From d04f48d0ac56aee092ad4dd1997fde985b2a976d Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 1 Jun 2021 11:23:44 -0400
Subject: [PATCH] add outputs, add nacl rules
---
 peer/README.md | 23 ++++++++---
 peer/data.peer.tf | 25 ++++++++++--
 peer/data.self.tf | 25 ++++++++++--
 peer/main.tf | 49 +++++++++++++++++++++--
 peer/outputs.tf | 33 +++++++++++++++
 peer/variables.peer.tf | 2 +-
 peer/variables.peers.auto.tfvars.disabled | 7 ----
 peer/variables.self.tf | 2 +-
 8 files changed, 141 insertions(+), 25 deletions(-)
 create mode 100644 peer/outputs.tf
 delete mode 100644 peer/variables.peers.auto.tfvars.disabled
diff --git a/peer/README.md b/peer/README.md
index 0421536..0ce0970 100644
--- a/peer/README.md
+++ b/peer/README.md
@@ -19,7 +19,7 @@ module "peer_services" {
 vpc_environment = var.vpc_environment
 route_table_ids = [ "rtb-12345678" ]
 network_acl_ids = [ "nacl-12345678" ]
- nacl_rule_number = 2500
+ rule_number = 2500
 rule_increment = 1
 tags = {}
@@ -35,7 +35,7 @@ module "peer_services" {
 # peer_tags = {}
 peer_route_table_ids = [ "rtb-87654321" ]
 peer_network_acl_ids = [ "nacl-87654321" ]
- peer_nacl_rule_number = 2500
+ peer_rule_number = 2500
 peer_rule_increment = 1
 providers = {
@@ -58,7 +58,10 @@ No requirements.
 ## Modules
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| [nacl\_rule\_peer](#module\_nacl\_rule\_peer) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules | |
+| [nacl\_rule\_self](#module\_nacl\_rule\_self) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules | |
 ## Resources
@@ -72,8 +75,12 @@ No modules.
 | [aws_arn.self_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.peer_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.self_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_network_acls.default_peer_network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source |
+| [aws_network_acls.default_self_network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source |
 | [aws_region.peer_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_region.self_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route_table.peer_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
+| [aws_route_table.self_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_route_tables.default_peer_route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_route_tables.default_self_route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_vpc.peer_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -85,16 +92,15 @@ No modules. |------|-------------|------|---------|:--------:| | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | -| [nacl\_rule\_number](#input\_nacl\_rule\_number) | Starting rule number within the rule | `number` | `null` | no | | [network\_acl\_ids](#input\_network\_acl\_ids) | VPC Network ACL IDs | `list(string)` | `[]` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | [peer\_account\_alias](#input\_peer\_account\_alias) | Peer AWS Account Alias | `string` | `""` | no | | [peer\_account\_id](#input\_peer\_account\_id) | Peer AWS Account ID | `string` | `""` | no | -| [peer\_nacl\_rule\_number](#input\_peer\_nacl\_rule\_number) | Peer Starting rule number within the rule | `number` | `null` | no | | [peer\_network\_acl\_ids](#input\_peer\_network\_acl\_ids) | Peer VPC Network ACL IDs | `list(string)` | `[]` | no | | [peer\_route\_table\_filter](#input\_peer\_route\_table\_filter) | Peer VPC route table search filter list (default: services) | `list(string)` |
[
"route-*-services",
"route-*-services-private*"
]
| no | | [peer\_route\_table\_ids](#input\_peer\_route\_table\_ids) | Peer VPC route table IDs (default: all *private* route tables at peer VPC) | `list(string)` | `[]` | no | | [peer\_rule\_increment](#input\_peer\_rule\_increment) | Peer Rule number increment per new CIDR block | `number` | `1` | no | +| [peer\_rule\_number](#input\_peer\_rule\_number) | Peer Starting rule number within the rule | `number` | `null` | no | | [peer\_tags](#input\_peer\_tags) | Peer AWS Tags to apply to appropriate resources (default: current var.tags) | `map(string)` | `{}` | no | | [peer\_vpc\_cidr\_block](#input\_peer\_vpc\_cidr\_block) | Peer VPC CIDR Block (default: obtain from peer VPC) | `string` | `""` | no | | [peer\_vpc\_environment](#input\_peer\_vpc\_environment) | Peer VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | @@ -106,6 +112,7 @@ No modules. | [route\_table\_filter](#input\_route\_table\_filter) | VPC route table search filter list (default: all private) | `list(string)` |
[
"*-private-*"
]
| no | | [route\_table\_ids](#input\_route\_table\_ids) | Self VPC route table IDs (default: all *private* route tables at self VPC) | `list(string)` | `[]` | no | | [rule\_increment](#input\_rule\_increment) | Rule number increment per new CIDR block | `number` | `1` | no | +| [rule\_number](#input\_rule\_number) | Starting rule number within the rule | `number` | `null` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | Self VPC CIDR Block (default: obtain from self VPC) | `string` | `""` | no | | [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | @@ -117,4 +124,8 @@ No modules. ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [network\_acl\_ids](#output\_network\_acl\_ids) | Network ACL IDs for peering | +| [peering\_info](#output\_peering\_info) | Peering Information | +| [route\_table\_ids](#output\_route\_table\_ids) | Route Table IDs for Peering | diff --git a/peer/data.peer.tf b/peer/data.peer.tf index 626291d..8b67c9e 100644 --- a/peer/data.peer.tf +++ b/peer/data.peer.tf 
@@ -18,12 +18,31 @@ data "aws_vpc" "peer_vpc" {
 # defaults to all private and services vpc
 data "aws_route_tables" "default_peer_route_tables" {
- # count = length(var.peer_route_table_ids) > 0 ? 1 : 0
 provider = aws.peer
 vpc_id = var.peer_vpc_id
 filter {
- name = "tag:Name"
- # values = ["*-private-*", "route-*-services"]
+ name = "tag:Name"
 values = var.peer_route_table_filter
 }
 }
+
+# get one per found route table to get subnet associations
+data "aws_route_table" "peer_route_table" {
+ provider = aws.peer
+ for_each = toset(data.aws_route_tables.default_peer_route_tables.ids)
+ route_table_id = each.key
+}
+
+locals {
+ peer_subnets = flatten([for rt in data.aws_route_table.peer_route_table : [for a in rt.associations : a.subnet_id]])
+}
+
+# get network acls associated with subnets in route table
+data "aws_network_acls" "default_peer_network_acls" {
+ provider = aws.peer
+ vpc_id = var.peer_vpc_id
+ filter {
+ name = "association.subnet-id"
+ values = local.peer_subnets
+ }
+}
diff --git a/peer/data.self.tf b/peer/data.self.tf
index 3ad9a2f..03ebe18 100644
--- a/peer/data.self.tf
+++ b/peer/data.self.tf
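Review bot: `data.aws_route_table.peer_route_table` iterates `data.aws_route_tables.default_peer_route_tables.ids`, not the route tables the module actually configures, so when a caller supplies `peer_route_table_ids` the subnet list and hence the discovered NACLs still come from the tag filter; `for_each = toset(local.peer_route_table_ids)` would keep discovery aligned with the chosen route tables (that local lives in main.tf's `locals` block, which a data source may reference). The same applies to `data.aws_route_table.self_route_table` in data.self.tf. Also, when no found route table has subnet associations, `local.peer_subnets` is empty and the `association.subnet-id` filter is sent with no values; whether the provider then errors or matches every NACL in the VPC is not visible here, so a comment stating the expected behaviour, or a `length(local.peer_subnets) > 0` guard before the lookup is relied on, would help. The hunk ends at the closing brace of `data.aws_network_acls.default_peer_network_acls`.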
@@ -18,12 +18,31 @@ data "aws_vpc" "self_vpc" {
 # defaults to all private and services vpc
 data "aws_route_tables" "default_self_route_tables" {
- # count = length(var.route_table_ids) > 0 ? 1 : 0
 provider = aws.self
 vpc_id = var.vpc_id
 filter {
- name = "tag:Name"
- # values = ["*-private-*"]
+ name = "tag:Name"
 values = var.route_table_filter
 }
 }
+
+# get one per found route table to get subnet associations
+data "aws_route_table" "self_route_table" {
+ provider = aws.self
+ for_each = toset(data.aws_route_tables.default_self_route_tables.ids)
+ route_table_id = each.key
+}
+
+locals {
+ self_subnets = flatten([for rt in data.aws_route_table.self_route_table : [for a in rt.associations : a.subnet_id]])
+}
+
+# get network acls associated with subnets in route table
+data "aws_network_acls" "default_self_network_acls" {
+ provider = aws.self
+ vpc_id = var.self_vpc_id
+ filter {
+ name = "association.subnet-id"
+ values = local.self_subnets
+ }
+}
diff --git a/peer/main.tf b/peer/main.tf
index 5b44951..f5a73aa 100644
--- a/peer/main.tf
+++ b/peer/main.tf
@@ -20,7 +20,7 @@
 * vpc_environment = var.vpc_environment
 * route_table_ids = [ "rtb-12345678" ]
 * network_acl_ids = [ "nacl-12345678" ]
-* nacl_rule_number = 2500
+* rule_number = 2500
 * rule_increment = 1
 * tags = {}
 *
@@ -36,7 +36,7 @@
 * # peer_tags = {}
 * peer_route_table_ids = [ "rtb-87654321" ]
 * peer_network_acl_ids = [ "nacl-87654321" ]
-* peer_nacl_rule_number = 2500
+* peer_rule_number = 2500
 * peer_rule_increment = 1
 *
 * providers = {
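Review bot: `vpc_id = var.self_vpc_id` in `data.aws_network_acls.default_self_network_acls` references an input that is not in the module's declared inputs as documented in the README table, and the sibling `aws_route_tables.default_self_route_tables` in this same hunk uses `var.vpc_id`; unless `self_vpc_id` is declared somewhere not shown, validation fails and the line should read `vpc_id = var.vpc_id`. The peer counterpart in data.peer.tf uses `var.peer_vpc_id` consistently. outputs.tf refers to `local.self_vpc_id`, a local rather than a variable, which may be the value that was intended here — worth confirming against main.tf.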
@@ -76,8 +76,11 @@ locals {
 self_label = format("%v%v %v:%v", local._prefixes["vpc-peer"], var.vpc_full_name, local.peer_account_id, var.peer_vpc_full_name)
 peer_label = format("%v%v %v:%v", local._prefixes["vpc-peer"], var.peer_vpc_full_name, local.self_account_id, var.vpc_full_name)
- self_route_table_ids = length(var.route_table_ids) > 0 ? var.route_table_ids : flatten(data.aws_route_tables.default_self_route_tables[*].ids)
- peer_route_table_ids = length(var.peer_route_table_ids) > 0 ? var.peer_route_table_ids : flatten(data.aws_route_tables.default_peer_route_tables[*].ids)
+ self_route_table_ids = length(var.route_table_ids) > 0 ? var.route_table_ids : data.aws_route_tables.default_self_route_tables.ids
+ peer_route_table_ids = length(var.peer_route_table_ids) > 0 ? var.peer_route_table_ids : data.aws_route_tables.default_peer_route_tables.ids
+
+ self_network_acl_ids = length(var.network_acl_ids) > 0 ? var.network_acl_ids : data.aws_network_acls.default_peer_network_acls.ids
+ peer_network_acl_ids = length(var.peer_network_acl_ids) > 0 ? var.peer_network_acl_ids : data.aws_network_acls.default_peer_network_acls.ids
 self_tags = merge(
 var.tags,
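Review bot: `self_network_acl_ids` falls back to `data.aws_network_acls.default_peer_network_acls.ids` — the peer VPC's NACLs — where it should use `data.aws_network_acls.default_self_network_acls.ids`, which this same commit adds in data.self.tf. As written, the self-side rules in module `nacl_rule_self` (later hunk) are aimed at a NACL ID looked up in the peer VPC, which either fails under the `aws.self` provider or, when both VPCs sit in one account, writes the allow rules to the wrong NACL. The line should read `self_network_acl_ids = length(var.network_acl_ids) > 0 ? var.network_acl_ids : data.aws_network_acls.default_self_network_acls.ids`. The enclosing `locals` block continues outside the hunk.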
@@ -142,3 +145,41 @@ resource "aws_route" "peer" {
 destination_cidr_block = local.self_cidr_block
 vpc_peering_connection_id = aws_vpc_peering_connection.self.id
 }
+
+#---
+# network acls
+#---
+module "nacl_rule_self" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+ provider = aws.self
+ network_acl_id = local.self_network_acl_ids[0]
+
+ rule_description = local.self_label
+ cidr_blocks = [local.peer_cidr_block]
+ rules = ["all_inbound", "all_outbound"]
+ rule_number = var.rule_number
+ rule_increment = var.rule_increment
+ tags = merge(
+ var.tags,
+ local.base_tags,
+ )
+}
+
+#---
+# network acls
+#---
+module "nacl_rule_peer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+ provider = aws.peer
+ network_acl_id = local.peer_network_acl_ids[0]
+
+ rule_description = local.peer_label
+ cidr_blocks = [local.self_cidr_block]
+ rules = ["all_inbound", "all_outbound"]
+ rule_number = var.peer_rule_number
+ rule_increment = var.peer_rule_increment
+ tags = merge(
+ var.tags,
+ local.base_tags,
+ )
+}
diff --git a/peer/outputs.tf b/peer/outputs.tf
new file mode 100644
index 0000000..770ae6f
--- /dev/null
+++ b/peer/outputs.tf
@@ -0,0 +1,33 @@
+output "network_acl_ids" {
+ description = "Network ACL IDs for peering"
+ value = {
+ self = local.self_network_acl_ids
+ peer = local.peer_network_acl_ids
+ }
+}
+
+output "route_table_ids" {
+ description = "Route Table IDs for Peering"
+ value = {
+ self = local.self_route_table_ids
+ peer = local.peer_route_table_ids
+ }
+}
+
+output "peering_info" {
+ description = "Peering Information"
+ value = {
+ self = {
+ vpc_id = local.self_vpc_id
+ tag_name = local.self_vpc_tag_name
+ cidr_block = local.self_cidr_block
+ label = local.self_label
+ }
+ peer = {
+ vpc_id = local.peer_vpc_id
+ tag_name = local.peer_vpc_tag_name
+ cidr_block = local.peer_cidr_block
+ label = local.peer_label
+ }
+ }
+}
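Review bot: `provider = aws.self` and `provider = aws.peer` on the two `module` blocks are not an argument Terraform accepts for modules — a module receives providers through `providers = { aws = aws.self }`, which is the form the README example for this very module uses — so init/validate rejects both blocks as written. Separately, `network_acl_id = local.self_network_acl_ids[0]` (and the peer counterpart) installs the allow rules on only the first discovered NACL even though `local.self_subnets` can span several, while the new `network_acl_ids` output advertises the whole list, so what is reported and what is actually opened can differ; if the Terraform version in use supports `for_each` on modules, iterating the list keeps the two in step, otherwise a comment stating the single-NACL assumption is needed (and `[0]` on an empty list is an apply-time error). `rules = ["all_inbound", "all_outbound"]` grants every protocol and port for the peer CIDR at the NACL layer, which is presumably deliberate for peering but deserves a line such as `# NACL allows all traffic to/from the peer CIDR; security groups remain the per-resource control`. The peer module tags with `var.tags` rather than the peer-side tags the README documents (`peer_tags`); check which was intended.
```hcl
module "nacl_rule_self" {
  source         = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
  for_each       = toset(local.self_network_acl_ids)
  providers      = { aws = aws.self }
  network_acl_id = each.key
  # … unchanged: rule_description, cidr_blocks, rules, rule_number, rule_increment, tags …
}

module "nacl_rule_peer" {
  source         = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
  for_each       = toset(local.peer_network_acl_ids)
  providers      = { aws = aws.peer }
  network_acl_id = each.key
  # … unchanged: rule_description, cidr_blocks, rules, rule_number, rule_increment, tags …
}
```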
diff --git a/peer/variables.peer.tf b/peer/variables.peer.tf
index bab6455..3022db6 100644
--- a/peer/variables.peer.tf
+++ b/peer/variables.peer.tf
@@ -75,7 +75,7 @@ variable "peer_network_acl_ids" {
 default = []
 }
-variable "peer_nacl_rule_number" {
+variable "peer_rule_number" {
 description = "Peer Starting rule number within the rule"
 type = number
 default = null
diff --git a/peer/variables.peers.auto.tfvars.disabled b/peer/variables.peers.auto.tfvars.disabled
deleted file mode 100644
index 4936acb..0000000
--- a/peer/variables.peers.auto.tfvars.disabled
+++ /dev/null
@@ -1,7 +0,0 @@
-profile_peer2 = "107742151971-do2-govcloud"
-region_peer2 = "us-gov-west-1"
-regions_peer2 = ["us-gov-west-1"]
-account_id_peer2 = "107742151971"
-# vpc1-services
-vpc_peer2 = "vpc-77877a12"
-vpc_tag_peer2 = "vpc1-services"
diff --git a/peer/variables.self.tf b/peer/variables.self.tf
index f1c0885..b4e9da5 100644
--- a/peer/variables.self.tf
+++ b/peer/variables.self.tf
@@ -22,7 +22,7 @@ variable "network_acl_ids" {
 default = []
 }
-variable "nacl_rule_number" {
+variable "rule_number" {
 description = "Starting rule number within the rule"
 type = number
 default = null