Skip to content

Commit

Permalink
create new submodule
Browse files Browse the repository at this point in the history
  • Loading branch information
@badra001
badra001 committed Oct 14, 2022
1 parent 59eea33 commit b480f6e
Show file tree
Hide file tree
Showing 21 changed files with 616 additions and 0 deletions.
11 changes: 11 additions & 0 deletions vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
provider "aws" {
alias = "tgw_west"
region = "us-gov-west-1"
profile = var.network_account_profile
}

provider "aws" {
alias = "tgw_east"
region = "us-gov-east-1"
profile = var.network_account_profile
}
225 changes: 225 additions & 0 deletions vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,225 @@
locals {
trs_region_outputs = data.terraform_remote_state.vpc_east.outputs
# tgw_id = local.trs_region_outputs.transit_gateway_id
# tgw_id = data.aws_ec2_transit_gateway.gateway_east.id
info_vpc = data.terraform_remote_state.vpc.outputs.info_vpc
}

data "aws_ec2_transit_gateway" "gateway_east" { }

data "aws_ec2_transit_gateway" "gateway_west" {
provider = aws.tgw_main_west
}

data "aws_ec2_transit_gateway_peering_attachment" "peer_west" {
provider = aws.tgw_main_west
filter {
name = "tag:Name"
values = [ "tgw-proto-peer" ]
}
}

locals {
transit_gateway_peer_attachment_id_west = data.aws_ec2_transit_gateway_peering_attachment.peer_west.id
}

module "routing_attachment" {
source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing"
vpc_id = local.vpc_id

vpc_full_name = var.vpc_full_name
availability_zones = []
private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
create_public_route_table = false
private_route_table_label = "attachment"
enable_igw = false
enable_nat = false
enable_vpc_endpoint_s3 = false
enable_vpc_endpoint_dynamodb = false

vpc_name = var.vpc_name
vpc_short_name = var.vpc_short_name
vpc_cidr_block = var.vpc_cidr_block
vpc_index = var.vpc_index

tags = merge(
local.common_tags,
local.tags,
)
}

# routes to tgw (for now, 10.128/16, should be each of the highest cidr blocks per account). It would be nice to use prefix lists, but not supported in gov
resource "aws_route" "gateway" {
for_each = module.routing.private_route_table_ids
route_table_id = each.value
# destination_cidr_block = "0.0.0.0/0"
destination_cidr_block = "10.128.0.0/16"
transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id
depends_on = [ aws_ec2_transit_gateway_vpc_attachment.vpc_attachment ]
}

#---
# route tables east
#---
data "aws_ec2_transit_gateway_route_tables" "route_tables_east" {
provider = aws.tgw_main_east
filter {
name = "transit-gateway-id"
values = [ data.aws_ec2_transit_gateway.gateway_east.id ]
}
}

data "aws_ec2_transit_gateway_route_table" "route_tables_east" {
provider = aws.tgw_main_east
for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_east.ids)
id = each.key
}

locals {
transit_gateway_route_table_ids_east = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_east: v.tags["boc:network_vrf"] => k }
}

#---
# route tables west
#---
data "aws_ec2_transit_gateway_route_tables" "route_tables_west" {
provider = aws.tgw_main_west
filter {
name = "transit-gateway-id"
values = [ data.aws_ec2_transit_gateway.gateway_west.id ]
}
}

data "aws_ec2_transit_gateway_route_table" "route_tables_west" {
provider = aws.tgw_main_west
for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_west.ids)
id = each.key
}

locals {
transit_gateway_route_table_ids_west = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_west: v.tags["boc:network_vrf"] => k }
}


#---
# assocaite this vpc to route table in east
#---
resource "aws_ec2_transit_gateway_route_table_association" "route_table" {
provider = aws.tgw_main_east
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment]
}

#---
# attach this vpc to tgw
#---
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" {
subnet_ids = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id
vpc_id = local.vpc_id
dns_support = "enable"
ipv6_support = "disable"
transit_gateway_default_route_table_association = true
transit_gateway_default_route_table_propagation = true

tags = merge(
local.common_tags,
tomap({ Name = "tgwa-proto-${var.vpc_short_name}-${local.region}" }),
tomap({ "boc:tgw_environment" = var.tgw_environment }),
)
}

# will need to adjust this where there are common, services, shared
data "aws_ec2_transit_gateway_vpc_attachment" "vpc_services" {
filter {
name = "tag:boc:tgw_environment"
values = ["services"]
}
}

#---
# propagate services in {environment} route table in east
#---
# resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self" {
# provider = aws.tgw_main_east
# count = var.tgw_environment != "services" ? 1 : 0
# transit_gateway_attachment_id = data.aws_ec2_transit_gateway_vpc_attachment.vpc_services.id
# transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment]
# }

#---
# also add route to other environment in other region to peering attachment in west
#---
## resource "aws_ec2_transit_gateway_route" "vpc_self_peers" {
## provider = aws.tgw_main_west
## for_each = var.tgw_environment != "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == var.tgw_environment]) : toset([])
## destination_cidr_block = each.key
## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
## }

# propagate in services to this attachment in all route tables
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_services" {
provider = aws.tgw_main_east
for_each = var.tgw_environment == "services" ? local.transit_gateway_route_table_ids_east : { for k,v in local.transit_gateway_route_table_ids_east: k => v if k == var.tgw_environment }
# count = var.tgw_environment != "services" ? 1 : 0
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[each.key]
}

## # for services, add static IP to all environments in other region to peering attachment
## resource "aws_ec2_transit_gateway_route" "vpc_services_peers" {
## provider = aws.tgw_main_west
## for_each = var.tgw_environment == "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != ""]) : toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == "services"])
## destination_cidr_block = each.key
## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
## }

