From 71074d8e78cc914d9b4d011bd8a5741166a32303 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 8 Jul 2021 16:03:07 -0400
Subject: [PATCH] v1.1.3: add per-subnet tags

---
 CHANGELOG.md | 4 ++++
 common/variables.common.subnets.tf | 2 ++
 common/version.tf | 2 +-
 subnets/README.md | 29 +++++++++++++++++++++++--
 subnets/main.tf | 34 ++++++++++++++++++++++++++++--
 5 files changed, 66 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 604df09..87b6813 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,3 +38,7 @@
 * v1.1.2 -- 20210702
 - routing
 - export vpc s3 and dynamodb cidr blocks too, change the way the structure is constructed
+
+* v1.1.3 -- 20210708
+ - subnets
+ - add per-subnet tags
diff --git a/common/variables.common.subnets.tf b/common/variables.common.subnets.tf
index 5aae931..a4c5cfe 100644
--- a/common/variables.common.subnets.tf
+++ b/common/variables.common.subnets.tf
@@ -8,6 +8,7 @@ variable "public_subnets" {
 # subnets = list(string)
 # labels = list(string)
 # availability_zones = list(string)
+ tags = map(string)
 }))
 default = []
 }
@@ -22,6 +23,7 @@ variable "private_subnets" {
 # subnets = list(string)
 # labels = list(string)
 # availability_zones = list(string)
+ tags = map(string)
 }))
 default = []
 }
diff --git a/common/version.tf b/common/version.tf
index 1cc6d9a..7d60583 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.1.2"
+ _module_version = "1.1.3"
 }
diff --git a/subnets/README.md b/subnets/README.md
index e237632..ff2eb35 100644
--- a/subnets/README.md
+++ b/subnets/README.md
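Review bot: In both `common/variables.common.subnets.tf` hunks the new `tags = map(string)` attribute is added to the object type without `optional(...)`, so every existing caller that omits `tags` from a `public_subnets` or `private_subnets` entry now fails type checking at plan time; the `lookup(v, "tags", {})` added in the `subnets/main.tf` locals cannot soften this, because the attribute is already mandatory at the variable boundary. Where the module's pinned Terraform version supports it, `tags = optional(map(string), {})` keeps existing configurations valid; otherwise the CHANGELOG entry should state that `tags = {}` must now be supplied by every caller. A short comment next to the new line would also help, since the neighbouring commented-out attributes carry no explanation: `# per-subnet tags, merged after var.tags onto each generated aws_subnet (e.g. EKS role tags)`.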
@@ -21,6 +21,31 @@ module "subnets" { tags = {} } + +# Subnet structure +Both `private_subnets` and `public_subnets` have the same structure. They are a list of subnet +information _objects_: + +```hcl + type = list(object({ + base\_cidr = string + label = string + bits = number + private = bool + tags = map(string) + })) +``` + +* base_cidr: CIDR block for the subnet "collection". This is an aggrated block of smaller subnets, one +per availability zone deployed. Note that this module doesn't stop you from using the wrong blocking. If you +specify a /24 split into /26s (2 bits of extra mask) but have 5 availability zones, you'll overrun into the next +block. You'll get errors. +* label: a text label to be applied to each subnet, which will be formatted aws {vpc_full_name}-{label}-{availability_zone} +* bits: number of additional bits to add to the mask. Generally, for four availability zones, you'll want to use +2 here (2^2 = 4). For two AZs, you can use 1 (2^1 = 2). +* private: boolean flag indicating whether the subnet is for public use (like with an EIB and NAT gateway or ALB), or private. Most will +be private. +* tags: map of key/value pairs for per-subnet block tags. This was introduced to support EKS subnet tagging. ``` ## Requirements @@ -57,8 +82,8 @@ No modules. | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | | [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | -| [private\_subnets](#input\_private\_subnets) | List of objects with private subnet information to be created |
list(object({
base_cidr = string
label = string
bits = number
private = bool
# subnets = list(string)
# labels = list(string)
# availability_zones = list(string)
}))
| `[]` | no | -| [public\_subnets](#input\_public\_subnets) | List of objects with public subnet information to be created |
list(object({
base_cidr = string
label = string
bits = number
private = bool
# subnets = list(string)
# labels = list(string)
# availability_zones = list(string)
}))
| `[]` | no | +| [private\_subnets](#input\_private\_subnets) | List of objects with private subnet information to be created |
list(object({
base_cidr = string
label = string
bits = number
private = bool
# subnets = list(string)
# labels = list(string)
# availability_zones = list(string)
tags = map(string)
}))
| `[]` | no | +| [public\_subnets](#input\_public\_subnets) | List of objects with public subnet information to be created |
list(object({
base_cidr = string
label = string
bits = number
private = bool
# subnets = list(string)
# labels = list(string)
# availability_zones = list(string)
tags = map(string)
}))
| `[]` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | diff --git a/subnets/main.tf b/subnets/main.tf index 7e88406..9cd6d9b 100644 --- a/subnets/main.tf +++ b/subnets/main.tf @@ -22,6 +22,32 @@ * * tags = {} * } +* +* # Subnet structure +* Both `private_subnets` and `public_subnets` have the same structure. They are a list of subnet +* information _objects_: +* +* ```hcl +* type = list(object({ +* base_cidr = string +* label = string +* bits = number +* private = bool +* tags = map(string) +* })) +* ``` +* +* * base_cidr: CIDR block for the subnet "collection". This is an aggrated block of smaller subnets, one +* per availability zone deployed. Note that this module doesn't stop you from using the wrong blocking. If you +* specify a /24 split into /26s (2 bits of extra mask) but have 5 availability zones, you'll overrun into the next +* block. You'll get errors. +* * label: a text label to be applied to each subnet, which will be formatted aws {vpc_full_name}-{label}-{availability_zone} +* * bits: number of additional bits to add to the mask. Generally, for four availability zones, you'll want to use +* 2 here (2^2 = 4). For two AZs, you can use 1 (2^1 = 2). +* * private: boolean flag indicating whether the subnet is for public use (like with an EIB and NAT gateway or ALB), or private. Most will +* be private. +* * tags: map of key/value pairs for per-subnet block tags. This was introduced to support EKS subnet tagging. +* */ locals { 
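Review bot: The new header comment block in `subnets/main.tf` carries the same wording defects as the README copy it duplicates: "aggrated" for "aggregated", "EIB" where "EIP" is presumably meant, and "formatted aws" for "formatted as". The stated Name format `{vpc_full_name}-{label}-{availability_zone}` also omits the `local._prefixes["subnet"]` prefix that the `format("%v%v-%v", local._prefixes["subnet"], var.vpc_full_name, each.value.label)` call in the resource blocks prepends, so the line is better written as `* * label: a text label applied to each subnet, formatted as {subnet_prefix}{vpc_full_name}-{label}-{availability_zone}`. The `locals` block this hunk ends on continues outside the hunk.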
@@ -53,10 +79,11 @@ locals { subnets = [for i in local.az_count_list : cidrsubnet(v.base_cidr, v.bits, i)] labels = [for az in local.availability_zones : format("%s-%s", v.label, az)] availability_zones = local.availability_zones + tags = lookup(v, "tags", {}) } } public_map = flatten([for k, v in local.public_subnets : - [for i in local.az_count_list : tomap({ "subnet" = v.subnets[i], "label" = v.labels[i], "availability_zone" = v.availability_zones[i] })]]) + [for i in local.az_count_list : tomap({ "subnet" = v.subnets[i], "label" = v.labels[i], "availability_zone" = v.availability_zones[i], "tags" = v.tags })]]) } @@ -69,6 +96,7 @@ resource "aws_subnet" "public" { tags = merge( local.base_tags, var.tags, + each.value.tags, map("Name", format("%v%v-%v", local._prefixes["subnet"], var.vpc_full_name, each.value.label)) ) } @@ -87,10 +115,11 @@ locals { subnets = [for i in local.az_count_list : cidrsubnet(v.base_cidr, v.bits, i)] labels = [for az in local.availability_zones : format("%s-%s", v.label, az)] availability_zones = local.availability_zones + tags = lookup(v, "tags", {}) } } private_map = flatten([for k, v in local.private_subnets : - [for i in local.az_count_list : tomap({ "subnet" = v.subnets[i], "label" = v.labels[i], "availability_zone" = v.availability_zones[i] })]]) + [for i in local.az_count_list : tomap({ "subnet" = v.subnets[i], "label" = v.labels[i], "availability_zone" = v.availability_zones[i], "tags" = v.tags })]]) } resource "aws_subnet" "private" { @@ -102,6 +131,7 @@ resource "aws_subnet" "private" { tags = merge( local.base_tags, var.tags, + each.value.tags, map("Name", format("%v%v-%v", local._prefixes["subnet"], var.vpc_full_name, each.value.label)) ) }
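Review bot: Adding `"tags" = v.tags` to the `tomap({...})` call in the `public_map` local (and identically in `private_map` further down) puts a `map(string)` value alongside string values, and `tomap` requires every element to convert to one common type; unless the pinned Terraform version accepts this, I would expect a "cannot convert object to map of any single type" error at plan time. Dropping the `tomap(...)` wrapper and keeping a plain object literal, `{ "subnet" = v.subnets[i], "label" = v.labels[i], "availability_zone" = v.availability_zones[i], "tags" = v.tags }`, should keep attribute access such as `each.value.tags` working without forcing a single element type. The `lookup(v, "tags", {})` above it only has an effect if the variable type actually permits `tags` to be omitted. The enclosing `locals` block starts outside the hunk.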
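Review bot: In the `aws_subnet.public` tags hunk (and identically in the `aws_subnet.private` one) `each.value.tags` is merged after `local.base_tags` and `var.tags`, so a per-subnet entry whose key collides with a module-wide tag silently replaces it; only `Name`, which comes last, is protected. If `local.base_tags` carries tags the module is meant to enforce (ownership, environment, cost allocation), that precedence should be deliberate: either put the per-subnet map first, `each.value.tags, local.base_tags, var.tags,`, or keep the override semantics and state them in the header comment, e.g. `* * tags: ... keys here take precedence over var.tags and the module base tags; Name is always generated`. Both `resource "aws_subnet"` blocks start outside their hunks.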