add vpn-transit-gateway

CHANGELOG.md

@@ -101,4 +101,8 @@
   - vpc-interface-endpoint
     - permit use of aws.* name in service
 
+* 1.6.0 -- 20220226
+  - vpn-transit-gateway
+    - setup vpn configurations for the transit gateway
+
 ## Version 2.x

common/defaults.tf

@@ -46,5 +46,6 @@ locals {
       "additional" = []
       "peers"      = []
     }
+    "transit-gateway-environments" = ["services", "dev", "test", "stage", "prod", "cre"]
   }
 }

common/prefixes.tf

@@ -9,20 +9,25 @@ locals {
     "group"          = "g-"
     "security-group" = "" # "sg-"
     # VPC
-    "vpc"              = ""
-    "dhcp-options"     = ""
-    "vpc-peer"         = "vpcp-"
-    "route-table"      = "route-"
-    "subnet"           = ""
-    "vpc-endpoint"     = "vpce-"
-    "elastic-ip"       = "eip-"
-    "nat-gateway"      = "nat-"
-    "internet-gateway" = "igw-"
-    "network-acl"      = "nacl-"
-    "customer-gateway" = "cgw-"
-    "vpn-gateway"      = "vpcg-"
-    "vpn-connection"   = "vpn_"
-    "log-group"        = "lg-"
-    "log-stream"       = "lgs-"
+    "vpc"                         = ""
+    "dhcp-options"                = ""
+    "vpc-peer"                    = "vpcp-"
+    "route-table"                 = "route-"
+    "subnet"                      = ""
+    "vpc-endpoint"                = "vpce-"
+    "elastic-ip"                  = "eip-"
+    "nat-gateway"                 = "nat-"
+    "internet-gateway"            = "igw-"
+    "network-acl"                 = "nacl-"
+    "customer-gateway"            = "cgw-"
+    "vpn-gateway"                 = "vpcg-"
+    "vpn-connection"              = "vpn_"
+    "log-group"                   = "lg-"
+    "log-stream"                  = "lgs-"
+    "transit-gateway"             = "tgw-"
+    "transit-gateway-peer"        = "tgwp-"
+    "transit-gateway-route-table" = "tgwr-"
+    "transit-gateway-attachment"  = "tgwa-"
+    "transit-gateway-vpn"         = "tgwv-"
   }
 }

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.5.1"
+  _module_version = "1.6.0"
 }

examples/dns-vpc-region-vpcN/apps/dns/zones.tf

@@ -21,8 +21,10 @@ locals {
 #   need to pull this ando ther forward zones up to vpc/apps/dns
 #---
 data "aws_route53_zone" "domain_zone" {
-  count = var.dns_zone_create ? 0 : 1
-  name  = local.domain_name
+  #  provider = aws.east
+  count        = var.dns_zone_create ? 0 : 1
+  name         = local.domain_name
+  private_zone = true
 }
 
 resource "aws_route53_zone" "domain_zone" {
@@ -50,15 +52,16 @@ resource "aws_route53_zone" "domain_zone" {
 
 resource "aws_route53_vpc_association_authorization" "west_domain_zone" {
   #  provider = aws.west_main_dns
-  for_each   = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  #  for_each   = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  for_each   = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
   zone_id    = each.value.zone_id
   vpc_region = "us-gov-west-1"
   vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
 }
 
 resource "aws_route53_zone_association" "west_domain_zone" {
   provider = aws.west_main_dns
-  for_each = aws_route53_vpc_association_authorization.west_domain_zone
+  for_each = var.dns_zone_create ? aws_route53_vpc_association_authorization.west_domain_zone : {}
 
   zone_id    = each.value.zone_id
   vpc_id     = each.value.vpc_id
@@ -74,7 +77,8 @@ resource "aws_route53_zone_association" "west_domain_zone" {
 
 resource "aws_route53_vpc_association_authorization" "east_domain_zone" {
   #  provider = aws.east_main_dns
-  for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  #  for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  for_each = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
 
   zone_id    = each.value.zone_id
   vpc_region = "us-gov-east-1"
@@ -83,7 +87,7 @@ resource "aws_route53_vpc_association_authorization" "east_domain_zone" {
 
 resource "aws_route53_zone_association" "east_domain_zone" {
   provider   = aws.east_main_dns
-  for_each   = aws_route53_vpc_association_authorization.east_domain_zone
+  for_each   = var.dns_zone_create ? aws_route53_vpc_association_authorization.east_domain_zone : {}
   zone_id    = each.value.zone_id
   vpc_id     = each.value.vpc_id
   vpc_region = each.value.vpc_region

examples/ec2-vpc-region-vpcN-new/apps/test-instances/ec2.tf

@@ -18,7 +18,7 @@ resource "aws_instance" "test" {
   for_each = var.enable_instances ? { for k in local.private_subnets_id_list : k => local.private_subnets_id_map[k] } : {}
 
