- flowlogs-transit-gateway

  - remove need for iam_role_arn (not needed for s3)

CHANGELOG.md

@@ -325,3 +325,7 @@
 * 2.9.2 -- 2023-06-28
   - route53-zone-association
     - fix zone_ids to remove null
+
+* 2.9.3 -- 2023-07-05
+  - flowlogs-transit-gateway
+    - remove need for iam_role_arn (not needed for s3)

common/version.tf

@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.9.2"
+  _module_version = "2.9.3"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

examples/vpc-region-shared-setup/apps/dns/README.md

@@ -0,0 +1,55 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws.east_main_dns"></a> [aws.east\_main\_dns](#provider\_aws.east\_main\_dns) | n/a |
+| <a name="provider_aws.west_main_dns"></a> [aws.west\_main\_dns](#provider\_aws.west\_main\_dns) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_route53_resolver_rule_association.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
+| [aws_route53_vpc_association_authorization.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_route53_zone.ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_route53_zone_association.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_resolver_rules.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_resolver_rules) | data source |
+| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dns_zone_create"></a> [dns\_zone\_create](#input\_dns\_zone\_create) | Flag determing to create (true) or associate (false) the main forward zone.  Used for the same VPC domain name across different regions or VPCs | `bool` | `true` | no |
+| <a name="input_dns_zone_description_prefix"></a> [dns\_zone\_description\_prefix](#input\_dns\_zone\_description\_prefix) | Zone description with the org-project-program-environment | `string` | `""` | no |
+| <a name="input_main_dns_profile"></a> [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"107742151971-do2-govcloud"` | no |
+| <a name="input_main_dns_vpcs"></a> [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` | <pre>{<br>  "us-gov-east-1": "vpc-099a991da7c4eb8a5",<br>  "us-gov-west-1": "vpc-77877a12"<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_all_zones"></a> [all\_zones](#output\_all\_zones) | DNS zone list |
+| <a name="output_domain_zone_id"></a> [domain\_zone\_id](#output\_domain\_zone\_id) | DNS Zone ID |
+| <a name="output_domain_zone_ns"></a> [domain\_zone\_ns](#output\_domain\_zone\_ns) | DNS Zone Nameservers |
+| <a name="output_ptr_zone_id"></a> [ptr\_zone\_id](#output\_ptr\_zone\_id) | DNS PTR Zone IDs |
+| <a name="output_ptr_zone_info"></a> [ptr\_zone\_info](#output\_ptr\_zone\_info) | DNS PTR Zone Info |
+| <a name="output_ptr_zone_ns"></a> [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DNS PTR Zone Nameservers |
+<!-- END_TF_DOCS -->

examples/vpc-region-shared-setup/apps/dns/associate-route53-endpoints.tf

@@ -0,0 +1,96 @@
+locals {
+  route53_zone_ids = compact(concat([try(aws_route53_zone.domain_zone[0].zone_id, null)], [for k, v in aws_route53_zone.ptr_zone : v.zone_id]))
+}
+
+#---
+# network prod
+#---
+provider "aws" {
+  alias  = "route53_main"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
+}
+
+module "route53_main_east" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = var.route53_endpoints["route53_main"]["us-gov-east-1"]
+  zone_ids = local.route53_zone_ids
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+module "route53_main_west" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = var.route53_endpoints["route53_main"]["us-gov-west-1"]
+  zone_ids = local.route53_zone_ids
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+#---
+# do2-gov ("legacy")
+#---
+provider "aws" {
+  alias  = "route53_main_legacy"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
+    session_name = var.os_username
+  }
+}
+
+module "route53_main_legacy_east" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_legacy
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
+  zone_ids = local.route53_zone_ids
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+module "route53_main_legacy_west" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_legacy
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
+  zone_ids = local.route53_zone_ids
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+

