add peer module

terraform-modules · May 31, 2021 · b4dddb0 · b4dddb0
1 parent efd1552
commit b4dddb0
Show file tree

Hide file tree

Showing 17 changed files with 487 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,3 +22,7 @@
 * v1.0.4 -- 20210514
   - flowlogs
     - setup flow logs
+
+* v1.0.5 -- 20210531
+  - peer
+    - setup peer 
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.4"
+  _module_version = "1.0.5"
 }
diff --git a/peer/data.peer.tf b/peer/data.peer.tf
@@ -0,0 +1,26 @@
+data "aws_caller_identity" "peer_current" {
+  provider = aws.peer
+}
+
+data "aws_arn" "peer_current" {
+  provider = aws.peer
+  arn      = data.aws_caller_identity.peer_current.arn
+}
+
+data "aws_region" "peer_current" {
+  provider = aws.peer
+}
+
+data "aws_vpc" "peer_vpc" {
+  provider = aws.peer
+  id       = var.peer_vpc_id
+}
+
+data "aws_route_tables" "default_peer_route_tables" {
+  provider = aws.peer
+  vpc_id   = var.peer_vpc_id
+  filter {
+    name   = "tag:Name"
+    values = ["*-private-*"]
+  }
+}
diff --git a/peer/data.self.tf b/peer/data.self.tf
@@ -0,0 +1,26 @@
+data "aws_caller_identity" "self_current" {
+  provider = aws.self
+}
+
+data "aws_arn" "self_current" {
+  provider = aws.self
+  arn      = data.aws_caller_identity.self_current.arn
+}
+
+data "aws_region" "self_current" {
+  provider = aws.self
+}
+
+data "aws_vpc" "self_vpc" {
+  provider = aws.self
+  id       = var.self_vpc_id
+}
+
+data "aws_route_tables" "default_self_route_tables" {
+  provider = aws.self
+  vpc_id   = var.self_vpc_id
+  filter {
+    name   = "tag:Name"
+    values = ["*-private-*"]
+  }
+}
diff --git a/peer/defaults.tf b/peer/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
diff --git a/peer/main.tf b/peer/main.tf
@@ -0,0 +1,82 @@
+/*
+* # About aws-vpc-setup :: peer
+* 
+* This submodule creates a peering connection with a different VPC, and sets up appropriate network
+* ACLs and routing between the two CIDR blocks.
+* 
+* # Usage
+* 
+* ```hcl
+* module "peer_services" {
+*   source               = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer"
+*
+* # self
+*   vpc_id               = module.vpc.vpc_id
+*   vpc_name             = var.vpc_name
+*   vpc_cidr_block       = var.vpc_cidr_block
+*   vpc_index            = var.vpc_index
+*   vpc_short_name       = var.vpc_short_name
+*   vpc_full_name        = var.vpc_full_name
+*   vpc_environment      = var.vpc_environment
+*   route_table_ids      = [ "rtb-12345678" ]
+*   network_acl_ids      = [ "nacl-12345678" ]
+*   nacl_rule_number     = 2500
+*   rule_increment       = 1
+*   tags = {}
+*
+* # peer
+*   peer_account_id           = var.peer_account_id
+*   peer_vpc_id               = var.peer_vpc_id
+*   peer_vpc_name             = var.peer_vpc_name
+*   # peer_vpc_cidr_block       = var.peer_vpc_cidr_block
+*   peer_vpc_index            = var.peer_vpc_index
+*   peer_vpc_short_name       = var.peer_vpc_short_name
+*   # peer_vpc_full_name        = var.peer_vpc_full_name
+*   # peer_vpc_environment      = var.peer_vpc_environment
+*   # peer_tags = {}
+*   peer_route_table_ids      = [ "rtb-87654321" ]
+*   peer_network_acl_ids      = [ "nacl-87654321" ]
+*   peer_nacl_rule_number     = 2500
+*   peer_rule_increment       = 1
+*
+*   providers = {
+*     aws.self = aws
+*     aws.peer = aws.us-gov-east-1
+*   }
+* }
+* ```
+*/
+
+locals {
+  self_account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.self_current.account_id
+  self_account_environment = data.aws_arn.self_current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  peer_account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.peer_current.account_id
