update

examples/vpc-region-shared-setup/.gitignore

@@ -0,0 +1 @@
+vpn-configs

examples/vpc-region-shared-setup/.tf-control

@@ -0,0 +1,4 @@
+#TFCOMMAND="terraform_0.13.7"
+#TFCOMMAND="terraform_0.14.11"
+TFCOMMAND="terraform_latest"
+## TF_CLI_CONFIG_FILE=$HOME/.tf-control.tfrc

examples/vpc-region-shared-setup/.tf-control.tfrc

@@ -0,0 +1,23 @@
+# https://www.terraform.io/docs/cli/config/config-file.html
+
+plugin_cache_dir   = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+#  filesystem_mirror {
+#    path    = "/apps/terraform/terraform.d/providers"
+#    include = [ "*/*/*" ]
+#  }
+  filesystem_mirror {
+    path    = "/data/terraform/terraform.d/providers"
+    include = [ "*/*/*" ]
+  }
+#  filesystem_mirror {
+#    path    = "/apps/terraform/terraform.d/providers"
+#    include = [ "external.terraform.census.gov/*/*" ]
+#  }
+  direct {
+    include = [ "*/*/*" ]
+  }
+}
+

examples/vpc-region-shared-setup/README.md

@@ -0,0 +1,64 @@
+# About
+
+This code is used to setup the basic constructs for a shared VPC to a different account. This belongs in the _shared to_ account.
+
+First, the subnets and other resources must be shared to this account.  Next, the tags on the resources must be setup, with
+a configuration in `vpc/{region}/shared-setup`.
+
+Finally, drop the code from `aws-vpc-setup/examples/vpc-region-shared-setup` into the `vpc/{region}/vpc{N}/` directory
+and execute `tf-run apply`.
+
+Shared VPCs do not grant visibility into resources deployed in any other account where there shared VPC exists, including
+the source (in our case, the network-prod account).  Security Groups are not shared among VPCs, so they must be created in
+each account.
+
+We have a minimal `vpc.tf` that does the following:
+
+* sets up subnet tags (in progress), in _this_ account and VPC only, primarily for EKS tagging requirements
+* reads the VPC information and uses the outputs `vpc_id` and `vpc_info`, used 
+* creates the `sg_web` security group and related outputs
+* creates the base security groups (it-linux-base, it-windows-base, ois-scanning) and related outputs
+
+You will not be able to do the following in this account, because it is using shared VPCs:
+
+* create a VPC
+* create a subnet
+* create a VPC endpoint (maybe -- central endpoints is in progress)
+
+## Setup
+
+Once you have copied the files from the example directory, you will need two files from the shared VPC:
+
+* variables.subnets.auto.tfvars
+* variables.vpc.auto.tfvars
+
+These provide enough settings to populate the directory so that subdirectories of the VPC are able to use
+the remote state capabilities to discover specific data.
+
+Subnets and IDs are not output, so any use of a subnet for selection (say, in an LB target group) will need to use
+the `data aws_subnets` resource with the appropriate filters.
+
+The `variables.vpc.auto.tfvars` needs to be reduced to small number of settings.  It is recommended to follow
+these steps
+
+```script
+cp SOURCE/variables.vpc.auto.tfvars variables.vpc.auto.tfvars-from-shared
+grep -E "^(shared_vpc_label|vpc_name|vpc_cidr_block|vpc_index|vpc_short_name|vpc_full_name|vpc_environment|vpc_domain_name|vpc_dns_servers|vpc_ntp_servers|tgw_environment) *=" \
+  variables.vpc.auto.tfvars-from-shared > variables.vpc.auto.tfvars
+```
+
+This is the set of variable values to be defined (from the shared vpc).
+
+```hcl
+shared_vpc_label = ""
+vpc_name         = ""
+vpc_cidr_block   = ""
+vpc_index        = null
+vpc_short_name   = ""
+vpc_full_name    = ""
+vpc_environment  = ""
+vpc_domain_name  = ""
+vpc_dns_servers  = []
+vpc_ntp_servers  = []
+tgw_environment  = ""
+```

