- vpc-transit-gateway-association self and peer

  - add variables
    - create_prefix_list_routing
    - create_static_peer_routing
    - enable_vpn_routing
  - add prefix-list associations for peering routes (if create_prefix_list_routing)
  - add static routes (if create_static_peer_routing)
  - create vpn route conditional (if enable_vpn_routing)

CHANGELOG.md

@@ -242,3 +242,13 @@
 * 2.4.8 -- 2023-01-18
   - flowlogs
     - add enable_kinesis_stream flag
+
+* 2.5.0 -- 2023-01-30
+  - vpc-transit-gateway-association self and peer
+    - add variables
+      - create_prefix_list_routing
+      - create_static_peer_routing
+      - enable_vpn_routing
+    - add prefix-list associations for peering routes (if create_prefix_list_routing)
+    - add static routes (if create_static_peer_routing)
+    - create vpn route conditional (if enable_vpn_routing)

common/version.tf

@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.4.8"
+  _module_version = "2.5.0"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

vpc-transit-gateway-association/common/README.md

@@ -18,7 +18,10 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_create_prefix_list_routing"></a> [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
+| <a name="input_create_static_peer_routing"></a> [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
 | <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br>    availablity_zone          = map(any)<br>    gateway_self              = string<br>    gateway_peer              = string<br>    route_tables_self         = map(any)<br>    route_tables_peer         = map(any)<br>    map_route_tables_self     = map(any)<br>    map_route_tables_peer     = map(any)<br>    map_vpn_route_tables_self = map(any)<br>    map_vpn_route_tables_peer = map(any)<br>    prefix_list_id_ipv4       = string<br>    vpn_prefix_list_id_ipv4   = string<br>    vpc_id                    = string<br>    vpc_cidr_block            = string<br>    vpc_cidr_blocks           = list(string)<br>  })</pre> | n/a | yes |
+| <a name="input_enable_vpn_routing"></a> [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list.  This is used in the transition from per-VPC VPNs to TGW | `bool` | `false` | no |
 
 ## Outputs
 

vpc-transit-gateway-association/common/variables.routing.tf

@@ -0,0 +1,17 @@
+variable "create_prefix_list_routing" {
+  description = "Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs"
+  type        = bool
+  default     = false
+}
+
+variable "create_static_peer_routing" {
+  description = "Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete_prefix_list_routing"
+  type        = bool
+  default     = false
+}
+
+variable "enable_vpn_routing" {
+  description = "Flag to enable VPN routing, handled through a prefix list.  This is used in the transition from per-VPC VPNs to TGW"
+  type        = bool
+  default     = false
+}

vpc-transit-gateway-association/peer/README.md

@@ -95,7 +95,10 @@ No modules.
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| <a name="input_create_prefix_list_routing"></a> [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
+| <a name="input_create_static_peer_routing"></a> [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
 | <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br>    availablity_zone          = map(any)<br>    gateway_self              = string<br>    gateway_peer              = string<br>    route_tables_self         = map(any)<br>    route_tables_peer         = map(any)<br>    map_route_tables_self     = map(any)<br>    map_route_tables_peer     = map(any)<br>    map_vpn_route_tables_self = map(any)<br>    map_vpn_route_tables_peer = map(any)<br>    prefix_list_id_ipv4       = string<br>    vpn_prefix_list_id_ipv4   = string<br>    vpc_id                    = string<br>    vpc_cidr_block            = string<br>    vpc_cidr_blocks           = list(string)<br>  })</pre> | n/a | yes |
+| <a name="input_enable_vpn_routing"></a> [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list.  This is used in the transition from per-VPC VPNs to TGW | `bool` | `false` | no |
 | <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_private_route_table_ids"></a> [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |

vpc-transit-gateway-association/peer/associate.tf

@@ -11,10 +11,8 @@ locals {
 # add routes to peer for non-services
 #---
 resource "aws_ec2_transit_gateway_route" "vpc_peer_own_rt" {
-  provider = aws.peer
-  #  for_each = { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] if k == var.transit_gateway_environment }
-  for_each = { for k in local.selected_rt : k => var.data_input.map_route_tables_peer[k] if k == var.transit_gateway_environment }
-  #  destination_cidr_block = data.aws_vpc.vpc.cidr_block
+  provider               = aws.peer
+  for_each               = local.create_static_peer_routing ? { for k in local.selected_rt : k => var.data_input.map_route_tables_peer[k] if k == var.transit_gateway_environment } : {}
   destination_cidr_block = var.vpc_cidr_block
 
   transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
@@ -25,10 +23,8 @@ resource "aws_ec2_transit_gateway_route" "vpc_peer_own_rt" {
 # always add routes to services
 #--
 resource "aws_ec2_transit_gateway_route" "vpc_peer_common" {
-  provider = aws.peer
-  #  for_each = { "services" = local.transit_gateway_route_table_ids_peer["services"] }
-  for_each = { "services" = var.data_input.map_route_tables_peer["services"] }
-  #  destination_cidr_block = data.aws_vpc.vpc.cidr_block
+  provider               = aws.peer
+  for_each               = local.create_static_peer_routing ? { "services" = var.data_input.map_route_tables_peer["services"] } : {}
   destination_cidr_block = var.vpc_cidr_block
 
   transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
@@ -39,12 +35,12 @@ resource "aws_ec2_transit_gateway_route" "vpc_peer_common" {
 # if services, add routes to all other route tables
 #--
 resource "aws_ec2_transit_gateway_route" "vpc_peer_all" {
-  provider = aws.peer
-  #  for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] } : {}
-  for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_peer[k] } : {}
-  #  destination_cidr_block = data.aws_vpc.vpc.cidr_block
+  provider               = aws.peer
+  for_each               = local.create_static_peer_routing && contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_peer[k] } : {}
   destination_cidr_block = var.vpc_cidr_block
 
   transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
   transit_gateway_route_table_id = each.value
 }
+
+

vpc-transit-gateway-association/peer/main.tf

@@ -50,6 +50,10 @@ locals {
   region_short            = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
   self_is_network_account = data.aws_caller_identity.current.account_id == data.aws_caller_identity.network_account.account_id
 