+  peer_account_environment = data.aws_arn.peer_current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+## vpc_info = {
+##   name =
+##   cidr_block =
+##   index =  
+##   short_name =
+##   full_name = 
+##   environment = 
+## }
+##   vpc_info = {
+##     "vpc_id"               = module.vpc.vpc_id
+##     "vpc_cidr_block"       = local.vpc_cidr_block
+##     "vpc_arn"              = module.vpc.vpc_arn
+##     "vpc_name"             = local.vpc_name
+##     "vpc_short_name"       = local.vpc_short_name
+##     "vpc_full_name"        = local.vpc_full_name
+##     "vpc_environment"      = local.vpc_environment
+##     "s3_endpoint_id"       = module.routing.vpc_endpoint_id_s3
+##     "dynanodb_endpoint_id" = module.routing.vpc_endpoint_id_dynamodb
+##   }
+## }
diff --git a/peer/prefixes.tf b/peer/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
diff --git a/peer/requirements.tf b/peer/requirements.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      #      configuration_aliases = [aws.self, aws.peer]
+    }
+  }
+}
diff --git a/peer/subnet-nacls.peers.tf.disabled b/peer/subnet-nacls.peers.tf.disabled
@@ -0,0 +1,79 @@
+# no peer1 on vpc1
+
+# peer1: vpc1 = 2000, vpc2 = 2001, ...
+# peer2: vpc1 = 2100, vpc2 = 2101, ...
+
+locals {
+  nacl_id_me = [aws_network_acl.private.id]
+
+  peer2_start   = 2100
+  nacl_id_peer2 = tolist(data.aws_network_acls.peer2.ids)
+}
+
+#---
+# peer2: local vpc[1,2,3,4,5] to govcloud-account-107742151971 vpc1-services
+#---
+# IN me->peer2
+resource "aws_network_acl_rule" "in_me_peer2" {
+  provider       = aws
+  count          = length(local.nacl_id_me)
+  network_acl_id = aws_network_acl.private.id
+  rule_number    = local.peer2_start + (var.vpc_index - 1)
+  egress         = false
+  protocol       = "all"
+  rule_action    = "allow"
+  from_port      = 0
+  to_port        = 0
+  cidr_block     = local.cidr_block_peer2
+}
+
+# OUT me->peer2
+resource "aws_network_acl_rule" "out_me_peer2" {
+  provider       = aws
+  count          = length(local.nacl_id_me)
+  network_acl_id = aws_network_acl.private.id
+  rule_number    = local.peer2_start + (var.vpc_index - 1)
+  egress         = true
+  protocol       = "all"
+  rule_action    = "allow"
+  from_port      = 0
+  to_port        = 0
+  cidr_block     = local.cidr_block_peer2
+}
+
+data "aws_network_acls" "peer2" {
+  provider = aws.peer2
+  vpc_id   = local.vpc_id_peer2
+  filter {
+    name   = "tag:Name"
+    values = ["*${var.vpc_tag_peer2}*private*", "*${var.vpc_tag_peer2}"]
+  }
+}
+
+# IN peer2->me
+resource "aws_network_acl_rule" "in_peer2_me" {
+  provider       = aws.peer2
+  count          = length(local.nacl_id_peer2)
+  network_acl_id = local.nacl_id_peer2[count.index]
+  rule_number    = local.peer2_start + (var.vpc_index - 1)
+  egress         = false
+  protocol       = "all"
+  rule_action    = "allow"
+  from_port      = 0
+  to_port        = 0
+  cidr_block     = local.cidr_block_me
+}
+
+# OUT peer2->me
+resource "aws_network_acl_rule" "out_peer2_me" {
+  provider       = aws.peer2
+  count          = length(local.nacl_id_peer2)
+  network_acl_id = local.nacl_id_peer2[count.index]
+  rule_number    = local.peer2_start + (var.vpc_index - 1)
+  egress         = true
+  protocol       = "all"
+  rule_action    = "allow"
+  from_port      = 0
+  to_port        = 0
+  cidr_block     = local.cidr_block_me
+}
diff --git a/peer/variables.common.tf b/peer/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