examples/vpc-region-shared-setup/apps/.terraform-docs.yml

@@ -0,0 +1,44 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+##  hide: []
+  show: 
+    - data-sources
+    - header
+    - footer
+    - inputs
+    - modules
+    - outputs
+    - providers
+    - requirements
+    - resources
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+## output-values:
+##   enabled: false
+##   from: ""
+## 
+## sort:
+##   enabled: true
+##   by: name
+## 
+## settings:
+##   anchor: true
+##   color: true
+##   default: true
+##   description: false
+##   escape: true
+##   indent: 2
+##   required: true
+##   sensitive: true
+##   type: true

examples/vpc-region-shared-setup/apps/.tf-control

@@ -0,0 +1,4 @@
+#TFCOMMAND="terraform_0.13.7"
+#TFCOMMAND="terraform_0.14.11"
+TFCOMMAND="terraform_latest"
+## TF_CLI_CONFIG_FILE=$HOME/.tf-control.tfrc

examples/vpc-region-shared-setup/apps/.tf-control.tfrc

@@ -0,0 +1,23 @@
+# https://www.terraform.io/docs/cli/config/config-file.html
+
+plugin_cache_dir   = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+#  filesystem_mirror {
+#    path    = "/apps/terraform/terraform.d/providers"
+#    include = [ "*/*/*" ]
+#  }
+  filesystem_mirror {
+    path    = "/data/terraform/terraform.d/providers"
+    include = [ "*/*/*" ]
+  }
+#  filesystem_mirror {
+#    path    = "/apps/terraform/terraform.d/providers"
+#    include = [ "external.terraform.census.gov/*/*" ]
+#  }
+  direct {
+    include = [ "*/*/*" ]
+  }
+}
+

examples/vpc-region-shared-setup/apps/dns/.terraform-docs.yml

@@ -0,0 +1,44 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+##  hide: []
+  show: 
+    - data-sources
+    - header
+    - footer
+    - inputs
+    - modules
+    - outputs
+    - providers
+    - requirements
+    - resources
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+## output-values:
+##   enabled: false
+##   from: ""
+## 
+## sort:
+##   enabled: true
+##   by: name
+## 
+## settings:
+##   anchor: true
+##   color: true
+##   default: true
+##   description: false
+##   escape: true
+##   indent: 2
+##   required: true
+##   sensitive: true
+##   type: true

examples/vpc-region-shared-setup/apps/region.tf

@@ -0,0 +1,3 @@
+locals {
+  region = var.region
+}

examples/vpc-region-shared-setup/apps/tf-run.data

@@ -0,0 +1,7 @@
+VERSION 1.0.0
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+ALL
+COMMAND tf-directory-setup.py -l s3

examples/vpc-region-shared-setup/apps/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0"
+    }
+    infoblox = {
+      source  = "infobloxopen/infoblox"
+      version = ">= 2.1.0"
+    }
+  }
+}

examples/vpc-region-shared-setup/data.tf

@@ -0,0 +1,9 @@
+data "aws_availability_zones" "zones" {
+  state = "available"
+}
+
+data "aws_availability_zone" "zone" {
+  for_each = toset(data.aws_availability_zones.zones.names)
+  state    = "available"
+  name     = each.key
+}

examples/vpc-region-shared-setup/data.vpc.tf

@@ -0,0 +1,30 @@
+data "aws_vpcs" "vpcs" {
+  filter {
+    name   = "tag:Name"
+    values = [var.vpc_full_name]
+  }
+}
+
+data "aws_vpc" "vpc" {
+  id = coalesce(data.aws_vpcs.vpcs.ids[0], null)
+}
+
+data "aws_subnets" "subnets" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.vpc.id]
+  }
+}
+
+data "aws_subnet" "subnet" {
+  for_each = toset(data.aws_subnets.subnets.ids)
+  id       = each.key
+}
+
+data "aws_vpc_dhcp_options" "dhcp_options" {
+  dhcp_options_id = data.aws_vpc.vpc.dhcp_options_id
+}
+
+locals {
+  vpc_id = data.aws_vpc.vpc.id
+}