examples/vpc-region-shared-setup/apps/dns/associate-zones.tf

@@ -0,0 +1,29 @@
+locals {
+  forward_zone_list = [
+    #    "dev.csp1.census.gov",
+  ]
+}
+
+# replace ALIAS with that of the target, replace dash with _
+# replace ACCOUNTID with the account_id of the target account (account for ALIAS)
+# replace REGION with the short region, east or west where the zone VPC is defined in the target account
+
+## provider "aws" {
+##   alias  = "route53_ALIAS"
+##   region = var.region_map[REGION]
+##   assume_role {
+##     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, ACCOUNTID)
+##     session_name = var.os_username
+##   }
+## }
+
+## module "route53_ALIAS_zones" {
+##   providers = {
+##     aws.self = aws
+##     aws.peer = aws.route53_ALIAS
+##   }
+## 
+##   source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/vpc?ref=tf-upgrade"
+##   vpc_id = local.vpc_id
+##   zones  = local.forward_zone_list
+## }

examples/vpc-region-shared-setup/apps/dns/locals.tf

@@ -0,0 +1,13 @@
+locals {
+  base_tags = {
+    "boc:created_by" = "terraform"
+  }
+}
+
+locals {
+  vpc_info       = data.terraform_remote_state.vpc_REGION_VPCN.outputs.vpc_info
+  vpc_id         = local.vpc_info["vpc_id"]
+  domain_name    = local.vpc_info["vpc_domain_name"]
+  dns_servers    = local.vpc_info["vpc_dns_servers"]
+  vpc_short_name = local.vpc_info["vpc_short_name"]
+}

examples/vpc-region-shared-setup/apps/dns/region.tf

@@ -0,0 +1,3 @@
+locals {
+  region = var.region
+}

examples/vpc-region-shared-setup/apps/dns/tf-run.data

@@ -0,0 +1,27 @@
+VERSION 1.2.0
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+LINK variables.vpc.auto.tfvars
+LINK variables.vpc.tf
+COMMAND tf-init 
+
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/variables.application_tags.auto.tfvars
+
+TAG settings
+COMMENT edit locals.tf to change vpc_info to refrence this region and vpc
+COMMENT update variables.dns.auto.tfvars to set the proper comment, and whether to create the zone (false is the zone exists elseewhere)
+STOP verify these are done, and then continue with tf-run apply tag:verified-settings
+
+TAG verified-settings
+aws_route53_zone.domain_zone
+# aws_route53_zone.ptr_zone
+# aws_route53_resolver_rule_association.all_rules
+
+ALL
+COMMAND tf-directory-setup.py -l s3

examples/vpc-region-shared-setup/apps/dns/variables.dns.auto.tfvars

@@ -0,0 +1,2 @@
+dns_zone_description_prefix = "General dev ugw1"
+dns_zone_create             = false

examples/vpc-region-shared-setup/apps/dns/variables.dns.tf

@@ -0,0 +1,11 @@
+variable "dns_zone_description_prefix" {
+  description = "Zone description with the org-project-program-environment"
+  type        = string
+  default     = ""
+}
+
+variable "dns_zone_create" {
+  description = "Flag determing to create (true) or associate (false) the main forward zone.  Used for the same VPC domain name across different regions or VPCs"
+  type        = bool
+  default     = true
+}

examples/vpc-region-shared-setup/apps/dns/variables.route53.tf

@@ -0,0 +1,16 @@
+variable "route53_endpoints" {
+  description = "Map of target route53 endpoints (for inbound) central VPCs"
+  type        = map(map(string))
+  default = {
+    route53_main = {
+      "account_id"    = "057405694017"
+      "us-gov-east-1" = "vpc-0871ba8a6040d623a"
+      "us-gov-west-1" = "vpc-0f03ea065333f72c5"
+    }
+    route53_main_legacy = {
+      "account_id"    = "107742151971"
+      "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+      "us-gov-west-1" = "vpc-77877a12"
+    }
+  }
+}

examples/vpc-region-shared-setup/apps/dns/variables.username.tf

@@ -0,0 +1,5 @@
+variable "os_username" {
+  description = "OS username from environment variable, ideally as $USER"
+  type        = string
+  default     = null
+}

examples/vpc-region-shared-setup/apps/dns/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
+}