diff --git a/CHANGELOG.md b/CHANGELOG.md
index e84004b..65974e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -242,3 +242,13 @@
 * 2.4.8 -- 2023-01-18 - flowlogs - add enable_kinesis_stream flag
+
+* 2.5.0 -- 2023-01-30
+ - vpc-transit-gateway-association self and peer
+ - add variables
+ - create_prefix_list_routing
+ - create_static_peer_routing
+ - enable_vpn_routing
+ - add prefix-list associations for peering routes (if create_prefix_list_routing)
+ - add static routes (if create_static_peer_routing)
+ - create vpn route conditional (if enable_vpn_routing)
diff --git a/common/version.tf b/common/version.tf
index 8aadedb..505e8fa 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.4.8"
+ _module_version = "2.5.0"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/vpc-transit-gateway-association/common/README.md b/vpc-transit-gateway-association/common/README.md
index 0cfb0dc..0ee1a74 100644
--- a/vpc-transit-gateway-association/common/README.md
+++ b/vpc-transit-gateway-association/common/README.md
@@ -18,7 +18,10 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
+| [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
 | [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data |
object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
map_vpn_route_tables_self = map(any)
map_vpn_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
vpn_prefix_list_id_ipv4 = string
vpc_id = string
vpc_cidr_block = string
vpc_cidr_blocks = list(string)
}) | n/a | yes |
+| [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list. This is used in the transition from per-VPC VPNs to TGW | `bool` | `false` | no |
## Outputs
diff --git a/vpc-transit-gateway-association/common/variables.routing.tf b/vpc-transit-gateway-association/common/variables.routing.tf
new file mode 100644
index 0000000..92c41e2
--- /dev/null
+++ b/vpc-transit-gateway-association/common/variables.routing.tf
@@ -0,0 +1,17 @@
+variable "create_prefix_list_routing" {
+ description = "Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs"
+ type = bool
+ default = false
+}
+
+variable "create_static_peer_routing" {
+ description = "Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete_prefix_list_routing"
+ type = bool
+ default = false
+}
+
+variable "enable_vpn_routing" {
+ description = "Flag to enable VPN routing, handled through a prefix list. This is used in the transition from per-VPC VPNs to TGW"
+ type = bool
+ default = false
+}
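Review bot: The description of `create_static_peer_routing` misspells the conflicting variable as `craete_prefix_list_routing`, and because the README tables are generated from these descriptions the typo is already copied into all three of them; the line should read `description = "Flag to create (or not) static peer routing. This can be applied on every account including the TGW main account. This conflicts with create_prefix_list_routing"`. Since the description is the only place an operator sees the constraint, it would also help to state what happens when both flags are set, which is decided by the locals added in peer/main.tf and self/main.tf rather than here. The `create_prefix_list_routing` description says "TGW main account" while the code gates on the caller being the network account; using the same term in both places avoids a reader having to guess that they are the same thing.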
diff --git a/vpc-transit-gateway-association/peer/README.md b/vpc-transit-gateway-association/peer/README.md
index af5df57..72d328c 100644
--- a/vpc-transit-gateway-association/peer/README.md
+++ b/vpc-transit-gateway-association/peer/README.md
@@ -95,7 +95,10 @@ No modules.
| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
+| [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
map_vpn_route_tables_self = map(any)
map_vpn_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
vpn_prefix_list_id_ipv4 = string
vpc_id = string
vpc_cidr_block = string
vpc_cidr_blocks = list(string)
}) | n/a | yes |
+| [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list. This is used in the transition from per-VPC VPNs to TGW | `bool` | `false` | no |
| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |
diff --git a/vpc-transit-gateway-association/peer/associate.tf b/vpc-transit-gateway-association/peer/associate.tf
index 2df02c0..9aff5f0 100644
--- a/vpc-transit-gateway-association/peer/associate.tf
+++ b/vpc-transit-gateway-association/peer/associate.tf
@@ -11,10 +11,8 @@ locals {
# add routes to peer for non-services
#---
resource "aws_ec2_transit_gateway_route" "vpc_peer_own_rt" {
- provider = aws.peer
- # for_each = { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] if k == var.transit_gateway_environment }
- for_each = { for k in local.selected_rt : k => var.data_input.map_route_tables_peer[k] if k == var.transit_gateway_environment }
- # destination_cidr_block = data.aws_vpc.vpc.cidr_block
+ provider = aws.peer
+ for_each = local.create_static_peer_routing ? { for k in local.selected_rt : k => var.data_input.map_route_tables_peer[k] if k == var.transit_gateway_environment } : {}
destination_cidr_block = var.vpc_cidr_block
transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
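Review bot: The new `local.create_static_peer_routing ? … : {}` gate on the for_each two lines up, combined with `create_static_peer_routing` defaulting to `false` in common/variables.routing.tf, means a deployment that upgrades to 2.5.0 without opting in gets every existing `aws_ec2_transit_gateway_route` in this file planned for destruction. The same default-off gating is applied to `vpc_peer_common` and `vpc_peer_all` below, and in self/routing.tf to `aws_route.gateway_vpn_ipv4` (now behind `var.enable_vpn_routing`) and the three `aws_ec2_transit_gateway_prefix_list_reference` resources (behind `local.create_prefix_list_routing`), all of which were unconditional before. If the intent is to preserve existing routing by default, the flag that reproduces the pre-2.5.0 behaviour should default to `true`; otherwise the CHANGELOG entry should flag this as a breaking change requiring the flag, and a comment above the for_each such as `# NOTE: existing routes are removed when create_static_peer_routing is false (the default)` would make the resulting plan explicable. The `vpc_peer_own_rt` resource continues outside the hunk.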
@@ -25,10 +23,8 @@ resource "aws_ec2_transit_gateway_route" "vpc_peer_own_rt" {
# always add routes to services
#--
resource "aws_ec2_transit_gateway_route" "vpc_peer_common" {
- provider = aws.peer
- # for_each = { "services" = local.transit_gateway_route_table_ids_peer["services"] }
- for_each = { "services" = var.data_input.map_route_tables_peer["services"] }
- # destination_cidr_block = data.aws_vpc.vpc.cidr_block
+ provider = aws.peer
+ for_each = local.create_static_peer_routing ? { "services" = var.data_input.map_route_tables_peer["services"] } : {}
destination_cidr_block = var.vpc_cidr_block
transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
@@ -39,12 +35,12 @@ resource "aws_ec2_transit_gateway_route" "vpc_peer_common" {
# if services, add routes to all other route tables
#--
resource "aws_ec2_transit_gateway_route" "vpc_peer_all" {
- provider = aws.peer
- # for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => local.transit_gateway_route_table_ids_peer[k] } : {}
- for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_peer[k] } : {}
- # destination_cidr_block = data.aws_vpc.vpc.cidr_block
+ provider = aws.peer
+ for_each = local.create_static_peer_routing && contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_peer[k] } : {}
destination_cidr_block = var.vpc_cidr_block
transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
transit_gateway_route_table_id = each.value
}
+
+
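Review bot: The two blank lines appended after the closing brace of `vpc_peer_all` are trailing whitespace that `terraform fmt` removes again, so they should be dropped before merge. Apart from the gate on its for_each the rest of the resource is unchanged.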
diff --git a/vpc-transit-gateway-association/peer/main.tf b/vpc-transit-gateway-association/peer/main.tf
index bca7ec9..20f03d0 100644
--- a/vpc-transit-gateway-association/peer/main.tf
+++ b/vpc-transit-gateway-association/peer/main.tf
@@ -50,6 +50,10 @@ locals {
region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
self_is_network_account = data.aws_caller_identity.current.account_id == data.aws_caller_identity.network_account.account_id
+ # these two options cannot both be true. To create prefix list routing, this is only done on the network account
+ create_prefix_list_routing = var.create_prefix_list_routing && local.self_is_network_account && ! var.create_static_peer_routing
+ create_static_peer_routing = var.create_static_peer_routing && ! var.create_prefix_list_routing
+
base_tags = {
"boc:tf_module_version" = local._module_version
"boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
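Review bot: The comment says the two options cannot both be true, but the two new locals only turn that case into a silent no-op: with both `var.create_prefix_list_routing` and `var.create_static_peer_routing` set, each local evaluates to false and no routing of either kind is created, with nothing in the plan explaining why. If the project's required Terraform version allows it, a `precondition { condition = !(var.create_prefix_list_routing && var.create_static_peer_routing) error_message = "create_prefix_list_routing and create_static_peer_routing are mutually exclusive" }` in the `lifecycle` of one of the routing resources would surface the conflict at plan time; failing that, extend the comment to `# if both are set, both locals become false and no peer routing is created`. The same pair of locals is added verbatim in self/main.tf; keeping them in the common directory, as the variables already are, would stop the two copies drifting. `terraform fmt` also writes `!var.x` rather than `! var.x`. The `locals` block begins and ends outside the hunk.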
diff --git a/vpc-transit-gateway-association/peer/variables.routing.tf b/vpc-transit-gateway-association/peer/variables.routing.tf
new file mode 120000
index 0000000..81753b7
--- /dev/null
+++ b/vpc-transit-gateway-association/peer/variables.routing.tf
@@ -0,0 +1 @@
+../common/variables.routing.tf
\ No newline at end of file
diff --git a/vpc-transit-gateway-association/self/README.md b/vpc-transit-gateway-association/self/README.md
index 3ccc495..9b97bba 100644
--- a/vpc-transit-gateway-association/self/README.md
+++ b/vpc-transit-gateway-association/self/README.md
@@ -109,7 +109,10 @@ module "vpc_tgw_self" {
| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no |
| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| [create\_prefix\_list\_routing](#input\_create\_prefix\_list\_routing) | Flag to create (or not) prefix list routing. This is to be applied only on the TGW main account and VPCs | `bool` | `false` | no |
+| [create\_static\_peer\_routing](#input\_create\_static\_peer\_routing) | Flag to create (or not) static peer. This can be applied on every account including the TGW main account. This conflicts with craete\_prefix\_list\_routing | `bool` | `false` | no |
| [data\_input](#input\_data\_input) | Map of data generated by vpc-transit-gateway-association-data | object({
availablity_zone = map(any)
gateway_self = string
gateway_peer = string
route_tables_self = map(any)
route_tables_peer = map(any)
map_route_tables_self = map(any)
map_route_tables_peer = map(any)
map_vpn_route_tables_self = map(any)
map_vpn_route_tables_peer = map(any)
prefix_list_id_ipv4 = string
vpn_prefix_list_id_ipv4 = string
vpc_id = string
vpc_cidr_block = string
vpc_cidr_blocks = list(string)
}) | n/a | yes |
+| [enable\_vpn\_routing](#input\_enable\_vpn\_routing) | Flag to enable VPN routing, handled through a prefix list. This is used in the transition from per-VPC VPNs to TGW | `bool` | `false` | no |
| [network\_account\_profile](#input\_network\_account\_profile) | AWS profile of the source account sharing the VPC resources | `string` | n/a | yes |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | Map of private route table IDs (which exclude the attachment subnets) | `map(string)` | `{}` | no |
diff --git a/vpc-transit-gateway-association/self/main.tf b/vpc-transit-gateway-association/self/main.tf
index 762caf3..f9720f0 100644
--- a/vpc-transit-gateway-association/self/main.tf
+++ b/vpc-transit-gateway-association/self/main.tf
@@ -50,6 +50,10 @@ locals {
region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
self_is_network_account = data.aws_caller_identity.current.account_id == data.aws_caller_identity.network_account.account_id
+ # these two options cannot both be true. To create prefix list routing, this is only done on the network account
+ create_prefix_list_routing = var.create_prefix_list_routing && local.self_is_network_account && ! var.create_static_peer_routing
+ create_static_peer_routing = var.create_static_peer_routing && ! var.create_prefix_list_routing
+
base_tags = {
"boc:tf_module_version" = local._module_version
"boc:tf_module_name" = lookup(local._module_names, local._module_name, local._module_names["_main_"])
@@ -57,10 +61,8 @@ locals {
}
}
-
# vpc_id = local.vpc_id
# vpc_full_name = var.vpc_full_name
# availability_zones = []
# subnet_ids = [for sn in module.subnets.private_subnets_ids : sn if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
# route_table_label = "attachment"
-
diff --git a/vpc-transit-gateway-association/self/routing.tf b/vpc-transit-gateway-association/self/routing.tf
index d8d8250..ceceeaf 100644
--- a/vpc-transit-gateway-association/self/routing.tf
+++ b/vpc-transit-gateway-association/self/routing.tf
@@ -59,7 +59,7 @@ resource "aws_route" "gateway_ipv4" {
}
resource "aws_route" "gateway_vpn_ipv4" {
- for_each = var.vpn_route_prefix_list_name != null && var.data_input.vpn_prefix_list_id_ipv4 != null ? var.private_route_table_ids : {}
+ for_each = var.enable_vpn_routing && var.vpn_route_prefix_list_name != null && var.data_input.vpn_prefix_list_id_ipv4 != null ? var.private_route_table_ids : {}
route_table_id = each.value
destination_prefix_list_id = var.data_input.vpn_prefix_list_id_ipv4
@@ -75,7 +75,7 @@ resource "aws_route" "gateway_vpn_ipv4" {
#---
resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_common" {
provider = aws.self
- for_each = { "services" = var.data_input.map_route_tables_self["services"] }
+ for_each = local.create_prefix_list_routing ? { "services" = var.data_input.map_route_tables_self["services"] } : {}
prefix_list_id = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
@@ -87,7 +87,7 @@ resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_common" {
#---
resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_own_env" {
provider = aws.self
- for_each = { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] if k == var.transit_gateway_environment }
+ for_each = local.create_prefix_list_routing ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] if k == var.transit_gateway_environment } : {}
prefix_list_id = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
@@ -99,7 +99,7 @@ resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_own_env" {
#--
resource "aws_ec2_transit_gateway_prefix_list_reference" "vpc_self_all" {
provider = aws.self
- for_each = contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] } : {}
+ for_each = local.create_prefix_list_routing && contains(local.propagate_all_rt, var.transit_gateway_environment) ? { for k in local.selected_rt : k => var.data_input.map_route_tables_self[k] } : {}
prefix_list_id = data.aws_ec2_managed_prefix_list.tgw_crossregion_env[each.key].id
transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.attachment_peer.id
diff --git a/vpc-transit-gateway-association/self/variables.routing.tf b/vpc-transit-gateway-association/self/variables.routing.tf
new file mode 120000
index 0000000..81753b7
--- /dev/null
+++ b/vpc-transit-gateway-association/self/variables.routing.tf
@@ -0,0 +1 @@
+../common/variables.routing.tf
\ No newline at end of file