shared-vpc-setup-tf-upgrade/.gitignore
new file mode 100644
index 0000000..efb4e2a
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/.gitignore
@@ -0,0 +1 @@
+vpn-configs
diff --git a/examples/shared-vpc-setup-tf-upgrade/M b/examples/shared-vpc-setup-tf-upgrade/M
deleted file mode 100644
index 9b8ce2d..0000000
--- a/examples/shared-vpc-setup-tf-upgrade/M
+++ /dev/null
@@ -1,48 +0,0 @@
-- [x] nhpc-app1.rm.census.gov
-- [x] nhpc-transfer1.rm.census.gov
-- [x] nhpc-login1.rm.census.gov
-- [x] nhpc-login2.rm.census.gov
-- [x] hpc-compute1.rm.census.gov
-- [ ] hpc-compute2.rm.census.gov
-- [ ] hpc-compute3.rm.census.gov
-- [ ] hpc-compute4.rm.census.gov
-- [ ] hpc-compute5.rm.census.gov
-- [ ] hpc-compute6.rm.census.gov
-- [ ] hpc-compute7.rm.census.gov
-- [ ] hpc-compute8.rm.census.gov
-- [ ] hpc-compute9.rm.census.gov
-- [ ] hpc-compute10.rm.census.gov
-- [ ] hpc-compute11.rm.census.gov
-- [ ] hpc-compute12.rm.census.gov
-- [ ] hpc-compute13.rm.census.gov
-- [ ] hpc-compute14.rm.census.gov
-- [ ] hpc-compute15.rm.census.gov
-- [ ] hpc-compute16.rm.census.gov
-- [ ] hpc-compute17.rm.census.gov
-- [ ] hpc-compute18.rm.census.gov
-- [ ] hpc-compute19.rm.census.gov
-- [ ] hpc-compute20.rm.census.gov
-- [ ] hpc-compute21.rm.census.gov
-- [ ] hpc-compute22.rm.census.gov
-- [ ] hpc-compute23.rm.census.gov
-- [ ] hpc-compute24.rm.census.gov
-- [ ] hpc-compute25.rm.census.gov
-- [ ] hpc-compute26.rm.census.gov
-- [ ] hpc-compute27.rm.census.gov
-- [ ] hpc-compute28.rm.census.gov
-- [ ] hpc-compute29.rm.census.gov
-- [ ] hpc-compute30.rm.census.gov
-- [ ] hpc-compute31.rm.census.gov
-- [ ] hpc-compute32.rm.census.gov
-- [ ] hpc-compute33.rm.census.gov
-- [ ] hpc-compute34.rm.census.gov
-- [ ] hpc-compute35.rm.census.gov
-- [ ] hpc-compute36.rm.census.gov
-- [ ] hpc-compute37.rm.census.gov
-- [ ] hpc-compute38.rm.census.gov
-- [ ] hpc-compute39.rm.census.gov
-- [ ] hpc-compute40.rm.census.gov
-- [ ] hpc-compute41.rm.census.gov
-- [ ] hpc-compute42.rm.census.gov
-- [ ] hpc-compute43.rm.census.gov
-- [ ] hpc-compute44.rm.census.gov
diff --git a/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mariadb.tf b/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mariadb.tf
new file mode 100644
index 0000000..533da01
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mariadb.tf
@@ -0,0 +1,9 @@
+module "maria" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-maria?ref=tf-upgrade"
+ vpc_id = module.vpc.vpc_id
+}
+
+output "sg_maria_id" {
+ description = "Common MariaDB security group"
+ value = module.maria.this_security_group_id
+}
diff --git a/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mssql.tf b/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mssql.tf
new file mode 100644
index 0000000..0997439
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mssql.tf
@@ -0,0 +1,11 @@
+module "rds-mssql" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mssql?ref=tf-upgrade"
+ vpc_id = module.vpc.vpc_id
+ #vpc_full_name = var.vpc_full_name
+}
+
+output "sg_rds-mssql_id" {
+ description = "RDS MSSQL security group id"
+ value = module.rds-mssql.this_security_group_id
+}
+
diff --git a/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mysql.tf b/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mysql.tf
new file mode 100644
index 0000000..32fd4fe
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-mysql.tf
@@ -0,0 +1,9 @@
+module "sg_mysql" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mysql?ref=tf-upgrade"
+ vpc_id = module.vpc.vpc_id
+}
+
+output "sg_mysql_id" {
+ description = "Common MySQL security group"
+ value = module.sg_mysql.this_security_group_id
+}
diff --git a/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-postgres.tf b/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-postgres.tf
new file mode 100644
index 0000000..c628822
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/OFF/sg-rds-postgres.tf
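Review bot: `vpc_id = module.vpc.vpc_id` has no `module "vpc"` to resolve against in this example — the root files added in this commit expose the shared VPC as `local.vpc_id` (data.vpc.tf) and sg-web.tf reads exactly that, so if any of these OFF/ files is moved back into the root it will fail with an undeclared module reference; `vpc_id = local.vpc_id` is the consistent form. The same applies to the sg-rds-mssql, sg-rds-mysql and sg-rds-postgres hunks. Separately, every `source` here pins `?ref=tf-upgrade`, a mutable branch, so the security-group rules that get applied depend on whatever the branch tip is at init time; pinning an immutable tag or commit (`?ref=<tag-or-sha>`, placeholder) makes the definitions reproducible and reviewable. These modules also pass no `tags`, unlike sg-web.tf; presumably deliberate while the files are parked under OFF/, but worth a one-line comment saying so.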
@@ -0,0 +1,9 @@
+module "sg_postgres" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-postgres?ref=tf-upgrade"
+ vpc_id = module.vpc.vpc_id
+}
+
+output "sg_postgres_id" {
+ description = "Common Postgres security group"
+ value = module.sg_postgres.this_security_group_id
+}
diff --git a/examples/shared-vpc-setup-tf-upgrade/README.md b/examples/shared-vpc-setup-tf-upgrade/README.md
new file mode 100644
index 0000000..14ecadb
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/README.md
@@ -0,0 +1,78 @@
+
+# About
+
+This directory constructs the appropriate resources for the vpc2-dice-dev VPC, including:
+
+* VPC
+* Subnets
+* Route Tables
+* Network ACLs
+* VPN (CGW, VPG, VPN Connectiosn)
+* Flow Logs
+* Securtity Groups (base, others)
+
+
+
+# Application Information
+
+* Application: DICE
+* Environment: development
+* Organization: ADSD, CTO
+* Project: DICE
+* Point of Contact(s):
+* Creation Date: 2021-05-10
+* References:
+ * Requirements: https://github.e.it.census.gov/terraform/cloud-information/blob/master/aws/projects/dice/
+ * Remedy Ticket: {number}
+ * Other: {other}
+* Related Configurations:
+ * {directory-path}
+
+# Application Requirements
+
+# Terraform Directions
+
+## Update files to reflect proper configuration
+
+1. get this module in a temporary location
+ * cd /tmp
+ * git clone git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git
+ * cd aws-vpc-setup
+ * git checkout tf-upgrade
+ * cd examples/full-setup-tf-upgrade
+1. rsync this code to your ACCOUNTREPO/vpc/region/vpcN directory
+1. Go to your repo ACCOUNTREPO/vpc/region/vpcN
+1. remove the /tmp/aws-vpc-setup directory
+1. start branch like 'configure-vpcN' (use N as the number)
+1. flowlogs.tf
+ * set correct region (east, west) in `flowlog_bucket_arn`
+1. variables.vpc.auto.tfvars
+ * put proper values for
+ * vpc_name
+ * vpc_cidr_block
+ * vpc_index (this is the number from vpc{number}-{name}
+ * vpc_short_name (vpc{number})
+ * vpc_full_name (vpc_short_name "-" vpc_name)
+ * vpc_environment
+ * vpc_domain_name (usually {vpc_environment}.PROGRAM.census.gov)
+ * proper `ip_address` for the VPN settings (replace NNN with the value from TCO)
+1. variables.subnets.auto.tfvars
+ * comment out public subnet objects (leaving public_subets = [], in essence; we are no longer using this)
+ * fill in the correct values for the base cidrs, starting with the blocks as shown. These will be validated in a PR
+1. commit, push, and do a PR. This must be merged before any apply. Keep your branch, as you'll have more to add to it.
+
+Once you have a merged PR you can run through the setup
+
+```script
+tf-run apply
+```
+
+Follow the diections from `tf-run`. You'll add all the files to git, do another commit, push and PR, before things are complete.
+
+
+
+
+# Details
+
+
+
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/.terraform-docs.yml b/examples/shared-vpc-setup-tf-upgrade/apps/.terraform-docs.yml
new file mode 100644
index 0000000..8391b9d
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/.terraform-docs.yml
@@ -0,0 +1,44 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+## hide: []
+ show:
+ - data-sources
+ - header
+ - footer
+ - inputs
+ - modules
+ - outputs
+ - providers
+ - requirements
+ - resources
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
+
+## output-values:
+## enabled: false
+## from: ""
+##
+## sort:
+## enabled: true
+## by: name
+##
+## settings:
+## anchor: true
+## color: true
+## default: true
+## description: false
+## escape: true
+## indent: 2
+## required: true
+## sensitive: true
+## type: true
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/.terraform-docs.yml b/examples/shared-vpc-setup-tf-upgrade/apps/dns/.terraform-docs.yml
new file mode 100644
index 0000000..8391b9d
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/.terraform-docs.yml
@@ -0,0 +1,44 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+## hide: []
+ show:
+ - data-sources
+ - header
+ - footer
+ - inputs
+ - modules
+ - outputs
+ - providers
+ - requirements
+ - resources
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
+
+## output-values:
+## enabled: false
+## from: ""
+##
+## sort:
+## enabled: true
+## by: name
+##
+## settings:
+## anchor: true
+## color: true
+## default: true
+## description: false
+## escape: true
+## indent: 2
+## required: true
+## sensitive: true
+## type: true
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/README.md b/examples/shared-vpc-setup-tf-upgrade/apps/dns/README.md
new file mode 100644
index 0000000..0d006f9
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/README.md
@@ -0,0 +1,55 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [aws.east\_main\_dns](#provider\_aws.east\_main\_dns) | n/a |
+| [aws.west\_main\_dns](#provider\_aws.west\_main\_dns) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_route53_resolver_rule_association.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
+| [aws_route53_vpc_association_authorization.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_route53_zone.ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_route53_zone_association.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_resolver_rules.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_resolver_rules) | data source |
+| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [dns\_zone\_create](#input\_dns\_zone\_create) | Flag determing to create (true) or associate (false) the main forward zone. Used for the same VPC domain name across different regions or VPCs | `bool` | `true` | no |
+| [dns\_zone\_description\_prefix](#input\_dns\_zone\_description\_prefix) | Zone description with the org-project-program-environment | `string` | `""` | no |
+| [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"107742151971-do2-govcloud"` | no |
+| [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` |
{
"us-gov-east-1": "vpc-099a991da7c4eb8a5",
"us-gov-west-1": "vpc-77877a12"
} | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [all\_zones](#output\_all\_zones) | DNS zone list |
+| [domain\_zone\_id](#output\_domain\_zone\_id) | DNS Zone ID |
+| [domain\_zone\_ns](#output\_domain\_zone\_ns) | DNS Zone Nameservers |
+| [ptr\_zone\_id](#output\_ptr\_zone\_id) | DNS PTR Zone IDs |
+| [ptr\_zone\_info](#output\_ptr\_zone\_info) | DNS PTR Zone Info |
+| [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DNS PTR Zone Nameservers |
+
\ No newline at end of file
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/associate-shared.tf b/examples/shared-vpc-setup-tf-upgrade/apps/dns/associate-shared.tf
new file mode 100644
index 0000000..ea9a292
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/associate-shared.tf
@@ -0,0 +1,25 @@
+## locals {
+## reverse_zones = flatten([
+## "10.in-addr.arpa",
+## "168.192.in-addr.arpa",
+## "129.148.in-addr.arpa",
+## [for x in range(16, 32) : format("%v.172.in-addr.arpa", x)],
+## ])
+## reverse_rules = formatlist("reverse-%v", local.reverse_zones)
+## forward_rules = ["forward-all-onprem", "amazon"]
+## all_main_rules = formatlist("resolver-%v", concat(local.forward_rules, local.reverse_rules))
+## }
+
+data "aws_route53_resolver_rules" "all_rules" {
+ share_status = "SHARED_WITH_ME"
+}
+
+data "aws_route53_resolver_rules" "all_rules_me" {
+ share_status = "SHARED_BY_ME"
+}
+
+resource "aws_route53_resolver_rule_association" "all_rules" {
+ for_each = length(data.aws_route53_resolver_rules.all_rules.resolver_rule_ids) > 0 ? toset(data.aws_route53_resolver_rules.all_rules.resolver_rule_ids) : (var.profile != var.main_dns_profile ? toset(data.aws_route53_resolver_rules.all_rules_me.resolver_rule_ids) : toset([]))
+ resolver_rule_id = each.key
+ vpc_id = local.vpc_id
+}
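Review bot: `aws_route53_resolver_rule_association.all_rules` attaches every resolver rule whose share status is `SHARED_WITH_ME` to the VPC with no filter on owner or name, so any rule that any principal shares into this account via RAM would silently be placed on the VPC's DNS path. The commented-out locals above (`all_main_rules`) suggest a name allowlist was intended; the data source also accepts `owner_id` and `name_regex`, so something like `owner_id = "<central-dns-account-id>"` (placeholder) would scope the association to rules from the central DNS account. The fallback to `SHARED_BY_ME` when nothing is shared in and `var.profile != var.main_dns_profile` is not self-explanatory; a short comment on that branch would help the next reader. `var.profile` is not declared in any file added under apps/dns in this commit, so presumably it comes from the linked `variables.vpc.tf`.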
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/locals.tf b/examples/shared-vpc-setup-tf-upgrade/apps/dns/locals.tf
new file mode 100644
index 0000000..6c49d21
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/locals.tf
@@ -0,0 +1,13 @@
+locals {
+ base_tags = {
+ "boc:created_by" = "terraform"
+ }
+}
+
+locals {
+ vpc_info = data.terraform_remote_state.vpc_REGION_vpcN.outputs.vpc_info
+ vpc_id = local.vpc_info["vpc_id"]
+ domain_name = local.vpc_info["vpc_domain_name"]
+ dns_servers = local.vpc_info["vpc_dns_servers"]
+ vpc_short_name = local.vpc_info["vpc_short_name"]
+}
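Review bot: `data.terraform_remote_state.vpc_REGION_vpcN` is a template placeholder that has to be edited before this directory can plan, but nothing in the file says so; a leading comment such as `# rename vpc_REGION_vpcN to the remote_state data source linked from infrastructure/ (the old example used vpc_east_shared_vpc1)` would make that explicit. The root tf-run.data in this commit uses `%%SHORT_REGION%%` substitution for the same purpose, so presumably the placeholder could use that mechanism instead of a manual edit. Note that `vpc_dns_servers` read here is emitted as `[]` by the root outputs.tf in this commit, so `local.dns_servers` will be empty until that output is populated.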
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/provider.main_dns.tf b/examples/shared-vpc-setup-tf-upgrade/apps/dns/provider.main_dns.tf
new file mode 100644
index 0000000..0e693d1
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/provider.main_dns.tf
@@ -0,0 +1,11 @@
+provider "aws" {
+ alias = "east_main_dns"
+ region = var.region_map["east"]
+ profile = var.main_dns_profile
+}
+
+provider "aws" {
+ alias = "west_main_dns"
+ region = var.region_map["west"]
+ profile = var.main_dns_profile
+}
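Review bot: `var.region_map` is not declared in any file added to apps/dns in this commit (variables.dns.tf declares only the four dns variables), so these providers depend on it arriving through the `LINK variables.vpc.tf` entry in tf-run.data; a one-line comment `# region_map comes from the linked variables.vpc.tf` would save the next reader a search. Both aliases authenticate as the central DNS account through a named local profile; within this commit the only resources using them are the `aws_route53_zone_association` blocks in zones.tf, so a comment stating that the profile needs no more than zone-association rights in that account would document the intended least-privilege scope.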
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/region.tf b/examples/shared-vpc-setup-tf-upgrade/apps/dns/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/sort-ip.py b/examples/shared-vpc-setup-tf-upgrade/apps/dns/sort-ip.py
new file mode 100755
index 0000000..293f723
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/sort-ip.py
@@ -0,0 +1,19 @@
+#!/bin/env python
+
+import json
+import sys
+import ipaddress
+
+r=0
+outdata={'ip_addresses_sorted':''}
+try:
+ indata=json.load(sys.stdin)
+ ipa=indata['ip_addresses'].split(',')
+ ips=sorted(ipa,key=ipaddress.ip_address)
+ outdata['ip_addresses_sorted']=','.join(ips)
+ print(json.dumps(outdata))
+except:
+ sys.stderr.write("unable to parse input address\n")
+ r=1
+
+sys.exit(r)
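Review bot: The bare `except:` also swallows `SystemExit` and `KeyboardInterrupt` and discards the real error, so a malformed address and an invalid JSON document both report the same `unable to parse input address` with no detail. Catching the concrete failures and echoing the message keeps the exit-code behaviour while making failures diagnosable: `except (KeyError, ValueError, TypeError) as e:` / `sys.stderr.write("unable to parse input address: %s\n" % e)`. `TypeError` is what `sorted` raises when IPv4 and IPv6 addresses are mixed, and whitespace around the comma-separated entries makes `ipaddress.ip_address` raise `ValueError`, so `ipa = [a.strip() for a in indata['ip_addresses'].split(',')]` is probably wanted too. The shebang `#!/bin/env python` is non-portable; `#!/usr/bin/env python3` is the conventional form.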
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/tf-run.data b/examples/shared-vpc-setup-tf-upgrade/apps/dns/tf-run.data
new file mode 100644
index 0000000..26ec2e6
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/tf-run.data
@@ -0,0 +1,13 @@
+VERSION 1.1.3
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/prod/variables.application_tags.auto.tfvars
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+
+ALL
+COMMAND tf-directory-setup.py -l s3
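Review bot: `LINKTOP includes.d/prod/variables.application_tags.auto.tfvars` links the `prod` tag values, while the example README (Environment: development) and the root tf-run.data in this commit, which links only the environment-neutral `includes.d/variables.application_tags.tf`, suggest this directory is a template for any environment. If the path is meant to be substituted per environment, a placeholder in the `%%…%%` style the root file uses for `%%SHORT_REGION%%`, or at least a comment, would keep a dev deployment from being tagged as prod. Tags typically drive cost allocation and policy, so a wrong environment tag is more than cosmetic.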
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/variables.dns.auto.tfvars b/examples/shared-vpc-setup-tf-upgrade/apps/dns/variables.dns.auto.tfvars
new file mode 100644
index 0000000..649480f
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/variables.dns.auto.tfvars
@@ -0,0 +1,2 @@
+dns_zone_description_prefix = "{project} {environment}"
+dns_zone_create = true
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/variables.dns.tf b/examples/shared-vpc-setup-tf-upgrade/apps/dns/variables.dns.tf
new file mode 100644
index 0000000..68ed443
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/variables.dns.tf
@@ -0,0 +1,27 @@
+variable "main_dns_vpcs" {
+ description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
+ type = map(string)
+ default = {
+ "us-gov-west-1" = "vpc-77877a12"
+ "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+ }
+}
+
+variable "main_dns_profile" {
+ description = "Profile name for AWS for the main DNS central account"
+ type = string
+ default = "107742151971-do2-govcloud"
+}
+
+
+variable "dns_zone_description_prefix" {
+ description = "Zone description with the org-project-program-environment"
+ type = string
+ default = ""
+}
+
+variable "dns_zone_create" {
+ description = "Flag determing to create (true) or associate (false) the main forward zone. Used for the same VPC domain name across different regions or VPCs"
+ type = bool
+ default = true
+}
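Review bot: The defaults for `main_dns_vpcs` and `main_dns_profile` bake two VPC ids and a central-account profile name into an example that is meant to be rsynced into many account repos, so every copy silently inherits them and any change in the central DNS account has to be chased through each copy. Dropping the defaults, or moving them to a single shared `*.auto.tfvars` linked via tf-run.data, forces the values to be set deliberately per deployment. The `dns_zone_create` description has a typo, `determing` → `determining`, which also propagates into the generated README.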
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/versions.tf b/examples/shared-vpc-setup-tf-upgrade/apps/dns/versions.tf
new file mode 100644
index 0000000..c791e91
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ }
+}
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/dns/zones.tf b/examples/shared-vpc-setup-tf-upgrade/apps/dns/zones.tf
new file mode 100644
index 0000000..d58dcd4
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/dns/zones.tf
@@ -0,0 +1,209 @@
+locals {
+ # calculate set of /24 blocks for PTR subnets from cidr bock size
+ vpc_cidr_block = local.vpc_info["vpc_cidr_block"]
+ bits = tonumber(split("/", local.vpc_cidr_block)[1])
+ split_bits = 24 - local.bits
+ _ptr_zones = local.split_bits > 0 ? { for x in range(0, pow(2, local.split_bits)) : x => cidrsubnet(local.vpc_cidr_block, local.split_bits, x) } : {}
+ ptr_zones = { for x, s in local._ptr_zones : s => {
+ index = x
+ cidr = s
+ octets = split(".", split("/", s)[0])
+ bits = tonumber(split("/", s)[1])
+ ptr_zone = format("%v.in-addr.arpa", join(".", reverse(slice(split(".", split("/", s)[0]), 0, 3))))
+ }
+ }
+
+ zone_description = var.dns_zone_description_prefix == "" ? var.dns_zone_description_prefix : format("%v ", var.dns_zone_description_prefix)
+}
+
+#---
+# domain (forward) zone
+# need to pull this ando ther forward zones up to vpc/apps/dns
+#---
+data "aws_route53_zone" "domain_zone" {
+ # provider = aws.east
+ count = var.dns_zone_create ? 0 : 1
+ name = local.domain_name
+ private_zone = true
+}
+
+resource "aws_route53_zone" "domain_zone" {
+ count = var.dns_zone_create ? 1 : 0
+ name = local.domain_name
+ comment = format("%vDNS Forward Zone %v", local.zone_description, local.domain_name)
+ force_destroy = false
+
+ vpc {
+ vpc_id = local.vpc_id
+ vpc_region = local.region
+ }
+
+ lifecycle {
+ ignore_changes = [vpc]
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ tomap({ "Name" = local.domain_name }),
+ )
+}
+
+resource "aws_route53_vpc_association_authorization" "west_domain_zone" {
+ # provider = aws.west_main_dns
+ # for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+ for_each = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
+ zone_id = each.value.zone_id
+ vpc_region = "us-gov-west-1"
+ vpc_id = var.main_dns_vpcs["us-gov-west-1"]
+}
+
+resource "aws_route53_zone_association" "west_domain_zone" {
+ provider = aws.west_main_dns
+ for_each = var.dns_zone_create ? aws_route53_vpc_association_authorization.west_domain_zone : {}
+
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = each.value.vpc_region
+}
+
+# resource "aws_route53_zone_association" "east_domain_zone" {
+# for_each = tomap({"zone" = aws_route53_zone.domain_zone[0]})
+# zone_id = each.value.zone_id
+# vpc_region = "us-gov-east-1"
+# vpc_id = var.main_dns_vpcs["us-gov-east-1"]
+# }
+
+resource "aws_route53_vpc_association_authorization" "east_domain_zone" {
+ # provider = aws.east_main_dns
+ # for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+ for_each = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
+
+ zone_id = each.value.zone_id
+ vpc_region = "us-gov-east-1"
+ vpc_id = var.main_dns_vpcs["us-gov-east-1"]
+}
+
+resource "aws_route53_zone_association" "east_domain_zone" {
+ provider = aws.east_main_dns
+ for_each = var.dns_zone_create ? aws_route53_vpc_association_authorization.east_domain_zone : {}
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = each.value.vpc_region
+}
+
+output "domain_zone_id" {
+ description = "DNS Zone ID"
+ # value = aws_route53_zone.domain_zone[0].zone_id
+ value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : data.aws_route53_zone.domain_zone[0].zone_id
+}
+
+output "domain_zone_ns" {
+ description = "DNS Zone Nameservers"
+ # value = aws_route53_zone.domain_zone[0].name_servers
+ value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].name_servers : data.aws_route53_zone.domain_zone[0].name_servers
+}
+
+#---
+# ptr (reverse) zones
+#---
+resource "aws_route53_zone" "ptr_zone" {
+ for_each = local.ptr_zones
+
+ name = each.value.ptr_zone
+ comment = format("%vDNS PTR Zone %v (%v)", local.zone_description, each.value.ptr_zone, each.value.cidr)
+ force_destroy = false
+
+ vpc {
+ vpc_id = local.vpc_id
+ vpc_region = local.region
+ }
+
+ lifecycle {
+ ignore_changes = [vpc]
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ tomap({ "Name" = each.value.ptr_zone }),
+ )
+}
+
+resource "aws_route53_vpc_association_authorization" "west_ptr_zone" {
+ # provider = aws.west_main_dns
+ for_each = aws_route53_zone.ptr_zone
+
+ zone_id = each.value.zone_id
+ vpc_region = "us-gov-west-1"
+ vpc_id = var.main_dns_vpcs["us-gov-west-1"]
+}
+
+resource "aws_route53_zone_association" "west_ptr_zone" {
+ provider = aws.west_main_dns
+ for_each = aws_route53_vpc_association_authorization.west_ptr_zone
+
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = each.value.vpc_region
+}
+
+resource "aws_route53_vpc_association_authorization" "east_ptr_zone" {
+ # provider = aws.east_main_dns
+ for_each = aws_route53_zone.ptr_zone
+
+ zone_id = each.value.zone_id
+ vpc_region = "us-gov-east-1"
+ vpc_id = var.main_dns_vpcs["us-gov-east-1"]
+}
+
+resource "aws_route53_zone_association" "east_ptr_zone" {
+ provider = aws.east_main_dns
+ for_each = aws_route53_vpc_association_authorization.east_ptr_zone
+
+ zone_id = each.value.zone_id
+ vpc_id = each.value.vpc_id
+ vpc_region = each.value.vpc_region
+}
+
+## resource "aws_route53_zone_association" "west_ptr_zone" {
+## for_each = aws_route53_zone.ptr_zone
+## zone_id = each.value.zone_id
+## vpc_region = "us-gov-west-1"
+## vpc_id = var.main_dns_vpcs["us-gov-west-1"]
+## }
+##
+## resource "aws_route53_zone_association" "east_ptr_zone" {
+## for_each = aws_route53_zone.ptr_zone
+## zone_id = each.value.zone_id
+## vpc_region = "us-gov-east-1"
+## vpc_id = var.main_dns_vpcs["us-gov-east-1"]
+## }
+##
+
+output "ptr_zone_id" {
+ description = "DNS PTR Zone IDs"
+ value = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].zone_id }
+}
+
+output "ptr_zone_ns" {
+ description = "DNS PTR Zone Nameservers"
+ value = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].name_servers }
+}
+
+output "ptr_zone_info" {
+ description = "DNS PTR Zone Info"
+ value = { for x, s in local.ptr_zones : x => {
+ cidr = s.cidr
+ ptr_zone = s.ptr_zone
+ zone_id = aws_route53_zone.ptr_zone[x].zone_id
+ name_servers = aws_route53_zone.ptr_zone[x].name_servers
+ } }
+}
+
+output "all_zones" {
+ description = "DNS zone list"
+ value = flatten(concat([local.domain_name], [for x, s in local.ptr_zones : s.ptr_zone]))
+}
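Review bot: The `_ptr_zones` guard `local.split_bits > 0 ? … : {}` yields no PTR zone at all for a VPC whose prefix is exactly /24 (`split_bits == 0`), although such a VPC needs one `in-addr.arpa` zone; since `range(0, pow(2, 0))` gives a single index and `cidrsubnet(prefix, 0, 0)` should return the prefix itself, `local.split_bits >= 0 ? … : {}` looks like the intended condition — worth a quick plan against a /24 to confirm. When `dns_zone_create = false` the `west_domain_zone`/`east_domain_zone` authorizations get `{}` (the commented-out `for_each` lines show the data-source fallback that was intended), so an existing forward zone is never associated with the central VPCs; if that is deliberate a comment should say so. `local.common_tags` is not defined in any file added under apps/dns here, so presumably it comes from the linked includes. The forward-zone comment reads `ando ther` → `and other`.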
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/region.tf b/examples/shared-vpc-setup-tf-upgrade/apps/region.tf
index b7b1696..f617506 100644
--- a/examples/shared-vpc-setup-tf-upgrade/apps/region.tf
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/region.tf
@@ -1,4 +1,3 @@
locals {
region = var.region
}
-
diff --git a/examples/shared-vpc-setup-tf-upgrade/apps/versions.tf b/examples/shared-vpc-setup-tf-upgrade/apps/versions.tf
index 12b558f..ec1ce3c 100644
--- a/examples/shared-vpc-setup-tf-upgrade/apps/versions.tf
+++ b/examples/shared-vpc-setup-tf-upgrade/apps/versions.tf
@@ -4,30 +4,9 @@ terraform {
source = "hashicorp/aws"
version = ">= 3.0"
}
- # ldap = {
- # source = "trevex/ldap"
- # version = ">= 0.5.4"
- # }
- # external = {
- # source = "hashicorp/external"
- # version = ">= 1.0"
- # }
- # null = {
- # source = "hashicorp/null"
- # version = ">= 1.0"
- # }
- # random = {
- # source = "hashicorp/random"
- # version = ">= 1.0"
- # }
- # template = {
- # source = "hashicorp/template"
- # version = ">= 1.0"
- # }
- # infoblox = {
- # source = "infobloxopen/infoblox"
- # version = ">= 2.1.0"
- # }
+ infoblox = {
+ source = "infobloxopen/infoblox"
+ version = ">= 2.1.0"
+ }
}
- required_version = ">= 1.0"
}
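Review bot: Removing `required_version = ">= 1.0"` leaves apps/ with no Terraform core constraint, while the new apps/dns/versions.tf in the same commit pins `>= 1.0.0` and `aws >= 4.0`; apps/ keeps `aws >= 3.0`, so two directories under the same tree now disagree on both. Restoring `required_version = ">= 1.0"` (or aligning both files on the same constraints) keeps `tf-init -upgrade` from resolving different provider majors across the tree. The enclosing `terraform {}` block starts before this hunk.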
diff --git a/examples/shared-vpc-setup-tf-upgrade/data.tf b/examples/shared-vpc-setup-tf-upgrade/data.tf
new file mode 100644
index 0000000..cb626c2
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/data.tf
@@ -0,0 +1,9 @@
+data "aws_availability_zones" "zones" {
+ state = "available"
+}
+
+data "aws_availability_zone" "zone" {
+ for_each = toset(data.aws_availability_zones.zones.names)
+ state = "available"
+ name = each.key
+}
diff --git a/examples/shared-vpc-setup-tf-upgrade/shared-vpc-data.tf b/examples/shared-vpc-setup-tf-upgrade/data.vpc.tf
similarity index 66%
rename from examples/shared-vpc-setup-tf-upgrade/shared-vpc-data.tf
rename to examples/shared-vpc-setup-tf-upgrade/data.vpc.tf
index 6b1b686..84b4be5 100644
--- a/examples/shared-vpc-setup-tf-upgrade/shared-vpc-data.tf
+++ b/examples/shared-vpc-setup-tf-upgrade/data.vpc.tf
@@ -25,18 +25,6 @@ data "aws_vpc_dhcp_options" "dhcp_options" {
dhcp_options_id = data.aws_vpc.vpc.dhcp_options_id
}
-## output "vpcs" {
-## value = data.aws_vpcs.vpcs
-## }
-##
-## output "vpc" {
-## value = data.aws_vpc.vpc
-## }
-##
-## output "subnets" {
-## value = data.aws_subnets.subnets
-## }
-##
-## output "subnet" {
-## value = data.aws_subnet.subnet
-## }
+locals {
+ vpc_id = data.aws_vpc.vpc.id
+}
diff --git a/examples/shared-vpc-setup-tf-upgrade/outputs.shared-vpc.tf b/examples/shared-vpc-setup-tf-upgrade/outputs.shared-vpc.tf
deleted file mode 100644
index 66030f5..0000000
--- a/examples/shared-vpc-setup-tf-upgrade/outputs.shared-vpc.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-locals {
- shared_vpc_info = {
- vpc_id = data.aws_vpc.vpc.id
- vpc_arn = data.aws_vpc.vpc.arn
- vpc_cidr_block = data.aws_vpc.vpc.cidr_block
- vpc_full_name = var.vpc_full_name
- owner_id = data.aws_vpc.vpc.owner_id
- vpc_environment = data.aws_vpc.vpc.tags["Environment"]
- vpc_short_name = split("-", var.vpc_full_name)[0]
- vpc_domain_name = data.aws_vpc_dhcp_options.dhcp_options.domain_name
- # _raw = data.aws_vpc.vpc
- }
- shared_private_subnet_info = [for k, v in data.aws_subnet.subnet : {
- id = v.id
- arn = v.arn
- availability_zone = v.availability_zone
- owner_id = v.owner_id
- cidr_block = v.cidr_block
- subnet = v.cidr_block
- label = replace(v.tags["Name"], format("%v-", var.vpc_full_name), "")
- tags = v.tags
- # _raw = v
- }]
-}
-
-
-output "shared_vpc_info" {
- description = "Details from shared VPC"
- value = local.shared_vpc_info
-}
-
-output "shared_private_subnet_info" {
- description = "Details from shared VPC subnets"
- value = local.shared_private_subnet_info
-}
diff --git a/examples/shared-vpc-setup-tf-upgrade/outputs.tf b/examples/shared-vpc-setup-tf-upgrade/outputs.tf
new file mode 100644
index 0000000..01d91e1
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/outputs.tf
@@ -0,0 +1,53 @@
+output "vpc_id" {
+ description = "VPC ID"
+ value = data.aws_vpc.vpc.id
+}
+
+output "vpc_arn" {
+ description = "VPC ARN"
+ value = data.aws_vpc.vpc.arn
+}
+
+output "vpc_info" {
+ description = "VPC info"
+ value = {
+ vpc_id = data.aws_vpc.vpc.id
+ vpc_cidr_block = data.aws_vpc.vpc.cidr_block
+ vpc_arn = data.aws_vpc.vpc.arn
+ vpc_name = var.vpc_name
+ vpc_short_name = var.vpc_short_name
+ # vpc_short_name = split("-", var.vpc_full_name)[0]
+ vpc_full_name = var.vpc_full_name
+ "vpc_environment" = var.vpc_environment
+ # vpc_environment = data.aws_vpc.vpc.tags["Environment"]
+ owner_id = data.aws_vpc.vpc.owner_id
+ # vpc_domain_name = var.vpc_domain_name
+ vpc_domain_name = data.aws_vpc_dhcp_options.dhcp_options.domain_name
+ # _raw = data.aws_vpc.vpc
+ "vpc_dns_servers" = []
+ "s3_endpoint_id" = null
+ "dynamodb_endpoint_id" = null
+ "s3_endpoint_cidr_blocks" = null
+ "dynamodb_endpoint_cidr_blocks" = null
+ }
+}
+
+## locals {
+## shared_private_subnet_info = [for k, v in data.aws_subnet.subnet : {
+## id = v.id
+## arn = v.arn
+## availability_zone = v.availability_zone
+## owner_id = v.owner_id
+## cidr_block = v.cidr_block
+## subnet = v.cidr_block
+## label = replace(v.tags["Name"], format("%v-", var.vpc_full_name), "")
+## tags = v.tags
+## # _raw = v
+## }]
+## }
+##
+##
+## output "shared_private_subnet_info" {
+## description = "Details from shared VPC subnets"
+## value = local.shared_private_subnet_info
+## }
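Review bot: `vpc_info` emits `"vpc_dns_servers" = []` and four `null` endpoint fields with no explanation; apps/dns/locals.tf in this commit reads `vpc_dns_servers` from this output, so consumers get an empty list rather than the VPC's resolvers. A comment such as `# stub keys so shared-VPC consumers see the same shape as a self-built VPC; populate when the shared VPC exposes them` would record the intent, and mixing quoted (`"vpc_environment"`) and bare keys in the same map is worth normalising. `vpc_environment` switches from the VPC's `Environment` tag (the deleted outputs.shared-vpc.tf) to `var.vpc_environment`, so the two can now drift; if the tag is authoritative, an output `precondition` comparing them (Terraform 1.2+) would catch that.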
diff --git a/examples/shared-vpc-setup-tf-upgrade/sg-web.tf b/examples/shared-vpc-setup-tf-upgrade/sg-web.tf
new file mode 100644
index 0000000..497efd7
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/sg-web.tf
@@ -0,0 +1,16 @@
+module "sg_web" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web?ref=tf-upgrade"
+ vpc_id = local.vpc_id
+
+ tags = merge(
+ local.tags,
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
+
+output "sg_web_id" {
+ description = "Common Web security group"
+ value = module.sg_web.this_security_group_id
+}
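Review bot: `local.tags` is referenced in the `tags` merge, but the only definition of it in this tree, the `locals` block in shared-vpc.tf, is deleted by this same commit and nothing added here re-declares it; unless a file outside the diff defines it, `terraform validate` will fail with an undeclared local value. Either reinstate a `tags` local (the deleted one set `CostAllocation` and `Environment`) or drop `local.tags` from the merge now that `var.account_tags` and `var.application_tags` are linked in via tf-run.data. As with the OFF/ files, `?ref=tf-upgrade` pins a mutable branch rather than a tag or commit, so the security-group rules that get applied depend on the branch tip at init time.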
diff --git a/examples/shared-vpc-setup-tf-upgrade/shared-vpc.tf b/examples/shared-vpc-setup-tf-upgrade/shared-vpc.tf
deleted file mode 100644
index 9ce30c9..0000000
--- a/examples/shared-vpc-setup-tf-upgrade/shared-vpc.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-locals {
- # vpc_info = data.terraform_remote_state.vpc_east_shared_vpc1.outputs.shared_vpc_info
- # subnet_info = data.terraform_remote_state.vpc_east_shared_vpc1.outputs.shared_private_subnet_info
- vpc_info = local.shared_vpc_info
- subnet_info = local.shared_private_subnet_info
- vpc_id = local.vpc_info.vpc_id
-
- tags = {
- CostAllocation = "csvd:infrastructure"
- Environment = var.vpc_environment
- }
-}
-
-# the only thing not shared are security groups, so they need to be created in each account/region and
-# vpc where they intend to be used
-
-module "base-security-groups" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//security-groups?ref=tf-upgrade"
- vpc_id = local.vpc_id
-
- enable_manage_default_sg = false
- vpc_full_name = var.vpc_full_name
- vpc_environment = var.vpc_environment
- tags = local.tags
-}
diff --git a/examples/shared-vpc-setup-tf-upgrade/tf-run.data b/examples/shared-vpc-setup-tf-upgrade/tf-run.data
index f8cad8e..35fcfda 100644
--- a/examples/shared-vpc-setup-tf-upgrade/tf-run.data
+++ b/examples/shared-vpc-setup-tf-upgrade/tf-run.data
@@ -1,7 +1,38 @@
-VERSION 1.0.0
+VERSION 1.3.0
REMOTE-STATE
COMMAND tf-directory-setup.py -l none -f
COMMAND setup-new-directory.sh
COMMAND tf-init -upgrade
-ALL
+
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+## LINKTOP includes.d/variables.application_tags.auto.tfvars
+
+## LINKTOP provider_configs.d/provider.infoblox.auto.tfvars
+## LINKTOP provider_configs.d/provider.infoblox.tf
+## LINKTOP provider_configs.d/provider.infoblox.variables.tf
+LINKTOP common/remote_state.common.tf
+LINKTOP infrastructure/%%SHORT_REGION%%/remote_state.infrastructure_%%SHORT_REGION%%.tf
+
+## module.vpc module.subnets
COMMAND tf-directory-setup.py -l s3
+
+## TAG stop-plan
+## COMMENT Until you reach this point with a tf-run apply, a plan action will fail as there are resources which need to be created
+## PAUSE
+
+## module.routing
+## module.vpn
+## module.flowlogs
+module.base-security-groups
+module.sg_web
+## module.nacls module.nacls_enterprise module.nacls_endpoints module.nacls_public_vpc module.nacls_public_nat
+## module.peer_services_main_west module.peer_services_main_east
+## ALL
+ALL
+
+## COMMENT continue setup for apps: cd apps; tf-run apply
+## COMMENT continue setup for apps/dns: cd apps/dns; tf-run apply
diff --git a/examples/shared-vpc-setup-tf-upgrade/variables.availability_zones.tf b/examples/shared-vpc-setup-tf-upgrade/variables.availability_zones.tf
new file mode 100644
index 0000000..3e906b9
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/variables.availability_zones.tf
@@ -0,0 +1,5 @@
+variable "availability_zones" {
+ description = "AWS Availability zones for subnet (default: all)"
+ type = list(string)
+ default = []
+}
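Review bot: The description on the `availability_zones` variable says "(default: all)" while the declared default is `[]`, which reads as a contradiction to anyone setting the variable. If an empty list is what selects all zones, say so in the description, e.g. `description = "AWS Availability zones for subnets; an empty list (the default) selects all zones in the region"`; if the empty list is not yet honoured (the comment in variables.subnets.tf says availability_zone does nothing at this point), note that instead so nobody relies on it.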
diff --git a/examples/shared-vpc-setup-tf-upgrade/variables.shared-vpc.auto.tfvars b/examples/shared-vpc-setup-tf-upgrade/variables.shared-vpc.auto.tfvars
deleted file mode 100644
index 00cd607..0000000
--- a/examples/shared-vpc-setup-tf-upgrade/variables.shared-vpc.auto.tfvars
+++ /dev/null
@@ -1,9 +0,0 @@
-# network_account_profile = "057445207498-ent-gov-network-sa"
-
-vpc_name = "tgw-common"
-vpc_full_name = "vpc1-tgw-common"
-vpc_environment = "common"
-vpc_domain_name = "common.network-sa-1.csp1.census.gov"
-tgw_environment = "services"
-
-
diff --git a/examples/shared-vpc-setup-tf-upgrade/variables.shared-vpc.tf b/examples/shared-vpc-setup-tf-upgrade/variables.shared-vpc.tf
deleted file mode 100644
index 6fa13fc..0000000
--- a/examples/shared-vpc-setup-tf-upgrade/variables.shared-vpc.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-# variable "network_account_profile" {
-# description = "AWS profile of the source account sharing the VPC resources"
-# type = string
-# }
-
-# vpc_name = "tgw-common"
-# vpc_cidr_block = "10.189.0.0/23"
-# vpc_index = "1"
-# vpc_short_name = "vpc1"
-# vpc_full_name = "vpc1-tgw-common"
-# vpc_environment = "common"
-# vpc_domain_name = "common.network-sa-1.csp1.census.gov"
-# vpc_dns_servers = ["148.129.127.22", "148.129.191.22"]
-# vpc_ntp_servers = ["148.129.127.23", "148.129.191.23"]
-# vpc_enable_igw = false
-# vpc_enable_nat = false
-# vpc_enable_vpn = false
-# vpc_enable_awsdns = true
-#
-# vpn_settings = []
-# tgw_environment = "services"
-
-
-variable "vpc_name" {
- description = "VPC Name including environment (if necessary), excluding vpc{N}"
- type = string
-}
-
-# vpc_full_name
-
-## variable "vpc_cidr_block" {
-## description = "VPC CIDR Block"
-## type = string
-## }
-##
-## variable "vpc_short_name" {
-## description = "VPC short name component, vpc{index}"
-## type = string
-## }
-
-variable "vpc_environment" {
- description = "VPC environment purpose (common, shared, dev, stage, ite, prod)"
- type = string
- default = ""
-}
-
-variable "tgw_environment" {
- description = "Transit Gateway environment route table (services, dev, test, stage, prod, network)"
- type = string
- default = null
-}
diff --git a/examples/shared-vpc-setup-tf-upgrade/variables.subnets.auto.tfvars b/examples/shared-vpc-setup-tf-upgrade/variables.subnets.auto.tfvars
new file mode 100644
index 0000000..0255455
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/variables.subnets.auto.tfvars
@@ -0,0 +1,19 @@
+public_subnets = [
+ ## { base_cidr = "10.188.64.0/24", label = "public", bits = 2, private = false, enabled=false, tags = {} },
+]
+private_subnets = [
+ { base_cidr = "10.188.65.0/24", label = "endpoints", bits = 2, private = true, enabled = true, tags = {} },
+ { base_cidr = "10.188.65.192/26", label = "attachment", bits = 2, private = true, enabled = true, tags = { "boc:vpc:route-table" = "attachment" } },
+ { base_cidr = "10.188.66.0/23", label = "private-lb", bits = 2, private = true, enabled = true,
+ tags = { "kubernetes.io/role/internal-elb" = 1 }
+ },
+ { base_cidr = "10.188.68.0/23", label = "db", bits = 2, private = true, enabled = true, tags = {} },
+ # { base_cidr = "10.188.70.0/23", label = "(free)", bits = 2, private = true, enabled=false, tags = {} },
+ { base_cidr = "10.188.72.0/22", label = "apps", bits = 2, private = true, enabled = true, tags = {} },
+ # { base_cidr = "10.188.76.0/22", label = "(free)", bits = 2, private = true, enabled=false, tags = {} },
+ { base_cidr = "10.188.80.0/21", label = "container", bits = 2, private = true, enabled = true,
+ tags = {
+ # "kubernetes.io/cluster/dice-ite" = "shared"
+ },
+ }
+]
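Review bot: None of the subnet base CIDRs here (10.188.65.0/24 through 10.188.80.0/21) fall inside the `vpc_cidr_block = "10.182.32.0/19"` set in variables.vpc.auto.tfvars in this same commit, so either the subnet list or the VPC CIDR is stale and an apply would fail or land subnets in an unexpected address range. Separately, the "endpoints" entry (10.188.65.0/24, bits = 2) and the "attachment" entry (10.188.65.192/26) overlap: the fourth /26 carved from the endpoints base is exactly the attachment base, so if the subnet module allocates one slice per availability zone and the region has four or more zones the two would collide. If the intent is that endpoints only ever uses three slices, record that next to the entry, e.g. `# endpoints uses slices 0-2 of the /24; slice 3 (.192/26) is reserved for attachment`, otherwise move attachment out of the /24.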
diff --git a/examples/shared-vpc-setup-tf-upgrade/variables.subnets.tf b/examples/shared-vpc-setup-tf-upgrade/variables.subnets.tf
new file mode 100644
index 0000000..75f328b
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/variables.subnets.tf
@@ -0,0 +1,37 @@
+# from aws-vpc-setup/subnets/variables.common.subnets.tf
+variable "public_subnets" {
+ description = "List of objects with public subnet information to be created"
+ type = list(object({
+ base_cidr = string
+ label = string
+ bits = number
+ offset = optional(number, 0)
+ private = bool
+ tags = map(string)
+ enabled = optional(bool, true)
+ availability_zone = optional(string)
+ # subnets = list(string)
+ # labels = list(string)
+ # availability_zones = list(string)
+ }))
+ default = []
+}
+
+# availability_zone does nothign at this point
+variable "private_subnets" {
+ description = "List of objects with private subnet information to be created"
+ type = list(object({
+ base_cidr = string
+ label = string
+ bits = number
+ offset = optional(number, 0)
+ private = bool
+ tags = map(string)
+ enabled = optional(bool, true)
+ availability_zone = optional(string)
+ # subnets = list(string)
+ # labels = list(string)
+ # availability_zones = list(string)
+ }))
+ default = []
+}
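Review bot: The comment `# availability_zone does nothign at this point` has a typo and, more importantly, is attached only to private_subnets even though public_subnets declares the same `availability_zone = optional(string)` attribute. Fix the spelling and move it to the top of the file so it covers both variables, e.g. `# availability_zone is accepted but not yet honoured by the subnet module; subnets are placed by the module's own AZ selection — confirm`. The `optional(number, 0)` / `optional(bool, true)` forms with a default value need Terraform 1.3 or newer; see the note on versions.tf in this commit.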
diff --git a/examples/shared-vpc-setup-tf-upgrade/variables.vpc.auto.tfvars b/examples/shared-vpc-setup-tf-upgrade/variables.vpc.auto.tfvars
index 5b8be63..bdb5648 100644
--- a/examples/shared-vpc-setup-tf-upgrade/variables.vpc.auto.tfvars
+++ b/examples/shared-vpc-setup-tf-upgrade/variables.vpc.auto.tfvars
@@ -1,16 +1,11 @@
-## vpc_name = "tgw-common"
-## vpc_cidr_block = "10.189.0.0/23"
-## vpc_index = "1"
-## vpc_short_name = "vpc1"
-## vpc_full_name = "vpc1-tgw-common"
-## vpc_environment = "common"
-## vpc_domain_name = "common.network-sa-1.csp1.census.gov"
-## vpc_dns_servers = ["148.129.127.22", "148.129.191.22"]
-## vpc_ntp_servers = ["148.129.127.23", "148.129.191.23"]
-## vpc_enable_igw = false
-## vpc_enable_nat = false
-## vpc_enable_vpn = false
-## vpc_enable_awsdns = true
-##
-## vpn_settings = []
-## tgw_environment = "services"
+shared_vpc_label = "general"
+vpc_name = "gen-dev"
+vpc_cidr_block = "10.182.32.0/19"
+vpc_index = 2
+vpc_short_name = "vpc2"
+vpc_full_name = "vpc2-gen-dev"
+vpc_environment = "dev"
+vpc_domain_name = "dev.csp1.census.gov"
+vpc_dns_servers = []
+vpc_ntp_servers = []
+tgw_environment = "dev"
diff --git a/examples/shared-vpc-setup-tf-upgrade/variables.vpc.tf b/examples/shared-vpc-setup-tf-upgrade/variables.vpc.tf
new file mode 100644
index 0000000..da3cd9c
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/variables.vpc.tf
@@ -0,0 +1,50 @@
+variable "vpc_name" {
+ description = "VPC Name including environment (if necessary), excluding vpc{N}. From shared VPC definition."
+ type = string
+}
+
+variable "vpc_index" {
+ description = "VPC index number. This was used for NACL rule number caculations, and it is no longer needed. It is ignored in this configuration."
+ type = number
+ default = null
+}
+
+variable "vpc_cidr_block" {
+ description = "VPC CIDR Block. From shared VPC definition."
+ type = string
+}
+
+variable "vpc_short_name" {
+ description = "VPC short name component, vpc{index}. From shared VPC definition."
+ type = string
+}
+
+variable "vpc_environment" {
+ description = "VPC environment purpose (common, shared, dev, stage, ite, prod). From shared VPC defintion."
+ type = string
+ default = ""
+}
+
+variable "shared_vpc_label" {
+ description = "Label to use for shared VPC for flowlogs and other things. From shared VPC definition."
+ type = string
+ default = null
+}
+
+
+variable "tgw_environment" {
+ description = "Transit Gateway environment route table (services, dev, test, stage, prod, cre). Not used for any network setup. From shared VPC definition."
+ type = string
+ default = null
+
+ validation {
+ condition = var.tgw_environment == null || contains(["services", "dev", "test", "stage", "prod", "cre"], var.tgw_environment)
+ error_message = "The tgw_environment must contain one of the legal values: services, dev, test, stage, prod, cre."
+ }
+}
+
+# in variables.d/variable.scommon.tf
+# - vpc_full_name
+# - vpc_domain_name
+# - vpc_dns_servers
+# - vpc_ntp_servers
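Review bot: `vpc_environment` lists its legal values in the description but has no validation block, while the neighbouring `tgw_environment` enforces its list; an unexpected value would flow straight into the Environment tag and the security-group module (vpc.tf) without being caught at plan time. Adding a validation that also admits the `""` default keeps the two variables consistent. There are also typos in descriptions worth fixing on the same pass: `caculations` on vpc_index and `defintion` on vpc_environment, and the trailing comment path `variables.d/variable.scommon.tf` looks like it should read `variables.common.tf` (compare the reference to `variables.common.subnets.tf` in variables.subnets.tf) — confirm against the includes directory.
```hcl
variable "vpc_environment" {
  description = "VPC environment purpose (common, shared, dev, stage, ite, prod). From shared VPC definition."
  type        = string
  default     = ""

  validation {
    condition     = var.vpc_environment == "" || contains(["common", "shared", "dev", "stage", "ite", "prod"], var.vpc_environment)
    error_message = "The vpc_environment must be empty or one of: common, shared, dev, stage, ite, prod."
  }
}
```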
diff --git a/examples/shared-vpc-setup-tf-upgrade/versions.tf b/examples/shared-vpc-setup-tf-upgrade/versions.tf
index 31a7d19..bf73497 100644
--- a/examples/shared-vpc-setup-tf-upgrade/versions.tf
+++ b/examples/shared-vpc-setup-tf-upgrade/versions.tf
@@ -1,33 +1,33 @@
terraform {
+ required_version = ">= 1.0.0"
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 3.0"
- }
- ldap = {
- source = "trevex/ldap"
- version = ">= 0.5.4"
- }
- external = {
- source = "hashicorp/external"
- version = ">= 1.0"
- }
- null = {
- source = "hashicorp/null"
- version = ">= 1.0"
- }
- random = {
- source = "hashicorp/random"
- version = ">= 1.0"
- }
- template = {
- source = "hashicorp/template"
- version = ">= 1.0"
- }
- infoblox = {
- source = "infobloxopen/infoblox"
- version = ">= 2.1.0"
+ version = ">= 4.0"
}
+ ## ldap = {
+ ## source = "trevex/ldap"
+ ## version = ">= 0.5.4"
+ ## }
+ ## external = {
+ ## source = "hashicorp/external"
+ ## version = ">= 1.0"
+ ## }
+ ## null = {
+ ## source = "hashicorp/null"
+ ## version = ">= 1.0"
+ ## }
+ ## random = {
+ ## source = "hashicorp/random"
+ ## version = ">= 1.0"
+ ## }
+ ## template = {
+ ## source = "hashicorp/template"
+ ## version = ">= 1.0"
+ ## }
+ ## infoblox = {
+ ## source = "infobloxopen/infoblox"
+ ## version = ">= 2.1.0"
+ ## }
}
- required_version = ">= 1.0"
}
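Review bot: `required_version = ">= 1.0.0"` is too low for this commit: variables.subnets.tf uses `optional(number, 0)` and `optional(bool, true)` with default values, which require Terraform 1.3 or newer, and tf-run.data in the same commit bumps its VERSION to 1.3.0. Raise the constraint to match, `required_version = ">= 1.3.0"`, so an older binary fails fast on init instead of with a confusing type error. The provider constraint `version = ">= 4.0"` has no upper bound, so the `tf-init -upgrade` step in tf-run.data will jump to the next major release of the AWS provider when one is published; an upper bound such as `version = ">= 4.0, < 5.0"` (or whichever major the modules have been tested with) makes that upgrade a deliberate change.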
diff --git a/examples/shared-vpc-setup-tf-upgrade/vpc-endpoints.tf b/examples/shared-vpc-setup-tf-upgrade/vpc-endpoints.tf
new file mode 100644
index 0000000..a473c6e
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/vpc-endpoints.tf
@@ -0,0 +1,65 @@
+# dynamodb and s3 gateway endpoints defined in vpc module
+
+# select here where label starts with app-
+# private_subnets_ids = data.terraform_remote_state.vpc_east_vpc3.outputs.private_subnets_ids
+# or use data
+
+# some help from here: https://dev.to/danquack/private-fargate-deployment-with-vpc-endpoints-1h0p
+
+locals {
+ security_group_ids = [module.sg_web.this_security_group_id]
+
+ # currently this list doesn't do anything, but it's mostly to track what is in place here. A future
+ # revision of the vpc endpoints module will allow this as a for_each (tf 0.13+)
+ # keep in alphabetical order in the list and the file
+
+ # disable by setting to null
+ # enable by setting to "", or if it require a different service name, set that
+ vpc_endpoints = {
+ ## "autoscaling" = ""
+ ## "ec2" = ""
+ ## "ec2messages" = ""
+ ## "ecr.api" = ""
+ ## "ecr.dkr" = ""
+ ## "ecs" = ""
+ ## "elasticfilesystem" = ""
+ ## "elasticloadbalancing" = ""
+ ## "kms" = ""
+ ## "logs" = ""
+ ## "secretsmanager" = ""
+ ## "ssm" = ""
+ ## "ssmmessages" = ""
+ ## "sts" = ""
+ }
+}
+
+data "aws_subnets" "endpoint_subnets" {
+ filter {
+ name = "vpc-id"
+ values = [local.vpc_id]
+ }
+ filter {
+ name = "tag:Name"
+ values = ["*-endpoints-*"]
+ }
+}
+
+module "vpce" {
+ for_each = { for k, v in local.vpc_endpoints : k => v if v != null }
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint?ref=tf-upgrade"
+
+ service = each.value == "" ? each.key : each.value
+ subnet_ids = tolist(data.aws_subnets.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.tags,
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
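Review bot: The comment above `vpc_endpoints` ("currently this list doesn't do anything ... a future revision of the vpc endpoints module will allow this as a for_each") is already false in this file: `module "vpce"` iterates the map with `for_each` on the line below, so the comment should be replaced with what the map now controls, e.g. `# each non-null entry creates one interface endpoint via module.vpce; value "" uses the key as the service name`. `security_group_ids = [module.sg_web.this_security_group_id]` attaches the common web security group to every interface endpoint; an endpoint only needs inbound 443 from the VPC's own address space, so if the web group admits anything wider (its rules are not visible here) a dedicated endpoint group would be tighter — confirm the web group's ingress before relying on it. The `tag:Name` filter `*-endpoints-*` is a wildcard match across all subnets in the VPC, so if no subnet carries that name the module receives an empty `subnet_ids` list; a `lifecycle { precondition }` or a comment stating the expected naming would make that failure mode explicit.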
diff --git a/examples/shared-vpc-setup-tf-upgrade/vpc.tf b/examples/shared-vpc-setup-tf-upgrade/vpc.tf
new file mode 100644
index 0000000..0246116
--- /dev/null
+++ b/examples/shared-vpc-setup-tf-upgrade/vpc.tf
@@ -0,0 +1,27 @@
+locals {
+ tags = {
+ CostAllocation = "csvd:infrastructure"
+ Environment = var.vpc_environment
+ }
+}
+
+module "base-security-groups" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//security-groups?ref=tf-upgrade"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ enable_manage_default_sg = false
+
+ tags = merge(
+ local.tags,
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
+
+## locals {
+## vpc_info = local.shared_vpc_info
+## subnet_info = local.shared_private_subnet_info
+## }
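Review bot: `enable_manage_default_sg = false` leaves the VPC's default security group out of Terraform's control, which is the opposite of the usual hardening posture (default SG stripped of all rules); in a shared-VPC participant account that is likely unavoidable because the default group belongs to the owner account, but nothing in the file says so. A one-line comment on that line would stop the next reviewer from flipping it, e.g. `# default SG is owned by the VPC owner account and managed there; participants cannot modify it — confirm`. `local.vpc_id` is referenced here and in sg-web.tf and vpc-endpoints.tf, yet the locals block that defined it (deleted shared-vpc.tf) is gone and the replacement locals at the bottom of this file are commented out; it may come from a LINKTOP-linked file, but that should be verified with a plan before merging.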