diff --git a/CHANGELOG.md b/CHANGELOG.md
index 28e7339..1d5ad4a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,3 +22,7 @@
 * v1.0.4 -- 20210514
 - flowlogs
 - setup flow logs
+
+* v1.0.5 -- 20210531
+ - peer
+ - setup peer
diff --git a/common/version.tf b/common/version.tf
index 4840281..4f63093 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.0.4"
+ _module_version = "1.0.5"
 }
diff --git a/peer/data.peer.tf b/peer/data.peer.tf
new file mode 100644
index 0000000..54aa78c
--- /dev/null
+++ b/peer/data.peer.tf
@@ -0,0 +1,26 @@
+data "aws_caller_identity" "peer_current" {
+ provider = aws.peer
+}
+
+data "aws_arn" "peer_current" {
+ provider = aws.peer
+ arn = data.aws_caller_identity.peer_current.arn
+}
+
+data "aws_region" "peer_current" {
+ provider = aws.peer
+}
+
+data "aws_vpc" "peer_vpc" {
+ provider = aws.peer
+ id = var.peer_vpc_id
+}
+
+data "aws_route_tables" "default_peer_route_tables" {
+ provider = aws.peer
+ vpc_id = var.peer_vpc_id
+ filter {
+ name = "tag:Name"
+ values = ["*-private-*"]
+ }
+}
diff --git a/peer/data.self.tf b/peer/data.self.tf
new file mode 100644
index 0000000..19aeb9a
--- /dev/null
+++ b/peer/data.self.tf
@@ -0,0 +1,26 @@
+data "aws_caller_identity" "self_current" {
+ provider = aws.self
+}
+
+data "aws_arn" "self_current" {
+ provider = aws.self
+ arn = data.aws_caller_identity.self_current.arn
+}
+
+data "aws_region" "self_current" {
+ provider = aws.self
+}
+
+data "aws_vpc" "self_vpc" {
+ provider = aws.self
+ id = var.self_vpc_id
+}
+
+data "aws_route_tables" "default_self_route_tables" {
+ provider = aws.self
+ vpc_id = var.self_vpc_id
+ filter {
+ name = "tag:Name"
+ values = ["*-private-*"]
+ }
+}
diff --git a/peer/defaults.tf b/peer/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/peer/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
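Review bot: `default_peer_route_tables` in data.peer.tf selects route tables purely by the `tag:Name` glob `*-private-*`, and nothing records that naming convention or what happens when the peer VPC does not follow it; as far as I know `aws_route_tables` returns an empty `ids` set rather than failing, so a peer whose tables are named differently would silently receive no routes. I would add `# default route-table set: every table in the peer VPC whose Name tag matches *-private-*; callers with other naming must pass var.peer_route_table_ids` above the block. The data source is also read unconditionally, even when `var.peer_route_table_ids` is supplied; the code that chooses between the two is not in this diff. `default_self_route_tables` in data.self.tf has the same gap.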
diff --git a/peer/main.tf b/peer/main.tf
new file mode 100644
index 0000000..6494c28
--- /dev/null
+++ b/peer/main.tf
@@ -0,0 +1,82 @@
+/*
+* # About aws-vpc-setup :: peer
+*
+* This submodule creates a peering connection with a different VPC, and sets up appropriate network
+* ACLs and routing between the two CIDR blocks.
+*
+* # Usage
+*
+* ```hcl
+* module "peer_services" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer"
+*
+* # self
+* vpc_id = module.vpc.vpc_id
+* vpc_name = var.vpc_name
+* vpc_cidr_block = var.vpc_cidr_block
+* vpc_index = var.vpc_index
+* vpc_short_name = var.vpc_short_name
+* vpc_full_name = var.vpc_full_name
+* vpc_environment = var.vpc_environment
+* route_table_ids = [ "rtb-12345678" ]
+* network_acl_ids = [ "nacl-12345678" ]
+* nacl_rule_number = 2500
+* rule_increment = 1
+* tags = {}
+*
+* # peer
+* peer_account_id = var.peer_account_id
+* peer_vpc_id = var.peer_vpc_id
+* peer_vpc_name = var.peer_vpc_name
+* # peer_vpc_cidr_block = var.peer_vpc_cidr_block
+* peer_vpc_index = var.peer_vpc_index
+* peer_vpc_short_name = var.peer_vpc_short_name
+* # peer_vpc_full_name = var.peer_vpc_full_name
+* # peer_vpc_environment = var.peer_vpc_environment
+* # peer_tags = {}
+* peer_route_table_ids = [ "rtb-87654321" ]
+* peer_network_acl_ids = [ "nacl-87654321" ]
+* peer_nacl_rule_number = 2500
+* peer_rule_increment = 1
+*
+* providers = {
+* aws.self = aws
+* aws.peer = aws.us-gov-east-1
+* }
+* }
+* ```
+*/
+
+locals {
+ self_account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.self_current.account_id
+ self_account_environment = data.aws_arn.self_current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ peer_account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.peer_current.account_id
+ peer_account_environment = data.aws_arn.peer_current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+## vpc_info = {
+## name =
+## cidr_block =
+## index =
+## short_name =
+## full_name =
+## environment =
+## }
+## vpc_info = {
+## "vpc_id" = module.vpc.vpc_id
+## "vpc_cidr_block" = local.vpc_cidr_block
+## "vpc_arn" = module.vpc.vpc_arn
+## "vpc_name" = local.vpc_name
+## "vpc_short_name" = local.vpc_short_name
+## "vpc_full_name" = local.vpc_full_name
+## "vpc_environment" = local.vpc_environment
+## "s3_endpoint_id" = module.routing.vpc_endpoint_id_s3
+## "dynanodb_endpoint_id" = module.routing.vpc_endpoint_id_dynamodb
+## }
+## }
diff --git a/peer/prefixes.tf b/peer/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/peer/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/peer/requirements.tf b/peer/requirements.tf
new file mode 100644
index 0000000..b4b8682
--- /dev/null
+++ b/peer/requirements.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ # configuration_aliases = [aws.self, aws.peer]
+ }
+ }
+}
diff --git a/peer/subnet-nacls.peers.tf.disabled b/peer/subnet-nacls.peers.tf.disabled
new file mode 100644
index 0000000..acd4fe2
--- /dev/null
+++ b/peer/subnet-nacls.peers.tf.disabled
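Review bot: `peer_account_id` in the `locals` block of main.tf tests and returns `var.account_id` rather than `var.peer_account_id`, so whenever a caller sets the self account ID explicitly both locals resolve to the same (self) account and the peer identity is lost; the `peer_account_id` variable declared in variables.peer.tf is never consulted. The line should read `peer_account_id = var.peer_account_id != "" ? var.peer_account_id : data.aws_caller_identity.peer_current.account_id`. `var.account_id` is presumably declared in the symlinked common variables file, which is not visible in this diff. The two commented-out `## vpc_info` blocks at the end of the file describe nothing that exists in this submodule and could be dropped rather than carried as dead text.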
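Review bot: requirements.tf leaves `configuration_aliases = [aws.self, aws.peer]` commented out while every resource and data source in the submodule uses `provider = aws.self` or `aws.peer`; my understanding is that Terraform 0.15 and later expect those aliases to be declared here (older releases used empty `provider "aws" { alias = "self" }` proxy blocks), so I would uncomment the line or state which Terraform release the module targets. The block also pins neither a provider `version` nor a `required_version`, which lets a fresh `init` pull whatever provider major is current and pick up breaking changes unnoticed; a constraint next to `source`, for example `version = "~> 3.0"` (constructed, use the range actually tested), would make upgrades deliberate.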
@@ -0,0 +1,79 @@
+# no peer1 on vpc1
+
+# peer1: vpc1 = 2000, vpc2 = 2001, ...
+# peer2: vpc1 = 2100, vpc2 = 2101, ...
+
+locals {
+ nacl_id_me = [aws_network_acl.private.id]
+
+ peer2_start = 2100
+ nacl_id_peer2 = tolist(data.aws_network_acls.peer2.ids)
+}
+
+#---
+# peer2: local vpc[1,2,3,4,5] to govcloud-account-107742151971 vpc1-services
+#---
+# IN me->peer2
+resource "aws_network_acl_rule" "in_me_peer2" {
+ provider = aws
+ count = length(local.nacl_id_me)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = local.peer2_start + (var.vpc_index - 1)
+ egress = false
+ protocol = "all"
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ cidr_block = local.cidr_block_peer2
+}
+
+# OUT me->peer2
+resource "aws_network_acl_rule" "out_me_peer2" {
+ provider = aws
+ count = length(local.nacl_id_me)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = local.peer2_start + (var.vpc_index - 1)
+ egress = true
+ protocol = "all"
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ cidr_block = local.cidr_block_peer2
+}
+
+data "aws_network_acls" "peer2" {
+ provider = aws.peer2
+ vpc_id = local.vpc_id_peer2
+ filter {
+ name = "tag:Name"
+ values = ["*${var.vpc_tag_peer2}*private*", "*${var.vpc_tag_peer2}"]
+ }
+}
+
+# IN peer2->me
+resource "aws_network_acl_rule" "in_peer2_me" {
+ provider = aws.peer2
+ count = length(local.nacl_id_peer2)
+ network_acl_id = local.nacl_id_peer2[count.index]
+ rule_number = local.peer2_start + (var.vpc_index - 1)
+ egress = false
+ protocol = "all"
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ cidr_block = local.cidr_block_me
+}
+
+# OUT peer2->me
+resource "aws_network_acl_rule" "out_peer2_me" {
+ provider = aws.peer2
+ count = length(local.nacl_id_peer2)
+ network_acl_id = local.nacl_id_peer2[count.index]
+ rule_number = local.peer2_start + (var.vpc_index - 1)
+ egress = true
+ protocol = "all"
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ cidr_block = local.cidr_block_me
+}
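Review bot: The four `aws_network_acl_rule` resources in subnet-nacls.peers.tf.disabled allow `protocol = "all"` with `from_port = 0`/`to_port = 0` in both directions between the peered CIDR blocks, which is a blanket allow rather than the set of ports the peering is meant to carry; if this file is ever re-enabled it deserves either a per-protocol breakdown or a comment such as `# intentionally all-protocol: NACLs are a coarse backstop here, per-port filtering is left to security groups` so the breadth is a recorded decision. The file also references `aws_network_acl.private`, `aws.peer2`, `local.cidr_block_peer2`, `local.cidr_block_me` and `var.vpc_tag_peer2`, none of which is defined in the files this commit adds, so renaming it back to `.tf` would not plan against the new `self`/`peer` variable scheme. I would either port it to `var.network_acl_ids`/`var.peer_network_acl_ids` or leave it out of the module rather than ship it disabled.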
diff --git a/peer/variables.common.tf b/peer/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/peer/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/peer/variables.common.vpc.tf b/peer/variables.common.vpc.tf
new file mode 120000
index 0000000..5e77d37
--- /dev/null
+++ b/peer/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/peer/variables.common.vpc_id.tf b/peer/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/peer/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/peer/variables.peer.tf b/peer/variables.peer.tf
new file mode 100644
index 0000000..a0b7d56
--- /dev/null
+++ b/peer/variables.peer.tf
@@ -0,0 +1,82 @@
+variable "peer_account_id" {
+ description = "Peer AWS Account ID"
+ type = string
+ default = ""
+}
+
+variable "peer_account_alias" {
+ description = "Peer AWS Account Alias"
+ type = string
+ default = ""
+}
+
+variable "peer_tags" {
+ description = "Peer AWS Tags to apply to appropriate resources (default: current var.tags)"
+ type = map(string)
+ default = {}
+}
+
+variable "peer_vpc_id" {
+ description = "Peer VPC ID"
+ type = string
+}
+
+variable "peer_vpc_name" {
+ description = "Peer VPC name component used through the VPC descrbing its purpose"
+ type = string
+ default = null
+}
+
+variable "peer_vpc_short_name" {
+ description = "Peer VPC short name component (vpc{index})"
+ type = string
+ default = null
+}
+
+variable "peer_vpc_full_name" {
+ description = "Peer VPC full name component (vpc{index}-{vpc_name})"
+ type = string
+ default = null
+}
+
+variable "peer_vpc_index" {
+ description = "Peer VPC index number (integer starting at 1)"
+ type = number
+ default = null
+}
+
+variable "peer_vpc_environment" {
+ description = "Peer VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod)"
+ type = string
+ default = null
+}
+
+variable "peer_route_table_ids" {
+ description = "Peer VPC route table IDs (default: all *private* route tables at peer VPC)"
+ type = list(string)
+ default = []
+}
+
+variable "peer_vpc_cidr_block" {
+ description = "Peer VPC CIDR Block (default: obtain from peer VPC)"
+ type = string
+ default = ""
+}
+
+variable "peer_network_acl_ids" {
+ description = "Peer VPC Network ACL IDs"
+ type = list(string)
+ default = []
+}
+
+variable "peer_nacl_rule_number" {
+ description = "Peer Starting rule number within the rule"
+ type = number
+ default = null
+}
+
+variable "peer_rule_increment" {
+ description = "Peer Rule number increment per new CIDR block"
+ type = number
+ default = 1
+}
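Review bot: Several `description` strings in variables.peer.tf are misspelled or unclear: `peer_vpc_name` says "descrbing", and `peer_nacl_rule_number` reads "Peer Starting rule number within the rule", which names no rule; I would change them to `description = "Peer VPC name component used through the VPC describing its purpose"` and `description = "Peer starting rule number within the peer VPC network ACL"`. `peer_vpc_id` is the only required input but accepts any string; a `validation` block with `condition = can(regex("^vpc-", var.peer_vpc_id))` would reject a self/peer mix-up before either provider is called. `peer_account_id` is declared with `default = ""` here but the `locals` in main.tf read `var.account_id` for the peer side as well, so this variable currently has no effect.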
diff --git a/peer/variables.peers.auto.tfvars.disabled b/peer/variables.peers.auto.tfvars.disabled
new file mode 100644
index 0000000..4936acb
--- /dev/null
+++ b/peer/variables.peers.auto.tfvars.disabled
@@ -0,0 +1,7 @@
+profile_peer2 = "107742151971-do2-govcloud"
+region_peer2 = "us-gov-west-1"
+regions_peer2 = ["us-gov-west-1"]
+account_id_peer2 = "107742151971"
+# vpc1-services
+vpc_peer2 = "vpc-77877a12"
+vpc_tag_peer2 = "vpc1-services"
diff --git a/peer/variables.self.tf b/peer/variables.self.tf
new file mode 100644
index 0000000..7dc9e8c
--- /dev/null
+++ b/peer/variables.self.tf
@@ -0,0 +1,29 @@
+variable "route_table_ids" {
+ description = "Self VPC route table IDs (default: all *private* route tables at self VPC)"
+ type = list(string)
+ default = []
+}
+
+variable "vpc_cidr_block" {
+ description = "Self VPC CIDR Block (default: obtain from self VPC)"
+ type = string
+ default = ""
+}
+
+variable "network_acl_ids" {
+ description = "VPC Network ACL IDs"
+ type = list(string)
+ default = []
+}
+
+variable "nacl_rule_number" {
+ description = "Starting rule number within the rule"
+ type = number
+ default = null
+}
+
+variable "rule_increment" {
+ description = "Rule number increment per new CIDR block"
+ type = number
+ default = 1
+}
diff --git a/peer/version.tf b/peer/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/peer/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/peer/vpc-peers.tf.disabled b/peer/vpc-peers.tf.disabled
new file mode 100644
index 0000000..36493c6
--- /dev/null
+++ b/peer/vpc-peers.tf.disabled
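Review bot: variables.peers.auto.tfvars.disabled carries a concrete account ID, CLI profile name and VPC ID for one specific peer environment, and its variable names (`profile_peer2`, `vpc_peer2`, `vpc_tag_peer2`, `account_id_peer2`) match nothing declared in variables.peer.tf or variables.self.tf, so even re-enabled it would not feed this submodule. Deployment-specific identifiers belong in the consuming root module or an examples directory, not in a reusable module's source where they expose one environment's account and VPC layout to everyone who clones the repository. I would drop the file from this commit.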
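Review bot: `network_acl_ids` in variables.self.tf is described as "VPC Network ACL IDs" while its siblings say "Self VPC …", and `nacl_rule_number` says "Starting rule number within the rule", which names no rule; `description = "Self VPC Network ACL IDs"` and `description = "Starting rule number within the self VPC network ACL"` would make the self/peer pairing with variables.peer.tf explicit. `vpc_cidr_block` is declared here with `default = ""`; if the symlinked `../common/variables.common.vpc.tf` also declares it, Terraform will reject the duplicate declaration, which is worth checking since that file is not in the diff.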
@@ -0,0 +1,137 @@
+# no peer1 on vpc1-shared
+#---
+# local account shared peer vpc peer1
+#---
+
+locals {
+ vpc_id_me = aws_vpc.vpc.id
+ cidr_block_me = var.vpc_cidr_block
+ short_me = split(",", var.vpc_full_name)
+ route_tables_me = tolist(data.aws_route_tables.me.ids)
+
+ vpc_id_peer2 = var.vpc_peer2
+ cidr_block_peer2 = data.aws_vpc.peer2.cidr_block
+ # short_peer2 = [ "${var.account_id_peer2}_${var.vpc_peer2}" ]
+ short_peer2 = ["${var.account_id_peer2}_${var.vpc_tag_peer2}"]
+ route_tables_peer2 = tolist(data.aws_route_tables.peer2.ids)
+ label_peer2 = format("vpcp-%s:%s", local.short_me[0], local.short_peer2[0])
+}
+
+#---
+# peer2
+#---
+data "aws_vpc" "peer2" {
+ provider = aws.peer2
+ id = local.vpc_id_peer2
+}
+
+#---
+# private route tables, local and peer
+#---
+data "aws_route_tables" "me" {
+ provider = aws
+ vpc_id = local.vpc_id_me
+ filter {
+ name = "tag:Name"
+ values = ["*-private-*"]
+ }
+}
+
+data "aws_route_tables" "peer2" {
+ provider = aws.peer2
+ vpc_id = local.vpc_id_peer2
+ filter {
+ name = "tag:Name"
+ values = ["*${var.vpc_tag_peer2}*private*", "*${var.vpc_tag_peer2}"]
+ }
+}
+
+resource "aws_vpc_peering_connection" "me_peer2" {
+ provider = aws
+ vpc_id = local.vpc_id_me
+ peer_vpc_id = local.vpc_id_peer2
+ peer_owner_id = var.account_id_peer2
+ peer_region = var.region_peer2
+ auto_accept = false
+
+ # accepter {
+ # allow_remote_vpc_dns_resolution = false
+ # allow_classic_link_to_remote_vpc = false
+ # allow_vpc_to_remote_classic_link = false
+ # }
+ # requester {
+ # allow_remote_vpc_dns_resolution = false
+ # allow_classic_link_to_remote_vpc = false
+ # allow_vpc_to_remote_classic_link = false
+ # }
+
+ tags = merge(
+ local.common_tags,
+ map("Name", local.label_peer2),
+ )
+}
+
+
+resource "aws_vpc_peering_connection_accepter" "me_peer2" {
+ provider = aws.peer2
+ vpc_peering_connection_id = aws_vpc_peering_connection.me_peer2.id
+ auto_accept = true
+ # depends_on = ["aws_vpc_peering_connection.me_peer2"]
+
+ # accepter {
+ # allow_remote_vpc_dns_resolution = false
+ # allow_classic_link_to_remote_vpc = false
+ # allow_vpc_to_remote_classic_link = false
+ # }
+ # requester {
+ # allow_remote_vpc_dns_resolution = false
+ # allow_classic_link_to_remote_vpc = false
+ # allow_vpc_to_remote_classic_link = false
+ # }
+
+ # accepter {
+ # allow_remote_vpc_dns_resolution = true
+ # }
+ # tags {
+ # Name = "vpcp-do2cat-vpc3_do3ma1ew-vpc1"
+ # Environment = "infrastructure"
+ # CostAllocation = "csvd:inf"
+ # Creator = "${var.tag_creator}"
+ # }
+ tags = merge(
+ local.common_tags,
+ map("Name", local.label_peer2),
+ )
+}
+
+# local routes
+resource "aws_route" "me_peer2" {
+ provider = aws
+ count = length(data.aws_route_tables.me.ids)
+ # route_table_id = data.aws_route_tables.me.ids[count.index]
+ route_table_id = local.route_tables_me[count.index]
+ destination_cidr_block = local.cidr_block_peer2
+ vpc_peering_connection_id = aws_vpc_peering_connection.me_peer2.id
+}
+
+# peer routes
+resource "aws_route" "peer2_me" {
+ provider = aws.peer2
+ count = length(data.aws_route_tables.peer2.ids)
+ # route_table_id = data.aws_route_tables.peer2.ids[count.index]
+ route_table_id = local.route_tables_peer2[count.index]
+ destination_cidr_block = local.cidr_block_me
+ vpc_peering_connection_id = aws_vpc_peering_connection.me_peer2.id
+}
+
+# output "rt_me" {
+# value = data.aws_route_tables.me.ids
+# }
+# output "rt_peer1" {
+# value = data.aws_route_tables.peer1.ids
+# }
+#
+# output "rt_peer2" {
+# value = data.aws_route_tables.peer2.ids
+# }
+
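Review bot: Both `tags = merge(...)` expressions in vpc-peers.tf.disabled call `map("Name", local.label_peer2)`; the `map` function was deprecated in Terraform 0.12 and removed in 0.15, so the file cannot be re-enabled on a current Terraform without changing those two lines to `{ Name = local.label_peer2 }`. The file also still uses the `aws.peer2`/`var.vpc_peer2`/`var.account_id_peer2` scheme plus `aws_vpc.vpc.id` and `local.common_tags`, none of which the files in this commit define, so it records an older design rather than the `self`/`peer` one introduced here. Since the peering connection, accepter and `aws_route` resources it contains are the behaviour the main.tf header promises for this submodule, I would port it to the new inputs (`var.peer_vpc_id`, `local.peer_account_id`, `data.aws_route_tables.default_self_route_tables`/`default_peer_route_tables`) rather than ship it disabled.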