From 4739ea119406a5609996c822ecec3973c20300ca Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 14 Feb 2025 08:31:24 -0500 Subject: [PATCH] * 2.11.4 -- 2025-02-14 - vpc-transit-gateway-association - add inspection as possible tgw_environment --- CHANGELOG.md | 8 + common/variables.common.vpc.tf | 2 +- common/version.tf | 2 +- routing/README.md | 2 +- routing/main.tf | 3 +- .../data/README.md | 137 ++++++++++++++++ .../data/variables.tf | 2 +- .../peer/README.md | 133 ++++++++++++++++ .../peer/variables.tf | 2 +- .../self/README.md | 149 ++++++++++++++++++ .../self/variables.tf | 2 +- 11 files changed, 435 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ca17d4..ff6e56e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -443,3 +443,11 @@ * 2.11.2 -- 2025-01-08 - vpc-interface-endpoint - add lab-gov-dmz-network-nonprod account to allowed list of central vpc endpoint accounts + +* 2.11.3 -- 2025-02-12 + - routing + - fix nat gateway for_each (for public stuff) + +* 2.11.4 -- 2025-02-14 + - vpc-transit-gateway-association + - add inspection as possible tgw_environment diff --git a/common/variables.common.vpc.tf b/common/variables.common.vpc.tf index 30643a3..1b92a47 100644 --- a/common/variables.common.vpc.tf +++ b/common/variables.common.vpc.tf @@ -26,7 +26,7 @@ variable "vpc_index" { } variable "vpc_environment" { - description = "VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod)" + description = "VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection)" type = string default = null } diff --git a/common/version.tf b/common/version.tf index be2df58..82c12f9 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,5 +1,5 @@ locals { - _module_version = "2.11.2" + _module_version = "2.11.4" _module_names = { "_main_" = "aws-vpc-setup" diff --git a/routing/README.md b/routing/README.md index 6534f65..985d8c7 100644 --- a/routing/README.md +++ b/routing/README.md 
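Review bot: The new `description` for `vpc_environment` in common/variables.common.vpc.tf misspells the added value as `inpection`, and because the module READMEs are generated from these descriptions the same typo is copied into routing/README.md, data/README.md and peer/README.md in this commit; the line should read `description = "VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inspection)"`. This variable also has no `validation` block, so unlike `transit_gateway_environment` the listed values are documentation only — a caller's tfvars typo is accepted silently and ends up in tags and naming. If the set of environments is meant to be closed, a `validation { condition = contains([...], var.vpc_environment) ... }` mirroring the one used for `transit_gateway_environment` would reject it at plan time; `default = null` would need to be allowed explicitly in that condition.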
@@ -204,7 +204,7 @@ No modules. | [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
tags = optional(map(string))
}))
| `[]` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | n/a | yes | -| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | +| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | | [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no | diff --git a/routing/main.tf b/routing/main.tf index 79b219a..d52b38f 100644 --- a/routing/main.tf +++ b/routing/main.tf @@ -120,7 +120,8 @@ locals { } resource "aws_nat_gateway" "nat" { - for_each = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : {} + # for_each = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : {} + for_each = var.enable_igw && var.enable_nat ? { for k, v in local.public_subnets_ids_az : v.availability_zone => v.id } : {} allocation_id = aws_eip.nat[each.key].id subnet_id = each.value # depends_on = [aws_internet_gateway.gateway] diff --git a/vpc-transit-gateway-association/data/README.md b/vpc-transit-gateway-association/data/README.md index a142854..1f27624 100644 --- a/vpc-transit-gateway-association/data/README.md +++ b/vpc-transit-gateway-association/data/README.md 
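Review bot: In routing/main.tf the replaced `for_each` expression is kept as a commented-out line directly above the new one; git history already records it, so drop `# for_each = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : {}` rather than leaving dead code that will drift from the live expression. The new comprehension `{ for k, v in local.public_subnets_ids_az : v.availability_zone => v.id }` keys NAT gateways by availability zone, so if `local.public_subnets_ids_az` ever holds two public subnets in the same AZ, Terraform rejects the plan with a duplicate object key error; if one NAT per AZ is the intended invariant, a one-line comment stating it, and that `aws_eip.nat` must be keyed by the same AZ strings for `aws_eip.nat[each.key]` to resolve, would make that coupling explicit (the EIP keying is not visible in this hunk). The `aws_nat_gateway.nat` resource body continues past the end of the hunk.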
@@ -130,3 +130,140 @@ No modules. | [prefix\_list\_id\_ipv4](#output\_prefix\_list\_id\_ipv4) | Managed prefix ID for IPv4 | | [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) | | [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) | + + +# About aws-vpc-setup :: vpc-transit-gateway-association/data + +This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three +section TGW setup, consisting of data (required,this), self, and peer (remote(s)). They do the following: + +* data + * gets transit gateway ID shared to this account and region + * gets transit gateway route tables +* self + * creates routes for the attachment subnets to the transit gatewway + * creates routes to all other things on the transit gateway through a network prefix + * attaches the VPC to the transit gateway + * propagates the route to the associated route tables for the envirornment/VRF + * services is propagated to all +* peer + * creates static routes for transit gateway route tables in a peer region + +# Usage + +```hcl +module "vpc_tgw_data" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=tf-upgrade" + providers = { + aws = aws + aws.network_account = aws.network_account + aws.self = aws.tgw_east + aws.peer = aws.tgw_west + } + + network_account_profile = var.network_account_profile + vpc_id = local.vpc_id + vpc_full_name = var.vpc_full_name + private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"] + private_route_table_ids = module.routing.private_route_table_ids + transit_gateway_environment = var.tgw_environment + transit_gateway_label = var.tgw_label + route_prefix_list_name = format("transit-gateway.%v", var.tgw_label) +} +``` + +## Requirements + +| Name | Version 
| +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [ldap](#requirement\_ldap) | >= 0.5.4 | +| [local](#requirement\_local) | >= 1.0.0 | +| [null](#requirement\_null) | >= 3.0 | +| [random](#requirement\_random) | >= 3.0 | +| [template](#requirement\_template) | >= 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 | +| [aws.peer](#provider\_aws.peer) | >= 3.66.0 | +| [aws.self](#provider\_aws.self) | >= 3.66.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source | +| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_ec2_managed_prefix_list.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_ec2_managed_prefix_list.tgw_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| 
[aws_ec2_managed_prefix_lists.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source | +| [aws_ec2_managed_prefix_lists.tgw_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source | +| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | +| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | +| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | +| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | +| [aws_ec2_transit_gateway_route_table.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source | +| [aws_ec2_transit_gateway_route_table.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source | +| [aws_ec2_transit_gateway_route_tables.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source | +| [aws_ec2_transit_gateway_route_tables.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source | +| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| 
[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | +| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no | +| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no | +| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no | +| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
}))
| `[]` | no | +| [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no | +| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes | +| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no | +| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | `null` | no | +| [vpc\_cidr\_blocks](#input\_vpc\_cidr\_blocks) | VPC CIDR Block List | `list(string)` | `[]` | no | +| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | +| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no | +| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no | +| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no | +| [vpn\_route\_prefix\_list\_name](#input\_vpn\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW through VPN. If null, existing VPN routing if any will be used. 
| `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list (3) | +| [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list (3) | +| [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list (3) | +| [availablity\_zone](#output\_availablity\_zone) | map of data resource aws\_availability\_zone from list of zone names | +| [data\_output](#output\_data\_output) | Map of data generated by this submodule need for the vpc-transit-gateway-association module | +| [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) | +| [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) | +| [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) | +| [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) | +| [prefix\_list\_id\_ipv4](#output\_prefix\_list\_id\_ipv4) | Managed prefix ID for IPv4 | +| [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) | +| [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) | + \ No newline at end of file diff --git a/vpc-transit-gateway-association/data/variables.tf b/vpc-transit-gateway-association/data/variables.tf index e107346..fbd783c 100644 --- a/vpc-transit-gateway-association/data/variables.tf +++ b/vpc-transit-gateway-association/data/variables.tf 
@@ -8,7 +8,7 @@ variable "transit_gateway_environment" { type = string validation { - condition = contains(["services", "dev", "test", "stage", "prod", "cre"], var.transit_gateway_environment) + condition = contains(["services", "dev", "test", "stage", "prod", "cre", "inspection"], var.transit_gateway_environment) error_message = "transit_gateway_environment value must be one of the valid VRF selections" } } diff --git a/vpc-transit-gateway-association/peer/README.md b/vpc-transit-gateway-association/peer/README.md index 27bf6e5..5b64375 100644 --- a/vpc-transit-gateway-association/peer/README.md +++ b/vpc-transit-gateway-association/peer/README.md 
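Review bot: The accepted-VRF list `["services", "dev", "test", "stage", "prod", "cre", "inspection"]` in data/variables.tf is maintained by hand in at least three places — this hunk, the identical hunk in vpc-transit-gateway-association/peer/variables.tf further down this patch, and per the diffstat vpc-transit-gateway-association/self/variables.tf (outside this chunk) — so the copies can drift the next time a VRF is added. Variable validation can reference locals only on recent Terraform releases, and the README declares a `>= 0.13` floor, so if the list cannot be shared yet, at least a comment naming the sibling copies belongs next to each `condition`. The `error_message` `"transit_gateway_environment value must be one of the valid VRF selections"` does not say what those selections are; `error_message = "transit_gateway_environment must be one of: services, dev, test, stage, prod, cre, inspection"` makes a rejected plan self-explanatory. Adding `inspection` also means any consumer of this module can now associate its VPC attachment with the inspection VRF's route tables; whether that is limited to the inspection VPC itself is not visible here, so if it should be, document the expectation beside the validation.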
@@ -128,3 +128,136 @@ No modules. | [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) | | [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) | | [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) | + + +# About aws-vpc-setup :: vpc-transit-gateway-association/peer + +This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three +section TGW setup, consisting of data (required), self , and peer (this) (remote(s)). They do the following: + +* data + * gets transit gateway ID shared to this account and region + * gets transit gateway route tables +* self + * creates routes for the attachment subnets to the transit gatewway + * creates routes to all other things on the transit gateway through a network prefix + * attaches the VPC to the transit gateway + * propagates the route to the associated route tables for the envirornment/VRF + * services is propagated to all +* peer + * creates static routes for transit gateway route tables in a peer region + +# Usage + +```hcl +module "vpc_tgw_peer" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/peer?ref=tf-upgrade" + providers = { + aws = aws + aws.network_account = aws.network_account + aws.self = aws.tgw_east + aws.peer = aws.tgw_west + } + + network_account_profile = var.network_account_profile + vpc_id = local.vpc_id + vpc_full_name = var.vpc_full_name + private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"] + private_route_table_ids = module.routing.private_route_table_ids + transit_gateway_environment = var.tgw_environment + transit_gateway_label = var.tgw_label + route_prefix_list_name = format("transit-gateway.%v", var.tgw_label) + 
data_input = module.vpc_tgw_data.data_output + + depends_on = [module.vpc_tgw_self] +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [ldap](#requirement\_ldap) | >= 0.5.4 | +| [local](#requirement\_local) | >= 1.0.0 | +| [null](#requirement\_null) | >= 3.0 | +| [random](#requirement\_random) | >= 3.0 | +| [template](#requirement\_template) | >= 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 | +| [aws.peer](#provider\_aws.peer) | >= 3.66.0 | +| [aws.self](#provider\_aws.self) | >= 3.66.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_ec2_transit_gateway_route.vpc_peer_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource | +| [aws_ec2_transit_gateway_route.vpc_peer_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource | +| [aws_ec2_transit_gateway_route.vpc_peer_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| 
[aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | +| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | +| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | +| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | +| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| [aws_iam_account_alias.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_region.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | +| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no | +| [create](#input\_create) | Flag to indicate whether to create the 
resources or not (default: true) | `bool` | `true` | no | +| [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no | +| [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no | +| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data |
object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
map_vpn_route_tables_self = map(any)
map_vpn_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
vpn_prefix_list_id_ipv4 = string
vpc_id = string
vpc_cidr_block = string
vpc_cidr_blocks = list(string)
})
| n/a | yes | +| [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list. This is used in the transition from per-VPC VPNs to TGW | `bool` | `true` | no | +| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no | +| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
}))
| `[]` | no | +| [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no | +| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes | +| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no | +| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | `null` | no | +| [vpc\_cidr\_blocks](#input\_vpc\_cidr\_blocks) | VPC CIDR Block List | `list(string)` | `[]` | no | +| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | +| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no | +| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no | +| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no | +| [vpn\_route\_prefix\_list\_name](#input\_vpn\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW through VPN. If null, existing VPN routing if any will be used. 
| `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) | +| [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) | +| [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) | +| [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) | +| [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) | +| [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) | + \ No newline at end of file diff --git a/vpc-transit-gateway-association/peer/variables.tf b/vpc-transit-gateway-association/peer/variables.tf index e107346..fbd783c 100644 --- a/vpc-transit-gateway-association/peer/variables.tf +++ b/vpc-transit-gateway-association/peer/variables.tf @@ -8,7 +8,7 @@ variable "transit_gateway_environment" { type = string validation { - condition = contains(["services", "dev", "test", "stage", "prod", "cre"], var.transit_gateway_environment) + condition = contains(["services", "dev", "test", "stage", "prod", "cre", "inspection"], var.transit_gateway_environment) error_message = "transit_gateway_environment value must be one of the valid VRF selections" } } diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md index e5b4084..aaad513 100644 --- a/vpc-transit-gateway-association/self/README.md +++ b/vpc-transit-gateway-association/self/README.md 
@@ -144,3 +144,152 @@ module "vpc_tgw_self" { | [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) | | [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) | | [vpc\_attachment\_id](#output\_vpc\_attachment\_id) | Transit Gateway VPC Attachment ID for this VPC | + + +# About aws-vpc-setup :: vpc-transit-gateway-association/self + +This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. This is part of a three +section TGW setup, consisting of data (required), self (this), and peer (remote(s)). They do the following: + +* data + * gets transit gateway ID shared to this account and region + * gets transit gateway route tables +* self + * creates routes for the attachment subnets to the transit gatewway + * creates routes to all other things on the transit gateway through a network prefix + * attaches the VPC to the transit gateway + * propagates the route to the associated route tables for the envirornment/VRF + * services is propagated to all +* peer + * creates static routes for transit gateway route tables in a peer region + +# Usage + +```hcl +# call once for self, once for each peer (if we have multiple regions for peers, change the peer to each region) +# note the self must be done before the peer +module "vpc_tgw_self" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/self?ref=tf-upgrade" + providers = { + aws = aws + aws.network_account = aws.network_account + aws.self = aws.tgw_east + aws.peer = aws.tgw_west + } + + network_account_profile = var.network_account_profile + vpc_id = local.vpc_id + vpc_full_name = var.vpc_full_name + private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"] + private_route_table_ids = module.routing.private_route_table_ids + 
transit_gateway_environment = var.tgw_environment + transit_gateway_label = var.tgw_label + route_prefix_list_name = format("transit-gateway.%v", var.tgw_label) + data_input = module.vpc_tgw_data.data_output +} +```` ` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [ldap](#requirement\_ldap) | >= 0.5.4 | +| [local](#requirement\_local) | >= 1.0.0 | +| [null](#requirement\_null) | >= 3.0 | +| [random](#requirement\_random) | >= 3.0 | +| [template](#requirement\_template) | >= 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 | +| [aws.peer](#provider\_aws.peer) | >= 3.66.0 | +| [aws.self](#provider\_aws.self) | >= 3.66.0 | +| [null](#provider\_null) | >= 3.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [routing\_attachment\_ipv4](#module\_routing\_attachment\_ipv4) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing | tf-upgrade | + +## Resources + +| Name | Type | +|------|------| +| [aws_ec2_tag.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource | +| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource | +| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_own_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource | +| 
[aws_ec2_transit_gateway_route_table_association.route_table_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | +| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource | +| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource | +| [aws_ec2_transit_gateway_route_table_propagation.vpn_vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource | +| [aws_ec2_transit_gateway_vpc_attachment.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource | +| [aws_route.gateway_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | +| [aws_route.gateway_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | +| [null_resource.vpc_attachment_exists](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| 
[aws_ec2_managed_prefix_list.tgw_crossregion_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_ec2_managed_prefix_lists.tgw_crossregion_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source | +| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | +| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | +| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | +| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | +| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| [aws_iam_account_alias.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_region.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no 
| +| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | +| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no | +| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no | +| [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no | +| [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no | +| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data |
object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
map_vpn_route_tables_self = map(any)
map_vpn_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
vpn_prefix_list_id_ipv4 = string
vpc_id = string
vpc_cidr_block = string
vpc_cidr_blocks = list(string)
})
| n/a | yes | +| [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list. This is used in the transition from per-VPC VPNs to TGW | `bool` | `true` | no | +| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no | +| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
}))
| `[]` | no | +| [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no | +| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes | +| [transit\_gateway\_environments](#input\_transit\_gateway\_environments) | Transit Gateway Environments possible. Pass a different list to use in the Lab or DMZ environment | `list(string)` | `[]` | no | +| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no | +| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | `null` | no | +| [vpc\_cidr\_blocks](#input\_vpc\_cidr\_blocks) | VPC CIDR Block List | `list(string)` | `[]` | no | +| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | +| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no | +| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no | +| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | 
`null` | no | +| [vpn\_route\_prefix\_list\_name](#input\_vpn\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW through VPN. If null, existing VPN routing if any will be used. | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) | +| [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) | +| [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) | +| [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) | +| [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) | +| [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) | +| [vpc\_attachment\_id](#output\_vpc\_attachment\_id) | Transit Gateway VPC Attachment ID for this VPC | + \ No newline at end of file diff --git a/vpc-transit-gateway-association/self/variables.tf b/vpc-transit-gateway-association/self/variables.tf index bb62bad..e84550d 100644 --- a/vpc-transit-gateway-association/self/variables.tf +++ b/vpc-transit-gateway-association/self/variables.tf @@ -8,7 +8,7 @@ variable "transit_gateway_environment" { type = string validation { - condition = contains(["services", "dev", "test", "stage", "prod", "cre"], var.transit_gateway_environment) + condition = contains(["services", "dev", "test", "stage", "prod", "cre", "inspection"], var.transit_gateway_environment) error_message = "transit_gateway_environment value must be one of the valid VRF selections" } }
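Review bot: Accepting `inspection` in this validation means any VPC that uses the self module can now request association with the inspection VRF's route table (the `aws_ec2_transit_gateway_route_table_association.route_table_self` resource listed in the README), and nothing in this hunk restricts that value to the account that actually hosts the inspection/firewall VPC; if the inspection route table is the one that steers traffic through the firewall, an arbitrary workload VPC landing in it could sit in the firewall's path or skip the per-environment tables, though main.tf is not shown here so this is inferred. Since the module already reads `aws_caller_identity.current` and `aws_caller_identity.network_account`, consider a `precondition` on the association resource (or a documented check in the calling root module) that rejects `inspection` unless the caller is the network account, and state that rule in the variable description, e.g. `description = "Transit Gateway Environment (VRF) for this VPC; inspection is reserved for the network/inspection account"`. The README in this commit also documents a `transit_gateway_environments` list input meant to override the possible environments for Lab/DMZ, and this hard-coded validation would reject any value from such an override that is not in the literal list; if that input is still used, the validation should be relaxed or the description should say which one wins. The enclosing `variable` block begins outside this hunk.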