+  # these two options cannot both be true.  To create prefix list routing, this is only done on the network account
+  create_prefix_list_routing = var.create_prefix_list_routing && local.self_is_network_account && ! var.create_static_peer_routing
+  create_static_peer_routing = var.create_static_peer_routing && ! var.create_prefix_list_routing
+
   base_tags = {
     "boc:tf_module_version" = local._module_version
     "boc:tf_module_name"    = lookup(local._module_names, local._module_name, local._module_names["_main_"])

vpc-transit-gateway-association/peer/variables.routing.tf

@@ -0,0 +1 @@
+../common/variables.routing.tf

vpc-transit-gateway-association/self/README.md

@@ -109,7 +109,10 @@ module "vpc_tgw_self" {
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| <a name="input_create_prefix_list_routing"></a> [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
+| <a name="input_create_static_peer_routing"></a> [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
 | <a name="input_data_input"></a> [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | <pre>object({<br>    availablity_zone          = map(any)<br>    gateway_self              = string<br>    gateway_peer              = string<br>    route_tables_self         = map(any)<br>    route_tables_peer         = map(any)<br>    map_route_tables_self     = map(any)<br>    map_route_tables_peer     = map(any)<br>    map_vpn_route_tables_self = map(any)<br>    map_vpn_route_tables_peer = map(any)<br>    prefix_list_id_ipv4       = string<br>    vpn_prefix_list_id_ipv4   = string<br>    vpc_id                    = string<br>    vpc_cidr_block            = string<br>    vpc_cidr_blocks           = list(string)<br>  })</pre> | n/a | yes |
+| <a name="input_enable_vpn_routing"></a> [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list.  This is used in the transition from per-VPC VPNs to TGW | `bool` | `false` | no |
 | <a name="input_network_account_profile"></a> [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_private_route_table_ids"></a> [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |

vpc-transit-gateway-association/self/main.tf

@@ -50,17 +50,19 @@ locals {
   region_short            = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
   self_is_network_account = data.aws_caller_identity.current.account_id == data.aws_caller_identity.network_account.account_id
 
+  # these two options cannot both be true.  To create prefix list routing, this is only done on the network account
+  create_prefix_list_routing = var.create_prefix_list_routing && local.self_is_network_account && ! var.create_static_peer_routing
+  create_static_peer_routing = var.create_static_peer_routing && ! var.create_prefix_list_routing
+
   base_tags = {
     "boc:tf_module_version" = local._module_version
     "boc:tf_module_name"    = lookup(local._module_names, local._module_name, local._module_names["_main_"])
     "boc:created_by"        = "terraform"
   }
 }
 
-
 #  vpc_id = local.vpc_id
 #  vpc_full_name                = var.vpc_full_name
 #  availability_zones           = []
 #  subnet_ids          = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
 #  route_table_label    = "attachment"
-

vpc-transit-gateway-association/self/routing.tf

@@ -59,7 +59,7 @@ resource "aws_route" "gateway_ipv4" {
 }
 
 resource "aws_route" "gateway_vpn_ipv4" {
-  for_each = var.vpn_route_prefix_list_name != null && var.data_input.vpn_prefix_list_id_ipv4 != null ? var.private_route_table_ids : {}
+  for_each = var.enable_vpn_routing && var.vpn_route_prefix_list_name != null && var.data_input.vpn_prefix_list_id_ipv4 != null ? var.private_route_table_ids : {}
 
   route_table_id             = each.value
   destination_prefix_list_id = var.data_input.vpn_prefix_list_id_ipv4
@@ -75,7 +75,7 @@ resource "aws_route" "gateway_vpn_ipv4" {
 #---
 resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_common" {
   provider = aws.self
-  for_each = { "services" = var.data_input.map_route_tables_self["services"] }
+  for_each = local.create_prefix_list_routing ? { "services" = var.data_input.map_route_tables_self["services"] } : {}
 
   prefix_list_id                 = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
   transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
@@ -87,7 +87,7 @@ resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_common" {
 #---
 resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_own_env" {
   provider = aws.self
-  for_each = { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] if k == var.transit_gateway_environment }
+  for_each = local.create_prefix_list_routing ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] if k == var.transit_gateway_environment } : {}
 
   prefix_list_id                 = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
   transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
@@ -99,7 +99,7 @@ resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_own_env" {
 #--
 resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_all" {
   provider = aws.self
-  for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] } : {}
+  for_each = local.create_prefix_list_routing && contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] } : {}
 
   prefix_list_id                 = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
   transit_gateway_attachment_id  = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id

vpc-transit-gateway-association/self/variables.routing.tf

@@ -0,0 +1 @@
+../common/variables.routing.tf