diff --git a/examples/full-setup-tf-upgrade/outputs.routing.tf b/examples/full-setup-tf-upgrade/outputs.routing.tf
new file mode 100644
index 0000000..d1082e3
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/outputs.routing.tf
@@ -0,0 +1,9 @@
+output "public_route_table_ids" {
+ description = "Public route table IDs map by availability zone"
+ value = module.routing.public_route_table_ids
+}
+
+output "private_route_table_ids" {
+ description = "Private route table IDs map by availability zone"
+ value = module.routing.private_route_table_ids
+}
diff --git a/examples/full-setup-tf-upgrade/tgw/.tf-control b/examples/full-setup-tf-upgrade/tgw/.tf-control
new file mode 100644
index 0000000..c46880c
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/.tf-control
@@ -0,0 +1,4 @@
+TFCOMMAND="terraform_latest"
+#TFCOMMAND="terraform_0.14.11"
+#TFCOMMAND="terraform_0.13.7"
+## TF_CLI_CONFIG_FILE=$HOME/.tf-control.tfrc
diff --git a/examples/full-setup-tf-upgrade/tgw/.tf-control.tfrc b/examples/full-setup-tf-upgrade/tgw/.tf-control.tfrc
new file mode 100644
index 0000000..d4b0b15
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/.tf-control.tfrc
@@ -0,0 +1,23 @@
+# https://www.terraform.io/docs/cli/config/config-file.html
+
+plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "*/*/*" ]
+# }
+ filesystem_mirror {
+ path = "/data/terraform/terraform.d/providers"
+ include = [ "*/*/*" ]
+ }
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "external.terraform.census.gov/*/*" ]
+# }
+ direct {
+ include = [ "*/*/*" ]
+ }
+}
+
diff --git a/examples/full-setup-tf-upgrade/tgw/README.md b/examples/full-setup-tf-upgrade/tgw/README.md
new file mode 100644
index 0000000..07ae2b3
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/README.md
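Review bot: In the `.tf-control.tfrc` hunk the `direct { include = [ "*/*/*" ] }` method sits after a `filesystem_mirror` that also includes `*/*/*`, so any provider (or version) absent from `/data/terraform/terraform.d/providers` can still be fetched from the public registry; if the mirror is meant to be the controlled source, drop the `direct` block or narrow its `include` to the namespaces that are intentionally allowed from upstream. Whichever method wins, the installed provider is only pinned if `.terraform.lock.hcl` is committed alongside these files, and nothing in this commit adds one. A one-line comment above `direct`, such as `# fallback to the public registry for providers not present in the local mirror`, would make the intended precedence explicit for the next maintainer.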
@@ -0,0 +1,44 @@
+# Setup of Transit Gateway (TGW)
+
+This should work with the standard VPC configuration and any TF version. The TGW attachment parts (`tgw/`) require
+TF 1.x and havethe configurations accordingly.
+
+## Files in VPC directory
+
+Make sure the VPC directory contains these two files:
+
+* outputs.routing.tf
+* variables.tgw_environment.tf
+
+You will need to do a `tf-apply` to add the new outputs to remote state.
+
+## FIles in VPC/tgw directory
+
+Copy the `tgw/` directory from examples into the VPC directory.
+
+## Update files in VPC directory
+
+Update the `variables.vpc.auto.tfvars` to add the `tgw_environment` value (services, dev, test, stage, prod, cre).
+
+## Update files in VPC/tgw directory
+
+For the network-prod TGW, you do not need to make changes to `variables.vpc-transit-gateway.auto.tfvars`.
+For any other TGW (like network-sa), update the profile and label accordingly (tgw_label=sa).
+
+UPdate the file `locals.tf` to include the proper reference to the parent rmeote state. For example:
+
+```hcl
+ vpc_rs = data.terraform_remote_state.vpc_east_vpc5.outputs
+```
+
+This is used to pull other variables from remote state.
+
+## Execute
+
+```script
+tf-run apply
+```
+
+
+
+
diff --git a/examples/full-setup-tf-upgrade/tgw/locals.tf b/examples/full-setup-tf-upgrade/tgw/locals.tf
new file mode 100644
index 0000000..d22c3a9
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/locals.tf
@@ -0,0 +1,6 @@
+locals {
+ vpc_rs = data.terraform_remote_state.vpc_SHORTREGION_vpcN.outputs
+ vpc_id = local.vpc_rs.vpc_id
+ private_subnets_ids = local.vpc_rs.private_subnets_ids
+ private_route_table_ids = local.vpc_rs.private_route_table_ids
+}
diff --git a/examples/full-setup-tf-upgrade/tgw/provider.vpc-transit-gateway.tf b/examples/full-setup-tf-upgrade/tgw/provider.vpc-transit-gateway.tf
new file mode 100644
index 0000000..9b132bc
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/provider.vpc-transit-gateway.tf
@@ -0,0 +1,20 @@
+# establish the additional providers needed for self and peer. For commercial, there will be several peers
+# though we have not worked out that configuration. We may split the provider parts out to a different file.
+
+provider "aws" {
+ alias = "network_account"
+ region = var.region
+ profile = var.network_account_profile
+}
+
+provider "aws" {
+ alias = "tgw_self"
+ region = var.region
+ profile = var.network_account_profile
+}
+
+provider "aws" {
+ alias = "tgw_peer"
+ region = var.region == "us-gov-east-1" ? "us-gov-west-1" : "us-gov-east-1"
+ profile = var.network_account_profile
+}
diff --git a/examples/full-setup-tf-upgrade/tgw/region.tf b/examples/full-setup-tf-upgrade/tgw/region.tf
new file mode 100644
index 0000000..b7b1696
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/region.tf
@@ -0,0 +1,4 @@
+locals {
+ region = var.region
+}
+
diff --git a/examples/full-setup-tf-upgrade/tgw/tf-run.data b/examples/full-setup-tf-upgrade/tgw/tf-run.data
new file mode 100644
index 0000000..b7b5dbb
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/tf-run.data
@@ -0,0 +1,10 @@
+VERSION 1.0.1
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+COMMAND ln -sf ../variables.vpc.auto.tfvars
+COMMAND ln -sf ../variables.vpc.tf
+
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/full-setup-tf-upgrade/tgw/variables.vpc-transit-gateway.auto.tfvars b/examples/full-setup-tf-upgrade/tgw/variables.vpc-transit-gateway.auto.tfvars
new file mode 100644
index 0000000..fed3cf3
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/variables.vpc-transit-gateway.auto.tfvars
@@ -0,0 +1,3 @@
+tgw_enable_vpn = false
+network_account_profile = "057405694017-ent-gov-network-prod"
+tgw_label = "prod"
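Review bot: The `tgw_peer` provider's `region = var.region == "us-gov-east-1" ? "us-gov-west-1" : "us-gov-east-1"` sends every region that is not `us-gov-east-1` — including any commercial region — to `us-gov-east-1`, so a misconfigured `var.region` would silently build the peer attachment in the wrong partition rather than fail. Since the header comment says the commercial layout is not worked out yet, it would be safer to reject it up front with a validation on `var.region` (declared outside this hunk), e.g. `condition = contains(["us-gov-east-1", "us-gov-west-1"], var.region)`, and to replace the ternary with an explicit peer-region variable once multiple peers are supported. The `network_account` and `tgw_self` providers are configured identically; a short comment stating why two aliases are kept (the module's `providers` map in `vpc-transit-gateway.tf` appears to expect both) would save the next reader from merging them.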
diff --git a/examples/full-setup-tf-upgrade/tgw/variables.vpc-transit-gateway.tf b/examples/full-setup-tf-upgrade/tgw/variables.vpc-transit-gateway.tf
new file mode 100644
index 0000000..ef6d8a3
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/variables.vpc-transit-gateway.tf
@@ -0,0 +1,109 @@
+variable "tgw_environment" {
+ description = "Transit Gateway environment route table (services, dev, test, stage, prod, cre)"
+ type = string
+ default = null
+
+ validation {
+ condition = contains(["services", "dev", "test", "stage", "prod", "cre"], var.tgw_environment)
+ error_message = "The tgw_environment must contain one of the legal values: services, dev, test, stage, prod, cre"
+ }
+}
+
+variable "tgw_environment_exists" {
+ description = "Transit Gateway environment already setup in another VPC (say, for multiple test enviroments but diff vpc like test,ite,qa)"
+ type = bool
+ default = false
+}
+
+# example: site=hq, environment=services, sequence=1, bgp_asn_id=asn, ip_address=endpoint-ip-on-prem, tunnel_ips=169.254.x.1/30,169.254.x.2/30, preshared_keys=bob,alice
+variable "tgw_vpn_settings" {
+ description = "Transit Gateway VPN Connection details array of objects"
+ type = list(object(
+ {
+ site = string
+ environment = string
+ sequence = number
+ # region = optional(string)
+ region = string
+ bgp_asn_id = number
+ ip_address = string
+ tunnel_ips = list(string)
+ preshared_keys = list(string)
+ tunnel_interfaces = optional(list(number), [0, 0])
+ tunnel_track = optional(list(number), [0, 0])
+ tunnel_loopback = optional(number, 0)
+ # tunnel_interfaces = optional(list(number))
+ # tunnel_track = optional(list(number))
+ # tunnel_loopback = optional(number)
+ }
+ ))
+ default = []
+}
+
+variable "tgw_routing_prefix_list" {
+ description = "Managed prefix list for TGW routing"
+ type = string
+ default = ""
+}
+
+variable "tgw_vpn_routing_prefix_list" {
+ description = "Managed prefix list for TGW VPN routing"
+ type = string
+ default = ""
+}
+
+variable "tgw_enable_vpn" {
+ description = "Enable AWS VPN Configuration on the Transit Gateway (default: false)"
+ type = bool
+ default = false
+}
+
+variable "tgw_routing_cidr_blocks" {
+ description = "List of CIDR blocks for which TGW routing will apply. 
This would include all of the AWS CIDR blocks, possibly only a 0.0.0.0/0 route, but not any on-prem routes"
+ type = list(string)
+ default = []
+}
+
+variable "tgw_vpn_routing_cidr_blocks" {
+ description = "List of CIDR blocks for which TGW routing will apply for the VPN learned blocks, specifically on-prem routes. This may be replaced by a 0/0 route in the future"
+ type = list(string)
+ default = []
+}
+
+## # to use the optional(), you have to enable experiments. Probably do not need this at this time
+## # see the docs: https://www.terraform.io/language/expressions/type-constraints
+##
+## terraform {
+## experiments = [module_variable_optional_attrs]
+## }
+##
+
+
+variable "generate_yaml_files" {
+ description = "Flag to enable or disable generation of YAML file from VPN information"
+ type = bool
+ default = true
+}
+
+variable "use_single_cgw" {
+ description = "Flag to enable or disable the use of a single customer gateway per site vs one per site and VPN"
+ type = bool
+ default = false
+}
+
+variable "network_account_profile" {
+ description = "AWS profile of the source account sharing the VPC resources"
+ type = string
+ default = null
+}
+
+variable "tgw_label" {
+ description = "Transit Gateway label for specific instance (sa, prod)"
+ type = string
+ default = "prod"
+
+ validation {
+ condition = contains(["sa", "prod"], var.tgw_label)
+ error_message = "tgw_label must be set to valid environment, used in determining managed prefixes"
+ }
+}
diff --git a/examples/full-setup-tf-upgrade/tgw/vpc-transit-gateway.tf b/examples/full-setup-tf-upgrade/tgw/vpc-transit-gateway.tf
new file mode 100644
index 0000000..7f76b47
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tgw/vpc-transit-gateway.tf
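Review bot: `variable "tgw_environment"` declares `default = null` but its validation `contains([...], var.tgw_environment)` does not accept null, so the default can never pass while `vpc-transit-gateway.tf` in the same commit relies on null to disable the self/peer modules via `count = var.tgw_environment != null ? 1 : 0`; the condition should read `condition = var.tgw_environment == null || contains(["services", "dev", "test", "stage", "prod", "cre"], var.tgw_environment)`. `tgw_vpn_settings` carries `preshared_keys = list(string)` for the VPN tunnels yet the variable is not marked `sensitive = true`, so the keys will be printed in plan/apply output and any diff of the state; add `sensitive = true` next to `default = []`. The `optional(type, default)` form used for `tunnel_interfaces`, `tunnel_track` and `tunnel_loopback` requires Terraform 1.3 or later, which neither the README's "TF 1.x" nor the `.tf-control` default of `terraform_latest` pins, so a `required_version = ">= 1.3"` in a `terraform` block would make the failure mode explicit; the commented-out `experiments = [module_variable_optional_attrs]` block below it describes the pre-1.3 mechanism and should be removed rather than left as guidance.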
@@ -0,0 +1,83 @@
+# this is a three part setup, but due to proper referencing it will do them in the correct order
+# first, we need to get data, then do self, and then do peer
+# this expects in the network account for the environment, two managed prefixe lists are setup, one for all CIDR blocks handled
+# by TGW (transit-gateway.{label}) and another for VPNs back to on-prem (vpn-transit-gateway.{label}).
+
+module "vpc_tgw_data" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/data?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_self
+ aws.peer = aws.tgw_peer
+ }
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_full_name = var.vpc_full_name
+ # private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ # private_route_table_ids = module.routing.private_route_table_ids
+ private_subnets_ids = [for sn in local.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = local.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ vpn_route_prefix_list_name = format("vpn-transit-gateway.%v", var.tgw_label)
+}
+
+
+# call once for self, once for each peer (if we have multiple regions for peers, change the peer to each region)
+# note the self must be done before the peer
+
+module "vpc_tgw_self" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/self?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_self
+ aws.peer = aws.tgw_peer
+ }
+ count = var.tgw_environment != null ? 
1 : 0
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_full_name = var.vpc_full_name
+ # private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ # private_route_table_ids = module.routing.private_route_table_ids
+ private_subnets_ids = [for sn in local.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = local.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ vpn_route_prefix_list_name = format("vpn-transit-gateway.%v", var.tgw_label)
+ data_input = module.vpc_tgw_data.data_output
+}
+
+module "vpc_tgw_peer" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association/peer?ref=tf-upgrade"
+ providers = {
+ aws = aws
+ aws.network_account = aws.network_account
+ aws.self = aws.tgw_self
+ aws.peer = aws.tgw_peer
+ }
+ count = var.tgw_environment != null ? 
1 : 0
+
+ network_account_profile = var.network_account_profile
+ vpc_id = local.vpc_id
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_full_name = var.vpc_full_name
+ # private_subnets_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ # private_route_table_ids = module.routing.private_route_table_ids
+ private_subnets_ids = [for sn in local.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
+ private_route_table_ids = local.private_route_table_ids
+ transit_gateway_environment = var.tgw_environment
+ transit_gateway_label = var.tgw_label
+ route_prefix_list_name = format("transit-gateway.%v", var.tgw_label)
+ vpn_route_prefix_list_name = format("vpn-transit-gateway.%v", var.tgw_label)
+ data_input = module.vpc_tgw_data.data_output
+
+ depends_on = [module.vpc_tgw_self]
+}
diff --git a/examples/full-setup-tf-upgrade/variables.tgw_environment.tf b/examples/full-setup-tf-upgrade/variables.tgw_environment.tf
new file mode 100644
index 0000000..c52aba3
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/variables.tgw_environment.tf
@@ -0,0 +1,5 @@
+variable "tgw_environment" {
+ description = "Transit Gateway environment route table (services, dev, test, stage, prod, cre)"
+ type = string
+ default = null
+}
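Review bot: All three `source` strings in `vpc-transit-gateway.tf` pin the module to `?ref=tf-upgrade`, which is a branch name rather than a tag or commit, and `tf-run.data` runs `tf-init -upgrade` on every setup, so each init silently re-fetches whatever that branch currently points to and the code that creates the TGW attachments is neither reproducible nor reviewable from this repository; pin `ref=` to a release tag or commit SHA and bump it deliberately. The filter `[for sn in local.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]` is repeated in all three modules and reads `sn.tags` from `local.private_subnets_ids`, which `locals.tf` takes from the remote-state output `private_subnets_ids`; if that output is a list of subnet ID strings, as the name suggests and unlike the `module.subnets` objects the commented-out line iterated, `sn.tags` will fail at plan time, so this expression should move to a single local in `locals.tf` with a comment recording the expected element shape. `module "vpc_tgw_data"` has no `count` guard while `vpc_tgw_self` and `vpc_tgw_peer` are disabled when `var.tgw_environment` is null, so a disabled deployment still evaluates the data module with a null `transit_gateway_environment`; mirroring the guard (`count = var.tgw_environment != null ? 1 : 0`) and referencing `module.vpc_tgw_data[0].data_output` keeps the three modules consistent. The twelve identical arguments passed to each module would likewise be clearer as one local map that each `module` block spreads with a short comment.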