add code and brief directions for tgw

examples/full-setup-tf-upgrade/outputs.routing.tf

@@ -0,0 +1,9 @@
+output "public_route_table_ids" {
+  description = "Public route table IDs map by availability zone"
+  value       = module.routing.public_route_table_ids
+}
+
+output "private_route_table_ids" {
+  description = "Private route table IDs map by availability zone"
+  value       = module.routing.private_route_table_ids
+}

examples/full-setup-tf-upgrade/tgw/.tf-control

@@ -0,0 +1,4 @@
+TFCOMMAND="terraform_latest"
+#TFCOMMAND="terraform_0.14.11"
+#TFCOMMAND="terraform_0.13.7"
+## TF_CLI_CONFIG_FILE=$HOME/.tf-control.tfrc

examples/full-setup-tf-upgrade/tgw/.tf-control.tfrc

@@ -0,0 +1,23 @@
+# https://www.terraform.io/docs/cli/config/config-file.html
+
+plugin_cache_dir   = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+#  filesystem_mirror {
+#    path    = "/apps/terraform/terraform.d/providers"
+#    include = [ "*/*/*" ]
+#  }
+  filesystem_mirror {
+    path    = "/data/terraform/terraform.d/providers"
+    include = [ "*/*/*" ]
+  }
+#  filesystem_mirror {
+#    path    = "/apps/terraform/terraform.d/providers"
+#    include = [ "external.terraform.census.gov/*/*" ]
+#  }
+  direct {
+    include = [ "*/*/*" ]
+  }
+}
+

examples/full-setup-tf-upgrade/tgw/README.md

@@ -0,0 +1,44 @@
+# Setup of Transit Gateway (TGW)
+
+This should work with the standard VPC configuration and any TF version.  The TGW attachment parts (`tgw/`) require
+TF 1.x and havethe configurations accordingly.
+
+## Files in VPC directory
+
+Make sure the VPC directory contains these two files:
+
+* outputs.routing.tf
+* variables.tgw_environment.tf
+
+You will need to do a `tf-apply` to add the new outputs to remote state.
+
+## FIles in VPC/tgw directory
+
+Copy the `tgw/` directory from examples into the VPC directory.
+
+## Update files in VPC directory
+
+Update the `variables.vpc.auto.tfvars` to add the `tgw_environment` value (services, dev, test, stage, prod, cre).
+
+## Update files in VPC/tgw directory
+
+For the network-prod TGW, you do not need to make changes to `variables.vpc-transit-gateway.auto.tfvars`.
+For any other TGW (like network-sa), update the profile and label accordingly (tgw_label=sa).
+
+UPdate the file `locals.tf` to include the proper reference to the parent rmeote state. For example:
+
+```hcl
+  vpc_rs = data.terraform_remote_state.vpc_east_vpc5.outputs
+```
+
+This is used to pull other variables from remote state.
+
+## Execute
+
+```script
+tf-run apply
+```
+
+<!-- No editing needed beyond this point -->
+<!-- BEGIN_TF_DOCS -->
+<!-- END_TF_DOCS -->

examples/full-setup-tf-upgrade/tgw/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  vpc_rs                  = data.terraform_remote_state.vpc_SHORTREGION_vpcN.outputs
+  vpc_id                  = local.vpc_rs.vpc_id
+  private_subnets_ids     = local.vpc_rs.private_subnets_ids
+  private_route_table_ids = local.vpc_rs.private_route_table_ids
+}

examples/full-setup-tf-upgrade/tgw/provider.vpc-transit-gateway.tf

@@ -0,0 +1,20 @@
+# establish the additional providers needed for self and peer. For commercial, there will be several peers
+# though we have not worked out that configuration. We may split the provider parts out to a different file.
+
+provider "aws" {
+  alias   = "network_account"
+  region  = var.region
+  profile = var.network_account_profile
+}
+
+provider "aws" {
+  alias   = "tgw_self"
+  region  = var.region
+  profile = var.network_account_profile
+}
+
+provider "aws" {
+  alias   = "tgw_peer"
+  region  = var.region == "us-gov-east-1" ? "us-gov-west-1" : "us-gov-east-1"
+  profile = var.network_account_profile
+}