# propagate all to inter-region table
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_inter-region" {
provider = aws.tgw_main_east
count = var.tgw_environment != "services" ? 1 : 0
transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id
transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east["inter-region"]
}

# peer route tables for our vpc to tgw peer
locals {
peer_rt = [ for r in keys(local.transit_gateway_route_table_ids_west): r if r!="inter-region" && r!="services" ]
## peer_rt0 = { for k,v in local.info_vpc: v.cidr_block => v.tgw_environment if v.region == local.region && v.tgw_environment != "" }
## peer_rt1 = transpose({ for k,v in local.info_vpc: v.cidr_block => [ v.tgw_environment ] if v.region == local.region && v.tgw_environment != "" })
## peer_rt2 = merge(local.peer_rt1,
## { "services" = [ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != "" ] },
## )
## peer_rt3 = { for v in local.peer_rt2[var.tgw_environment]: format("%v:%v",var.tgw_environment,v) => {
## label = format("%v:%v",var.tgw_environment,v),
## tgw_environment = var.tgw_environment,
## environment = local.peer_rt0[v],
## cidr_block = v }
## }
}

# for services, add static IP to all environments in other region to peering attachment
resource "aws_ec2_transit_gateway_route" "peer_vpc_environment" {
provider = aws.tgw_main_west
destination_cidr_block = var.vpc_cidr_block
transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment]
}

resource "aws_ec2_transit_gateway_route" "peer_vpc_to_services" {
provider = aws.tgw_main_west
count = var.tgw_environment != "services" ? 1 : 0
destination_cidr_block = var.vpc_cidr_block
transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west["services"]
}

resource "aws_ec2_transit_gateway_route" "peer_vpc_services" {
provider = aws.tgw_main_west
for_each = var.tgw_environment == "services" ? local.peer_rt : toset([])
destination_cidr_block = var.vpc_cidr_block
transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west
transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[each.key]
}
95 changes: 95 additions & 0 deletions vpc-transit-gateway-association-data/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
# About aws-vpc-setup :: vpc-transit-gateway-association

This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following:

* gets transit gateway ID shared to this account and region
* gets transit gateway route tables
* creates routes for the attachment subnets to the transit gatewway
* creates routes to all other things on the transit gateway through a network prefix
* attaches the VPC to the transit gateway
* propagates the route to the associated route tables for the envirornment/VRF
* services is propagated to all
* creates static routes for transit gateway route tables in a peer region

## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
| <a name="provider_aws.network_account"></a> [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 |
| <a name="provider_aws.peer"></a> [aws.peer](#provider\_aws.peer) | >= 3.66.0 |
| <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | >= 3.66.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_ec2_managed_prefix_list.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
| [aws_ec2_managed_prefix_lists.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
| [aws_ec2_transit_gateway_route_table.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source |
| [aws_ec2_transit_gateway_route_table.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source |
| [aws_ec2_transit_gateway_route_tables.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source |
| [aws_ec2_transit_gateway_route_tables.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source |
| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
| <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
| <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| <a name="input_route_prefix_list_name"></a> [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no |
| <a name="input_route_table_label"></a> [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| <a name="input_transit_gateway_environment"></a> [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
| <a name="input_transit_gateway_label"></a> [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no |
| <a name="input_transit_gateway_routing_type"></a> [transit\_gateway\_routing\_type](#input\_transit\_gateway\_routing\_type) | Transit Gateway routing type, to select either self or peer (where we may have many peers) | `string` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_availability_zone_ids"></a> [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list (3) |
| <a name="output_availability_zone_names"></a> [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list (3) |
| <a name="output_availability_zone_suffixes"></a> [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list (3) |
| <a name="output_availablity_zone"></a> [availablity\_zone](#output\_availablity\_zone) | map of data resource aws\_availability\_zone from list of zone names |
| <a name="output_gateway_peer"></a> [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) |
| <a name="output_gateway_self"></a> [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) |
| <a name="output_map_route_tables_peer"></a> [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) |
| <a name="output_map_route_tables_self"></a> [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) |
| <a name="output_prefix_list_id_ipv4"></a> [prefix\_list\_id\_ipv4](#output\_prefix\_list\_id\_ipv4) | Managed prefix ID for IPv4 |
| <a name="output_route_tables_peer"></a> [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) |
| <a name="output_route_tables_self"></a> [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) |
1 change: 1 addition & 0 deletions vpc-transit-gateway-association-data/availabilty_zones.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
../common/availabilty_zones.tf
12 changes: 12 additions & 0 deletions vpc-transit-gateway-association-data/data.network_account.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
data "aws_caller_identity" "network_account" {
provider = aws.network_account
}

data "aws_arn" "network_account" {
provider = aws.network_account
arn = data.aws_caller_identity.network_account.arn
}

# output "network_account" {
# value = data.aws_arn.network_account
# }
13 changes: 13 additions & 0 deletions vpc-transit-gateway-association-data/data.routing.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
data "aws_ec2_managed_prefix_lists" "tgw_ipv4" {
filter {
name = "prefix-list-name"
values = [var.route_prefix_list_name, format("%v.ipv4", var.route_prefix_list_name)]
}
}

data "aws_ec2_managed_prefix_list" "tgw_ipv4" {
for_each = toset(data.aws_ec2_managed_prefix_lists.tgw_ipv4.ids)
id = each.key
}

# destination_prefix_list_id = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
1 change: 1 addition & 0 deletions vpc-transit-gateway-association-data/data.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
../common/data.tf

0 comments on commit b480f6e

Please sign in to comment.