- vpc-transit-gateway-association

  - data: add vpn prefix list
  - self: add routes for vpn

CHANGELOG.md

@@ -211,3 +211,10 @@
 * 2.4.2 -- 2022-10-18
   - vpc
     - add configuration output to be used for TGW routing setup
+  - vpc-transit-gateway-association 
+    - split into data, self, peer
+
+* 2.4.3 -- 2022-10-18
+  - vpc-transit-gateway-association 
+    - data: add vpn prefix list
+    - self: add routes for vpn

common/version.tf

@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.4.2"
+  _module_version = "2.4.3"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

vpc-transit-gateway-association/data/README.md

@@ -74,7 +74,9 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ec2_managed_prefix_list.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.tgw_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_ec2_managed_prefix_lists.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
+| [aws_ec2_managed_prefix_lists.tgw_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
 | [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
@@ -110,6 +112,7 @@ No modules.
 | <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
 | <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
 | <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+| <a name="input_vpn_route_prefix_list_name"></a> [vpn\_route\_prefix\_list\_name](#input\_vpn\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW through VPN.  If null, existing VPN routing if any will be used. | `string` | `null` | no |
 
 ## Outputs
 

vpc-transit-gateway-association/data/data.routing.tf

@@ -11,3 +11,16 @@ data "aws_ec2_managed_prefix_list" "tgw_ipv4" {
 }
 
 #  destination_prefix_list_id = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
+
+data "aws_ec2_managed_prefix_lists" "tgw_vpn_ipv4" {
+  count = var.vpn_route_prefix_list_name != null ? 1 : 0
+  filter {
+    name   = "prefix-list-name"
+    values = [var.vpn_route_prefix_list_name, format("%v.ipv4", var.vpn_route_prefix_list_name)]
+  }
+}
+
+data "aws_ec2_managed_prefix_list" "tgw_vpn_ipv4" {
+  for_each = var.vpn_route_prefix_list_name != null ? toset(data.aws_ec2_managed_prefix_lists.tgw_vpn_ipv4[0].ids) : toset([])
+  id       = each.key
+}

vpc-transit-gateway-association/data/outputs.tf

@@ -41,13 +41,14 @@ output "prefix_list_id_ipv4" {
 output "data_output" {
   description = "Map of data generated by this submodule need for the vpc-transit-gateway-association module"
   value = {
-    availablity_zone      = data.aws_availability_zone.zone
-    gateway_self          = data.aws_ec2_transit_gateway.gateway_self.id
-    gateway_peer          = data.aws_ec2_transit_gateway.gateway_peer.id
-    route_tables_self     = data.aws_ec2_transit_gateway_route_table.route_tables_self
-    route_tables_peer     = data.aws_ec2_transit_gateway_route_table.route_tables_peer
-    map_route_tables_self = local.transit_gateway_route_table_ids_self
-    map_route_tables_peer = local.transit_gateway_route_table_ids_peer
-    prefix_list_id_ipv4   = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
+    availablity_zone        = data.aws_availability_zone.zone
+    gateway_self            = data.aws_ec2_transit_gateway.gateway_self.id
+    gateway_peer            = data.aws_ec2_transit_gateway.gateway_peer.id
+    route_tables_self       = data.aws_ec2_transit_gateway_route_table.route_tables_self
+    route_tables_peer       = data.aws_ec2_transit_gateway_route_table.route_tables_peer
+    map_route_tables_self   = local.transit_gateway_route_table_ids_self
+    map_route_tables_peer   = local.transit_gateway_route_table_ids_peer
+    prefix_list_id_ipv4     = try(([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])[0])
+    vpn_prefix_list_id_ipv4 = var.vpn_route_prefix_list_name != null ? try(([for k, v in data.aws_ec2_managed_prefix_list.tgw_vpn_ipv4 : k if v.address_family == "IPv4"])[0]) : null
   }
 }

vpc-transit-gateway-association/data/variables.tf

@@ -35,6 +35,12 @@ variable "route_prefix_list_name" {
   default     = "transit-gateway.prod"
 }
 