examples/vpc-region-shared-setup/outputs.tf

@@ -0,0 +1,59 @@
+output "vpc_id" {
+  description = "VPC ID"
+  value       = data.aws_vpc.vpc.id
+}
+
+## output "vpc_arn" {
+##   description = "VPC ARN"
+##   value       = data.aws_vpc.vpc.arn
+## }
+
+output "vpc_info" {
+  description = "VPC info"
+  value = {
+    vpc_id         = data.aws_vpc.vpc.id
+    vpc_cidr_block = data.aws_vpc.vpc.cidr_block
+    vpc_arn        = data.aws_vpc.vpc.arn
+    vpc_name       = var.vpc_name
+    vpc_short_name = var.vpc_short_name
+    #    vpc_short_name  = split("-", var.vpc_full_name)[0]
+    vpc_full_name     = var.vpc_full_name
+    "vpc_environment" = var.vpc_environment
+    #    vpc_environment = data.aws_vpc.vpc.tags["Environment"]
+    owner_id = data.aws_vpc.vpc.owner_id
+    #    vpc_domain_name               = var.vpc_domain_name
+    vpc_domain_name = data.aws_vpc_dhcp_options.dhcp_options.domain_name
+    #    _raw = data.aws_vpc.vpc
+    "vpc_dns_servers" = var.vpc_dns_servers
+    ## these really are not used by anything
+    #    "s3_endpoint_id"                = null
+    #    "dynamodb_endpoint_id"          = null
+    #    "s3_endpoint_cidr_blocks"       = null
+    #    "dynamodb_endpoint_cidr_blocks" = null
+  }
+}
+
+## locals {
+##   shared_private_subnet_info = [for k, v in data.aws_subnet.subnet : {
+##     id                = v.id
+##     arn               = v.arn
+##     availability_zone = v.availability_zone
+##     owner_id          = v.owner_id
+##     cidr_block        = v.cidr_block
+##     subnet            = v.cidr_block
+##     label             = replace(v.tags["Name"], format("%v-", var.vpc_full_name), "")
+##     tags              = v.tags
+##     #    _raw              = v
+##   }]
+## }
+## 
+## 
+## output "shared_private_subnet_info" {
+##   description = "Details from shared VPC subnets"
+##   value       = local.shared_private_subnet_info
+## }
+
+output "security_groups" {
+  description = "Security Group map(object{name, id, arn})"
+  value       = module.base-security-groups.security_groups
+}

examples/vpc-region-shared-setup/region.tf

@@ -0,0 +1,4 @@
+locals {
+  region = var.region
+}
+

examples/vpc-region-shared-setup/sg-web.tf

@@ -0,0 +1,16 @@
+module "sg_web" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web?ref=tf-upgrade"
+  vpc_id = local.vpc_id
+
+  tags = merge(
+    local.tags,
+    local.common_tags,
+    var.account_tags,
+    var.application_tags,
+  )
+}
+
+output "sg_web_id" {
+  description = "Common Web security group"
+  value       = module.sg_web.this_security_group_id
+}

examples/vpc-region-shared-setup/tf-run.data

@@ -0,0 +1,20 @@
+VERSION 1.3.1
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINKTOP common/remote_state.common.tf
+LINKTOP infrastructure/%%SHORT_REGION%%/remote_state.infrastructure_%%SHORT_REGION%%.tf
+
+# module.subnet_tags
+# module.sg_web module.base-security-groups
+
+ALL
+COMMAND tf-directory-setup.py -l s3

examples/vpc-region-shared-setup/variables.availability_zones.tf

@@ -0,0 +1,5 @@
+variable "availability_zones" {
+  description = "AWS Availability zones for subnet (default: all)"
+  type        = list(string)
+  default     = []
+}

examples/vpc-region-shared-setup/variables.subnets.auto.tfvars

@@ -0,0 +1,7 @@
+# variables.subnets.auto.tfvars
+
+# copy this file from the source (network-prod) shared vpc configuration
+# this is only needed if you have to add subnet tags to the subnets in this account, commonly only for EKS
+
+public_subnets  = []
+private_subnets = []