From 975d3ada52784c2be17901aec6d21f1ea8b28064 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 20 Oct 2022 11:31:58 -0400
Subject: [PATCH] add

---
 .../variables.vpc-transit-gateway.tf | 15 +++
 .../variables.vpc.auto.tfvars.update | 5 +
 .../variables.vpc.tf.update | 12 +++
 .../vpc-transit-gateway.tf | 96 +++++++++++++++++++
 .../vpc.tf.update | 23 +++++
 5 files changed, 151 insertions(+)
 create mode 100644 examples/vpc-transit-gateway-attachment/variables.vpc-transit-gateway.tf
 create mode 100644 examples/vpc-transit-gateway-attachment/variables.vpc.auto.tfvars.update
 create mode 100644 examples/vpc-transit-gateway-attachment/variables.vpc.tf.update
 create mode 100644 examples/vpc-transit-gateway-attachment/vpc-transit-gateway.tf
 create mode 100644 examples/vpc-transit-gateway-attachment/vpc.tf.update

diff --git a/examples/vpc-transit-gateway-attachment/variables.vpc-transit-gateway.tf b/examples/vpc-transit-gateway-attachment/variables.vpc-transit-gateway.tf
new file mode 100644
index 0000000..f656992
--- /dev/null
+++ b/examples/vpc-transit-gateway-attachment/variables.vpc-transit-gateway.tf
@@ -0,0 +1,15 @@
+variable "network_account_profile" {
+ description = "AWS profile of the source account sharing the VPC resources"
+ type = string
+}
+
+variable "tgw_label" {
+ description = "Transit Gateway label for specific instance (sa, prod)"
+ type = string
+ default = "prod"
+
+ validation {
+ condition = contains(["sa", "prod"], var.tgw_label)
+ error_message = "tgw_label must be set to valid environment, used in determining managed prefixes"
+ }
+}
diff --git a/examples/vpc-transit-gateway-attachment/variables.vpc.auto.tfvars.update b/examples/vpc-transit-gateway-attachment/variables.vpc.auto.tfvars.update
new file mode 100644
index 0000000..e332c48
--- /dev/null
+++ b/examples/vpc-transit-gateway-attachment/variables.vpc.auto.tfvars.update
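Review bot: `tgw_label` defaults to `"prod"`, so an operator who copies this example and forgets to set the label silently resolves the production managed prefix lists (`transit-gateway.prod`, `vpn-transit-gateway.prod`); dropping the default forces an explicit choice, the way `network_account_profile` already does. The `error_message` should also name the accepted values, e.g. `error_message = "tgw_label must be one of: sa, prod."`. Some Terraform releases additionally require validation messages to be a full sentence (capitalised, ending in a period), which this message is not — worth confirming against the version the `tf-upgrade` ref targets.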
@@ -0,0 +1,5 @@
+# make sure to add to variables.vpc.auto.tfvars tgw_environment, with the appropriate selected
+# valid VRF. See the definition for the variable tgw_environment. If omitted, it defaults to null
+# and no attachments will be made
+
+tgw_environment = "unconfigured"
diff --git a/examples/vpc-transit-gateway-attachment/variables.vpc.tf.update b/examples/vpc-transit-gateway-attachment/variables.vpc.tf.update
new file mode 100644
index 0000000..f334e75
--- /dev/null
+++ b/examples/vpc-transit-gateway-attachment/variables.vpc.tf.update
@@ -0,0 +1,12 @@
+# update the variables.vpc.tf defintions for validation of the tgw_environment variable
+
+variable "tgw_environment" {
+ description = "Transit Gateway environment route table (services, dev, test, stage, prod, network)"
+ type = string
+ default = null
+
+ validation {
+ condition = vr.tgw_environment == null || contains(["services", "dev", "test", "stage", "prod", "cre"], var.tgw_environment)
+ error_message = "tgw_environment value must be one of the valid VRF selections or null for no attachment"
+ }
+}
diff --git a/examples/vpc-transit-gateway-attachment/vpc-transit-gateway.tf b/examples/vpc-transit-gateway-attachment/vpc-transit-gateway.tf
new file mode 100644
index 0000000..d63ba74
--- /dev/null
+++ b/examples/vpc-transit-gateway-attachment/vpc-transit-gateway.tf
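Review bot: `tgw_environment = "unconfigured"` is not in the allowed list that the companion `variables.vpc.tf.update` validation in this patch enforces, so applying both files as written fails `terraform validate` before anything is planned. The comment above it says omitting the value yields null and no attachments, so a placeholder that actually has that effect is safer, e.g. `tgw_environment = null`, or leave the assignment commented out until a real VRF is chosen.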
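Review bot: The validation condition references `vr.tgw_environment`; there is no `vr` object, so Terraform rejects the configuration at parse time and the `|| contains(...)` branch is never evaluated. It should read `condition = var.tgw_environment == null || contains(["services", "dev", "test", "stage", "prod", "cre"], var.tgw_environment)`. The `description` lists `network` as a valid route table while the `contains()` list has `cre` instead; one of the two is wrong, and the mismatch sends operators to a value the validation refuses. The first comment line also has `defintions` for `definitions`.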
@@ -0,0 +1,96 @@
+# establish the additional providers needed for self and peer. For commercial, there will be several peers
+# though we have not worked out that configuration. We may split the provider parts out to a different file.
+
+provider "aws" {
+ alias = "network_account"
+ region = var.region
+ profile = var.network_account_profile
+}
+
+provider "aws" {
+ alias = "tgw_self"
+ region = var.region
+ profile = var.network_account_profile
+}
+
+provider "aws" {
+ alias = "tgw_peer"
+ region = var.region == "us-gov-east-1" ? "us-gov-west-1" : "us-gov-east-1"
+ profile = var.network_account_profile
+}
+
+# this is a three part setup, but due to proper referencing it will do them in the correct order
+# first, we need to get data, then do self, and then do peer
+# this expects in the network account for the environment, two managed prefixe lists are setup, one for all CIDR blocks handled
+# by TGW (transit-gateway.{label}) and another for VPNs back to on-prem (vpn-transit-gateway.{label}).
+
+module "vpc_tgw_data" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_self
+ aws.peer = aws.tgw_peer
+ }
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ vpn_route_prefix_list_name = format("vpn-transit-gateway.%v", var.tgw_label)
+}
+
+
+# call once for self, once for each peer (if we have multiple regions for peers, change the peer to each region)
+# note the self must be done before the peer
+
+module "vpc_tgw_self" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/self?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_self
+ aws.peer = aws.tgw_peer
+ }
+ count = var.tgw_environment != null ? 1 : 0
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ vpn_route_prefix_list_name = format("vpn-transit-gateway.%v", var.tgw_label)
+ data_input = module.vpc_tgw_data.data_output
+}
+
+module "vpc_tgw_peer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/peer?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_self
+ aws.peer = aws.tgw_peer
+ }
+ count = var.tgw_environment != null ? 1 : 0
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = module.routing.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ vpn_route_prefix_list_name = format("vpn-transit-gateway.%v", var.tgw_label)
+ data_input = module.vpc_tgw_data.data_output
+
+ depends_on = [module.vpc_tgw_self]
+}
+
diff --git a/examples/vpc-transit-gateway-attachment/vpc.tf.update b/examples/vpc-transit-gateway-attachment/vpc.tf.update
new file mode 100644
index 0000000..dff4218
--- /dev/null
+++ b/examples/vpc-transit-gateway-attachment/vpc.tf.update
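Review bot: All three module `source` strings here (and the `module "vpc"` source in `vpc.tf.update` in this patch) pin to `?ref=tf-upgrade`, a moving branch, so the code `terraform init` pulls can change between runs with no change to this repository; pin to a release tag or commit SHA instead, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=<TAG_OR_COMMIT>"`. `module "vpc_tgw_data"` has no `count` guard while `vpc_tgw_self` and `vpc_tgw_peer` are gated on `var.tgw_environment != null`, so the network-account lookups (and the cross-account credentials they require) run even for VPCs that are not meant to be attached; adding `count = var.tgw_environment != null ? 1 : 0` to the data module and changing the two consumers to `data_input = module.vpc_tgw_data[0].data_output` keeps the three blocks consistent. The `tgw_self` provider alias uses `var.network_account_profile`, the same profile as `network_account` and `tgw_peer`; if "self" is meant to be the VPC owner's own account this reads like a copy-paste and should use that account's credentials — confirm against the identity the module expects for `aws.self`. The `tgw_peer` region is hard-coded to the GovCloud pair even though the header comment anticipates commercial peers.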
@@ -0,0 +1,23 @@
+# update the module.vpc to add the tgw_environment=var.tgw_environment line. This is so a VPC configuration
+# file can be created in setup/ which will be used for updating routing on the on-prem ASRs through TGG
+
+module "vpc" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc?ref=tf-upgrade"
+
+ vpc_name = var.vpc_name
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_index = var.vpc_index
+ vpc_short_name = var.vpc_short_name
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ vpc_domain_name = var.vpc_domain_name
+ vpc_dns_servers = var.vpc_dns_servers
+ vpc_ntp_servers = var.vpc_ntp_servers
+ enable_aws_dns = var.vpc_enable_awsdns
+ tgw_environment = var.tgw_environment
+
+ tags = merge(
+ local.tags,
+ tomap({ "boc:tgw_environment" = var.tgw_environment }),
+ )
+}
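Review bot: `tomap({ "boc:tgw_environment" = var.tgw_environment })` is merged into `tags` unconditionally, and `tgw_environment` defaults to null, so every VPC that is not attached carries a tag whose value is null; the AWS provider does not accept null elements in `tags`, so the default case most likely fails at plan time — confirm against the provider version in use. Guard the tag the same way the attachment modules are guarded: `var.tgw_environment == null ? {} : { "boc:tgw_environment" = var.tgw_environment }`. The header comment's `TGG` looks like a typo for `TGW`.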