From 4663fa749a5eda9ec2ee8d525404b04a987db985 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 1 Jun 2021 14:43:31 -0400
Subject: [PATCH] add docs
---
 peer/README.md | 53 ++++++++---
 peer/main.tf | 53 ++++++++---
 peer/subnet-nacls.peers.tf.disabled | 79 ----------------
 peer/vpc-peers.tf.disabled | 137 ----------------------------
 4 files changed, 78 insertions(+), 244 deletions(-)
 delete mode 100644 peer/subnet-nacls.peers.tf.disabled
 delete mode 100644 peer/vpc-peers.tf.disabled
diff --git a/peer/README.md b/peer/README.md
index 0908aca..a6b11e7 100644
--- a/peer/README.md
+++ b/peer/README.md
@@ -3,24 +3,55 @@ This submodule creates a peering connection with a different VPC, and sets up appropriate network ACLs and routing between the two CIDR blocks. +You must pass the `providers` block to associate `aws.self` with your local AWS provider (whatever +its name or alias is) and `aws.peer` with the remote peer AWS provider name or alias. + +There are a lot of variables to pass. Most of them are for labeling. You can explicitly pass +the `route_table_ids` and `network_acl_ids` for more control, but by default if you do not, it will +use the `vpc_id`, find the route tables for `*services*`, find the subnets associated with that/those +route tables, eliminate those with `public` in the name, and use that to find the network acl IDs. +For now, until we move to 0.13, this will only use the **first** found network acl ID to create the +appropriate network acl rules. + +This creates: +* peering in local and remote account + * requires `credentials.peers.tf` with appropriate profile and values +* accepts peering in both locations +* finds or uses route table IDs to add routes + * local CIDR in peer route tables + * peer CIDR in local route tables +* finds or uses network acl IDs to add rules + * local all in, all out to peer CIDR + * peer all in, all out to local CIDR + +It uses the `vpc_index` as an offset (-1) from the `rule_number` and `peer_rule_number`. For example, +for `vpc_index=2` (aka, vpc2), the rule number in the NACL rule at `rule_number + 1`. + +`peer_tags`, if not passed will default to `tags`. + +`vpc_cidr_block` and `peer_vpc_cidr_block` are retrieved from the VPC itself, so it too is optional. 
+ # Usage ```hcl module "peer_services" { source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer" + providers = { + aws.self = aws + aws.peer = aws.us-gov-east-1 + } # self vpc_id = module.vpc.vpc_id vpc_name = var.vpc_name - vpc_cidr_block = var.vpc_cidr_block + # vpc_cidr_block = var.vpc_cidr_block vpc_index = var.vpc_index vpc_short_name = var.vpc_short_name vpc_full_name = var.vpc_full_name - vpc_environment = var.vpc_environment - route_table_ids = [ "rtb-12345678" ] - network_acl_ids = [ "nacl-12345678" ] + # route_table_ids = [ "rtb-12345678" ] + # network_acl_ids = [ "nacl-12345678" ] rule_number = 2500 - rule_increment = 1 + # rule_increment = 1 tags = {} # peer @@ -31,17 +62,11 @@ module "peer_services" { peer_vpc_index = var.peer_vpc_index peer_vpc_short_name = var.peer_vpc_short_name # peer_vpc_full_name = var.peer_vpc_full_name - # peer_vpc_environment = var.peer_vpc_environment # peer_tags = {} - peer_route_table_ids = [ "rtb-87654321" ] - peer_network_acl_ids = [ "nacl-87654321" ] + # peer_route_table_ids = [ "rtb-87654321" ] + # peer_network_acl_ids = [ "nacl-87654321" ] peer_rule_number = 2500 - peer_rule_increment = 1 - - providers = { - aws.self = aws - aws.peer = aws.us-gov-east-1 - } + # peer_rule_increment = 1 } ``` diff --git a/peer/main.tf b/peer/main.tf index eccebc5..d9a9106 100644 --- a/peer/main.tf +++ b/peer/main.tf 
@@ -3,25 +3,56 @@ * * This submodule creates a peering connection with a different VPC, and sets up appropriate network * ACLs and routing between the two CIDR blocks. +* +* You must pass the `providers` block to associate `aws.self` with your local AWS provider (whatever +* its name or alias is) and `aws.peer` with the remote peer AWS provider name or alias. +* +* There are a lot of variables to pass. Most of them are for labeling. You can explicitly pass +* the `route_table_ids` and `network_acl_ids` for more control, but by default if you do not, it will +* use the `vpc_id`, find the route tables for `*services*`, find the subnets associated with that/those +* route tables, eliminate those with `public` in the name, and use that to find the network acl IDs. +* For now, until we move to 0.13, this will only use the **first** found network acl ID to create the +* appropriate network acl rules. +* +* This creates: +* * peering in local and remote account +* * requires `credentials.peers.tf` with appropriate profile and values +* * accepts peering in both locations +* * finds or uses route table IDs to add routes +* * local CIDR in peer route tables +* * peer CIDR in local route tables +* * finds or uses network acl IDs to add rules +* * local all in, all out to peer CIDR +* * peer all in, all out to local CIDR +* +* It uses the `vpc_index` as an offset (-1) from the `rule_number` and `peer_rule_number`. For example, +* for `vpc_index=2` (aka, vpc2), the rule number in the NACL rule at `rule_number + 1`. +* +* `peer_tags`, if not passed will default to `tags`. +* +* `vpc_cidr_block` and `peer_vpc_cidr_block` are retrieved from the VPC itself, so it too is optional. 
* * # Usage * * ```hcl * module "peer_services" { * source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer" +* providers = { +* aws.self = aws +* aws.peer = aws.us-gov-east-1 +* } * * # self * vpc_id = module.vpc.vpc_id * vpc_name = var.vpc_name -* vpc_cidr_block = var.vpc_cidr_block +* # vpc_cidr_block = var.vpc_cidr_block * vpc_index = var.vpc_index * vpc_short_name = var.vpc_short_name * vpc_full_name = var.vpc_full_name -* vpc_environment = var.vpc_environment -* route_table_ids = [ "rtb-12345678" ] -* network_acl_ids = [ "nacl-12345678" ] +* # route_table_ids = [ "rtb-12345678" ] +* # network_acl_ids = [ "nacl-12345678" ] * rule_number = 2500 -* rule_increment = 1 +* # rule_increment = 1 * tags = {} * * # peer @@ -32,17 +63,11 @@ * peer_vpc_index = var.peer_vpc_index * peer_vpc_short_name = var.peer_vpc_short_name * # peer_vpc_full_name = var.peer_vpc_full_name -* # peer_vpc_environment = var.peer_vpc_environment * # peer_tags = {} -* peer_route_table_ids = [ "rtb-87654321" ] -* peer_network_acl_ids = [ "nacl-87654321" ] +* # peer_route_table_ids = [ "rtb-87654321" ] +* # peer_network_acl_ids = [ "nacl-87654321" ] * peer_rule_number = 2500 -* peer_rule_increment = 1 -* -* providers = { -* aws.self = aws -* aws.peer = aws.us-gov-east-1 -* } +* # peer_rule_increment = 1 * } * ``` */ diff --git a/peer/subnet-nacls.peers.tf.disabled b/peer/subnet-nacls.peers.tf.disabled deleted file mode 100644 index acd4fe2..0000000 --- a/peer/subnet-nacls.peers.tf.disabled +++ /dev/null 
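Review bot: The new header comment describes the NACL rules only as `local all in, all out to peer CIDR` / `peer all in, all out to local CIDR`, which hides that these are allow rules for every protocol and port, so a reader choosing `rule_number` cannot tell how they order against any deny rules in the same NACL; I'd add `* The NACL rules added are allow rules for all protocols and ports; pick rule_number so they sit after any deny rules that must take precedence, and rely on security groups for finer restrictions.` The bullet `requires credentials.peers.tf with appropriate profile and values` does not say what that file may contain, and a sentence stating that it should reference a named AWS profile or role rather than embed access keys, and whether it is expected to stay out of version control, would help (I cannot tell from this hunk what the module reads from it). The sentence about using only the **first** found network acl ID reads as an implementation note but is a real limitation: subnets behind any other discovered NACL get no rule and peer traffic to them is likely to be dropped, which is worth stating explicitly. The example `the rule number in the NACL rule at rule_number + 1` is missing a verb (`is at`). The same text is added in the README.md hunk above, where the same wording applies.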
@@ -1,79 +0,0 @@
-# no peer1 on vpc1
-
-# peer1: vpc1 = 2000, vpc2 = 2001, ...
-# peer2: vpc1 = 2100, vpc2 = 2101, ...
-
-locals {
- nacl_id_me = [aws_network_acl.private.id]
-
- peer2_start = 2100
- nacl_id_peer2 = tolist(data.aws_network_acls.peer2.ids)
-}
-
-#---
-# peer2: local vpc[1,2,3,4,5] to govcloud-account-107742151971 vpc1-services
-#---
-# IN me->peer2
-resource "aws_network_acl_rule" "in_me_peer2" {
- provider = aws
- count = length(local.nacl_id_me)
- network_acl_id = aws_network_acl.private.id
- rule_number = local.peer2_start + (var.vpc_index - 1)
- egress = false
- protocol = "all"
- rule_action = "allow"
- from_port = 0
- to_port = 0
- cidr_block = local.cidr_block_peer2
-}
-
-# OUT me->peer2
-resource "aws_network_acl_rule" "out_me_peer2" {
- provider = aws
- count = length(local.nacl_id_me)
- network_acl_id = aws_network_acl.private.id
- rule_number = local.peer2_start + (var.vpc_index - 1)
- egress = true
- protocol = "all"
- rule_action = "allow"
- from_port = 0
- to_port = 0
- cidr_block = local.cidr_block_peer2
-}
-
-data "aws_network_acls" "peer2" {
- provider = aws.peer2
- vpc_id = local.vpc_id_peer2
- filter {
- name = "tag:Name"
- values = ["*${var.vpc_tag_peer2}*private*", "*${var.vpc_tag_peer2}"]
- }
-}
-
-# IN peer2->me
-resource "aws_network_acl_rule" "in_peer2_me" {
- provider = aws.peer2
- count = length(local.nacl_id_peer2)
- network_acl_id = local.nacl_id_peer2[count.index]
- rule_number = local.peer2_start + (var.vpc_index - 1)
- egress = false
- protocol = "all"
- rule_action = "allow"
- from_port = 0
- to_port = 0
- cidr_block = local.cidr_block_me
-}
-
-# OUT peer2->me
-resource "aws_network_acl_rule" "out_peer2_me" {
- provider = aws.peer2
- count = length(local.nacl_id_peer2)
- network_acl_id = local.nacl_id_peer2[count.index]
- rule_number = local.peer2_start + (var.vpc_index - 1)
- egress = true
- protocol = "all"
- rule_action = "allow"
- from_port = 0
- to_port = 0
- cidr_block = local.cidr_block_me
-}
diff --git a/peer/vpc-peers.tf.disabled b/peer/vpc-peers.tf.disabled
deleted file mode 100644
index 36493c6..0000000
--- a/peer/vpc-peers.tf.disabled
+++ /dev/null
@@ -1,137 +0,0 @@
-# no peer1 on vpc1-shared
-#---
-# local account shared peer vpc peer1
-#---
-
-locals {
- vpc_id_me = aws_vpc.vpc.id
- cidr_block_me = var.vpc_cidr_block
- short_me = split(",", var.vpc_full_name)
- route_tables_me = tolist(data.aws_route_tables.me.ids)
-
- vpc_id_peer2 = var.vpc_peer2
- cidr_block_peer2 = data.aws_vpc.peer2.cidr_block
- # short_peer2 = [ "${var.account_id_peer2}_${var.vpc_peer2}" ]
- short_peer2 = ["${var.account_id_peer2}_${var.vpc_tag_peer2}"]
- route_tables_peer2 = tolist(data.aws_route_tables.peer2.ids)
- label_peer2 = format("vpcp-%s:%s", local.short_me[0], local.short_peer2[0])
-}
-
-#---
-# peer2
-#---
-data "aws_vpc" "peer2" {
- provider = aws.peer2
- id = local.vpc_id_peer2
-}
-
-#---
-# private route tables, local and peer
-#---
-data "aws_route_tables" "me" {
- provider = aws
- vpc_id = local.vpc_id_me
- filter {
- name = "tag:Name"
- values = ["*-private-*"]
- }
-}
-
-data "aws_route_tables" "peer2" {
- provider = aws.peer2
- vpc_id = local.vpc_id_peer2
- filter {
- name = "tag:Name"
- values = ["*${var.vpc_tag_peer2}*private*", "*${var.vpc_tag_peer2}"]
- }
-}
-
-resource "aws_vpc_peering_connection" "me_peer2" {
- provider = aws
- vpc_id = local.vpc_id_me
- peer_vpc_id = local.vpc_id_peer2
- peer_owner_id = var.account_id_peer2
- peer_region = var.region_peer2
- auto_accept = false
-
- # accepter {
- # allow_remote_vpc_dns_resolution = false
- # allow_classic_link_to_remote_vpc = false
- # allow_vpc_to_remote_classic_link = false
- # }
- # requester {
- # allow_remote_vpc_dns_resolution = false
- # allow_classic_link_to_remote_vpc = false
- # allow_vpc_to_remote_classic_link = false
- # }
-
- tags = merge(
- local.common_tags,
- map("Name", local.label_peer2),
- )
-}
-
-
-resource "aws_vpc_peering_connection_accepter" "me_peer2" {
- provider = aws.peer2
- vpc_peering_connection_id = aws_vpc_peering_connection.me_peer2.id
- auto_accept = true
- # depends_on = ["aws_vpc_peering_connection.me_peer2"]
-
- # accepter {
- # allow_remote_vpc_dns_resolution = false
- # allow_classic_link_to_remote_vpc = false
- # allow_vpc_to_remote_classic_link = false
- # }
- # requester {
- # allow_remote_vpc_dns_resolution = false
- # allow_classic_link_to_remote_vpc = false
- # allow_vpc_to_remote_classic_link = false
- # }
-
- # accepter {
- # allow_remote_vpc_dns_resolution = true
- # }
- # tags {
- # Name = "vpcp-do2cat-vpc3_do3ma1ew-vpc1"
- # Environment = "infrastructure"
- # CostAllocation = "csvd:inf"
- # Creator = "${var.tag_creator}"
- # }
- tags = merge(
- local.common_tags,
- map("Name", local.label_peer2),
- )
-}
-
-# local routes
-resource "aws_route" "me_peer2" {
- provider = aws
- count = length(data.aws_route_tables.me.ids)
- # route_table_id = data.aws_route_tables.me.ids[count.index]
- route_table_id = local.route_tables_me[count.index]
- destination_cidr_block = local.cidr_block_peer2
- vpc_peering_connection_id = aws_vpc_peering_connection.me_peer2.id
-}
-
-# peer routes
-resource "aws_route" "peer2_me" {
- provider = aws.peer2
- count = length(data.aws_route_tables.peer2.ids)
- # route_table_id = data.aws_route_tables.peer2.ids[count.index]
- route_table_id = local.route_tables_peer2[count.index]
- destination_cidr_block = local.cidr_block_me
- vpc_peering_connection_id = aws_vpc_peering_connection.me_peer2.id
-}
-
-# output "rt_me" {
-# value = data.aws_route_tables.me.ids
-# }
-# output "rt_peer1" {
-# value = data.aws_route_tables.peer1.ids
-# }
-#
-# output "rt_peer2" {
-# value = data.aws_route_tables.peer2.ids
-# }
-