examples/full-setup-tf-upgrade/tgw/region.tf

@@ -0,0 +1,4 @@
+locals {
+  region = var.region
+}
+

examples/full-setup-tf-upgrade/tgw/tf-run.data

@@ -0,0 +1,10 @@
+VERSION 1.0.1
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+COMMAND ln -sf ../variables.vpc.auto.tfvars
+COMMAND ln -sf ../variables.vpc.tf
+
+ALL
+COMMAND tf-directory-setup.py -l s3

examples/full-setup-tf-upgrade/tgw/variables.vpc-transit-gateway.auto.tfvars

@@ -0,0 +1,3 @@
+tgw_enable_vpn          = false
+network_account_profile = "057405694017-ent-gov-network-prod"
+tgw_label               = "prod"

examples/full-setup-tf-upgrade/tgw/variables.vpc-transit-gateway.tf

@@ -0,0 +1,109 @@
+variable "tgw_environment" {
+  description = "Transit Gateway environment route table (services, dev, test, stage, prod, cre)"
+  type        = string
+  default     = null
+
+  validation {
+    condition     = contains(["services", "dev", "test", "stage", "prod", "cre"], var.tgw_environment)
+    error_message = "The tgw_environment must contain one of the legal values: services, dev, test, stage, prod, cre"
+  }
+}
+
+variable "tgw_environment_exists" {
+  description = "Transit Gateway environment already setup in another VPC (say, for multiple test enviroments but diff vpc like test,ite,qa)"
+  type        = bool
+  default     = false
+}
+
+# example: site=hq, environment=services, sequence=1, bgp_asn_id=asn, ip_address=endpoint-ip-on-prem, tunnel_ips=169.254.x.1/30,169.254.x.2/30, preshared_keys=bob,alice
+variable "tgw_vpn_settings" {
+  description = "Transit Gateway VPN Connection details array of objects"
+  type = list(object(
+    {
+      site        = string
+      environment = string
+      sequence    = number
+      #      region         = optional(string)
+      region            = string
+      bgp_asn_id        = number
+      ip_address        = string
+      tunnel_ips        = list(string)
+      preshared_keys    = list(string)
+      tunnel_interfaces = optional(list(number), [0, 0])
+      tunnel_track      = optional(list(number), [0, 0])
+      tunnel_loopback   = optional(number, 0)
+      #      tunnel_interfaces = optional(list(number))
+      #      tunnel_track      = optional(list(number))
+      #      tunnel_loopback   = optional(number)
+    }
+  ))
+  default = []
+}
+
+variable "tgw_routing_prefix_list" {
+  description = "Managed prefix list for TGW routing"
+  type        = string
+  default     = ""
+}
+
+variable "tgw_vpn_routing_prefix_list" {
+  description = "Managed prefix list for TGW VPN routing"
+  type        = string
+  default     = ""
+}
+
+variable "tgw_enable_vpn" {
+  description = "Enable AWS VPN Configuration on the Transit Gateway (default: false)"
+  type        = bool
+  default     = false
+}
+
+variable "tgw_routing_cidr_blocks" {
+  description = "List of CIDR blocks for which TGW routing will apply.  This would include all of the AWS CIDR blocks, possibly only a 0.0.0.0/0 route, but not any on-prem routes"
+  type        = list(string)
+  default     = []
+}
+
+variable "tgw_vpn_routing_cidr_blocks" {
+  description = "List of CIDR blocks for which TGW routing will apply for the VPN learned blocks, specifically on-prem routes. This may be replaced by a 0/0 route in the future"
+  type        = list(string)
+  default     = []
+}
+
+## # to use the optional(), you have to enable experiments. Probably do not need this at this time
+## # see the docs: https://www.terraform.io/language/expressions/type-constraints
+## 
+## terraform {
+##   experiments = [module_variable_optional_attrs]
+## }
+## 
+
+
+variable "generate_yaml_files" {
+  description = "Flag to enable or disable generation of YAML file from VPN information"
+  type        = bool
+  default     = true
+}
+
+variable "use_single_cgw" {
+  description = "Flag to enable or disable the use of a single customer gateway per site vs one per site and VPN"
+  type        = bool
+  default     = false
+}
+
+variable "network_account_profile" {
+  description = "AWS profile of the source account sharing the VPC resources"
+  type        = string
+  default     = null
+}
+
+variable "tgw_label" {
+  description = "Transit Gateway label for specific instance (sa, prod)"
+  type        = string
+  default     = "prod"
+
+  validation {
+    condition     = contains(["sa", "prod"], var.tgw_label)
+    error_message = "tgw_label must be set to valid environment, used in determining managed prefixes"
+  }
+}

