diff --git a/CHANGELOG.md b/CHANGELOG.md index 5963329..353f4ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -325,3 +325,7 @@ * 2.9.2 -- 2023-06-28 - route53-zone-association - fix zone_ids to remove null + +* 2.9.3 -- 2023-07-05 + - flowlogs-transit-gateway + - remove need for iam_role_arn (not needed for s3) diff --git a/common/version.tf b/common/version.tf index 91c73cc..0622996 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,5 +1,5 @@ locals { - _module_version = "2.9.2" + _module_version = "2.9.3" _module_names = { "_main_" = "aws-vpc-setup" diff --git a/examples/vpc-region-shared-setup/apps/dns/README.md b/examples/vpc-region-shared-setup/apps/dns/README.md new file mode 100644 index 0000000..0d006f9 --- /dev/null +++ b/examples/vpc-region-shared-setup/apps/dns/README.md 
@@ -0,0 +1,55 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [aws.east\_main\_dns](#provider\_aws.east\_main\_dns) | n/a | +| [aws.west\_main\_dns](#provider\_aws.west\_main\_dns) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_route53_resolver_rule_association.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource | +| [aws_route53_vpc_association_authorization.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone.ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone_association.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_zone_association.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| 
[aws_route53_zone_association.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_zone_association.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_resolver_rules.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_resolver_rules) | data source | +| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dns\_zone\_create](#input\_dns\_zone\_create) | Flag determing to create (true) or associate (false) the main forward zone. Used for the same VPC domain name across different regions or VPCs | `bool` | `true` | no | +| [dns\_zone\_description\_prefix](#input\_dns\_zone\_description\_prefix) | Zone description with the org-project-program-environment | `string` | `""` | no | +| [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"107742151971-do2-govcloud"` | no | +| [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` |
{
"us-gov-east-1": "vpc-099a991da7c4eb8a5",
"us-gov-west-1": "vpc-77877a12"
} | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [all\_zones](#output\_all\_zones) | DNS zone list |
+| [domain\_zone\_id](#output\_domain\_zone\_id) | DNS Zone ID |
+| [domain\_zone\_ns](#output\_domain\_zone\_ns) | DNS Zone Nameservers |
+| [ptr\_zone\_id](#output\_ptr\_zone\_id) | DNS PTR Zone IDs |
+| [ptr\_zone\_info](#output\_ptr\_zone\_info) | DNS PTR Zone Info |
+| [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DNS PTR Zone Nameservers |
+
\ No newline at end of file
diff --git a/examples/vpc-region-shared-setup/apps/dns/associate-route53-endpoints.tf b/examples/vpc-region-shared-setup/apps/dns/associate-route53-endpoints.tf
new file mode 100644
index 0000000..1c2542c
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/associate-route53-endpoints.tf
@@ -0,0 +1,96 @@
+locals {
+ route53_zone_ids = compact(concat([try(aws_route53_zone.domain_zone[0].zone_id, null)], [for k, v in aws_route53_zone.ptr_zone : v.zone_id]))
+}
+
+#---
+# network prod
+#---
+provider "aws" {
+ alias = "route53_main"
+ region = var.region_map["east"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
+module "route53_main_east" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-east-1"
+ vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"]
+ zone_ids = local.route53_zone_ids
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+module "route53_main_west" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-west-1"
+ vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"]
+ zone_ids = local.route53_zone_ids
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+#---
+# do2-gov ("legacy")
+#---
+provider "aws" {
+ alias = "route53_main_legacy"
+ region = var.region_map["east"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
+ session_name = var.os_username
+ }
+}
+
+module "route53_main_legacy_east" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_legacy
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-east-1"
+ vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
+ zone_ids = local.route53_zone_ids
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+module "route53_main_legacy_west" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_legacy
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-west-1"
+ vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
+ zone_ids = local.route53_zone_ids
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
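Review bot: All four `source` lines pull `//route53-zone-association/zone?ref=tf-upgrade`, a branch name rather than a tag or commit, so the module code that runs under the assumed `r-inf-terraform-route53` role in the central DNS accounts can change between runs without any change in this file. Pin the ref to an immutable release tag or commit SHA, e.g. `?ref=v2.9.3`, and bump it deliberately. The two provider blocks also set `session_name = var.os_username`, and that variable defaults to null elsewhere in this change; since the session name is what CloudTrail records for the cross-account role session, a one-line comment such as `# session_name surfaces in the peer account's CloudTrail; keep it set to the operator's identity` would make the intent explicit to whoever copies this example.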
diff --git a/examples/vpc-region-shared-setup/apps/dns/associate-zones.tf b/examples/vpc-region-shared-setup/apps/dns/associate-zones.tf
new file mode 100644
index 0000000..a7254ae
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/associate-zones.tf
@@ -0,0 +1,29 @@
+locals {
+ forward_zone_list = [
+ # "dev.csp1.census.gov",
+ ]
+}
+
+# replace ALIAS with that of the target, replace dash with _
+# replace ACCOUNTID with the account_id of the target account (account for ALIAS)
+# replace REGION with the short region, east or west where the zone VPC is defined in the target account
+
+## provider "aws" {
+## alias = "route53_ALIAS"
+## region = var.region_map[REGION]
+## assume_role {
+## role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, ACCOUNTID)
+## session_name = var.os_username
+## }
+## }
+
+## module "route53_ALIAS_zones" {
+## providers = {
+## aws.self = aws
+## aws.peer = aws.route53_ALIAS
+## }
+##
+## source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/vpc?ref=tf-upgrade"
+## vpc_id = local.vpc_id
+## zones = local.forward_zone_list
+## }
diff --git a/examples/vpc-region-shared-setup/apps/dns/locals.tf b/examples/vpc-region-shared-setup/apps/dns/locals.tf
new file mode 100644
index 0000000..73c5521
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/locals.tf
@@ -0,0 +1,13 @@
+locals {
+ base_tags = {
+ "boc:created_by" = "terraform"
+ }
+}
+
+locals {
+ vpc_info = data.terraform_remote_state.vpc_REGION_VPCN.outputs.vpc_info
+ vpc_id = local.vpc_info["vpc_id"]
+ domain_name = local.vpc_info["vpc_domain_name"]
+ dns_servers = local.vpc_info["vpc_dns_servers"]
+ vpc_short_name = local.vpc_info["vpc_short_name"]
+}
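Review bot: `data.terraform_remote_state.vpc_REGION_VPCN` is a placeholder that has to be renamed per deployment (tf-run.data's COMMENT line says so), but nothing in locals.tf itself says that, and the `terraform_remote_state` data source it refers to is not defined in any file in this change, so a copied example fails with an unexplained undeclared-resource error. A comment above the second `locals` block, e.g. `# vpc_REGION_VPCN is a placeholder: rename to the terraform_remote_state data source for this region/VPC before running (see tf-run.data)`, would cover that. It is also worth noting the keys `vpc_info` is expected to carry: `vpc_id`, `vpc_domain_name`, `vpc_dns_servers`, `vpc_short_name`, plus `vpc_cidr_block` which zones.tf in this change reads from the same map.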
diff --git a/examples/vpc-region-shared-setup/apps/dns/region.tf b/examples/vpc-region-shared-setup/apps/dns/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/vpc-region-shared-setup/apps/dns/tf-run.data b/examples/vpc-region-shared-setup/apps/dns/tf-run.data
new file mode 100644
index 0000000..73fbcf0
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/tf-run.data
@@ -0,0 +1,27 @@
+VERSION 1.2.0
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+LINK variables.vpc.auto.tfvars
+LINK variables.vpc.tf
+COMMAND tf-init
+
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/variables.application_tags.auto.tfvars
+
+TAG settings
+COMMENT edit locals.tf to change vpc_info to refrence this region and vpc
+COMMENT update variables.dns.auto.tfvars to set the proper comment, and whether to create the zone (false is the zone exists elseewhere)
+STOP verify these are done, and then continue with tf-run apply tag:verified-settings
+
+TAG verified-settings
+aws_route53_zone.domain_zone
+# aws_route53_zone.ptr_zone
+# aws_route53_resolver_rule_association.all_rules
+
+ALL
+COMMAND tf-directory-setup.py -l s3
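Review bot: The `verified-settings` step lists only `aws_route53_zone.domain_zone`, but variables.dns.auto.tfvars in this change sets `dns_zone_create = false`, which gives that resource `count = 0`; if tf-run passes these names as `-target` (inferred from the layout, not visible here) the step applies nothing, and the PTR zones are commented out so they are not created until the final ALL step. Either add `aws_route53_zone.ptr_zone` to the tag or say in the COMMENT that the tag only matters when the forward zone is created in this directory. The two COMMENT lines also carry typos: `refrence` should be `reference`, and `(false is the zone exists elseewhere)` should read `(false if the zone exists elsewhere)`.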
diff --git a/examples/vpc-region-shared-setup/apps/dns/variables.dns.auto.tfvars b/examples/vpc-region-shared-setup/apps/dns/variables.dns.auto.tfvars
new file mode 100644
index 0000000..4bb8c66
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/variables.dns.auto.tfvars
@@ -0,0 +1,2 @@
+dns_zone_description_prefix = "General dev ugw1"
+dns_zone_create = false
diff --git a/examples/vpc-region-shared-setup/apps/dns/variables.dns.tf b/examples/vpc-region-shared-setup/apps/dns/variables.dns.tf
new file mode 100644
index 0000000..07cc349
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/variables.dns.tf
@@ -0,0 +1,11 @@
+variable "dns_zone_description_prefix" {
+ description = "Zone description with the org-project-program-environment"
+ type = string
+ default = ""
+}
+
+variable "dns_zone_create" {
+ description = "Flag determing to create (true) or associate (false) the main forward zone. Used for the same VPC domain name across different regions or VPCs"
+ type = bool
+ default = true
+}
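Review bot: The `dns_zone_create` description has a typo (`determing`) and does not say what the false branch actually does for the operator reading `terraform plan`; in zones.tf of this change, false currently creates nothing and leaves the forward-zone outputs null. Suggest `description = "Create the main forward zone in this directory (true) or treat it as already existing elsewhere and only associate it (false); use false when the same VPC domain name already has a zone in another region or VPC"`, and keep it in step with whatever the false path ends up doing in zones.tf.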
diff --git a/examples/vpc-region-shared-setup/apps/dns/variables.route53.tf b/examples/vpc-region-shared-setup/apps/dns/variables.route53.tf
new file mode 100644
index 0000000..140e7f2
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/variables.route53.tf
@@ -0,0 +1,16 @@
+variable "route53_endpoints" {
+ description = "Map of target route53 endpoints (for inbound) central VPCs"
+ type = map(map(string))
+ default = {
+ route53_main = {
+ "account_id" = "057405694017"
+ "us-gov-east-1" = "vpc-0871ba8a6040d623a"
+ "us-gov-west-1" = "vpc-0f03ea065333f72c5"
+ }
+ route53_main_legacy = {
+ "account_id" = "107742151971"
+ "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+ "us-gov-west-1" = "vpc-77877a12"
+ }
+ }
+}
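Review bot: `account_id` from each entry is interpolated straight into the `assume_role` ARN in associate-route53-endpoints.tf, and the `map(map(string))` type accepts any string, so a typo or a mis-merged override silently points Terraform at a different account's role. A validation block that requires a 12-digit `account_id` per entry (below) fails the plan at variable evaluation instead; a similar check on the `vpc-` prefix of the region keys is cheap too. The README added in this change documents `main_dns_profile` and `main_dns_vpcs` rather than `route53_endpoints`, so it appears stale or generated from a different revision and should be regenerated. Whether real account and VPC IDs belong in an example's defaults is a policy question for the repo; at minimum the description should say these are the central DNS accounts and that overriding them changes which account Terraform assumes a role in.
```hcl
variable "route53_endpoints" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for name, ep in var.route53_endpoints :
      can(regex("^[0-9]{12}$", lookup(ep, "account_id", "")))
    ])
    error_message = "Every route53_endpoints entry needs a 12-digit account_id; it is interpolated into the r-inf-terraform-route53 role ARN that Terraform assumes in that account."
  }
}
```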
diff --git a/examples/vpc-region-shared-setup/apps/dns/variables.username.tf b/examples/vpc-region-shared-setup/apps/dns/variables.username.tf
new file mode 100644
index 0000000..46f8f47
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/variables.username.tf
@@ -0,0 +1,5 @@
+variable "os_username" {
+ description = "OS username from environment variable, ideally as $USER"
+ type = string
+ default = null
+}
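Review bot: `os_username` defaults to null, yet it is the only input to `session_name` on the cross-account `assume_role` blocks in associate-route53-endpoints.tf, so a run without `TF_VAR_os_username` set produces role sessions in the central DNS accounts with no operator identity in CloudTrail. Remove the default so Terraform refuses to plan without it, or add a `validation` block whose condition is `var.os_username != null && length(var.os_username) > 0` with an error_message saying the value becomes the assume-role session name recorded in CloudTrail. The description should also note that `$USER` is self-reported and is an audit label, not an authenticated identity.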
diff --git a/examples/vpc-region-shared-setup/apps/dns/versions.tf b/examples/vpc-region-shared-setup/apps/dns/versions.tf
new file mode 100644
index 0000000..c791e91
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ }
+}
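Review bot: `version = ">= 4.0"` for hashicorp/aws has no upper bound, so a fresh `terraform init` of this example picks up whichever major release is current, including a later major that may remove arguments the zone and association resources here rely on. A pessimistic constraint such as `version = "~> 4.0"`, together with a committed `.terraform.lock.hcl`, keeps the provider the example was written and tested against. The flowlogs-transit-gateway README in this same change declares `>= 3.66.0` for aws, so whatever floor is chosen should be consistent across the repo's examples and modules.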
diff --git a/examples/vpc-region-shared-setup/apps/dns/zones.tf b/examples/vpc-region-shared-setup/apps/dns/zones.tf
new file mode 100644
index 0000000..09b4df6
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/zones.tf
@@ -0,0 +1,118 @@
+locals {
+ # calculate set of /24 blocks for PTR subnets from cidr bock size
+ vpc_cidr_block = local.vpc_info["vpc_cidr_block"]
+ bits = tonumber(split("/", local.vpc_cidr_block)[1])
+ split_bits = 24 - local.bits
+ _ptr_zones = local.split_bits > 0 ? { for x in range(0, pow(2, local.split_bits)) : x => cidrsubnet(local.vpc_cidr_block, local.split_bits, x) } : {}
+ ptr_zones = { for x, s in local._ptr_zones : s => {
+ index = x
+ cidr = s
+ octets = split(".", split("/", s)[0])
+ bits = tonumber(split("/", s)[1])
+ ptr_zone = format("%v.in-addr.arpa", join(".", reverse(slice(split(".", split("/", s)[0]), 0, 3))))
+ }
+ }
+
+ zone_description = var.dns_zone_description_prefix == "" ? var.dns_zone_description_prefix : format("%v ", var.dns_zone_description_prefix)
+}
+
+#---
+# domain (forward) zone
+# need to pull this ando ther forward zones up to vpc/apps/dns
+#---
+data "aws_route53_zone" "domain_zone" {
+ # provider = aws.east
+ # count = var.dns_zone_create ? 0 : 1
+ count = var.dns_zone_create ? 0 : 0
+ name = local.domain_name
+ private_zone = true
+}
+
+resource "aws_route53_zone" "domain_zone" {
+ count = var.dns_zone_create ? 1 : 0
+ name = local.domain_name
+ comment = format("%vDNS Forward Zone %v", local.zone_description, local.domain_name)
+ force_destroy = false
+
+ vpc {
+ vpc_id = local.vpc_id
+ vpc_region = local.region
+ }
+
+ lifecycle {
+ ignore_changes = [vpc]
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ tomap({ "Name" = local.domain_name }),
+ )
+}
+
+output "domain_zone_id" {
+ description = "DNS Zone ID"
+ # value = aws_route53_zone.domain_zone[0].zone_id
+ # value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : data.aws_route53_zone.domain_zone[0].zone_id
+ value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : null
+}
+
+output "domain_zone_ns" {
+ description = "DNS Zone Nameservers"
+ # value = aws_route53_zone.domain_zone[0].name_servers
+ # value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].name_servers : data.aws_route53_zone.domain_zone[0].name_servers
+ value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].name_servers : null
+}
+
+#---
+# ptr (reverse) zones
+#---
+resource "aws_route53_zone" "ptr_zone" {
+ for_each = local.ptr_zones
+
+ name = each.value.ptr_zone
+ comment = format("%vDNS PTR Zone %v (%v)", local.zone_description, each.value.ptr_zone, each.value.cidr)
+ force_destroy = false
+
+ vpc {
+ vpc_id = local.vpc_id
+ vpc_region = local.region
+ }
+
+ lifecycle {
+ ignore_changes = [vpc]
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ tomap({ "Name" = each.value.ptr_zone }),
+ )
+}
+
+output "ptr_zone_id" {
+ description = "DNS PTR Zone IDs"
+ value = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].zone_id }
+}
+
+output "ptr_zone_ns" {
+ description = "DNS PTR Zone Nameservers"
+ value = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].name_servers }
+}
+
+output "ptr_zone_info" {
+ description = "DNS PTR Zone Info"
+ value = { for x, s in local.ptr_zones : x => {
+ cidr = s.cidr
+ ptr_zone = s.ptr_zone
+ zone_id = aws_route53_zone.ptr_zone[x].zone_id
+ name_servers = aws_route53_zone.ptr_zone[x].name_servers
+ } }
+}
+
+output "all_zones" {
+ description = "DNS zone list"
+ value = flatten(concat([local.domain_name], [for x, s in local.ptr_zones : s.ptr_zone]))
+}
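Review bot: The `data "aws_route53_zone" "domain_zone"` lookup can never be instantiated because its count is `var.dns_zone_create ? 0 : 0`, so when `dns_zone_create = false` (the value this change sets in variables.dns.auto.tfvars) `domain_zone_id` and `domain_zone_ns` are null and `local.route53_zone_ids` in associate-route53-endpoints.tf silently drops the forward zone, leaving only the PTR zones associated with the central resolver endpoints. The commented-out lines show the intended version: restore `count = var.dns_zone_create ? 0 : 1`, `value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : data.aws_route53_zone.domain_zone[0].zone_id` and the matching `name_servers` expression. If the lookup was disabled because the existing private zone lives in another account and is not visible from this one, say so in a comment and make the associate path fail loudly rather than associate a partial list. Separately, `split_bits = 24 - local.bits` yields `2^split_bits` PTR zones, so a VPC larger than about /16 would create hundreds of hosted zones; a `precondition` or comment bounding the supported prefix length would prevent a surprise on an unusually large CIDR.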
diff --git a/flowlogs-transit-gateway/README.md b/flowlogs-transit-gateway/README.md
index 035cc68..f83b7d9 100644
--- a/flowlogs-transit-gateway/README.md
+++ b/flowlogs-transit-gateway/README.md
@@ -43,6 +43,7 @@ module "flowlogs-transit-gateway" {
| [terraform](#requirement\_terraform) | >= 0.13 |
| [aws](#requirement\_aws) | >= 3.66.0 |
| [ldap](#requirement\_ldap) | >= 0.5.4 |
+| [local](#requirement\_local) | >= 1.0.0 |
| [null](#requirement\_null) | >= 3.0 |
| [random](#requirement\_random) | >= 3.0 |
| [template](#requirement\_template) | >= 2.0 |
@@ -52,7 +53,7 @@ module "flowlogs-transit-gateway" {
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.66.0 |
-| [local](#provider\_local) | n/a |
+| [local](#provider\_local) | >= 1.0.0 |
| [null](#provider\_null) | >= 3.0 |
| [template](#provider\_template) | >= 2.0 |
@@ -85,7 +86,7 @@ No modules.
| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
| [enable\_kinesis](#input\_enable\_kinesis) | Flag to enable AWS Kinesis streams for flow logs | `bool` | `true` | no |
| [flowlog\_bucket\_arn](#input\_flowlog\_bucket\_arn) | S3 Bucket to hold the VPC flowlogs | `string` | n/a | yes |
-| [flowlog\_role\_arn](#input\_flowlog\_role\_arn) | IAM Role with proper permissions to allow writing VPC flowlogs to cloudwatch logs and streamss | `string` | n/a | yes |
+| [flowlog\_role\_arn](#input\_flowlog\_role\_arn) | IAM Role with proper permissions to allow writing VPC flowlogs to cloudwatch logs and streamss | `string` | `null` | no |
| [label](#input\_label) | Text label associated with the Transit Gateway | `string` | n/a | yes |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/flowlogs-transit-gateway/variables.tf b/flowlogs-transit-gateway/variables.tf
index be2a3f7..e5834f4 100644
--- a/flowlogs-transit-gateway/variables.tf
+++ b/flowlogs-transit-gateway/variables.tf
@@ -6,6 +6,7 @@ variable "flowlog_bucket_arn" {
variable "flowlog_role_arn" {
description = "IAM Role with proper permissions to allow writing VPC flowlogs to cloudwatch logs and streamss"
type = string
+ default = null
}
variable "transit_gateway_id" {
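Review bot: `flowlog_role_arn` now defaults to null, but its description still says it is the role for writing to CloudWatch Logs and streams (with the `streamss` typo) and never states when it may be omitted; the changelog entry in this change calls the variable `iam_role_arn`, which matches nothing in the module. Suggest `description = "IAM role ARN that lets the flow log write to CloudWatch Logs / Kinesis; required for those destinations, leave null when the flow log is delivered only to the S3 bucket in flowlog_bucket_arn"` — the S3-only behaviour is taken from the changelog text, as the resource using this value is not in this diff. Since `enable_kinesis` defaults to true per the README hunk, it is worth confirming that the resource consuming this role tolerates a null ARN on that default path rather than failing at apply. The `variable "transit_gateway_id"` block starts at the end of this hunk and is not visible.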