start vpc-transit-gateway-association

vpc-transit-gateway-association/credentials.vpc-transit-gateway.tf

@@ -0,0 +1,11 @@
+provider "aws" {
+  alias   = "tgw_west"
+  region  = "us-gov-west-1"
+  profile = var.network_account_profile
+}
+
+provider "aws" {
+  alias   = "tgw_east"
+  region  = "us-gov-east-1"
+  profile = var.network_account_profile
+}

vpc-transit-gateway-association/data.tf

@@ -0,0 +1 @@
+../common/data.tf

vpc-transit-gateway-association/data.transit-gateway.tf

@@ -0,0 +1,15 @@
+data "aws_ec2_transit_gateway" "tgw_east" {
+  provider = aws.tgw_east
+  filter {
+    name   = "owner-id"
+    values = [data.aws_arn.network_account.account]
+  }
+}
+
+data "aws_ec2_transit_gateway" "tgw_west" {
+  provider = aws.tgw_west
+  filter {
+    name   = "owner-id"
+    values = [data.aws_arn.network_account.account]
+  }
+}

vpc-transit-gateway-association/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

vpc-transit-gateway-association/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

vpc-transit-gateway-association/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

vpc-transit-gateway-association/variables.common.vpc.tf

@@ -0,0 +1 @@
+../common/variables.common.vpc.tf

vpc-transit-gateway-association/variables.create.tf

@@ -0,0 +1 @@
+../common/variables.create.tf

vpc-transit-gateway-association/variables.tf

@@ -0,0 +1,5 @@
+variable "network_account_profile" {
+  description = "AWS profile of the source account sharing the VPC resources"
+  type        = string
+}
+