+variable "vpn_route_prefix_list_name" {
+  description = "Shared prefix list name used for routing to TGW through VPN.  If null, existing VPN routing if any will be used."
+  type        = string
+  default     = null
+}
+
 variable "transit_gateway_label" {
   description = "Transit Gateway label for specific instance (sa, prod)"
   type        = string

vpc-transit-gateway-association/peer/README.md

@@ -93,7 +93,7 @@ No modules.
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
-| <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br>    availablity_zone      = map(any)<br>    gateway_self          = string<br>    gateway_peer          = string<br>    route_tables_self     = map(any)<br>    route_tables_peer     = map(any)<br>    map_route_tables_self = map(any)<br>    map_route_tables_peer = map(any)<br>    prefix_list_id_ipv4   = string<br>  })</pre> | n/a | yes |
+| <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br>    availablity_zone        = map(any)<br>    gateway_self            = string<br>    gateway_peer            = string<br>    route_tables_self       = map(any)<br>    route_tables_peer       = map(any)<br>    map_route_tables_self   = map(any)<br>    map_route_tables_peer   = map(any)<br>    prefix_list_id_ipv4     = string<br>    vpn_prefix_list_id_ipv4 = string<br>  })</pre> | n/a | yes |
 | <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_private_route_table_ids"></a> [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |

vpc-transit-gateway-association/peer/variables.data_input.tf

@@ -1,13 +1,14 @@
 variable "data_input" {
   description = "Map of data generated by vpc-transit-gateway-association-data"
   type = object({
-    availablity_zone      = map(any)
-    gateway_self          = string
-    gateway_peer          = string
-    route_tables_self     = map(any)
-    route_tables_peer     = map(any)
-    map_route_tables_self = map(any)
-    map_route_tables_peer = map(any)
-    prefix_list_id_ipv4   = string
+    availablity_zone        = map(any)
+    gateway_self            = string
+    gateway_peer            = string
+    route_tables_self       = map(any)
+    route_tables_peer       = map(any)
+    map_route_tables_self   = map(any)
+    map_route_tables_peer   = map(any)
+    prefix_list_id_ipv4     = string
+    vpn_prefix_list_id_ipv4 = string
   })
 }

vpc-transit-gateway-association/self/README.md

@@ -78,6 +78,7 @@ module "vpc_tgw_self" {
 | [aws_ec2_transit_gateway_route_table_propagation.vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
 | [aws_ec2_transit_gateway_vpc_attachment.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |
 | [aws_route.gateway_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.gateway_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [null_resource.vpc_attachment_exists](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -99,7 +100,7 @@ module "vpc_tgw_self" {
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
-| <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br>    availablity_zone      = map(any)<br>    gateway_self          = string<br>    gateway_peer          = string<br>    route_tables_self     = map(any)<br>    route_tables_peer     = map(any)<br>    map_route_tables_self = map(any)<br>    map_route_tables_peer = map(any)<br>    prefix_list_id_ipv4   = string<br>  })</pre> | n/a | yes |
+| <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br>    availablity_zone        = map(any)<br>    gateway_self            = string<br>    gateway_peer            = string<br>    route_tables_self       = map(any)<br>    route_tables_peer       = map(any)<br>    map_route_tables_self   = map(any)<br>    map_route_tables_peer   = map(any)<br>    prefix_list_id_ipv4     = string<br>    vpn_prefix_list_id_ipv4 = string<br>  })</pre> | n/a | yes |
 | <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_private_route_table_ids"></a> [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |

vpc-transit-gateway-association/self/routing.tf

@@ -55,12 +55,12 @@ resource "aws_route" "gateway_ipv4" {
   depends_on = [null_resource.vpc_attachment_exists]
 }
 
-# resource "aws_route" "gateway_vpn_ipv4" {
-#   for_each = var.private_route_table_ids 
-# 
-#   route_table_id = each.value
-#   destination_prefix_list_id = var.data_input.prefix_list_id_ipv4
-#   transit_gateway_id         = data.aws_ec2_transit_gateway.gateway_self.id
-# 
-#   depends_on = [null_resource.vpc_attachment_exists]
-# }
+resource "aws_route" "gateway_vpn_ipv4" {
+  for_each = var.private_route_table_ids
+
+  route_table_id             = each.value
+  destination_prefix_list_id = var.data_input.vpn_prefix_list_id_ipv4
+  transit_gateway_id         = data.aws_ec2_transit_gateway.gateway_self.id
+
+  depends_on = [null_resource.vpc_attachment_exists]
+}

vpc-transit-gateway-association/self/variables.data_input.tf

@@ -1,13 +1,14 @@
 variable "data_input" {
   description = "Map of data generated by vpc-transit-gateway-association-data"
   type = object({
-    availablity_zone      = map(any)
-    gateway_self          = string
-    gateway_peer          = string
-    route_tables_self     = map(any)
-    route_tables_peer     = map(any)
-    map_route_tables_self = map(any)
-    map_route_tables_peer = map(any)
-    prefix_list_id_ipv4   = string
+    availablity_zone        = map(any)
+    gateway_self            = string
+    gateway_peer            = string
+    route_tables_self       = map(any)
+    route_tables_peer       = map(any)
+    map_route_tables_self   = map(any)
+    map_route_tables_peer   = map(any)
+    prefix_list_id_ipv4     = string
+    vpn_prefix_list_id_ipv4 = string
   })
 }