examples/full-setup-tf-upgrade/tgw/vpc-transit-gateway.tf

@@ -0,0 +1,83 @@
+# this is a three part setup, but due to proper referencing it will do them in the correct order
+# first, we need to get data, then do self, and then do peer
+# this expects in the network account for the environment, two managed prefixe lists are setup, one for all CIDR blocks handled
+# by TGW (transit-gateway.{label}) and another for VPNs back to on-prem (vpn-transit-gateway.{label}).
+
+module "vpc_tgw_data" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=tf-upgrade"
+  providers = {
+    aws                 = aws
+    aws.network_account = aws.network_account
+    aws.self            = aws.tgw_self
+    aws.peer            = aws.tgw_peer
+  }
+
+  network_account_profile = var.network_account_profile
+  vpc_id                  = local.vpc_id
+  vpc_cidr_block          = var.vpc_cidr_block
+  vpc_full_name           = var.vpc_full_name
+  #  private_subnets_ids         = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  #  private_route_table_ids     = module.routing.private_route_table_ids
+  private_subnets_ids         = [for sn in local.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  private_route_table_ids     = local.private_route_table_ids
+  transit_gateway_environment = var.tgw_environment
+  transit_gateway_label       = var.tgw_label
+  route_prefix_list_name      = format("transit-gateway.%v", var.tgw_label)
+  vpn_route_prefix_list_name  = format("vpn-transit-gateway.%v", var.tgw_label)
+}
+
+
+# call once for self, once for each peer (if we have multiple regions for peers, change the peer to each region)
+# note the self must be done before the peer
+
+module "vpc_tgw_self" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/self?ref=tf-upgrade"
+  providers = {
+    aws                 = aws
+    aws.network_account = aws.network_account
+    aws.self            = aws.tgw_self
+    aws.peer            = aws.tgw_peer
+  }
+  count = var.tgw_environment != null ? 1 : 0
+
+  network_account_profile = var.network_account_profile
+  vpc_id                  = local.vpc_id
+  vpc_cidr_block          = var.vpc_cidr_block
+  vpc_full_name           = var.vpc_full_name
+  #  private_subnets_ids         = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  #  private_route_table_ids     = module.routing.private_route_table_ids
+  private_subnets_ids         = [for sn in local.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  private_route_table_ids     = local.private_route_table_ids
+  transit_gateway_environment = var.tgw_environment
+  transit_gateway_label       = var.tgw_label
+  route_prefix_list_name      = format("transit-gateway.%v", var.tgw_label)
+  vpn_route_prefix_list_name  = format("vpn-transit-gateway.%v", var.tgw_label)
+  data_input                  = module.vpc_tgw_data.data_output
+}
+
+module "vpc_tgw_peer" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/peer?ref=tf-upgrade"
+  providers = {
+    aws                 = aws
+    aws.network_account = aws.network_account
+    aws.self            = aws.tgw_self
+    aws.peer            = aws.tgw_peer
+  }
+  count = var.tgw_environment != null ? 1 : 0
+
+  network_account_profile = var.network_account_profile
+  vpc_id                  = local.vpc_id
+  vpc_cidr_block          = var.vpc_cidr_block
+  vpc_full_name           = var.vpc_full_name
+  #  private_subnets_ids         = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  #  private_route_table_ids     = module.routing.private_route_table_ids
+  private_subnets_ids         = [for sn in local.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+  private_route_table_ids     = local.private_route_table_ids
+  transit_gateway_environment = var.tgw_environment
+  transit_gateway_label       = var.tgw_label
+  route_prefix_list_name      = format("transit-gateway.%v", var.tgw_label)
+  vpn_route_prefix_list_name  = format("vpn-transit-gateway.%v", var.tgw_label)
+  data_input                  = module.vpc_tgw_data.data_output
+
+  depends_on = [module.vpc_tgw_self]
+}

examples/full-setup-tf-upgrade/variables.tgw_environment.tf

@@ -0,0 +1,5 @@
+variable "tgw_environment" {
+  description = "Transit Gateway environment route table (services, dev, test, stage, prod, cre)"
+  type        = string
+  default     = null
+}