   ami                    = local.ami
-  instance_type          = local.my_instance_type
+  instance_type          = local.instance_type
   availability_zone      = each.value.availability_zone
   key_name               = local.key_name
   subnet_id              = each.value.id

vpn-transit-gateway/data.tf

@@ -0,0 +1 @@
+../common/data.tf

vpn-transit-gateway/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

vpn-transit-gateway/main.tf

@@ -0,0 +1,189 @@
+/*
+* # About aws-vpc-setup :: vpn-transit-gateway
+* 
+* This sets up a VPN for the specified site (hq or bcc) and all the necessary related components:
+* * customer gateway per site, environment and sequence
+* * vpn connection to the transit gateway
+*
+* It generates a password for each site and uses the same one for each of the site's two tunnels.
+*
+* To download the configuration, follow these directions [page 24 from AWS docs](https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf):
+*
+* > To download the configuration file
+* > 1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+* > 1. In the navigation pane, choose Site-to-Site VPN Connections.
+* > 1. Select your VPN connection and choose Download Configuration.
+* > 1. Select the vendor, platform, and software that corresponds to your customer gateway device or
+* > 1oftware. If your device is not listed, choose Generic. Choose Download.
+* >    * Vendor: Cisco Systems, Inc.
+* >    * Platform: Cisco ASR 1000
+* >    * Software: IOS 12.4+
+*
+* # Usage
+* 
+* ```hcl
+* module "vpn_transit-gateway" {
+*   source          = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn-transit-gateway"
+*   create          = true
+*   transit_gateway_id = "tgw-12345678"
+*   vpc_id          = "vpc-1234568"
+*   vpc_full_name   = "vpc2-dice-dev"
+*   tgw_environment = "dev"
+*   vpn_settings = [ 
+*     { site = "hq",   environment = "dev", sequence = 1, "bgp_asn_id" = 65510, "ip_address" = "148.129.160.100" },
+*     { site = "bcc",  environment = "dev", sequence = 1, "bgp_asn_id" = 65511, "ip_address" = "148.129.90.100" },
+*   ]
+*   tags            = {}
+*
+*  # optional
+*  # use_tgw_prefixes = true
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region              = data.aws_region.current.name
+
+  _vpn_settings = [for v in var.vpn_settings : merge(v, {
+    site        = lower(v.site)
+    environment = lower(v.environment)
+    label       = format("%v-%v-%v", lower(v.site), lower(v.environment), v.sequence)
+    is_valid    = contains(local._defaults["transit-gateway-environments"], lower(v.environment))
+  })]
+  vpn_settings = var.create ? { for v in local._vpn_settings : v.label => v if v.is_valid } : {}
+  tgw_route_table_propagation = length(var.tgw_route_table_propagation) > 0 && length(local.vpn_settings) > 0 ? { for p in setproduct(keys(local.vpn_settings), var.tgw_route_table_propagation) : format("%v:%v", p[0], p[1]) => {
+    label           = format("%v:%v", p[0], p[1])
+    vpn_label       = p[0]
+    tgw_route_table = p[1]
+  } } : {}
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+
+  #  vpn_gateway = element(concat(aws_vpn_gateway.vpn[*].id, list("")), 0)
+}
+
+
+## #---
+## # vpn gateway (one per vpc)
+## #---
+## resource "aws_vpn_gateway" "vpn" {
+##   count  = var.create ? 1 : 0
+##   vpc_id = var.vpc_id
+## 
+##   tags = merge(
+##     local.base_tags,
+##     var.tags,
+##     map("Name", format("%v%v", local._prefixes["vpn-gateway"], var.vpc_full_name))
+##   )
+## }
+## 
+## resource "aws_vpn_gateway_attachment" "vpn" {
+##   count          = var.create ? 1 : 0
+##   vpc_id         = var.vpc_id
+##   vpn_gateway_id = local.vpn_gateway
+## }
+
+#---
+# customer gateway, one per vpc per site
+#---
+resource "aws_customer_gateway" "vpn" {
+  for_each   = var.create ? local.vpn_settings : {}
+  bgp_asn    = each.value.bgp_asn_id
+  ip_address = each.value.ip_address
+  type       = "ipsec.1"
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    {
+      Name                  = format("%v%v%v", (var.use_tgw_prefixes ? local._prefixes["transit-gateway-vpn"] : ""), local._prefixes["customer-gateway"], each.key)
+      "boc:tgw_environment" = var.tgw_environment
+    },
+  )
+}
+
+#---
+# vpn pre-shared key (same for each tunnel per site, one per site)
+#---
+resource "random_string" "tunnel_preshared_key" {
+  for_each         = var.create ? local.vpn_settings : {}
+  length           = 32
+  special          = true
+  override_special = "._"
+}
+
+#---
+# vpn connection, one per vpn endpoint
+#---
+resource "aws_vpn_connection" "vpn" {
+  for_each = var.create ? local.vpn_settings : {}
+  type     = aws_customer_gateway.vpn[each.key]
+
+  transit_gateway_id  = var.transit_gateway_id
+  customer_gateway_id = aws_customer_gateway.vpn[each.key].id
+  enable_acceleration = false
+
+  tunnel1_preshared_key = length(each.value.preshared_keys) == 0 ? random_string.tunnel_preshared_key[each.key].result : element(each.value.preshared_keys, 0)
+  tunnel2_preshared_key = length(each.value.preshared_keys) == 0 ? random_string.tunnel_preshared_key[each.key].result : element(each.value.preshared_keys, 1)
+
+  tunnel1_inside_cidr = length(each.value.tunnel_ips) == 0 ? null : element(each.value.tunnel_ips, 0)
+  tunnel2_inside_cidr = length(each.value.tunnel_ips) == 0 ? null : element(each.value.tunnel_ips, 1)
+
+  static_routes_only = false
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    {
+      Name                  = format("%v%v%v", (var.use_tgw_prefixes ? local._prefixes["transit-gateway-vpn"] : ""), local._prefixes["vpn-connection"], each.key)
+      "boc:tgw_environment" = var.tgw_environment
+    },
+  )
+}
+
+
+## #---
+## # vpn routes and propagation
+## #---
+## # do not use connection routes for vpn bgp dynamic routing
+## # assumes dynamic routing only, so this is commented out and will need to be re-worked if static is desired
+## #resource "aws_vpn_connection_route" "vpn" {
+## #  count                  = var.vpc_vpn_dynamic_routing ? 0 : length(var.network_census)
+## #  destination_cidr_block = var.network_census[count.index]
+## #  vpn_connection_id      = aws_vpn_connection.vpn.id
+## #}
+## 
+## locals {
+##   vpn_route_table_ids = [
+##     for pair in setproduct(keys(local.vpn_settings), var.route_table_ids) : {
+##       site           = pair[0]
+##       route_table_id = pair[1]
+##     }
+##   ]
+## }
+## 
+## # use this resource, do not use propagating_vgws on the route tables. Need this for one per route table ID
+## resource "aws_vpn_gateway_route_propagation" "vpn" {
+##   for_each = var.create ? { for v in local.vpn_route_table_ids : "${v.site}.${v.route_table_id}" => v } : {}
+## 
+##   #  vpn_gateway_id = aws_vpn_gateway.vpn.id
+##   vpn_gateway_id = local.vpn_gateway
+##   route_table_id = each.value.route_table_id
+## }
+
+resource "aws_ec2_transit_gateway_route_table_association" "route_table" {
+  for_each                       = var.create ? local.vpn_settings : {}
+  transit_gateway_attachment_id  = aws_vpn_connection.vpn[each.key].transit_gateway_attachment_id
+  transit_gateway_route_table_id = var.tgw_route_table_association
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "propagate" {
+  for_each                       = var.create ? local.tgw_route_table_propagation : {}
+  transit_gateway_attachment_id  = aws_vpn_connection.vpn[each.value.vpn_label].transit_gateway_attachment_id
+  transit_gateway_route_table_id = each.value.tgw_route_table
+}

