Merge pull request #15 from terraform-modules/feature-enhance-routing

update routing, vpc endpoint

CHANGELOG.md

@@ -2,81 +2,81 @@
 
 ## Version 1.x
 
-* v1.0.0 -- 20210502
+* 1.0.0 -- 20210502
   - initial creation
 
-* v1.0.1 -- 20210504
+* 1.0.1 -- 20210504
   - security-groups
     - add default security group
   - vpc
     - add default route table (main)
   - vpn
     - add bgp_asn to output
 
-* v1.0.2 -- 20210505
+* 1.0.2 -- 20210505
   - add nacls, nacls-rules
   - move variables into more common things and make links
 
-* v1.0.3 -- 20210512
+* 1.0.3 -- 20210512
   - security-groups
     - add output of security_groups map(object{name,id,arn})
 
-* v1.0.4 -- 20210514
+* 1.0.4 -- 20210514
   - flowlogs
     - setup flow logs
 
-* v1.0.5 -- 20210531
+* 1.0.5 -- 20210531
   - peer
     - setup peer 
 
-* v1.1.0 -- 20210625
+* 1.1.0 -- 20210625
   - vpc
     - add enable_aws_dns to use the AmazonDNS Route53 DNS
 
-* v1.1.1 -- 20210629
+* 1.1.1 -- 20210629
   - peer
     - add output of nacl_info
 
-* v1.1.2 -- 20210702
+* 1.1.2 -- 20210702
   - routing
     - export vpc s3 and dynamodb cidr blocks too, change the way the structure is constructed
 
-* v1.1.3 -- 20210708
+* 1.1.3 -- 20210708
   - subnets
     - add per-subnet tags
 
-* v1.1.4 -- 20210709
+* 1.1.4 -- 20210709
   - vpn
     - add custom_preshared_keys
 
-* v1.1.5 -- 20210712
+* 1.1.5 -- 20210712
   - flowlogs
     - change template input name
 
-* v1.1.6 -- 20210714
+* 1.1.6 -- 20210714
   - flowlogs
     - add tags to resources
 
-* v1.2.0 -- 20211019
+* 1.2.0 -- 20211019
   - vpn
     - add create variable to create/not-create the resources
 
-* v1.3.0 -- 20211020
+* 1.3.0 -- 20211020
   - peer
     - add peer_network_acl_filter
 
-* v1.4.0 -- 20211109
+* 1.4.0 -- 20211109
   - vpc-interface-endpoint
     - create new submodule for setting up an interface endpoint
 
-* v1.4.1 -- 20211109
+* 1.4.1 -- 20211109
   - vpc-interface-endpoint
     - minor change to tagging on name
 
 * (no version) -- 20211119
   - add example for full-setup
 
-* v1.4.2 -- 20220109
+* 1.4.2 -- 20220109
     - add common/versions.tf to prep for tf 0.13+
   - common/defaults.tf
     - add 10/8 to enteprise list and make the default, due to a max of 40 nacl entries in a nacl
@@ -85,12 +85,20 @@
   - peers
     - add variables enable_nacl_entry_self and enable_nacl_entry_peer to determine whether to create the rule local/remote (default false)
 
-* v1.4.3 -- 20220118
+* 1.4.3 -- 20220118
   - vpc-interface-endpoint
     - add to output: subnet_ids, network_interface_ids
 
-* v1.4.4 -- 20220119
+* 1.4.4 -- 20220119
   - vpc-interface-endpoint
     - add vpc-interface-type=Interface filter
 
+* 1.5.0 -- 20220204
+  - routing
+    - add lables for private, public route tables
+
+* 1.5.1 -- 20220208
+  - vpc-interface-endpoint
+    - permit use of aws.* name in service
+
 ## Version 2.x

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.4.4"
+  _module_version = "1.5.1"
 }

examples/ec2-vpc-region-vpcN/apps/test-instances/ec2.tf

@@ -1,3 +1,16 @@
+locals {
+  bootstrap_commands = [
+    #      "sudo bash /tmp/bootstrap.sh /tmp/${var.git_deploy_path} ${local.bootstrap_args} |& tee /tmp/bootstrap.log",
+    "sleep 60",
+    "sudo yum install -y iperf3 bind-utils curl nc awscli",
+    # set region in default profile
+    "aws configure --profile default set region ${local.region}",
+    "aws configure --profile default set output json",
+    "sudo aws configure --profile default set region ${local.region}",
+    "sudo aws configure --profile default set output json",
+  ]
+}
+
 resource "aws_instance" "test" {
   for_each = var.enable_instances ? local.private_subnets_id_map : {}
 