diff --git a/peer/variables.common.vpc.tf b/peer/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
diff --git a/peer/variables.common.vpc_id.tf b/peer/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
diff --git a/peer/variables.peer.tf b/peer/variables.peer.tf
@@ -0,0 +1,82 @@
+variable "peer_account_id" {
+  description = "Peer AWS Account ID"
+  type        = string
+  default     = ""
+}
+
+variable "peer_account_alias" {
+  description = "Peer AWS Account Alias"
+  type        = string
+  default     = ""
+}
+
+variable "peer_tags" {
+  description = "Peer AWS Tags to apply to appropriate resources (default: current var.tags)"
+  type        = map(string)
+  default     = {}
+}
+
+variable "peer_vpc_id" {
+  description = "Peer VPC ID"
+  type        = string
+}
+
+variable "peer_vpc_name" {
+  description = "Peer VPC name component used through the VPC descrbing its purpose"
+  type        = string
+  default     = null
+}
+
+variable "peer_vpc_short_name" {
+  description = "Peer VPC short name component (vpc{index})"
+  type        = string
+  default     = null
+}
+
+variable "peer_vpc_full_name" {
+  description = "Peer VPC full name component (vpc{index}-{vpc_name})"
+  type        = string
+  default     = null
+}
+
+variable "peer_vpc_index" {
+  description = "Peer VPC index number (integer starting at 1)"
+  type        = number
+  default     = null
+}
+
+variable "peer_vpc_environment" {
+  description = "Peer VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod)"
+  type        = string
+  default     = null
+}
+
+variable "peer_route_table_ids" {
+  description = "Peer VPC route table IDs (default: all *private* route tables at peer VPC)"
+  type        = list(string)
+  default     = []
+}
+
+variable "peer_vpc_cidr_block" {
+  description = "Peer VPC CIDR Block (default: obtain from peer VPC)"
+  type        = string
+  default     = ""
+}
+
+variable "peer_network_acl_ids" {
+  description = "Peer VPC Network ACL IDs"
+  type        = list(string)
+  default     = []
+}
+
+variable "peer_nacl_rule_number" {
+  description = "Peer Starting rule number within the rule"
+  type        = number
+  default     = null
+}
+
+variable "peer_rule_increment" {
+  description = "Peer Rule number increment per new CIDR block"
+  type        = number
+  default     = 1
+}
diff --git a/peer/variables.peers.auto.tfvars.disabled b/peer/variables.peers.auto.tfvars.disabled
@@ -0,0 +1,7 @@
+profile_peer2    = "107742151971-do2-govcloud"
+region_peer2     = "us-gov-west-1"
+regions_peer2    = ["us-gov-west-1"]
+account_id_peer2 = "107742151971"
+# vpc1-services
+vpc_peer2     = "vpc-77877a12"
+vpc_tag_peer2 = "vpc1-services"
diff --git a/peer/variables.self.tf b/peer/variables.self.tf
@@ -0,0 +1,29 @@
+variable "route_table_ids" {
+  description = "Self VPC route table IDs (default: all *private* route tables at self VPC)"
+  type        = list(string)
+  default     = []
+}
+
+variable "vpc_cidr_block" {
+  description = "Self VPC CIDR Block (default: obtain from self VPC)"
+  type        = string
+  default     = ""
+}
+
+variable "network_acl_ids" {
+  description = "VPC Network ACL IDs"
+  type        = list(string)
+  default     = []
+}
+
+variable "nacl_rule_number" {
+  description = "Starting rule number within the rule"
+  type        = number
+  default     = null
+}
+
+variable "rule_increment" {
+  description = "Rule number increment per new CIDR block"
+  type        = number
+  default     = 1
+}
diff --git a/peer/version.tf b/peer/version.tf
@@ -0,0 +1 @@
+../common/version.tf