diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md
index 890ebb2..3ccc495 100644
--- a/vpc-transit-gateway-association/self/README.md
+++ b/vpc-transit-gateway-association/self/README.md
@@ -74,6 +74,9 @@ module "vpc_tgw_self" {
 | Name | Type |
 |------|------|
 | [aws_ec2_tag.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource |
+| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource |
+| [aws_ec2_transit_gateway_prefix_list_reference.vpc_self_own_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_prefix_list_reference) | resource |
 | [aws_ec2_transit_gateway_route_table_association.route_table_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
 | [aws_ec2_transit_gateway_route_table_propagation.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
 | [aws_ec2_transit_gateway_route_table_propagation.vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
@@ -86,6 +89,8 @@ module "vpc_tgw_self" {
 | [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_managed_prefix_list.tgw_crossregion_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_lists.tgw_crossregion_env](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
 | [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
diff --git a/vpc-transit-gateway-association/self/data.prefix_lists.tf b/vpc-transit-gateway-association/self/data.prefix_lists.tf
new file mode 100644
index 0000000..6af9487
--- /dev/null
+++ b/vpc-transit-gateway-association/self/data.prefix_lists.tf
@@ -0,0 +1,13 @@
+data "aws_ec2_managed_prefix_lists" "tgw_crossregion_env" {
+ for_each = toset(local._defaults["transit-gateway-environments"])
+ filter {
+ name = "prefix-list-name"
+ values = [format("%v.crossregion.transit-gateway.%v", each.key, var.tgw_label)]
+ }
+}
+
+data "aws_ec2_managed_prefix_list" "tgw_crossregion_env" {
+ for_each = data.aws_ec2_managed_prefix_lists.tgw_crossregion_env
+ id = each.value.ids[0]
+}
+
diff --git a/vpc-transit-gateway-association/self/routing.tf b/vpc-transit-gateway-association/self/routing.tf
index 144c3c4..09686ad 100644
--- a/vpc-transit-gateway-association/self/routing.tf
+++ b/vpc-transit-gateway-association/self/routing.tf
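Review bot: `id = each.value.ids[0]` in the second data source takes the first match without checking how many there were, so a duplicated `<env>.crossregion.transit-gateway.<label>` prefix list is silently resolved to whichever one the API listed first, and an environment with no matching list fails the plan with an index error rather than a message naming the missing list. Customer-managed prefix list names are not unique, and routing.tf installs whatever CIDRs this list holds into the transit gateway route tables, so resolving the wrong list changes which destinations are sent toward the peer. If the module's Terraform constraint allows it, `id = one(each.value.ids)` rejects the duplicate case at plan time, and a `length(each.value.ids) == 1` check (for example in a `precondition`) would cover the empty case with a clear message. The map is keyed by environment name while routing.tf indexes it by route-table key; a comment such as `# keyed by environment name; routing.tf looks these up by route-table key, so both key sets must agree` would make that cross-file coupling visible.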
@@ -67,3 +67,46 @@ resource "aws_route" "gateway_vpn_ipv4" {
 depends_on = [null_resource.vpc_attachment_exists]
 }
+
+#---
+# routing using prefix lists. We want cross-region prefix lists. For services, we create a cross-region prefix list to the
+# peer TGW for every environment. For non-services, we create, we create that for services and the env.
+# this is done only once, at the TGW main configuration.
+#---
+resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_common" {
+ provider = aws.self
+ for_each = { "services" = var.data_input.map_route_tables_self["services"] }
+
+ prefix_list_id = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
+ transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+ transit_gateway_route_table_id = each.value
+}
+
+locals {
+ propagate_all_rt = ["services", "inter-region"]
+ # selected_rt = [for k in keys(local.transit_gateway_route_table_ids_peer) : k if ! contains(local.propagate_all_rt, k)]
+ selected_rt = [for k in keys(var.data_input.map_route_tables_peer) : k if ! contains(local.propagate_all_rt, k)]
+}
+
+#---
+# add routes to peer for non-services
+#---
+resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_own_env" {
+ provider = aws.self
+ for_each = { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] if k == var.transit_gateway_environment }
+
+ prefix_list_id = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
+ transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+}
+
+#---
+# if services, add routes to all other route tables
+#--
+resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_all" {
+ provider = aws.self
+ for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ?
{ for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] } : {}
+
+ prefix_list_id = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
+ transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
+ transit_gateway_route_table_id = each.value
+}
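Review bot: `aws_ec2_transit_gateway_prefix_list_reference.vpc_self_own_env` never sets `transit_gateway_route_table_id`, although its `for_each` computes the route-table id as `each.value` and both sibling resources (`vpc_self_common`, `vpc_self_all`) set `transit_gateway_route_table_id = each.value`; the attribute is required on this resource, so as written the block does not validate, and the missing line is almost certainly `transit_gateway_route_table_id = each.value`. `local.selected_rt` is built from the keys of `map_route_tables_peer` but each resource then indexes `var.data_input.map_route_tables_self[k]`, so a key present only on the peer side fails the plan with a lookup error rather than being skipped; if the two maps are not guaranteed to share keys, filtering `selected_rt` to keys present in the self map would make that explicit. The header comment repeats "we create, we create" and the closing marker of the last comment block is `#--` rather than `#---`; the commented-out `selected_rt` line in `locals` should be removed or explained, since it references `local.transit_gateway_route_table_ids_peer`, which the hunk does not define.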