@@ -46,7 +59,7 @@ resource "aws_instance" "test" {
 
   tags = merge(
     local.common_tags,
-    tomap({ "Name" = format("%v-test-%v", local.vpc_short_name, each.value.label) }),
+    tomap({ "Name" = format("%v-test-%v.%v", local.vpc_short_name, each.value.label, var.vpc_domain_name) }),
   )
 }
 

examples/ec2-vpc-region-vpcN/apps/test-instances/variables.tf

@@ -4,3 +4,15 @@ variable "enable_instances" {
   default     = true
 }
 
+variable "enable_bootstrap" {
+  description = "Flag to enable or disable bootstrap (yum and awscli setup)"
+  type        = bool
+  default     = true
+}
+
+variable "instance_count" {
+  description = "Number to indicate how many instances (up to subnet-count x az-count)"
+  type        = number
+  default     = null
+}
+

routing/README.md

@@ -24,13 +24,18 @@ module "routing" {
 
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
 
 ## Modules
 
@@ -68,12 +73,16 @@ No modules.
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
+| <a name="input_create_private_route_table"></a> [create\_private\_route\_table](#input\_create\_private\_route\_table) | Flag to enable creation of private route tables (default: true) | `bool` | `true` | no |
+| <a name="input_create_public_route_table"></a> [create\_public\_route\_table](#input\_create\_public\_route\_table) | Flag to enable creation of public route tables (default: true) | `bool` | `true` | no |
 | <a name="input_enable_igw"></a> [enable\_igw](#input\_enable\_igw) | Flag to enable AWS Internet Gateway (IGW) in the VPC (default: false) | `bool` | `false` | no |
 | <a name="input_enable_nat"></a> [enable\_nat](#input\_enable\_nat) | Flag to enable AWS NAT Gateway in the VPC (default: false) | `bool` | `false` | no |
 | <a name="input_enable_vpc_endpoint_dynamodb"></a> [enable\_vpc\_endpoint\_dynamodb](#input\_enable\_vpc\_endpoint\_dynamodb) | Flag to enable\|disable DynamoDB VPC Endpoint (default: true) | `bool` | `true` | no |
 | <a name="input_enable_vpc_endpoint_s3"></a> [enable\_vpc\_endpoint\_s3](#input\_enable\_vpc\_endpoint\_s3) | Flag to enable\|disable S3 VPC Endpoint (default: true) | `bool` | `true` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_private_route_table_label"></a> [private\_route\_table\_label](#input\_private\_route\_table\_label) | Label to include in the route table description for private subnets (default: private) | `string` | `"private"` | no |
 | <a name="input_private_subnets_ids"></a> [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>  }))</pre> | `[]` | no |
+| <a name="input_public_route_table_label"></a> [public\_route\_table\_label](#input\_public\_route\_table\_label) | Label to include in the route table description for public subnets (default: public) | `string` | `"public"` | no |
 | <a name="input_public_subnets_ids"></a> [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id | <pre>list(object({<br>    subnet            = string<br>    label             = string<br>    availability_zone = string<br>    id                = string<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | n/a | yes |

routing/main.tf

@@ -44,18 +44,18 @@ locals {
 # route table: public
 #---
 resource "aws_route_table" "public" {
-  for_each = local.availability_zones
+  for_each = var.create_public_route_table ? local.availability_zones : toset([])
   vpc_id   = var.vpc_id
 
   tags = merge(
     local.base_tags,
     var.tags,
-    map("Name", format("%v%v-%v-%v", local._prefixes["route-table"], var.vpc_full_name, "public", each.key))
+    map("Name", format("%v%v-%v-%v", local._prefixes["route-table"], var.vpc_full_name, var.public_route_table_label, each.key))
   )
 }
 
 resource "aws_route_table_association" "public" {
-  for_each       = { for subnet in var.public_subnets_ids : subnet.label => subnet }
+  for_each       = var.create_public_route_table ? { for subnet in var.public_subnets_ids : subnet.label => subnet } : {}
   subnet_id      = each.value.id
   route_table_id = aws_route_table.public[each.value.availability_zone].id
 }
@@ -64,18 +64,18 @@ resource "aws_route_table_association" "public" {
 # route table: private
 #---
 resource "aws_route_table" "private" {
-  for_each = local.availability_zones
+  for_each = var.create_private_route_table ? local.availability_zones : toset([])
   vpc_id   = var.vpc_id
 
   tags = merge(
     local.base_tags,
     var.tags,
-    map("Name", format("%v%v-%v-%v", local._prefixes["route-table"], var.vpc_full_name, "private", each.key))
+    map("Name", format("%v%v-%v-%v", local._prefixes["route-table"], var.vpc_full_name, var.private_route_table_label, each.key))
   )
 }
 