vpn-transit-gateway/outputs.tf

@@ -0,0 +1,22 @@
+output "vpn_tunnel_endpoints" {
+  description = "VPN Tunnel Endpoint IP Addresses"
+  value = { for k in keys(local._vpn_settings) : k => {
+    site             = k
+    customer_address = aws_customer_gateway.vpn[k].ip_address
+    bgp_asn          = aws_customer_gateway.vpn[k].bgp_asn
+    tunnel1_bgp_asn  = aws_vpn_connection.vpn[k].tunnel1_bgp_asn
+    tunnel2_bgp_asn  = aws_vpn_connection.vpn[k].tunnel2_bgp_asn
+    tunnel1_address  = aws_vpn_connection.vpn[k].tunnel1_address
+    tunnel2_address  = aws_vpn_connection.vpn[k].tunnel2_address
+    }
+  }
+}
+
+output "vpn_labels" {
+  description = "VPN Labels for Description field of Endpoint device (Cisco ASR)"
+  value = { for k in keys(local._vpn_settings) : k => {
+    site  = k
+    label = format("aws:%v:%v:%v:%v", local.region, local.account_id, aws_vpn_connection.vpn[k].id, var.vpc_full_name)
+    }
+  }
+}

vpn-transit-gateway/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

vpn-transit-gateway/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

vpn-transit-gateway/variables.common.vpc.tf

@@ -0,0 +1 @@
+../common/variables.common.vpc.tf

vpn-transit-gateway/variables.common.vpc_id.tf

@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf

vpn-transit-gateway/variables.create.tf

@@ -0,0 +1 @@
+../common/variables.create.tf