From b480f6e06565ca0ea20d118ac583a2c7a029e306 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 14 Oct 2022 13:18:59 -0400
Subject: [PATCH] create new submodule

---
 .../credentials.vpc-transit-gateway.tf.off | 11 +
 .../OFF/vpc-transit-gateway.tf.off | 225 ++++++++++++++++++
 .../README.md | 95 ++++++++
 .../availabilty_zones.tf | 1 +
 .../data.network_account.tf | 12 +
 .../data.routing.tf | 13 +
 vpc-transit-gateway-association-data/data.tf | 1 +
 .../data.transit-gateway.tf | 84 +++++++
 .../data.vpc.tf | 3 +
 .../defaults.tf | 1 +
 vpc-transit-gateway-association-data/main.tf | 43 ++++
 .../module_name.tf | 3 +
 .../outputs.tf | 39 +++
 .../prefixes.tf | 1 +
 .../variables.common.availability_zones.tf | 1 +
 .../variables.common.tf | 1 +
 .../variables.common.vpc_id.tf | 1 +
 .../variables.create.tf | 1 +
 .../variables.tf | 48 ++++
 .../version.tf | 1 +
 .../versions.tf | 31 +++
 21 files changed, 616 insertions(+)
 create mode 100644 vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off
 create mode 100644 vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off
 create mode 100644 vpc-transit-gateway-association-data/README.md
 create mode 120000 vpc-transit-gateway-association-data/availabilty_zones.tf
 create mode 100644 vpc-transit-gateway-association-data/data.network_account.tf
 create mode 100644 vpc-transit-gateway-association-data/data.routing.tf
 create mode 120000 vpc-transit-gateway-association-data/data.tf
 create mode 100644 vpc-transit-gateway-association-data/data.transit-gateway.tf
 create mode 100644 vpc-transit-gateway-association-data/data.vpc.tf
 create mode 120000 vpc-transit-gateway-association-data/defaults.tf
 create mode 100644 vpc-transit-gateway-association-data/main.tf
 create mode 100644 vpc-transit-gateway-association-data/module_name.tf
 create mode 100644 vpc-transit-gateway-association-data/outputs.tf
 create mode 120000 vpc-transit-gateway-association-data/prefixes.tf
 create mode 120000 vpc-transit-gateway-association-data/variables.common.availability_zones.tf
 create mode 120000 vpc-transit-gateway-association-data/variables.common.tf
 create mode 120000 vpc-transit-gateway-association-data/variables.common.vpc_id.tf
 create mode 120000 vpc-transit-gateway-association-data/variables.create.tf
 create mode 100644 vpc-transit-gateway-association-data/variables.tf
 create mode 120000 vpc-transit-gateway-association-data/version.tf
 create mode 100644 vpc-transit-gateway-association-data/versions.tf

diff --git a/vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off b/vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off
new file mode 100644
index 0000000..f7c439e
--- /dev/null
+++ b/vpc-transit-gateway-association-data/OFF/credentials.vpc-transit-gateway.tf.off
@@ -0,0 +1,11 @@
+provider "aws" {
+ alias = "tgw_west"
+ region = "us-gov-west-1"
+ profile = var.network_account_profile
+}
+
+provider "aws" {
+ alias = "tgw_east"
+ region = "us-gov-east-1"
+ profile = var.network_account_profile
+}
diff --git a/vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off b/vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off
new file mode 100644
index 0000000..6567821
--- /dev/null
+++ b/vpc-transit-gateway-association-data/OFF/vpc-transit-gateway.tf.off
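Review bot: The provider aliases `tgw_west`/`tgw_east` in this disabled file match nothing else in the submodule: the sibling OFF/vpc-transit-gateway.tf.off references `aws.tgw_main_west`/`aws.tgw_main_east`, and versions.tf declares `configuration_aliases = [aws.network_account, aws.self, aws.peer]`, so reviving the file as-is would not validate. A module that receives its providers through configuration_aliases should not also declare its own `provider "aws"` blocks with a `profile`, because that quietly binds the module to a local credentials file instead of the caller-supplied providers. If the file is kept for reference, a one-line header such as `# DISABLED: superseded by configuration_aliases in versions.tf (aws.self / aws.peer)` would stop someone from re-enabling it by renaming.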
@@ -0,0 +1,225 @@ +locals { + trs_region_outputs = data.terraform_remote_state.vpc_east.outputs +# tgw_id = local.trs_region_outputs.transit_gateway_id +# tgw_id = data.aws_ec2_transit_gateway.gateway_east.id + info_vpc = data.terraform_remote_state.vpc.outputs.info_vpc +} + +data "aws_ec2_transit_gateway" "gateway_east" { } + +data "aws_ec2_transit_gateway" "gateway_west" { + provider = aws.tgw_main_west +} + +data "aws_ec2_transit_gateway_peering_attachment" "peer_west" { + provider = aws.tgw_main_west + filter { + name = "tag:Name" + values = [ "tgw-proto-peer" ] + } +} + +locals { + transit_gateway_peer_attachment_id_west = data.aws_ec2_transit_gateway_peering_attachment.peer_west.id +} + +module "routing_attachment" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing" + vpc_id = local.vpc_id + + vpc_full_name = var.vpc_full_name + availability_zones = [] + private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"] + create_public_route_table = false + private_route_table_label = "attachment" + enable_igw = false + enable_nat = false + enable_vpc_endpoint_s3 = false + enable_vpc_endpoint_dynamodb = false + + vpc_name = var.vpc_name + vpc_short_name = var.vpc_short_name + vpc_cidr_block = var.vpc_cidr_block + vpc_index = var.vpc_index + + tags = merge( + local.common_tags, + local.tags, + ) +} + +# routes to tgw (for now, 10.128/16, should be each of the highest cidr blocks per account). 
It would be nice to use prefix lists, but not supported in gov +resource "aws_route" "gateway" { + for_each = module.routing.private_route_table_ids + route_table_id = each.value +# destination_cidr_block = "0.0.0.0/0" + destination_cidr_block = "10.128.0.0/16" + transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id + depends_on = [ aws_ec2_transit_gateway_vpc_attachment.vpc_attachment ] +} + +#--- +# route tables east +#--- +data "aws_ec2_transit_gateway_route_tables" "route_tables_east" { + provider = aws.tgw_main_east + filter { + name = "transit-gateway-id" + values = [ data.aws_ec2_transit_gateway.gateway_east.id ] + } +} + +data "aws_ec2_transit_gateway_route_table" "route_tables_east" { + provider = aws.tgw_main_east + for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_east.ids) + id = each.key +} + +locals { + transit_gateway_route_table_ids_east = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_east: v.tags["boc:network_vrf"] => k } +} + +#--- +# route tables west +#--- +data "aws_ec2_transit_gateway_route_tables" "route_tables_west" { + provider = aws.tgw_main_west + filter { + name = "transit-gateway-id" + values = [ data.aws_ec2_transit_gateway.gateway_west.id ] + } +} + +data "aws_ec2_transit_gateway_route_table" "route_tables_west" { + provider = aws.tgw_main_west + for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_west.ids) + id = each.key +} + +locals { + transit_gateway_route_table_ids_west = { for k,v in data.aws_ec2_transit_gateway_route_table.route_tables_west: v.tags["boc:network_vrf"] => k } +} + + +#--- +# assocaite this vpc to route table in east +#--- +resource "aws_ec2_transit_gateway_route_table_association" "route_table" { + provider = aws.tgw_main_east + transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id + transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment] +} + +#--- +# attach this 
vpc to tgw +#--- +resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_attachment" { + subnet_ids = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"] + transit_gateway_id = data.aws_ec2_transit_gateway.gateway_east.id + vpc_id = local.vpc_id + dns_support = "enable" + ipv6_support = "disable" + transit_gateway_default_route_table_association = true + transit_gateway_default_route_table_propagation = true + + tags = merge( + local.common_tags, + tomap({ Name = "tgwa-proto-${var.vpc_short_name}-${local.region}" }), + tomap({ "boc:tgw_environment" = var.tgw_environment }), + ) +} + +# will need to adjust this where there are common, services, shared +data "aws_ec2_transit_gateway_vpc_attachment" "vpc_services" { + filter { + name = "tag:boc:tgw_environment" + values = ["services"] + } +} + +#--- +# propagate services in {environment} route table in east +#--- +# resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_self" { +# provider = aws.tgw_main_east +# count = var.tgw_environment != "services" ? 1 : 0 +# transit_gateway_attachment_id = data.aws_ec2_transit_gateway_vpc_attachment.vpc_services.id +# transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[var.tgw_environment] +# } + +#--- +# also add route to other environment in other region to peering attachment in west +#--- +## resource "aws_ec2_transit_gateway_route" "vpc_self_peers" { +## provider = aws.tgw_main_west +## for_each = var.tgw_environment != "services" ? 
toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == var.tgw_environment]) : toset([]) +## destination_cidr_block = each.key +## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west +## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment] +## } + +# propagate in services to this attachment in all route tables +resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_services" { + provider = aws.tgw_main_east + for_each = var.tgw_environment == "services" ? local.transit_gateway_route_table_ids_east : { for k,v in local.transit_gateway_route_table_ids_east: k => v if k == var.tgw_environment } +# count = var.tgw_environment != "services" ? 1 : 0 + transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id + transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east[each.key] +} + +## # for services, add static IP to all environments in other region to peering attachment +## resource "aws_ec2_transit_gateway_route" "vpc_services_peers" { +## provider = aws.tgw_main_west +## for_each = var.tgw_environment == "services" ? toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != ""]) : toset([ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment == "services"]) +## destination_cidr_block = each.key +## transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west +## transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment] +## } + +# propagate all to inter-region table +resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_inter-region" { + provider = aws.tgw_main_east + count = var.tgw_environment != "services" ? 
1 : 0 + transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.vpc_attachment.id + transit_gateway_route_table_id = local.transit_gateway_route_table_ids_east["inter-region"] +} + +# peer route tables for our vpc to tgw peer +locals { + peer_rt = [ for r in keys(local.transit_gateway_route_table_ids_west): r if r!="inter-region" && r!="services" ] +## peer_rt0 = { for k,v in local.info_vpc: v.cidr_block => v.tgw_environment if v.region == local.region && v.tgw_environment != "" } +## peer_rt1 = transpose({ for k,v in local.info_vpc: v.cidr_block => [ v.tgw_environment ] if v.region == local.region && v.tgw_environment != "" }) +## peer_rt2 = merge(local.peer_rt1, +## { "services" = [ for k,v in local.info_vpc: v.cidr_block if v.region == local.region && v.tgw_environment != "" ] }, +## ) +## peer_rt3 = { for v in local.peer_rt2[var.tgw_environment]: format("%v:%v",var.tgw_environment,v) => { +## label = format("%v:%v",var.tgw_environment,v), +## tgw_environment = var.tgw_environment, +## environment = local.peer_rt0[v], +## cidr_block = v } +## } +} + +# for services, add static IP to all environments in other region to peering attachment +resource "aws_ec2_transit_gateway_route" "peer_vpc_environment" { + provider = aws.tgw_main_west + destination_cidr_block = var.vpc_cidr_block + transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west + transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[var.tgw_environment] +} + +resource "aws_ec2_transit_gateway_route" "peer_vpc_to_services" { + provider = aws.tgw_main_west + count = var.tgw_environment != "services" ? 
1 : 0 + destination_cidr_block = var.vpc_cidr_block + transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west + transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west["services"] +} + +resource "aws_ec2_transit_gateway_route" "peer_vpc_services" { + provider = aws.tgw_main_west + for_each = var.tgw_environment == "services" ? local.peer_rt : toset([]) + destination_cidr_block = var.vpc_cidr_block + transit_gateway_attachment_id = local.transit_gateway_peer_attachment_id_west + transit_gateway_route_table_id = local.transit_gateway_route_table_ids_west[each.key] +} diff --git a/vpc-transit-gateway-association-data/README.md b/vpc-transit-gateway-association-data/README.md new file mode 100644 index 0000000..57e58aa --- /dev/null +++ b/vpc-transit-gateway-association-data/README.md 
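Review bot: Even as a disabled reference, `aws_ec2_transit_gateway_vpc_attachment.vpc_attachment` sets `transit_gateway_default_route_table_association = true` while `aws_ec2_transit_gateway_route_table_association.route_table` associates the same attachment with the VRF table; an attachment can be associated with only one TGW route table, so this likely fails on apply or flips between the default and the VRF table (hedged, since the TGW's own default-association setting is not visible here). Default propagation is enabled on the same attachment, which advertises the VPC CIDR into whatever the default table is and undercuts the per-VRF propagations below it; `transit_gateway_default_route_table_association = false` and `transit_gateway_default_route_table_propagation = false` are the expected values when associations are managed explicitly. `aws_route.gateway` iterates `module.routing.private_route_table_ids` although the module is declared as `routing_attachment`, and `module.subnets` is never declared in this submodule. If any of this is revived, the hard-coded `destination_cidr_block = "10.128.0.0/16"` should give way to the shared prefix list that data.routing.tf now looks up.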
@@ -0,0 +1,95 @@ +# About aws-vpc-setup :: vpc-transit-gateway-association + +This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following: + +* gets transit gateway ID shared to this account and region +* gets transit gateway route tables +* creates routes for the attachment subnets to the transit gatewway +* creates routes to all other things on the transit gateway through a network prefix +* attaches the VPC to the transit gateway +* propagates the route to the associated route tables for the envirornment/VRF + * services is propagated to all +* creates static routes for transit gateway route tables in a peer region + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [ldap](#requirement\_ldap) | >= 0.5.4 | +| [local](#requirement\_local) | >= 1.0.0 | +| [null](#requirement\_null) | >= 3.0 | +| [random](#requirement\_random) | >= 3.0 | +| [template](#requirement\_template) | >= 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 | +| [aws.peer](#provider\_aws.peer) | >= 3.66.0 | +| [aws.self](#provider\_aws.self) | >= 3.66.0 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source | +| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_ec2_managed_prefix_list.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_ec2_managed_prefix_lists.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source | +| [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | +| [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | +| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | +| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source | +| 
[aws_ec2_transit_gateway_route_table.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source | +| [aws_ec2_transit_gateway_route_table.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source | +| [aws_ec2_transit_gateway_route_tables.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source | +| [aws_ec2_transit_gateway_route_tables.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source | +| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | +| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no | +| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no | +| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes | +| 
[override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [route\_prefix\_list\_name](#input\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW. | `string` | `"transit-gateway.prod"` | no | +| [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes | +| [transit\_gateway\_label](#input\_transit\_gateway\_label) | Transit Gateway label for specific instance (sa, prod) | `string` | `"prod"` | no | +| [transit\_gateway\_routing\_type](#input\_transit\_gateway\_routing\_type) | Transit Gateway routing type, to select either self or peer (where we may have many peers) | `string` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list (3) | +| [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list (3) | +| [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list (3) | +| [availablity\_zone](#output\_availablity\_zone) | map of data resource aws\_availability\_zone from list of zone names | +| [gateway\_peer](#output\_gateway\_peer) | Transit Gateway peer (other region) | +| [gateway\_self](#output\_gateway\_self) | Transit Gateway self (this region) | 
+| [map\_route\_tables\_peer](#output\_map\_route\_tables\_peer) | Transit Gateway route tables map (VRF:id) peer (other region) |
+| [map\_route\_tables\_self](#output\_map\_route\_tables\_self) | Transit Gateway route tables map (VRF:id) self (this region) |
+| [prefix\_list\_id\_ipv4](#output\_prefix\_list\_id\_ipv4) | Managed prefix ID for IPv4 |
+| [route\_tables\_peer](#output\_route\_tables\_peer) | Transit Gateway route tables peer (other region) |
+| [route\_tables\_self](#output\_route\_tables\_self) | Transit Gateway route tables self (this region) |
diff --git a/vpc-transit-gateway-association-data/availabilty_zones.tf b/vpc-transit-gateway-association-data/availabilty_zones.tf
new file mode 120000
index 0000000..00a240c
--- /dev/null
+++ b/vpc-transit-gateway-association-data/availabilty_zones.tf
@@ -0,0 +1 @@
+../common/availabilty_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/data.network_account.tf b/vpc-transit-gateway-association-data/data.network_account.tf
new file mode 100644
index 0000000..d0ef9c1
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.network_account.tf
@@ -0,0 +1,12 @@
+data "aws_caller_identity" "network_account" {
+ provider = aws.network_account
+}
+
+data "aws_arn" "network_account" {
+ provider = aws.network_account
+ arn = data.aws_caller_identity.network_account.arn
+}
+
+# output "network_account" {
+# value = data.aws_arn.network_account
+# }
diff --git a/vpc-transit-gateway-association-data/data.routing.tf b/vpc-transit-gateway-association-data/data.routing.tf
new file mode 100644
index 0000000..c1b9d80
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.routing.tf
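Review bot: `data.aws_arn.network_account` exists only to recover the account number from the caller-identity ARN, but `data.aws_caller_identity.network_account` already exposes it as `account_id`, so the consumers in data.transit-gateway.tf could read `data.aws_caller_identity.network_account.account_id` directly and the `aws_arn` lookup could be dropped. A header comment stating the file's role would help, e.g. `# Identity of the network account that shares the TGW; pins the owner-id filters in data.transit-gateway.tf`. The commented-out `output "network_account"` is dead and belongs in outputs.tf or nowhere.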
@@ -0,0 +1,13 @@
+data "aws_ec2_managed_prefix_lists" "tgw_ipv4" {
+ filter {
+ name = "prefix-list-name"
+ values = [var.route_prefix_list_name, format("%v.ipv4", var.route_prefix_list_name)]
+ }
+}
+
+data "aws_ec2_managed_prefix_list" "tgw_ipv4" {
+ for_each = toset(data.aws_ec2_managed_prefix_lists.tgw_ipv4.ids)
+ id = each.key
+}
+
+# destination_prefix_list_id = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
diff --git a/vpc-transit-gateway-association-data/data.tf b/vpc-transit-gateway-association-data/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/data.transit-gateway.tf b/vpc-transit-gateway-association-data/data.transit-gateway.tf
new file mode 100644
index 0000000..552a02d
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.transit-gateway.tf
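Review bot: `data.aws_ec2_managed_prefix_lists.tgw_ipv4` selects the routing prefix list by name alone, so a list in the consuming account named `var.route_prefix_list_name` or `<name>.ipv4` is indistinguishable from the one shared by the network account; with both present `toset(...ids)` holds two ids and the `one(...)` in outputs.tf fails, and if the shared list is absent or unshared the local one is silently chosen as the route destination. The transit gateway lookups in data.transit-gateway.tf already pin `owner-id` to `data.aws_arn.network_account.account`, and the same filter belongs here so only the network account's list can ever satisfy the query. No match at all yields an empty set and a null `prefix_list_id_ipv4` output rather than an error, which is worth a comment such as `# An empty match surfaces downstream as a null prefix_list_id_ipv4 output`.
```hcl
data "aws_ec2_managed_prefix_lists" "tgw_ipv4" {
  # … unchanged: prefix-list-name filter …
  # accept only the list owned by the network account, mirroring the TGW owner-id filter
  filter {
    name   = "owner-id"
    values = [data.aws_arn.network_account.account]
  }
}
```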
@@ -0,0 +1,84 @@
+#---
+# transit gateways
+
+data "aws_ec2_transit_gateway" "gateway_self" {
+ provider = aws.self
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+data "aws_ec2_transit_gateway" "gateway_peer" {
+ provider = aws.peer
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+}
+
+#---
+# tgw route tables self
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_self" {
+ provider = aws.self
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_self.id]
+ }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_self" {
+ provider = aws.self
+ for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_self.ids)
+ id = each.key
+}
+
+locals {
+ transit_gateway_route_table_ids_self = { for k, v in data.aws_ec2_transit_gateway_route_table.route_tables_self : v.tags["boc:network_vrf"] => k if contains(keys(v.tags), "boc:network_vrf") }
+}
+
+#---
+# route tables west
+#---
+data "aws_ec2_transit_gateway_route_tables" "route_tables_peer" {
+ provider = aws.peer
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_peer.id]
+ }
+}
+
+data "aws_ec2_transit_gateway_route_table" "route_tables_peer" {
+ provider = aws.peer
+ for_each = toset(data.aws_ec2_transit_gateway_route_tables.route_tables_peer.ids)
+ id = each.key
+}
+
+locals {
+ transit_gateway_route_table_ids_peer = { for k, v in data.aws_ec2_transit_gateway_route_table.route_tables_peer : v.tags["boc:network_vrf"] => k if contains(keys(v.tags), "boc:network_vrf") }
+}
+
+# These two hold a map of VRF => route table
+# * transit_gateway_route_table_ids_self
+# * transit_gateway_route_table_ids_peer
+
+#---
+# peering attachments
+#---
+data "aws_ec2_transit_gateway_peering_attachment" "attachment_self" {
+ provider = aws.self
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_self.id]
+ }
+}
+
+data "aws_ec2_transit_gateway_peering_attachment" "attachment_peer" {
+ provider = aws.peer
+ filter {
+ name = "transit-gateway-id"
+ values = [data.aws_ec2_transit_gateway.gateway_peer.id]
+ }
+}
+
diff --git a/vpc-transit-gateway-association-data/data.vpc.tf b/vpc-transit-gateway-association-data/data.vpc.tf
new file mode 100644
index 0000000..34f3677
--- /dev/null
+++ b/vpc-transit-gateway-association-data/data.vpc.tf
@@ -0,0 +1,3 @@
+data "aws_vpc" "vpc" {
+ id = var.vpc_id
+}
diff --git a/vpc-transit-gateway-association-data/defaults.tf b/vpc-transit-gateway-association-data/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/vpc-transit-gateway-association-data/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/main.tf b/vpc-transit-gateway-association-data/main.tf
new file mode 100644
index 0000000..2585da5
--- /dev/null
+++ b/vpc-transit-gateway-association-data/main.tf
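Review bot: The `aws_ec2_transit_gateway_peering_attachment` lookups for `attachment_self` and `attachment_peer` filter only on `transit-gateway-id`, so a TGW peered with more than one region, or one whose recently deleted peering is still reported in a non-available state, can return several attachments and the singular data source then fails the plan; adding `filter { name = "state" values = ["available"] }` (and a tag filter if multiple live peers are expected) makes the selection deterministic. The `# route tables west` header above `route_tables_peer` is a leftover from the region-specific version and should read `# tgw route tables peer`. Building the VRF maps with `v.tags["boc:network_vrf"] => k` is a good fail-closed choice, since two route tables carrying the same VRF tag abort the plan instead of one silently winning; a one-line comment saying that is intentional would keep a future maintainer from "fixing" it with a grouping operator.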
@@ -0,0 +1,43 @@
+/*
+* # About aws-vpc-setup :: vpc-transit-gateway-association
+*
+* This sets up the necessary transit gateway configuration for attaching a VPC with all of the components. It does the following:
+*
+* * gets transit gateway ID shared to this account and region
+* * gets transit gateway route tables
+* * creates routes for the attachment subnets to the transit gatewway
+* * creates routes to all other things on the transit gateway through a network prefix
+* * attaches the VPC to the transit gateway
+* * propagates the route to the associated route tables for the envirornment/VRF
+* * services is propagated to all
+* * creates static routes for transit gateway route tables in a peer region
+
+* # Usage
+*
+* ```hcl
+* module "vpc_tgw" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association?ref=tf-upgrade"
+* network_account_profile = "057445207498-ent-gov-network-sa"
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
+ "boc:created_by" = "terraform"
+ }
+}
+
+
+# vpc_id = local.vpc_id
+# vpc_full_name = var.vpc_full_name
+# availability_zones = []
+# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+# route_table_label = "attachment"
diff --git a/vpc-transit-gateway-association-data/module_name.tf b/vpc-transit-gateway-association-data/module_name.tf
new file mode 100644
index 0000000..1f505b5
--- /dev/null
+++ b/vpc-transit-gateway-association-data/module_name.tf
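Review bot: The header comment describes the resource-creating module (routes, attachment, propagations, static peer routes), but this `-data` submodule contains only data sources, locals and outputs in this patch, so the text overstates what it does and the README generated from it inherits the error; the bullet list should be trimmed to what the module reads (TGW ids, VRF route-table maps, peering attachments, the shared prefix list) and say that attachment and routes live in the sibling module. The usage example hard-codes an environment-specific profile name and a `?ref=tf-upgrade` branch; a placeholder like `network_account_profile = "<network-account-profile>"` and a tagged ref would avoid copying an internal identifier and a moving branch into every consumer. `account_environment` maps `"aws-us-gov"` to `"gov"` and everything else to `"ew"`, which deserves a one-line comment on what `ew` denotes. The trailing commented `module.subnets` lines are dead and can be removed.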
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "vpc-transit-gateway-association-data"
+}
diff --git a/vpc-transit-gateway-association-data/outputs.tf b/vpc-transit-gateway-association-data/outputs.tf
new file mode 100644
index 0000000..ec3537e
--- /dev/null
+++ b/vpc-transit-gateway-association-data/outputs.tf
@@ -0,0 +1,39 @@
+output "availablity_zone" {
+ description = "map of data resource aws_availability_zone from list of zone names"
+ value = data.aws_availability_zone.zone
+}
+
+output "gateway_self" {
+ description = "Transit Gateway self (this region)"
+ value = data.aws_ec2_transit_gateway.gateway_self.id
+}
+
+output "gateway_peer" {
+ description = "Transit Gateway peer (other region)"
+ value = data.aws_ec2_transit_gateway.gateway_peer.id
+}
+
+output "route_tables_self" {
+ description = "Transit Gateway route tables self (this region)"
+ value = data.aws_ec2_transit_gateway_route_table.route_tables_self
+}
+
+output "route_tables_peer" {
+ description = "Transit Gateway route tables peer (other region)"
+ value = data.aws_ec2_transit_gateway_route_table.route_tables_peer
+}
+
+output "map_route_tables_self" {
+ description = "Transit Gateway route tables map (VRF:id) self (this region)"
+ value = local.transit_gateway_route_table_ids_self
+}
+
+output "map_route_tables_peer" {
+ description = "Transit Gateway route tables map (VRF:id) peer (other region)"
+ value = local.transit_gateway_route_table_ids_peer
+}
+
+output "prefix_list_id_ipv4" {
+ description = "Managed prefix ID for IPv4"
+ value = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
+}
diff --git a/vpc-transit-gateway-association-data/prefixes.tf b/vpc-transit-gateway-association-data/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/vpc-transit-gateway-association-data/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
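Review bot: `prefix_list_id_ipv4` uses `one(...)`, a function introduced in Terraform 0.15, while versions.tf in this same patch pins `required_version = ">= 0.13"` (its `configuration_aliases` entry is also 0.15+), so either the constraint there becomes `required_version = ">= 0.15"` or this output is rewritten without `one`. The output is `null` when no IPv4 list matched, which a caller only discovers as a route with no destination; the description should say so, e.g. `description = "Managed prefix list ID for IPv4 routes to the TGW; null when no list named route_prefix_list_name was found"`. `route_tables_self` and `route_tables_peer` export the full data-source objects, tags included, which is reasonable for a data module but worth stating in their descriptions so consumers do not depend on the raw shape by accident.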
diff --git a/vpc-transit-gateway-association-data/variables.common.availability_zones.tf b/vpc-transit-gateway-association-data/variables.common.availability_zones.tf
new file mode 120000
index 0000000..dca20a3
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.common.availability_zones.tf
@@ -0,0 +1 @@
+../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.tf b/vpc-transit-gateway-association-data/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.common.vpc_id.tf b/vpc-transit-gateway-association-data/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.create.tf b/vpc-transit-gateway-association-data/variables.create.tf
new file mode 120000
index 0000000..de1275b
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.create.tf
@@ -0,0 +1 @@
+../common/variables.create.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association-data/variables.tf b/vpc-transit-gateway-association-data/variables.tf
new file mode 100644
index 0000000..d1c1568
--- /dev/null
+++ b/vpc-transit-gateway-association-data/variables.tf
@@ -0,0 +1,48 @@
+variable "network_account_profile" {
+ description = "AWS profile of the source account sharing the VPC resources"
+ type = string
+}
+
+variable "transit_gateway_environment" {
+ description = "Transit Gateway Environment (aka, VRF) to which to connnect this VPC"
+ type = string
+
+ validation {
+ condition = contains(["services", "dev", "test", "stage", "prod", "cre"], var.transit_gateway_environment)
+ error_message = "transit_gateway_environment value must be one of the valid VRF selections"
+ }
+}
+
+variable "transit_gateway_routing_type" {
+ description = "Transit Gateway routing type, to select either self or peer (where we may have many peers)"
+ type = string
+
+ validation {
+ condition = contains(["self", "peer"], var.transit_gateway_routing_type)
+ error_message = "transit_gateway_routing_type must be either self or peer"
+ }
+}
+
+variable "route_table_label" {
+ description = "Route table lable for the attachment subnets"
+ type = string
+ default = "attachment"
+}
+
+variable "route_prefix_list_name" {
+ description = "Shared prefix list name used for routing to TGW. It is comprised of all of the network CIDR blocks in AWS using TGW."
+ type = string
+ default = "transit-gateway.prod"
+}
+
+variable "transit_gateway_label" {
+ description = "Transit Gateway label for specific instance (sa, prod)"
+ type = string
+ default = "prod"
+}
+
+## variable "subnet_ids" {
+## description = "List of subnet IDs for this VPC for the TGW attachment. This should be not public, and should be a separate attachment set of /28 subnets with no other use"
+## type = list(string)
+## }
+
diff --git a/vpc-transit-gateway-association-data/version.tf b/vpc-transit-gateway-association-data/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/vpc-transit-gateway-association-data/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
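Review bot: `network_account_profile` is declared as a required input (and the README lists it as required) but nothing in the new submodule reads it — its only reference is the disabled OFF/credentials file, and the providers arrive through `configuration_aliases` — so callers are forced to hand over a credential profile name the module never uses; drop it, or describe it as reserved so nobody assumes the module configures its own access. `transit_gateway_routing_type`, `route_table_label` and `transit_gateway_label` are likewise not referenced by any file in this patch; the symlinked common files are outside this diff, so they may be consumed there, but if not they are dead inputs. The `error_message` strings are not full sentences, and older Terraform releases within the `>= 0.13` range enforced a full-sentence rule at validation time, so a form like `error_message = "The transit_gateway_environment value must be one of: services, dev, test, stage, prod, cre."` is safer and also tells the user the allowed values.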
diff --git a/vpc-transit-gateway-association-data/versions.tf b/vpc-transit-gateway-association-data/versions.tf
new file mode 100644
index 0000000..fb772a1
--- /dev/null
+++ b/vpc-transit-gateway-association-data/versions.tf
@@ -0,0 +1,31 @@
+terraform {
+ # experiments = [module_variable_optional_attrs]
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.66.0"
+ configuration_aliases = [aws.network_account, aws.self, aws.peer]
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = ">= 2.0"
+ }
+ ldap = {
+ source = "trevex/ldap"
+ version = ">= 0.5.4"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = ">= 1.0.0"
+ }
+ }
+ required_version = ">= 0.13"
+}
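Review bot: `null`, `random`, `template`, `local` and the third-party `trevex/ldap` are declared under `required_providers`, yet no file in this patch uses any of them (the symlinked common files are not visible here, so one of them might). Every entry is downloaded, verified and trusted by each consumer that runs `terraform init` against this module, so an unused provider from a non-HashiCorp namespace is supply-chain surface with no benefit, and `hashicorp/template` is deprecated, so requiring it pins consumers to platforms it still ships for. A one-line comment per provider naming the file that needs it, e.g. `# ldap: used by ../common/<file> (TODO confirm)`, would let the next reviewer prune the list with confidence. The `# experiments = [module_variable_optional_attrs]` line is dead and can be removed.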