 resource "aws_route_table_association" "private" {
-  for_each       = { for subnet in var.private_subnets_ids : subnet.label => subnet }
+  for_each       = var.create_private_route_table ? { for subnet in var.private_subnets_ids : subnet.label => subnet } : {}
   subnet_id      = each.value.id
   route_table_id = aws_route_table.private[each.value.availability_zone].id
 }
@@ -87,7 +87,7 @@ resource "aws_route_table_association" "private" {
 #   NATGW
 #---
 resource "aws_eip" "nat" {
-  for_each = var.enable_igw && var.enable_nat ? local.availability_zones : local.empty
+  for_each = var.enable_igw && var.enable_nat ? local.availability_zones : toset([])
   vpc      = true
 
   tags = merge(
@@ -97,6 +97,9 @@ resource "aws_eip" "nat" {
   )
 }
 
+# might want to disalbe creation of igw and natgw if not creating public or private route tables
+# or pass in the table names
+
 resource "aws_internet_gateway" "gateway" {
   count  = var.enable_igw ? 1 : 0
   vpc_id = var.vpc_id
@@ -115,7 +118,7 @@ locals {
 }
 
 resource "aws_nat_gateway" "nat" {
-  for_each      = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : local.empty
+  for_each      = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : {}
   allocation_id = aws_eip.nat[each.key].id
   subnet_id     = each.value
   #  depends_on    = [aws_internet_gateway.gateway]
@@ -128,14 +131,14 @@ resource "aws_nat_gateway" "nat" {
 }
 
 resource "aws_route" "nat_public" {
-  for_each               = var.enable_igw && var.enable_nat ? local.availability_zones : local.empty
+  for_each               = var.create_public_route_table && var.enable_igw && var.enable_nat ? local.availability_zones : toset([])
   route_table_id         = aws_route_table.public[each.key].id
   destination_cidr_block = "0.0.0.0/0"
   gateway_id             = aws_internet_gateway.gateway[0].id
 }
 
 resource "aws_route" "nat_private" {
-  for_each               = var.enable_igw && var.enable_nat ? local.availability_zones : local.empty
+  for_each               = var.create_private_route_table && var.enable_igw && var.enable_nat ? local.availability_zones : toset([])
   route_table_id         = aws_route_table.private[each.key].id
   destination_cidr_block = "0.0.0.0/0"
   nat_gateway_id         = aws_nat_gateway.nat[each.key].id

routing/outputs.tf

@@ -40,12 +40,12 @@
 
 output "public_route_table_ids" {
   description = "Public route table IDs map by availability zone"
-  value       = { for k in local.availability_zones : k => aws_route_table.public[k].id }
+  value       = var.create_public_route_table ? { for k in local.availability_zones : k => aws_route_table.public[k].id } : {}
 }
 
 output "private_route_table_ids" {
   description = "Private route table IDs map by availability zone"
-  value       = { for k in local.availability_zones : k => aws_route_table.private[k].id }
+  value       = var.create_private_route_table ? { for k in local.availability_zones : k => aws_route_table.private[k].id } : {}
 }
 
 output "vpc_endpoint_s3_id" {

routing/variables.routing.tf

@@ -0,0 +1,23 @@
+variable "private_route_table_label" {
+  description = "Label to include in the route table description for private subnets (default: private)"
+  type        = string
+  default     = "private"
+}
+
+variable "public_route_table_label" {
+  description = "Label to include in the route table description for public subnets (default: public)"
+  type        = string
+  default     = "public"
+}
+
+variable "create_private_route_table" {
+  description = "Flag to enable creation of private route tables (default: true)"
+  type        = bool
+  default     = true
+}
+
+variable "create_public_route_table" {
+  description = "Flag to enable creation of public route tables (default: true)"
+  type        = bool
+  default     = true
+}

vpc-interface-endpoint/main.tf

@@ -57,8 +57,12 @@ locals {
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
   region              = data.aws_region.current.name
 
-  service       = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : format("com.amazonaws.%v.%v", local.region, var.service)
-  short_service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : replace(local.service, format("com.amazonaws.%v.", local.region), "")
+  service_parts      = split(".", var.service)
+  service            = length(local.service_parts) == 1 ? format("com.amazonaws.%v.%v", local.region, var.service) : var.service
+  full_service_parts = split(".", local.service)
+
+  #  short_service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : replace(local.service, format("com.amazonaws.%v.", local.region), "")
+  short_service = element(local.full_service_parts, local.full_service_parts[0] == "com" ? length(local.full_service_parts) - 1 : 0)
 
   base_tags = {
     "boc:tf_module_version" = local._module_version
@@ -70,7 +74,8 @@ locals {
 #  https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpoints.html
 
 data "aws_vpc_endpoint_service" "interface_endpoint" {
-  service = local.service
+  service      = local.full_service_parts[0] == "com" ? local.service : null
+  service_name = local.full_service_parts[0] != "com" ? local.service : null
   filter {
     name   = "service-type"
     values = ["Interface"]