From 67082a038797ccaf9816662477f3267f9bedfab6 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Fri, 7 Apr 2023 11:25:50 -0400 Subject: [PATCH] update --- examples/vpc-region-shared-setup/.gitignore | 1 + examples/vpc-region-shared-setup/.tf-control | 4 ++ .../vpc-region-shared-setup/.tf-control.tfrc | 23 +++++++ examples/vpc-region-shared-setup/README.md | 64 ++++++++++++++++++ .../apps/.terraform-docs.yml | 44 +++++++++++++ .../vpc-region-shared-setup/apps/.tf-control | 4 ++ .../apps/.tf-control.tfrc | 23 +++++++ .../apps/dns/.terraform-docs.yml | 44 +++++++++++++ .../vpc-region-shared-setup/apps/region.tf | 3 + .../vpc-region-shared-setup/apps/tf-run.data | 7 ++ .../vpc-region-shared-setup/apps/versions.tf | 12 ++++ examples/vpc-region-shared-setup/data.tf | 9 +++ examples/vpc-region-shared-setup/data.vpc.tf | 30 +++++++++ examples/vpc-region-shared-setup/outputs.tf | 59 +++++++++++++++++ examples/vpc-region-shared-setup/region.tf | 4 ++ examples/vpc-region-shared-setup/sg-web.tf | 16 +++++ examples/vpc-region-shared-setup/tf-run.data | 20 ++++++ .../variables.availability_zones.tf | 5 ++ .../variables.subnets.auto.tfvars | 7 ++ .../variables.subnets.tf | 31 +++++++++ .../variables.vpc.auto.tfvars | 19 ++++++ .../vpc-region-shared-setup/variables.vpc.tf | 50 ++++++++++++++ examples/vpc-region-shared-setup/versions.tf | 33 ++++++++++ .../vpc-region-shared-setup/vpc-endpoints.tf | 65 +++++++++++++++++++ examples/vpc-region-shared-setup/vpc.tf | 38 +++++++++++ 25 files changed, 615 insertions(+) create mode 100644 examples/vpc-region-shared-setup/.gitignore create mode 100644 examples/vpc-region-shared-setup/.tf-control create mode 100644 examples/vpc-region-shared-setup/.tf-control.tfrc create mode 100644 examples/vpc-region-shared-setup/README.md create mode 100644 examples/vpc-region-shared-setup/apps/.terraform-docs.yml create mode 100644 examples/vpc-region-shared-setup/apps/.tf-control create mode 100644 examples/vpc-region-shared-setup/apps/.tf-control.tfrc create mode 100644 
examples/vpc-region-shared-setup/apps/dns/.terraform-docs.yml create mode 100644 examples/vpc-region-shared-setup/apps/region.tf create mode 100644 examples/vpc-region-shared-setup/apps/tf-run.data create mode 100644 examples/vpc-region-shared-setup/apps/versions.tf create mode 100644 examples/vpc-region-shared-setup/data.tf create mode 100644 examples/vpc-region-shared-setup/data.vpc.tf create mode 100644 examples/vpc-region-shared-setup/outputs.tf create mode 100644 examples/vpc-region-shared-setup/region.tf create mode 100644 examples/vpc-region-shared-setup/sg-web.tf create mode 100644 examples/vpc-region-shared-setup/tf-run.data create mode 100644 examples/vpc-region-shared-setup/variables.availability_zones.tf create mode 100644 examples/vpc-region-shared-setup/variables.subnets.auto.tfvars create mode 100644 examples/vpc-region-shared-setup/variables.subnets.tf create mode 100644 examples/vpc-region-shared-setup/variables.vpc.auto.tfvars create mode 100644 examples/vpc-region-shared-setup/variables.vpc.tf create mode 100644 examples/vpc-region-shared-setup/versions.tf create mode 100644 examples/vpc-region-shared-setup/vpc-endpoints.tf create mode 100644 examples/vpc-region-shared-setup/vpc.tf diff --git a/examples/vpc-region-shared-setup/.gitignore b/examples/vpc-region-shared-setup/.gitignore new file mode 100644 index 0000000..efb4e2a --- /dev/null +++ b/examples/vpc-region-shared-setup/.gitignore @@ -0,0 +1 @@ +vpn-configs diff --git a/examples/vpc-region-shared-setup/.tf-control b/examples/vpc-region-shared-setup/.tf-control new file mode 100644 index 0000000..b304010 --- /dev/null +++ b/examples/vpc-region-shared-setup/.tf-control @@ -0,0 +1,4 @@ +#TFCOMMAND="terraform_0.13.7" +#TFCOMMAND="terraform_0.14.11" +TFCOMMAND="terraform_latest" +## TF_CLI_CONFIG_FILE=$HOME/.tf-control.tfrc diff --git a/examples/vpc-region-shared-setup/.tf-control.tfrc b/examples/vpc-region-shared-setup/.tf-control.tfrc new file mode 100644 index 0000000..d4b0b15 --- /dev/null 
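Review bot: `TFCOMMAND="terraform_latest"` in `.tf-control` selects a floating Terraform binary, so the version this directory is applied with changes whenever the wrapper's `latest` alias moves, and nothing in the directory records which version produced the state. The two commented lines above it show the file previously pinned an exact version (`terraform_0.14.11`); pin an explicit version string again and bump it deliberately, with a comment such as `# pinned: bump together with required_version in versions.tf`. The same floating alias is repeated in `apps/.tf-control` in this patch.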
+++ b/examples/vpc-region-shared-setup/.tf-control.tfrc
@@ -0,0 +1,23 @@
+# https://www.terraform.io/docs/cli/config/config-file.html
+
+plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "*/*/*" ]
+# }
+ filesystem_mirror {
+ path = "/data/terraform/terraform.d/providers"
+ include = [ "*/*/*" ]
+ }
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "external.terraform.census.gov/*/*" ]
+# }
+ direct {
+ include = [ "*/*/*" ]
+ }
+}
+
diff --git a/examples/vpc-region-shared-setup/README.md b/examples/vpc-region-shared-setup/README.md
new file mode 100644
index 0000000..4148239
--- /dev/null
+++ b/examples/vpc-region-shared-setup/README.md
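Review bot: The `direct { include = [ "*/*/*" ] }` block with no `exclude` means any provider that is absent from `/data/terraform/terraform.d/providers` is silently fetched from the public registry, so the filesystem mirror does not actually constrain where provider binaries come from. If the mirror is meant to be the only source, add `exclude = [ "*/*/*" ]` to the `direct` block (or remove the block); if registry fallback is intended, say so in a comment and make sure `.terraform.lock.hcl` is committed, since that lock file is the only thing that checks mirror contents against previously recorded hashes. The `plugin_cache_dir` and mirror paths are shared, writable locations as far as this file shows; whoever populates them can replace a provider for every user, so note the expected ownership in a comment.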
@@ -0,0 +1,64 @@ +# About + +This code is used to setup the basic constructs for a shared VPC to a different account. This belongs in the _shared to_ account. + +First, the subnets and other resources must be shared to this account. Next, the tags on the resources must be setup, with +a configuration in `vpc/{region}/shared-setup`. + +Finally, drop the code from `aws-vpc-setup/examples/vpc-region-shared-setup` into the `vpc/{region}/vpc{N}/` directory +and execute `tf-run apply`. + +Shared VPCs do not grant visibility into resources deployed in any other account where there shared VPC exists, including +the source (in our case, the network-prod account). Security Groups are not shared among VPCs, so they must be created in +each account. + +We have a minimal `vpc.tf` that does the following: + +* sets up subnet tags (in progress), in _this_ account and VPC only, primarily for EKS tagging requirements +* reads the VPC information and uses the outputs `vpc_id` and `vpc_info`, used +* creates the `sg_web` security group and related outputs +* creates the base security groups (it-linux-base, it-windows-base, ois-scanning) and related outputs + +You will not be able to do the following in this account, because it is using shared VPCs: + +* create a VPC +* create a subnet +* create a VPC endpoint (maybe -- central endpoints is in progress) + +## Setup + +Once you have copied the files from the example directory, you will need two files from the shared VPC: + +* variables.subnets.auto.tfvars +* variables.vpc.auto.tfvars + +These provide enough settings to populate the directory so that subdirectories of the VPC are able to use +the remote state capabilities to discover specific data. + +Subnets and IDs are not output, so any use of a subnet for selection (say, in an LB target group) will need to use +the `data aws_subnets` resource with the appropriate filters. + +The `variables.vpc.auto.tfvars` needs to be reduced to small number of settings. 
It is recommended to follow +these steps + +```script +cp SOURCE/variables.vpc.auto.tfvars variables.vpc.auto.tfvars-from-shared +grep -E "^(shared_vpc_label|vpc_name|vpc_cidr_block|vpc_index|vpc_short_name|vpc_full_name|vpc_environment|vpc_domain_name|vpc_dns_servers|vpc_ntp_servers|tgw_environment) *=" \ + variables.vpc.auto.tfvars-from-shared > variables.vpc.auto.tfvars +``` + +This is the set of variable values to be defined (from the shared vpc). + +```hcl +shared_vpc_label = "" +vpc_name = "" +vpc_cidr_block = "" +vpc_index = null +vpc_short_name = "" +vpc_full_name = "" +vpc_environment = "" +vpc_domain_name = "" +vpc_dns_servers = [] +vpc_ntp_servers = [] +tgw_environment = "" +``` diff --git a/examples/vpc-region-shared-setup/apps/.terraform-docs.yml b/examples/vpc-region-shared-setup/apps/.terraform-docs.yml new file mode 100644 index 0000000..8391b9d --- /dev/null +++ b/examples/vpc-region-shared-setup/apps/.terraform-docs.yml @@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/examples/vpc-region-shared-setup/apps/.tf-control b/examples/vpc-region-shared-setup/apps/.tf-control new file mode 100644 index 0000000..b304010 --- /dev/null +++ b/examples/vpc-region-shared-setup/apps/.tf-control @@ -0,0 +1,4 @@ +#TFCOMMAND="terraform_0.13.7" +#TFCOMMAND="terraform_0.14.11" +TFCOMMAND="terraform_latest" +## TF_CLI_CONFIG_FILE=$HOME/.tf-control.tfrc 
diff --git a/examples/vpc-region-shared-setup/apps/.tf-control.tfrc b/examples/vpc-region-shared-setup/apps/.tf-control.tfrc
new file mode 100644
index 0000000..d4b0b15
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/.tf-control.tfrc
@@ -0,0 +1,23 @@
+# https://www.terraform.io/docs/cli/config/config-file.html
+
+plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "*/*/*" ]
+# }
+ filesystem_mirror {
+ path = "/data/terraform/terraform.d/providers"
+ include = [ "*/*/*" ]
+ }
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "external.terraform.census.gov/*/*" ]
+# }
+ direct {
+ include = [ "*/*/*" ]
+ }
+}
+
diff --git a/examples/vpc-region-shared-setup/apps/dns/.terraform-docs.yml b/examples/vpc-region-shared-setup/apps/dns/.terraform-docs.yml
new file mode 100644
index 0000000..8391b9d
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/dns/.terraform-docs.yml
@@ -0,0 +1,44 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+## hide: []
+ show:
+ - data-sources
+ - header
+ - footer
+ - inputs
+ - modules
+ - outputs
+ - providers
+ - requirements
+ - resources
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
+
+## output-values:
+## enabled: false
+## from: ""
+##
+## sort:
+## enabled: true
+## by: name
+##
+## settings:
+## anchor: true
+## color: true
+## default: true
+## description: false
+## escape: true
+## indent: 2
+## required: true
+## sensitive: true
+## type: true
diff --git a/examples/vpc-region-shared-setup/apps/region.tf b/examples/vpc-region-shared-setup/apps/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/vpc-region-shared-setup/apps/tf-run.data b/examples/vpc-region-shared-setup/apps/tf-run.data
new file mode 100644
index 0000000..f8cad8e
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/tf-run.data
@@ -0,0 +1,7 @@
+VERSION 1.0.0
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/vpc-region-shared-setup/apps/versions.tf b/examples/vpc-region-shared-setup/apps/versions.tf
new file mode 100644
index 0000000..ec1ce3c
--- /dev/null
+++ b/examples/vpc-region-shared-setup/apps/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.0"
+ }
+ infoblox = {
+ source = "infobloxopen/infoblox"
+ version = ">= 2.1.0"
+ }
+ }
+}
diff --git a/examples/vpc-region-shared-setup/data.tf b/examples/vpc-region-shared-setup/data.tf
new file mode 100644
index 0000000..cb626c2
--- /dev/null
+++ b/examples/vpc-region-shared-setup/data.tf
@@ -0,0 +1,9 @@
+data "aws_availability_zones" "zones" {
+ state = "available"
+}
+
+data "aws_availability_zone" "zone" {
+ for_each = toset(data.aws_availability_zones.zones.names)
+ state = "available"
+ name = each.key
+}
diff --git a/examples/vpc-region-shared-setup/data.vpc.tf b/examples/vpc-region-shared-setup/data.vpc.tf
new file mode 100644
index 0000000..84b4be5
--- /dev/null
+++ b/examples/vpc-region-shared-setup/data.vpc.tf
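Review bot: The provider constraints in `apps/versions.tf` are open lower bounds only (`aws >= 3.0`, `infoblox >= 2.1.0`) while `apps/tf-run.data` in the same patch runs `tf-init -upgrade` on every invocation, so each run may silently move both providers to a new major release with breaking or behaviour-changing defaults. Use constraints that track a major, e.g. `version = "~> 4.0"` for aws and `version = "~> 2.1"` for infoblox, and add the `required_version` line that the top-level `versions.tf` already carries. The top-level file also requires `aws >= 4.0`, so `>= 3.0` here is inconsistent with it.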
@@ -0,0 +1,30 @@
+data "aws_vpcs" "vpcs" {
+ filter {
+ name = "tag:Name"
+ values = [var.vpc_full_name]
+ }
+}
+
+data "aws_vpc" "vpc" {
+ id = coalesce(data.aws_vpcs.vpcs.ids[0], null)
+}
+
+data "aws_subnets" "subnets" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.vpc.id]
+ }
+}
+
+data "aws_subnet" "subnet" {
+ for_each = toset(data.aws_subnets.subnets.ids)
+ id = each.key
+}
+
+data "aws_vpc_dhcp_options" "dhcp_options" {
+ dhcp_options_id = data.aws_vpc.vpc.dhcp_options_id
+}
+
+locals {
+ vpc_id = data.aws_vpc.vpc.id
+}
diff --git a/examples/vpc-region-shared-setup/outputs.tf b/examples/vpc-region-shared-setup/outputs.tf
new file mode 100644
index 0000000..a03cbc3
--- /dev/null
+++ b/examples/vpc-region-shared-setup/outputs.tf
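Review bot: `id = coalesce(data.aws_vpcs.vpcs.ids[0], null)` silently picks the first of however many VPCs carry that `Name` tag, and the order of `ids` is not guaranteed, so a second VPC with the same name (plausible in an account that receives several shared VPCs) would put every security group and endpoint in this configuration into the wrong VPC; the `coalesce(..., null)` wrapper adds nothing, since `ids[0]` already fails on an empty list and `coalesce` with only a null argument is itself an error. Replace it with `id = one(data.aws_vpcs.vpcs.ids)`, which fails the plan unless exactly one VPC matched; `one()` is available in every release the `>= 1.0.0` constraint admits. A comment such as `# Name tags are not unique across shared VPCs; refuse to guess` would explain the strictness to the next reader.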
@@ -0,0 +1,59 @@
+output "vpc_id" {
+ description = "VPC ID"
+ value = data.aws_vpc.vpc.id
+}
+
+## output "vpc_arn" {
+## description = "VPC ARN"
+## value = data.aws_vpc.vpc.arn
+## }
+
+output "vpc_info" {
+ description = "VPC info"
+ value = {
+ vpc_id = data.aws_vpc.vpc.id
+ vpc_cidr_block = data.aws_vpc.vpc.cidr_block
+ vpc_arn = data.aws_vpc.vpc.arn
+ vpc_name = var.vpc_name
+ vpc_short_name = var.vpc_short_name
+ # vpc_short_name = split("-", var.vpc_full_name)[0]
+ vpc_full_name = var.vpc_full_name
+ "vpc_environment" = var.vpc_environment
+ # vpc_environment = data.aws_vpc.vpc.tags["Environment"]
+ owner_id = data.aws_vpc.vpc.owner_id
+ # vpc_domain_name = var.vpc_domain_name
+ vpc_domain_name = data.aws_vpc_dhcp_options.dhcp_options.domain_name
+ # _raw = data.aws_vpc.vpc
+ "vpc_dns_servers" = var.vpc_dns_servers
+ ## these really are not used by anything
+ # "s3_endpoint_id" = null
+ # "dynamodb_endpoint_id" = null
+ # "s3_endpoint_cidr_blocks" = null
+ # "dynamodb_endpoint_cidr_blocks" = null
+ }
+}
+
+## locals {
+## shared_private_subnet_info = [for k, v in data.aws_subnet.subnet : {
+## id = v.id
+## arn = v.arn
+## availability_zone = v.availability_zone
+## owner_id = v.owner_id
+## cidr_block = v.cidr_block
+## subnet = v.cidr_block
+## label = replace(v.tags["Name"], format("%v-", var.vpc_full_name), "")
+## tags = v.tags
+## # _raw = v
+## }]
+## }
+##
+##
+## output "shared_private_subnet_info" {
+## description = "Details from shared VPC subnets"
+## value = local.shared_private_subnet_info
+## }
+
+output "security_groups" {
+ description = "Security Group map(object{name, id, arn})"
+ value = module.base-security-groups.security_groups
+}
diff --git a/examples/vpc-region-shared-setup/region.tf b/examples/vpc-region-shared-setup/region.tf
new file mode 100644
index 0000000..b7b1696
--- /dev/null
+++ b/examples/vpc-region-shared-setup/region.tf
@@ -0,0 +1,4 @@
+locals {
+ region = var.region
+}
+
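Review bot: `vpc_info` mixes live data with hand-copied values: `vpc_domain_name` is read from the VPC's DHCP option set, but `vpc_dns_servers` comes from `var.vpc_dns_servers`, a value copied from the network account's tfvars per the README, so the two can disagree once the owner changes the option set and every consumer of this remote state gets stale resolvers. Read both from the same source, `vpc_dns_servers = data.aws_vpc_dhcp_options.dhcp_options.domain_name_servers`, or add a comment stating why the copied value is the authoritative one. The mixed key quoting (`"vpc_environment"` and `"vpc_dns_servers"` beside bare `vpc_id`) is harmless but reads as if those keys were special; pick one form.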
diff --git a/examples/vpc-region-shared-setup/sg-web.tf b/examples/vpc-region-shared-setup/sg-web.tf
new file mode 100644
index 0000000..497efd7
--- /dev/null
+++ b/examples/vpc-region-shared-setup/sg-web.tf
@@ -0,0 +1,16 @@
+module "sg_web" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web?ref=tf-upgrade"
+ vpc_id = local.vpc_id
+
+ tags = merge(
+ local.tags,
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
+
+output "sg_web_id" {
+ description = "Common Web security group"
+ value = module.sg_web.this_security_group_id
+}
diff --git a/examples/vpc-region-shared-setup/tf-run.data b/examples/vpc-region-shared-setup/tf-run.data
new file mode 100644
index 0000000..ea54249
--- /dev/null
+++ b/examples/vpc-region-shared-setup/tf-run.data
@@ -0,0 +1,20 @@
+VERSION 1.3.1
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINKTOP common/remote_state.common.tf
+LINKTOP infrastructure/%%SHORT_REGION%%/remote_state.infrastructure_%%SHORT_REGION%%.tf
+
+# module.subnet_tags
+# module.sg_web module.base-security-groups
+
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/vpc-region-shared-setup/variables.availability_zones.tf b/examples/vpc-region-shared-setup/variables.availability_zones.tf
new file mode 100644
index 0000000..3e906b9
--- /dev/null
+++ b/examples/vpc-region-shared-setup/variables.availability_zones.tf
@@ -0,0 +1,5 @@
+variable "availability_zones" {
+ description = "AWS Availability zones for subnet (default: all)"
+ type = list(string)
+ default = []
+}
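Review bot: The `sg_web` module source pins `?ref=tf-upgrade`, a branch name rather than a tag or commit, and `tf-run.data` in this patch runs `tf-init -upgrade` on every invocation, so a push to that branch changes the security-group rules this account applies with no change reviewed here. Pin to an immutable ref, e.g. `?ref=<release-tag-or-commit-sha>`, and consider carrying the ref in a single local so the three modules in this patch that use the same branch move together. The `sg_web_id` output would also benefit from a one-line comment recording why the group is created in this account (`# security groups are not shared with the VPC; each account creates its own`), which the README explains but the code does not.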
diff --git a/examples/vpc-region-shared-setup/variables.subnets.auto.tfvars b/examples/vpc-region-shared-setup/variables.subnets.auto.tfvars
new file mode 100644
index 0000000..4d951b7
--- /dev/null
+++ b/examples/vpc-region-shared-setup/variables.subnets.auto.tfvars
@@ -0,0 +1,7 @@
+# variables.subnets.auto.tfvars
+
+# copy this file from the source (network-prod) shared vpc configuration
+# this is only needed if you have to add subnet tags to the subnets in this account, commonly only for EKS
+
+public_subnets = []
+private_subnets = []
diff --git a/examples/vpc-region-shared-setup/variables.subnets.tf b/examples/vpc-region-shared-setup/variables.subnets.tf
new file mode 100644
index 0000000..7049244
--- /dev/null
+++ b/examples/vpc-region-shared-setup/variables.subnets.tf
@@ -0,0 +1,31 @@
+# from aws-vpc-setup/subnets/variables.common.subnets.tf
+variable "public_subnets" {
+ description = "List of objects with public subnet information to be created"
+ type = list(object({
+ base_cidr = string
+ label = string
+ bits = number
+ offset = optional(number, 0)
+ private = bool
+ tags = map(string)
+ enabled = optional(bool, true)
+ availability_zone = optional(string)
+ }))
+ default = []
+}
+
+# availability_zone does nothign at this point
+variable "private_subnets" {
+ description = "List of objects with private subnet information to be created"
+ type = list(object({
+ base_cidr = string
+ label = string
+ bits = number
+ offset = optional(number, 0)
+ private = bool
+ tags = map(string)
+ enabled = optional(bool, true)
+ availability_zone = optional(string)
+ }))
+ default = []
+}
diff --git a/examples/vpc-region-shared-setup/variables.vpc.auto.tfvars b/examples/vpc-region-shared-setup/variables.vpc.auto.tfvars
new file mode 100644
index 0000000..b394d9b
--- /dev/null
+++ b/examples/vpc-region-shared-setup/variables.vpc.auto.tfvars
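Review bot: Both descriptions in `variables.subnets.tf` say the subnets are "to be created", but in this account they cannot be: the README lists subnet creation as impossible here and `variables.subnets.auto.tfvars` says the lists exist only so that `subnet_tags` can tag existing subnets, so the generated `terraform-docs` output will mislead. Reword them along the lines of `"Shared public subnets (created in the owning account); listed here only so tags can be applied"`, and fix the typo `does nothign` → `does nothing` in the comment above `private_subnets`. That comment is also the right place to note that `optional(number, 0)` with a default requires Terraform 1.3 or newer, which the top-level `required_version` in this patch (`>= 1.0.0`) does not express.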
@@ -0,0 +1,19 @@
+# variables.vpc.auto.tfvars
+
+# copy this file from the source (network-prod) shared vpc configuration.
+# You need only the specific variables listed here. You can obtain that with
+#
+# grep -E "^(shared_vpc_label|vpc_name|vpc_cidr_block|vpc_index|vpc_short_name|vpc_full_name|vpc_environment|vpc_domain_name|vpc_dns_servers|vpc_ntp_servers|tgw_environment) *=" \
+# SOURCE/variables.vpc.auto.tfvars > variables.vpc.auto.tfvars
+
+shared_vpc_label = ""
+vpc_name = ""
+vpc_cidr_block = ""
+vpc_index = null
+vpc_short_name = ""
+vpc_full_name = ""
+vpc_environment = ""
+vpc_domain_name = ""
+vpc_dns_servers = []
+vpc_ntp_servers = []
+tgw_environment = ""
diff --git a/examples/vpc-region-shared-setup/variables.vpc.tf b/examples/vpc-region-shared-setup/variables.vpc.tf
new file mode 100644
index 0000000..da3cd9c
--- /dev/null
+++ b/examples/vpc-region-shared-setup/variables.vpc.tf
@@ -0,0 +1,50 @@
+variable "vpc_name" {
+ description = "VPC Name including environment (if necessary), excluding vpc{N}. From shared VPC definition."
+ type = string
+}
+
+variable "vpc_index" {
+ description = "VPC index number. This was used for NACL rule number caculations, and it is no longer needed. It is ignored in this configuration."
+ type = number
+ default = null
+}
+
+variable "vpc_cidr_block" {
+ description = "VPC CIDR Block. From shared VPC definition."
+ type = string
+}
+
+variable "vpc_short_name" {
+ description = "VPC short name component, vpc{index}. From shared VPC definition."
+ type = string
+}
+
+variable "vpc_environment" {
+ description = "VPC environment purpose (common, shared, dev, stage, ite, prod). From shared VPC defintion."
+ type = string
+ default = ""
+}
+
+variable "shared_vpc_label" {
+ description = "Label to use for shared VPC for flowlogs and other things. From shared VPC definition."
+ type = string
+ default = null
+}
+
+
+variable "tgw_environment" {
+ description = "Transit Gateway environment route table (services, dev, test, stage, prod, cre). Not used for any network setup. From shared VPC definition."
+ type = string
+ default = null
+
+ validation {
+ condition = var.tgw_environment == null || contains(["services", "dev", "test", "stage", "prod", "cre"], var.tgw_environment)
+ error_message = "The tgw_environment must contain one of the legal values: services, dev, test, stage, prod, cre."
+ }
+}
+
+# in variables.d/variable.scommon.tf
+# - vpc_full_name
+# - vpc_domain_name
+# - vpc_dns_servers
+# - vpc_ntp_servers
diff --git a/examples/vpc-region-shared-setup/versions.tf b/examples/vpc-region-shared-setup/versions.tf
new file mode 100644
index 0000000..bf73497
--- /dev/null
+++ b/examples/vpc-region-shared-setup/versions.tf
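Review bot: `vpc_environment` enumerates its legal values in the description (`common, shared, dev, stage, ite, prod`) but has no `validation` block, unlike `tgw_environment` just below it, and its value becomes the `Environment` tag on every resource in `vpc.tf`, so a typo in the hand-copied tfvars is silently stamped onto security groups and endpoints. Add a validation mirroring the `tgw_environment` one, e.g. `condition = var.vpc_environment == "" || contains(["common", "shared", "dev", "stage", "ite", "prod"], var.vpc_environment)`, keeping `""` only if the empty default is actually meaningful downstream. The descriptions also carry the typos `caculations` and `defintion`.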
@@ -0,0 +1,33 @@
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ ## ldap = {
+ ## source = "trevex/ldap"
+ ## version = ">= 0.5.4"
+ ## }
+ ## external = {
+ ## source = "hashicorp/external"
+ ## version = ">= 1.0"
+ ## }
+ ## null = {
+ ## source = "hashicorp/null"
+ ## version = ">= 1.0"
+ ## }
+ ## random = {
+ ## source = "hashicorp/random"
+ ## version = ">= 1.0"
+ ## }
+ ## template = {
+ ## source = "hashicorp/template"
+ ## version = ">= 1.0"
+ ## }
+ ## infoblox = {
+ ## source = "infobloxopen/infoblox"
+ ## version = ">= 2.1.0"
+ ## }
+ }
+}
diff --git a/examples/vpc-region-shared-setup/vpc-endpoints.tf b/examples/vpc-region-shared-setup/vpc-endpoints.tf
new file mode 100644
index 0000000..a473c6e
--- /dev/null
+++ b/examples/vpc-region-shared-setup/vpc-endpoints.tf
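Review bot: `required_version = ">= 1.0.0"` admits Terraform 1.0 through 1.2, which do not support the `optional(type, default)` syntax that `variables.subnets.tf` in this same patch relies on, so a run on one of those releases fails with a type-constraint error instead of a clear version check. Raise it to `required_version = ">= 1.3.0"` (or a `~> 1.3` style bound) so the failure is explicit, and keep it aligned with whatever binary `.tf-control` selects. The `aws` constraint is an open `>= 4.0` while `tf-run.data` runs `tf-init -upgrade` every time, so each run may move to a new provider major; `~> 4.0` would keep upgrades deliberate. The six commented-out provider blocks are dead weight in an example meant to be copied; a one-line comment listing providers that may be needed would serve better.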
@@ -0,0 +1,65 @@
+# dynamodb and s3 gateway endpoints defined in vpc module
+
+# select here where label starts with app-
+# private_subnets_ids = data.terraform_remote_state.vpc_east_vpc3.outputs.private_subnets_ids
+# or use data
+
+# some help from here: https://dev.to/danquack/private-fargate-deployment-with-vpc-endpoints-1h0p
+
+locals {
+ security_group_ids = [module.sg_web.this_security_group_id]
+
+ # currently this list doesn't do anything, but it's mostly to track what is in place here. A future
+ # revision of the vpc endpoints module will allow this as a for_each (tf 0.13+)
+ # keep in alphabetical order in the list and the file
+
+ # disable by setting to null
+ # enable by setting to "", or if it require a different service name, set that
+ vpc_endpoints = {
+ ## "autoscaling" = ""
+ ## "ec2" = ""
+ ## "ec2messages" = ""
+ ## "ecr.api" = ""
+ ## "ecr.dkr" = ""
+ ## "ecs" = ""
+ ## "elasticfilesystem" = ""
+ ## "elasticloadbalancing" = ""
+ ## "kms" = ""
+ ## "logs" = ""
+ ## "secretsmanager" = ""
+ ## "ssm" = ""
+ ## "ssmmessages" = ""
+ ## "sts" = ""
+ }
+}
+
+data "aws_subnets" "endpoint_subnets" {
+ filter {
+ name = "vpc-id"
+ values = [local.vpc_id]
+ }
+ filter {
+ name = "tag:Name"
+ values = ["*-endpoints-*"]
+ }
+}
+
+module "vpce" {
+ for_each = { for k, v in local.vpc_endpoints : k => v if v != null }
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint?ref=tf-upgrade"
+
+ service = each.value == "" ? each.key : each.value
+ subnet_ids = tolist(data.aws_subnets.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.tags,
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
diff --git a/examples/vpc-region-shared-setup/vpc.tf b/examples/vpc-region-shared-setup/vpc.tf
new file mode 100644
index 0000000..6fbb5fc
--- /dev/null
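Review bot: `security_group_ids = [module.sg_web.this_security_group_id]` attaches the shared *web* security group to every interface endpoint ENI, so whatever ingress that group grants to web servers (its rules live in the external module and are not visible here) is also what may reach the endpoints, and any later change to the web rules silently changes endpoint exposure. Interface endpoints need only TCP/443 from inside the VPC; give them a dedicated group scoped to `var.vpc_cidr_block`, as below, so the two concerns are decoupled and the endpoint policy can be reviewed on its own. Separately, the `endpoint_subnets` lookup by `tag:Name = "*-endpoints-*"` yields an empty list if the owning account has not tagged any subnets that way; a `precondition` asserting `length(data.aws_subnets.endpoint_subnets.ids) > 0` would make that failure explicit instead of leaving it to the module.
```hcl
resource "aws_security_group" "vpce" {
  name_prefix = "${var.vpc_full_name}-vpce-"
  description = "Interface VPC endpoints: HTTPS from inside the VPC only"
  vpc_id      = local.vpc_id

  ingress {
    description = "HTTPS from the VPC CIDR"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr_block]
  }

  tags = merge(local.tags, local.common_tags, var.account_tags, var.application_tags)
}

locals {
  security_group_ids = [aws_security_group.vpce.id]
  # … unchanged: vpc_endpoints map …
}
# … unchanged: endpoint_subnets data source, module "vpce" …
```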
+++ b/examples/vpc-region-shared-setup/vpc.tf
@@ -0,0 +1,38 @@
+locals {
+ tags = {
+ CostAllocation = "csvd:infrastructure"
+ Environment = var.vpc_environment
+ }
+}
+
+module "subnet_tags" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//subnet_tags?ref=tf-upgrade"
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ availability_zones = var.availability_zones
+ public_subnets = var.public_subnets
+ private_subnets = var.private_subnets
+
+ tags = merge(
+ local.tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
+
+module "base-security-groups" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//security-groups?ref=tf-upgrade"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ enable_manage_default_sg = false
+
+ tags = merge(
+ local.tags,
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
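Review bot: `module "subnet_tags"` merges `local.tags`, `var.account_tags` and `var.application_tags` but omits `local.common_tags`, which `base-security-groups` directly below (and `sg_web` and `vpce` elsewhere in this patch) include, so the tags written onto the shared subnets will differ from every other resource this configuration manages. If that is deliberate, say so in a comment; otherwise add `local.common_tags,` to that merge. `enable_manage_default_sg = false` also deserves a why-comment: presumably the default security group of a shared VPC belongs to the owning account and cannot be managed from here, but that is inference, so confirm it and record it as `# default SG belongs to the sharing account; cannot be managed from here`. Both module sources pin the mutable branch `tf-upgrade`; a tag or commit SHA would make what this account applies reviewable.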