diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3210e45..750d48e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -211,3 +211,10 @@
 * 2.4.2 -- 2022-10-18
 - vpc
 - add configuration output to be used for TGW routing setup
+ - vpc-transit-gateway-association
+ - split into data, self, peer
+
+* 2.4.3 -- 2022-10-18
+ - vpc-transit-gateway-association
+ - data: add vpn prefix list
+ - self: add routes for vpn
diff --git a/common/version.tf b/common/version.tf
index d100514..9761672 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.4.2"
+ _module_version = "2.4.3"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/vpc-transit-gateway-association/data/README.md b/vpc-transit-gateway-association/data/README.md
index a02bedb..a142854 100644
--- a/vpc-transit-gateway-association/data/README.md
+++ b/vpc-transit-gateway-association/data/README.md
@@ -74,7 +74,9 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ec2_managed_prefix_list.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.tgw_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_ec2_managed_prefix_lists.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
+| [aws_ec2_managed_prefix_lists.tgw_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
 | [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
@@ -110,6 +112,7 @@ No modules.
 | [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
 | [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
 | [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+| [vpn\_route\_prefix\_list\_name](#input\_vpn\_route\_prefix\_list\_name) | Shared prefix list name used for routing to TGW through VPN. If null, existing VPN routing if any will be used. | `string` | `null` | no |
 ## Outputs
diff --git a/vpc-transit-gateway-association/data/data.routing.tf b/vpc-transit-gateway-association/data/data.routing.tf
index c1b9d80..a76eb98 100644
--- a/vpc-transit-gateway-association/data/data.routing.tf
+++ b/vpc-transit-gateway-association/data/data.routing.tf
@@ -11,3 +11,16 @@ data "aws_ec2_managed_prefix_list" "tgw_ipv4" {
 }
 # destination_prefix_list_id = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
+
+data "aws_ec2_managed_prefix_lists" "tgw_vpn_ipv4" {
+ count = var.vpn_route_prefix_list_name != null ? 1 : 0
+ filter {
+ name = "prefix-list-name"
+ values = [var.vpn_route_prefix_list_name, format("%v.ipv4", var.vpn_route_prefix_list_name)]
+ }
+}
+
+data "aws_ec2_managed_prefix_list" "tgw_vpn_ipv4" {
+ for_each = var.vpn_route_prefix_list_name != null ? toset(data.aws_ec2_managed_prefix_lists.tgw_vpn_ipv4[0].ids) : toset([])
+ id = each.key
+}
diff --git a/vpc-transit-gateway-association/data/outputs.tf b/vpc-transit-gateway-association/data/outputs.tf
index 871495e..3f235d7 100644
--- a/vpc-transit-gateway-association/data/outputs.tf
+++ b/vpc-transit-gateway-association/data/outputs.tf
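Review bot: The new `aws_ec2_managed_prefix_lists.tgw_vpn_ipv4` lookup selects by `prefix-list-name` alone, so any prefix list visible in the account under that name (or its `.ipv4` variant) becomes a candidate, and `aws_route.gateway_vpn_ipv4` in self/routing.tf then installs routes toward the TGW for whatever CIDRs that list carries. If the list is shared from the network account, as the existing `aws_caller_identity.network_account` data source in this submodule suggests, adding an `owner-id` filter pins the match to the intended owner and keeps a same-named list created locally from steering private-subnet traffic. Because both the bare name and the `.ipv4` name are accepted, `ids` can also hold two entries, and the consumer in outputs.tf takes the first; a comment on the `values` line stating which of the two forms is expected to exist would make that choice reviewable. Confirm the sharing account before adopting the filter below.
```hcl
data "aws_ec2_managed_prefix_lists" "tgw_vpn_ipv4" {
  # … unchanged: count and prefix-list-name filter …
  filter {
    name   = "owner-id"
    values = [data.aws_caller_identity.network_account.account_id]
  }
}
```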
@@ -41,13 +41,14 @@ output "prefix_list_id_ipv4" {
 output "data_output" {
 description = "Map of data generated by this submodule need for the vpc-transit-gateway-association module"
 value = {
- availablity_zone = data.aws_availability_zone.zone
- gateway_self = data.aws_ec2_transit_gateway.gateway_self.id
- gateway_peer = data.aws_ec2_transit_gateway.gateway_peer.id
- route_tables_self = data.aws_ec2_transit_gateway_route_table.route_tables_self
- route_tables_peer = data.aws_ec2_transit_gateway_route_table.route_tables_peer
- map_route_tables_self = local.transit_gateway_route_table_ids_self
- map_route_tables_peer = local.transit_gateway_route_table_ids_peer
- prefix_list_id_ipv4 = one([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])
+ availablity_zone = data.aws_availability_zone.zone
+ gateway_self = data.aws_ec2_transit_gateway.gateway_self.id
+ gateway_peer = data.aws_ec2_transit_gateway.gateway_peer.id
+ route_tables_self = data.aws_ec2_transit_gateway_route_table.route_tables_self
+ route_tables_peer = data.aws_ec2_transit_gateway_route_table.route_tables_peer
+ map_route_tables_self = local.transit_gateway_route_table_ids_self
+ map_route_tables_peer = local.transit_gateway_route_table_ids_peer
+ prefix_list_id_ipv4 = try(([for k, v in data.aws_ec2_managed_prefix_list.tgw_ipv4 : k if v.address_family == "IPv4"])[0])
+ vpn_prefix_list_id_ipv4 = var.vpn_route_prefix_list_name != null ? try(([for k, v in data.aws_ec2_managed_prefix_list.tgw_vpn_ipv4 : k if v.address_family == "IPv4"])[0]) : null
 }
 }
diff --git a/vpc-transit-gateway-association/data/variables.tf b/vpc-transit-gateway-association/data/variables.tf
index 0656be0..e107346 100644
--- a/vpc-transit-gateway-association/data/variables.tf
+++ b/vpc-transit-gateway-association/data/variables.tf
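Review bot: Replacing `one([...])` with `try(([...])[0])` on the `prefix_list_id_ipv4` line loses the guarantees the old form gave without adding a fallback: `one()` returned null for an empty list and failed when more than one IPv4 list matched, whereas `try()` with a single argument still errors on an empty list and silently takes the first key when several match. The new `vpn_prefix_list_id_ipv4` line has the same shape, and since its name filter accepts both `name` and `name.ipv4`, two matches are plausible there. If an absent list should yield null, say so explicitly with `try(([...])[0], null)`; if exactly one match is required so that routes cannot silently follow an unintended list, `one(...)` was the right tool and should be kept for both attributes.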
@@ -35,6 +35,12 @@ variable "route_prefix_list_name" {
 default = "transit-gateway.prod"
 }
+variable "vpn_route_prefix_list_name" {
+ description = "Shared prefix list name used for routing to TGW through VPN. If null, existing VPN routing if any will be used."
+ type = string
+ default = null
+}
+
 variable "transit_gateway_label" {
 description = "Transit Gateway label for specific instance (sa, prod)"
 type = string
diff --git a/vpc-transit-gateway-association/peer/README.md b/vpc-transit-gateway-association/peer/README.md
index ea4af65..154c226 100644
--- a/vpc-transit-gateway-association/peer/README.md
+++ b/vpc-transit-gateway-association/peer/README.md
@@ -93,7 +93,7 @@ No modules.
 | [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
 | [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
 | [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
-| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data |
object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
}) | n/a | yes |
+| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
vpn_prefix_list_id_ipv4 = string
}) | n/a | yes |
| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |
diff --git a/vpc-transit-gateway-association/peer/variables.data_input.tf b/vpc-transit-gateway-association/peer/variables.data_input.tf
index a27009a..97d228f 100644
--- a/vpc-transit-gateway-association/peer/variables.data_input.tf
+++ b/vpc-transit-gateway-association/peer/variables.data_input.tf
@@ -1,13 +1,14 @@
variable "data_input" {
description = "Map of data generated by vpc-transit-gateway-association-data"
type = object({
- availablity_zone = map(any)
- gateway_self = string
- gateway_peer = string
- route_tables_self = map(any)
- route_tables_peer = map(any)
- map_route_tables_self = map(any)
- map_route_tables_peer = map(any)
- prefix_list_id_ipv4 = string
+ availablity_zone = map(any)
+ gateway_self = string
+ gateway_peer = string
+ route_tables_self = map(any)
+ route_tables_peer = map(any)
+ map_route_tables_self = map(any)
+ map_route_tables_peer = map(any)
+ prefix_list_id_ipv4 = string
+ vpn_prefix_list_id_ipv4 = string
})
}
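Review bot: `vpn_prefix_list_id_ipv4 = string` is added as a required attribute of the `data_input` object type, so the peer module now rejects a `data_output` produced by a 2.4.2 data module even though nothing visible in the peer module reads the new attribute; the same applies to the identical change in self/variables.data_input.tf. A null value satisfies the type, so wiring a 2.4.3 data module works, but the object shape has become part of the cross-module version contract and the CHANGELOG entry does not say that data, self and peer must move together. If the pinned Terraform version allows it, `vpn_prefix_list_id_ipv4 = optional(string)` keeps older data outputs accepted; otherwise a CHANGELOG line noting the required lockstep upgrade would be enough.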
diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md
index 0796c70..3c203df 100644
--- a/vpc-transit-gateway-association/self/README.md
+++ b/vpc-transit-gateway-association/self/README.md
@@ -78,6 +78,7 @@ module "vpc_tgw_self" {
| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
| [aws_ec2_transit_gateway_vpc_attachment.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |
| [aws_route.gateway_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.gateway_vpn_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
| [null_resource.vpc_attachment_exists](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -99,7 +100,7 @@ module "vpc_tgw_self" {
| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
-| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
}) | n/a | yes |
+| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
vpn_prefix_list_id_ipv4 = string
}) | n/a | yes |
| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |
diff --git a/vpc-transit-gateway-association/self/routing.tf b/vpc-transit-gateway-association/self/routing.tf
index 33a7efc..a8e0747 100644
--- a/vpc-transit-gateway-association/self/routing.tf
+++ b/vpc-transit-gateway-association/self/routing.tf
@@ -55,12 +55,12 @@ resource "aws_route" "gateway_ipv4" {
depends_on = [null_resource.vpc_attachment_exists]
}
-# resource "aws_route" "gateway_vpn_ipv4" {
-# for_each = var.private_route_table_ids
-#
-# route_table_id = each.value
-# destination_prefix_list_id = var.data_input.prefix_list_id_ipv4
-# transit_gateway_id = data.aws_ec2_transit_gateway.gateway_self.id
-#
-# depends_on = [null_resource.vpc_attachment_exists]
-# }
+resource "aws_route" "gateway_vpn_ipv4" {
+ for_each = var.private_route_table_ids
+
+ route_table_id = each.value
+ destination_prefix_list_id = var.data_input.vpn_prefix_list_id_ipv4
+ transit_gateway_id = data.aws_ec2_transit_gateway.gateway_self.id
+
+ depends_on = [null_resource.vpc_attachment_exists]
+}
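Review bot: `aws_route.gateway_vpn_ipv4` iterates `var.private_route_table_ids` unconditionally, but `destination_prefix_list_id = var.data_input.vpn_prefix_list_id_ipv4` is null whenever the data module's `vpn_route_prefix_list_name` is left at its default, so every caller that has not opted in to VPN routing will now plan a route with no destination, which the provider will reject. The variable description promises that a null name leaves existing VPN routing untouched; the resource should honor that by gating the iteration: `for_each = var.data_input.vpn_prefix_list_id_ipv4 != null ? var.private_route_table_ids : {}`. Since this steers every private route table toward the TGW for the whole shared VPN list, a one-line comment above the resource naming which prefix list the routes follow and who owns it would help operators reviewing route changes.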
diff --git a/vpc-transit-gateway-association/self/variables.data_input.tf b/vpc-transit-gateway-association/self/variables.data_input.tf
index a27009a..97d228f 100644
--- a/vpc-transit-gateway-association/self/variables.data_input.tf
+++ b/vpc-transit-gateway-association/self/variables.data_input.tf
@@ -1,13 +1,14 @@
variable "data_input" {
description = "Map of data generated by vpc-transit-gateway-association-data"
type = object({
- availablity_zone = map(any)
- gateway_self = string
- gateway_peer = string
- route_tables_self = map(any)
- route_tables_peer = map(any)
- map_route_tables_self = map(any)
- map_route_tables_peer = map(any)
- prefix_list_id_ipv4 = string
+ availablity_zone = map(any)
+ gateway_self = string
+ gateway_peer = string
+ route_tables_self = map(any)
+ route_tables_peer = map(any)
+ map_route_tables_self = map(any)
+ map_route_tables_peer = map(any)
+ prefix_list_id_ipv4 = string
+ vpn_prefix_list_id_ipv4 = string
})
}