vpc-transit-gateway-association/version.tf

@@ -0,0 +1 @@
+../common/version.tf

vpc-transit-gateway-association/versions.tf

@@ -0,0 +1 @@
+../common/versions.tf

vpc-transit-gateway-association/vpc-transit-gateway.tf.off

@@ -0,0 +1,225 @@
+locals {
+  trs_region_outputs = data.terraform_remote_state.vpc_east.outputs
+#  tgw_id = local.trs_region_outputs.transit_gateway_id
+#  tgw_id = data.aws_ec2_transit_gateway.gateway_east.id
+  info_vpc = data.terraform_remote_state.vpc.outputs.info_vpc
+}
+
+data "aws_ec2_transit_gateway" "gateway_east" { }
+
+data "aws_ec2_transit_gateway" "gateway_west" {
+  provider = aws.tgw_main_west
+}
+
+data "aws_ec2_transit_gateway_peering_attachment" "peer_west" {
+  provider = aws.tgw_main_west
+  filter {
+    name   = "tag:Name"
+    values = [ "tgw-proto-peer" ]
+  }
+}
+
+locals {
+  transit_gateway_peer_attachment_id_west  = data.aws_ec2_transit_gateway_peering_attachment.peer_west.id
+}
+
+module "routing_attachment" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing"
+  vpc_id = local.vpc_id
+
+  vpc_full_name                = var.vpc_full_name
+  availability_zones           = []
+  private_subnets_ids          = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  create_public_route_table    = false
+  private_route_table_label    = "attachment"
+  enable_igw                   = false
+  enable_nat                   = false
+  enable_vpc_endpoint_s3       = false
+  enable_vpc_endpoint_dynamodb = false
+
+  vpc_name       = var.vpc_name
+  vpc_short_name = var.vpc_short_name
+  vpc_cidr_block = var.vpc_cidr_block
+  vpc_index      = var.vpc_index
+
+  tags = merge(
+    local.common_tags,
+    local.tags,
+  )
+}
+
+# routes to tgw (for now, 10.128/16, should be each of the highest cidr blocks per account). It would be nice to use prefix lists, but not supported in gov
+resource "aws_route" "gateway" {
+  for_each               = module.routing.private_route_table_ids 
+  route_table_id         = each.value
+#  destination_cidr_block = "0.0.0.0/0"
+  destination_cidr_block = "10.128.0.0/16"
+  transit_gateway_id         = data.aws_ec2_transit_gateway.gateway_east.id
+  depends_on = [ aws_ec2_transit_gateway_vpc_attachment.vpc_attachment ]
+}
+
+#---
+# route tables east
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_east" {
+  provider = aws.tgw_main_east
+  filter {
+    name   = "transit-gateway-id"
+    values = [ data.aws_ec2_transit_gateway.gateway_east.id ]
+  }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_east" {
+  provider = aws.tgw_main_east
+  for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_east.ids)
+  id = each.key
+}
+
+locals {
+  transit_gateway_route_table_ids_east = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_east: v.tags["boc:network_vrf"] => k }
+}
+
+#---
+# route tables west
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_west" {
+  provider = aws.tgw_main_west
+  filter {
+    name   = "transit-gateway-id"
+    values = [ data.aws_ec2_transit_gateway.gateway_west.id ]
+  }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_west" {
+  provider = aws.tgw_main_west
+  for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_west.ids)
+  id = each.key
+}
+
+locals {
+  transit_gateway_route_table_ids_west = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_west: v.tags["boc:network_vrf"] => k }
+}
+
+
+#---
+# assocaite this vpc to route table in east
+#---
+resource "aws_ec2_transit_gateway_route_table_association" "route_table" {
+  provider = aws.tgw_main_east
+  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment]
+}
+
+#---
+# attach this vpc to tgw
+#---
+resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
+  subnet_ids                                      = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  transit_gateway_id                              = data.aws_ec2_transit_gateway.gateway_east.id
+  vpc_id                                          = local.vpc_id
+  dns_support                                     = "enable"
+  ipv6_support                                    = "disable"
+  transit_gateway_default_route_table_association = true
+  transit_gateway_default_route_table_propagation = true
+
+  tags = merge(
+    local.common_tags,
+    tomap({ Name = "tgwa-proto-${var.vpc_short_name}-${local.region}" }),
+    tomap({ "boc:tgw_environment" = var.tgw_environment }),
+  )
+}
+
+# will need to adjust this where there are common, services, shared
+data "aws_ec2_transit_gateway_vpc_attachment" "vpc_services" {
+  filter {
+    name   = "tag:boc:tgw_environment"
+    values = ["services"]
+  }
+}
+
+#---
+# propagate services in {environment} route table in east
+#---
+# resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self" {
+#   provider = aws.tgw_main_east
+#   count = var.tgw_environment != "services" ? 1 : 0
+#   transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_vpc_attachment.vpc_services.id
+#   transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment]
+# }
+
+#---
+# also add route to other environment in other region  to peering attachment in west
+#---
+## resource "aws_ec2_transit_gateway_route" "vpc_self_peers" {
+##   provider = aws.tgw_main_west
+##   for_each = var.tgw_environment != "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == var.tgw_environment]) : toset([])
+##   destination_cidr_block = each.key
+##   transit_gateway_attachment_id  = local.transit_gateway_peer_attachment_id_west
+##   transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+## }
+
+# propagate in services to this attachment in all route tables
+resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_services" {
+  provider = aws.tgw_main_east
+  for_each = var.tgw_environment == "services" ? local.transit_gateway_route_table_ids_east :  { for k,v in local.transit_gateway_route_table_ids_east: k => v if k == var.tgw_environment }
+#  count = var.tgw_environment != "services" ? 1 : 0
+  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[each.key]
+}
+
+## # for services, add static IP to all environments in other region to peering attachment
+## resource "aws_ec2_transit_gateway_route" "vpc_services_peers" {
+##   provider = aws.tgw_main_west
+##   for_each = var.tgw_environment == "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != ""]) : toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == "services"]) 
+##   destination_cidr_block = each.key
+##   transit_gateway_attachment_id  = local.transit_gateway_peer_attachment_id_west
+##   transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+## }
+
+# propagate all to inter-region table
+resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_inter-region" {
+  provider = aws.tgw_main_east
+  count = var.tgw_environment != "services" ? 1 : 0
+  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+  transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east["inter-region"]
+}
+
+# peer route tables for our vpc to tgw peer
+locals {
+  peer_rt  = [ for r in keys(local.transit_gateway_route_table_ids_west): r if r!="inter-region" && r!="services" ]
+##   peer_rt0 = { for k,v in local.info_vpc: v.cidr_block => v.tgw_environment if v.region == local.region && v.tgw_environment != "" }
+##   peer_rt1 = transpose({ for k,v in local.info_vpc: v.cidr_block => [ v.tgw_environment ] if v.region == local.region && v.tgw_environment != "" })
+##   peer_rt2 = merge(local.peer_rt1,
+##     { "services" = [ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != "" ] },
+##   )
+##   peer_rt3 = { for v in local.peer_rt2[var.tgw_environment]: format("%v:%v",var.tgw_environment,v) => {
+##     label = format("%v:%v",var.tgw_environment,v),
+##     tgw_environment = var.tgw_environment,
+##     environment = local.peer_rt0[v],
+##     cidr_block = v } 
+##   } 
+}
+
+# for services, add static IP to all environments in other region to peering attachment
+resource "aws_ec2_transit_gateway_route" "peer_vpc_environment" {
+  provider = aws.tgw_main_west
+  destination_cidr_block = var.vpc_cidr_block
+  transit_gateway_attachment_id  = local.transit_gateway_peer_attachment_id_west
+  transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+}
+
+resource "aws_ec2_transit_gateway_route" "peer_vpc_to_services" {
+  provider = aws.tgw_main_west
+  count = var.tgw_environment != "services" ? 1 : 0
+  destination_cidr_block = var.vpc_cidr_block
+  transit_gateway_attachment_id  = local.transit_gateway_peer_attachment_id_west
+  transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west["services"]
+}
+
+resource "aws_ec2_transit_gateway_route" "peer_vpc_services" {
+  provider = aws.tgw_main_west
+  for_each = var.tgw_environment == "services" ? local.peer_rt : toset([])
+  destination_cidr_block = var.vpc_cidr_block
+  transit_gateway_attachment_id  = local.transit_gateway_peer_attachment_id_west
+  transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[each.key]
+}