From ac57ffc523d3711f5f7f375d076a49c9c6a86265 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 12 Oct 2022 12:14:46 -0400
Subject: [PATCH] start vpc-transit-gateway-association
---
 .../credentials.vpc-transit-gateway.tf | 11 +
 vpc-transit-gateway-association/data.tf | 1 +
 .../data.transit-gateway.tf | 15 ++
 vpc-transit-gateway-association/defaults.tf | 1 +
 vpc-transit-gateway-association/prefixes.tf | 1 +
 .../variables.common.tf | 1 +
 .../variables.common.vpc.tf | 1 +
 .../variables.create.tf | 1 +
 vpc-transit-gateway-association/variables.tf | 5 +
 vpc-transit-gateway-association/version.tf | 1 +
 vpc-transit-gateway-association/versions.tf | 1 +
 .../vpc-transit-gateway.tf.off | 225 ++++++++++++++++++
 12 files changed, 264 insertions(+)
 create mode 100644 vpc-transit-gateway-association/credentials.vpc-transit-gateway.tf
 create mode 120000 vpc-transit-gateway-association/data.tf
 create mode 100644 vpc-transit-gateway-association/data.transit-gateway.tf
 create mode 120000 vpc-transit-gateway-association/defaults.tf
 create mode 120000 vpc-transit-gateway-association/prefixes.tf
 create mode 120000 vpc-transit-gateway-association/variables.common.tf
 create mode 120000 vpc-transit-gateway-association/variables.common.vpc.tf
 create mode 120000 vpc-transit-gateway-association/variables.create.tf
 create mode 100644 vpc-transit-gateway-association/variables.tf
 create mode 120000 vpc-transit-gateway-association/version.tf
 create mode 120000 vpc-transit-gateway-association/versions.tf
 create mode 100644 vpc-transit-gateway-association/vpc-transit-gateway.tf.off
diff --git a/vpc-transit-gateway-association/credentials.vpc-transit-gateway.tf b/vpc-transit-gateway-association/credentials.vpc-transit-gateway.tf
new file mode 100644
index 0000000..f7c439e
--- /dev/null
+++ b/vpc-transit-gateway-association/credentials.vpc-transit-gateway.tf
@@ -0,0 +1,11 @@
+provider "aws" {
+ alias = "tgw_west"
+ region = "us-gov-west-1"
+ profile = var.network_account_profile
+}
+
+provider "aws" {
+ alias = "tgw_east"
+ region = "us-gov-east-1"
+ profile = var.network_account_profile
+}
diff --git a/vpc-transit-gateway-association/data.tf b/vpc-transit-gateway-association/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/vpc-transit-gateway-association/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/data.transit-gateway.tf b/vpc-transit-gateway-association/data.transit-gateway.tf
new file mode 100644
index 0000000..f89e4af
--- /dev/null
+++ b/vpc-transit-gateway-association/data.transit-gateway.tf
@@ -0,0 +1,15 @@
+data "aws_ec2_transit_gateway" "tgw_east" {
+ provider = aws.tgw_east
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+data "aws_ec2_transit_gateway" "tgw_west" {
+ provider = aws.tgw_west
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
diff --git a/vpc-transit-gateway-association/defaults.tf b/vpc-transit-gateway-association/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/vpc-transit-gateway-association/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/prefixes.tf b/vpc-transit-gateway-association/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/vpc-transit-gateway-association/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/variables.common.tf b/vpc-transit-gateway-association/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/vpc-transit-gateway-association/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
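Review bot: Both the `tgw_west` and `tgw_east` providers take their identity solely from `profile = var.network_account_profile`, with nothing pinning which account that profile must resolve to, yet every cross-account route-table change in this directory is made through them; a stale or mistyped profile would plan against whatever account the operator's local credentials happen to reach. Add `allowed_account_ids = [data.aws_arn.network_account.account]` to both blocks so a wrong profile fails at plan time rather than after writes (that ARN data source is already what data.transit-gateway.tf filters the gateway on; its definition is not in this patch, presumably it arrives through the `data.tf` symlink). A named profile also ties the module to a workstation-level AWS config; an `assume_role` block naming the network-account role would make the cross-account hop explicit in code and in the audit trail.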
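Review bot: `data "aws_ec2_transit_gateway" "tgw_east"` and `"tgw_west"` select the gateway by `owner-id` alone, and this data source errors as soon as more than one gateway matches, so the first time the network account owns a second gateway in a region (a migration or test gateway) every plan in this directory breaks; add a second constraint such as `filter { name = "tag:Name" values = [var.transit_gateway_name] }` backed by a variable you declare for it, or look the gateway up by `id`. The owner-id pin itself is the right control, since it stops a gateway shared into this account from some other owner being attached, so keep it alongside the name. `data.aws_arn.network_account` is not declared in this patch; I assume it comes from `../common/data.tf` via the symlink.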
diff --git a/vpc-transit-gateway-association/variables.common.vpc.tf b/vpc-transit-gateway-association/variables.common.vpc.tf
new file mode 120000
index 0000000..5e77d37
--- /dev/null
+++ b/vpc-transit-gateway-association/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/variables.create.tf b/vpc-transit-gateway-association/variables.create.tf
new file mode 120000
index 0000000..de1275b
--- /dev/null
+++ b/vpc-transit-gateway-association/variables.create.tf
@@ -0,0 +1 @@
+../common/variables.create.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/variables.tf b/vpc-transit-gateway-association/variables.tf
new file mode 100644
index 0000000..95c5afd
--- /dev/null
+++ b/vpc-transit-gateway-association/variables.tf
@@ -0,0 +1,5 @@
+variable "network_account_profile" {
+ description = "AWS profile of the source account sharing the VPC resources"
+ type = string
+}
+
diff --git a/vpc-transit-gateway-association/version.tf b/vpc-transit-gateway-association/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/vpc-transit-gateway-association/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/versions.tf b/vpc-transit-gateway-association/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/vpc-transit-gateway-association/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/vpc-transit-gateway.tf.off b/vpc-transit-gateway-association/vpc-transit-gateway.tf.off
new file mode 100644
index 0000000..6567821
--- /dev/null
+++ b/vpc-transit-gateway-association/vpc-transit-gateway.tf.off
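Review bot: The description of `network_account_profile`, `"AWS profile of the source account sharing the VPC resources"`, reads as carried over from another module; here the variable feeds the `tgw_east`/`tgw_west` providers that act inside the account owning the transit gateways, and the text says neither that nor that the profile must be usable in both GovCloud regions. Suggest `description = "AWS CLI profile for the network account that owns the transit gateways in us-gov-east-1 and us-gov-west-1; transit gateway route tables are modified with these credentials"`. A one-line comment above the block pointing at credentials.vpc-transit-gateway.tf as the only consumer would also help the next reader see the blast radius of this value.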
@@ -0,0 +1,225 @@
+locals {
+ trs_region_outputs = data.terraform_remote_state.vpc_east.outputs
+# tgw_id = local.trs_region_outputs.transit_gateway_id
+# tgw_id = data.aws_ec2_transit_gateway.gateway_east.id
+ info_vpc = data.terraform_remote_state.vpc.outputs.info_vpc
+}
+
+data "aws_ec2_transit_gateway" "gateway_east" { }
+
+data "aws_ec2_transit_gateway" "gateway_west" {
+ provider = aws.tgw_main_west
+}
+
+data "aws_ec2_transit_gateway_peering_attachment" "peer_west" {
+ provider = aws.tgw_main_west
+ filter {
+ name = "tag:Name"
+ values = [ "tgw-proto-peer" ]
+ }
+}
+
+locals {
+ transit_gateway_peer_attachment_id_west = data.aws_ec2_transit_gateway_peering_attachment.peer_west.id
+}
+
+module "routing_attachment" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ availability_zones = []
+ private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ create_public_route_table = false
+ private_route_table_label = "attachment"
+ enable_igw = false
+ enable_nat = false
+ enable_vpc_endpoint_s3 = false
+ enable_vpc_endpoint_dynamodb = false
+
+ vpc_name = var.vpc_name
+ vpc_short_name = var.vpc_short_name
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_index = var.vpc_index
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+# routes to tgw (for now, 10.128/16, should be each of the highest cidr blocks per account). It would be nice to use prefix lists, but not supported in gov
+resource "aws_route" "gateway" {
+ for_each = module.routing.private_route_table_ids
+ route_table_id = each.value
+# destination_cidr_block = "0.0.0.0/0"
+ destination_cidr_block = "10.128.0.0/16"
+ transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id
+ depends_on = [ aws_ec2_transit_gateway_vpc_attachment.vpc_attachment ]
+}
+
+#---
+# route tables east
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_east" {
+ provider = aws.tgw_main_east
+ filter {
+ name = "transit-gateway-id"
+ values = [ data.aws_ec2_transit_gateway.gateway_east.id ]
+ }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_east" {
+ provider = aws.tgw_main_east
+ for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_east.ids)
+ id = each.key
+}
+
+locals {
+ transit_gateway_route_table_ids_east = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_east: v.tags["boc:network_vrf"] => k }
+}
+
+#---
+# route tables west
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_west" {
+ provider = aws.tgw_main_west
+ filter {
+ name = "transit-gateway-id"
+ values = [ data.aws_ec2_transit_gateway.gateway_west.id ]
+ }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_west" {
+ provider = aws.tgw_main_west
+ for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_west.ids)
+ id = each.key
+}
+
+locals {
+ transit_gateway_route_table_ids_west = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_west: v.tags["boc:network_vrf"] => k }
+}
+
+
+#---
+# assocaite this vpc to route table in east
+#---
+resource "aws_ec2_transit_gateway_route_table_association" "route_table" {
+ provider = aws.tgw_main_east
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment]
+}
+
+#---
+# attach this vpc to tgw
+#---
+resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
+ subnet_ids = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id
+ vpc_id = local.vpc_id
+ dns_support = "enable"
+ ipv6_support = "disable"
+ transit_gateway_default_route_table_association = true
+ transit_gateway_default_route_table_propagation = true
+
+ tags = merge(
+ local.common_tags,
+ tomap({ Name = "tgwa-proto-${var.vpc_short_name}-${local.region}" }),
+ tomap({ "boc:tgw_environment" = var.tgw_environment }),
+ )
+}
+
+# will need to adjust this where there are common, services, shared
+data "aws_ec2_transit_gateway_vpc_attachment" "vpc_services" {
+ filter {
+ name = "tag:boc:tgw_environment"
+ values = ["services"]
+ }
+}
+
+#---
+# propagate services in {environment} route table in east
+#---
+# resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self" {
+# provider = aws.tgw_main_east
+# count = var.tgw_environment != "services" ? 1 : 0
+# transit_gateway_attachment_id = data.aws_ec2_transit_gateway_vpc_attachment.vpc_services.id
+# transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment]
+# }
+
+#---
+# also add route to other environment in other region to peering attachment in west
+#---
+## resource "aws_ec2_transit_gateway_route" "vpc_self_peers" {
+## provider = aws.tgw_main_west
+## for_each = var.tgw_environment != "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == var.tgw_environment]) : toset([])
+## destination_cidr_block = each.key
+## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+## }
+
+# propagate in services to this attachment in all route tables
+resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_services" {
+ provider = aws.tgw_main_east
+ for_each = var.tgw_environment == "services" ? local.transit_gateway_route_table_ids_east : { for k,v in local.transit_gateway_route_table_ids_east: k => v if k == var.tgw_environment }
+# count = var.tgw_environment != "services" ? 1 : 0
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[each.key]
+}
+
+## # for services, add static IP to all environments in other region to peering attachment
+## resource "aws_ec2_transit_gateway_route" "vpc_services_peers" {
+## provider = aws.tgw_main_west
+## for_each = var.tgw_environment == "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != ""]) : toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == "services"])
+## destination_cidr_block = each.key
+## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+## }
+
+# propagate all to inter-region table
+resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_inter-region" {
+ provider = aws.tgw_main_east
+ count = var.tgw_environment != "services" ? 1 : 0
+ transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east["inter-region"]
+}
+
+# peer route tables for our vpc to tgw peer
+locals {
+ peer_rt = [ for r in keys(local.transit_gateway_route_table_ids_west): r if r!="inter-region" && r!="services" ]
+## peer_rt0 = { for k,v in local.info_vpc: v.cidr_block => v.tgw_environment if v.region == local.region && v.tgw_environment != "" }
+## peer_rt1 = transpose({ for k,v in local.info_vpc: v.cidr_block => [ v.tgw_environment ] if v.region == local.region && v.tgw_environment != "" })
+## peer_rt2 = merge(local.peer_rt1,
+## { "services" = [ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != "" ] },
+## )
+## peer_rt3 = { for v in local.peer_rt2[var.tgw_environment]: format("%v:%v",var.tgw_environment,v) => {
+## label = format("%v:%v",var.tgw_environment,v),
+## tgw_environment = var.tgw_environment,
+## environment = local.peer_rt0[v],
+## cidr_block = v }
+## }
+}
+
+# for services, add static IP to all environments in other region to peering attachment
+resource "aws_ec2_transit_gateway_route" "peer_vpc_environment" {
+ provider = aws.tgw_main_west
+ destination_cidr_block = var.vpc_cidr_block
+ transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
+}
+
+resource "aws_ec2_transit_gateway_route" "peer_vpc_to_services" {
+ provider = aws.tgw_main_west
+ count = var.tgw_environment != "services" ? 1 : 0
+ destination_cidr_block = var.vpc_cidr_block
+ transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west["services"]
+}
+
+resource "aws_ec2_transit_gateway_route" "peer_vpc_services" {
+ provider = aws.tgw_main_west
+ for_each = var.tgw_environment == "services" ? local.peer_rt : toset([])
+ destination_cidr_block = var.vpc_cidr_block
+ transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
+ transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[each.key]
+}
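Review bot: `aws_ec2_transit_gateway_vpc_attachment.vpc_attachment` sets `transit_gateway_default_route_table_association = true` and `transit_gateway_default_route_table_propagation = true` while the explicit `aws_ec2_transit_gateway_route_table_association.route_table` and the propagation resources below choose tables by `boc:network_vrf`; an attachment holds a single association, so if the owner's gateway has a default table the VPC may land in it (and propagate its CIDR there) before the explicit association is applied, cutting across the per-VRF segmentation this file builds, and for a RAM-shared gateway the provider cannot set or drift-detect these two arguments at all. Set both to `false` so the explicit resources are the only thing that decides which VRF sees this VPC. The file is `.off` and not evaluated yet, but once enabled it will not validate: providers are referenced as `aws.tgw_main_east`/`aws.tgw_main_west` while credentials.vpc-transit-gateway.tf declares `tgw_east`/`tgw_west`, `aws_route.gateway` iterates `module.routing.private_route_table_ids` but the module is named `routing_attachment`, `data "aws_ec2_transit_gateway" "gateway_east" { }` duplicates the owner-filtered `tgw_east` lookup from data.transit-gateway.tf with no owner pin, and `for_each = ... ? local.peer_rt : toset([])` likely needs `toset(local.peer_rt)` since `peer_rt` is a list. The module source `git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing` carries no `?ref=`, so each init tracks the repository's default branch; pin it to a tag or commit so a push there cannot change what this association applies.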