add associations, routing

terraform-modules · Oct 14, 2022 · f4d0e29 · f4d0e29
1 parent db940fe
commit f4d0e29
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 9 deletions.
diff --git a/vpc-transit-gateway-association/README.md b/vpc-transit-gateway-association/README.md
@@ -1,13 +1,15 @@
 # About aws-vpc-setup ::  vpc-transit-gateway-association
 
-# Usage
+This sets up the necessary transit gateway configuration for attaching a VPC with all of the components.  It does the following:
 
-```hcl
-module "vpc_tgw" {
-  source                  = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-transit-gateway-association?ref=tf-upgrade"
-  network_account_profile = "057445207498-ent-gov-network-sa"
-}
-```
+* gets transit gateway ID shared to this account and region
+* gets transit gateway route tables
+* creates routes for the attachment subnets to the transit gatewway
+* creates routes to all other things on the transit gateway through a network prefix
+* attaches the VPC to the transit gateway
+* propagates the route to the associated route tables for the envirornment/VRF
+  * services is propagated to all
+* creates static routes for transit gateway route tables in a peer region
 
 ## Requirements
 
@@ -40,6 +42,13 @@ module "vpc_tgw" {
 
 | Name | Type |
 |------|------|
+| [aws_ec2_transit_gateway_route.vpc_peer_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |
+| [aws_ec2_transit_gateway_route.vpc_peer_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |
+| [aws_ec2_transit_gateway_route.vpc_peer_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |
+| [aws_ec2_transit_gateway_route_table_association.route_table_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
+| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
+| [aws_ec2_transit_gateway_route_table_propagation.vpc_self_own_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
+| [aws_ec2_transit_gateway_vpc_attachment.vpc_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |
 | [aws_route.gateway_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -51,6 +60,8 @@ module "vpc_tgw" {
 | [aws_ec2_managed_prefix_lists.tgw_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_lists) | data source |
 | [aws_ec2_transit_gateway.gateway_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
 | [aws_ec2_transit_gateway.gateway_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
+| [aws_ec2_transit_gateway_peering_attachment.attachment_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_peering_attachment) | data source |
 | [aws_ec2_transit_gateway_route_table.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source |
 | [aws_ec2_transit_gateway_route_table.route_tables_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_table) | data source |
 | [aws_ec2_transit_gateway_route_tables.route_tables_peer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway_route_tables) | data source |
@@ -73,6 +84,7 @@ module "vpc_tgw" {
 | <a name="input_route_table_label"></a> [route\_table\_label](#input\_route\_table\_label) | Route table lable for the attachment subnets | `string` | `"attachment"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_transit_gateway_environment"></a> [transit\_gateway\_environment](#input\_transit\_gateway\_environment) | Transit Gateway Environment (aka, VRF) to which to connnect this VPC | `string` | n/a | yes |
+| <a name="input_transit_gateway_routing_type"></a> [transit\_gateway\_routing\_type](#input\_transit\_gateway\_routing\_type) | Transit Gateway routing type, to select either self or peer (where we may have many peers) | `string` | n/a | yes |
 | <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |

diff --git a/vpc-transit-gateway-association/data.transit-gateway.tf b/vpc-transit-gateway-association/data.transit-gateway.tf
@@ -62,3 +62,23 @@ locals {
 # These two hold a map of VRF => route table
 # * transit_gateway_route_table_ids_self
 # * transit_gateway_route_table_ids_peer
+
+#---
+# peering attachments
+#---
+data "aws_ec2_transit_gateway_peering_attachment" "attachment_self" {
+  provider = aws.self
+  filter {
+    name   = "transit-gateway-id"
+    values = [data.aws_ec2_transit_gateway.gateway_self.id]
+  }
+}
+
+data "aws_ec2_transit_gateway_peering_attachment" "attachment_peer" {
+  provider = aws.peer
+  filter {
+    name   = "transit-gateway-id"
+    values = [data.aws_ec2_transit_gateway.gateway_peer.id]
+  }
+}
+
diff --git a/vpc-transit-gateway-association/main.tf b/vpc-transit-gateway-association/main.tf
@@ -1,6 +1,17 @@
 /*
 * # About aws-vpc-setup ::  vpc-transit-gateway-association
 * 
+* This sets up the necessary transit gateway configuration for attaching a VPC with all of the components.  It does the following:
+*
+* * gets transit gateway ID shared to this account and region
+* * gets transit gateway route tables
+* * creates routes for the attachment subnets to the transit gatewway
+* * creates routes to all other things on the transit gateway through a network prefix
+* * attaches the VPC to the transit gateway
+* * propagates the route to the associated route tables for the envirornment/VRF
+*   * services is propagated to all
+* * creates static routes for transit gateway route tables in a peer region
+
 * # Usage
 * 
 * ```hcl

diff --git a/vpc-transit-gateway-association/routing.tf b/vpc-transit-gateway-association/routing.tf
@@ -2,8 +2,9 @@ module "routing_attachment_ipv4" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing?ref=tf-upgrade"
   vpc_id = var.vpc_id
 
-  vpc_full_name                = var.vpc_full_name
-  availability_zones           = var.availability_zones
+  vpc_full_name      = var.vpc_full_name
+  availability_zones = var.availability_zones
+  #  private_subnets_ids                                      = [for sn in module.subnets.private_subnets_ids : sn.id if lookup(sn.tags, "boc:vpc:route-table", null) == "attachment"]
   private_subnets_ids          = var.private_subnets_ids
   create_public_route_table    = false
   private_route_table_label    = var.route_table_label
@@ -35,6 +36,7 @@ data "aws_ec2_managed_prefix_list" "tgw_ipv4" {
   id       = each.key
 }
 
+# pick the first prefix list found, either NAME or NAME.ipv4
 resource "aws_route" "gateway_ipv4" {
   for_each = module.routing_ipv4.private_route_table_ids
 

diff --git a/vpc-transit-gateway-association/variables.tf b/vpc-transit-gateway-association/variables.tf
@@ -13,6 +13,16 @@ variable "transit_gateway_environment" {
   }
 }
 
+variable "transit_gateway_routing_type" {
+  description = "Transit Gateway routing type, to select either self or peer (where we may have many peers)"
+  type        = string
+
+  validation {
+    condition     = contains(["self", "peer"], var.transit_gateway_routing_type)
+    error_message = "transit_gateway_routing_type must be either self or peer"
+  }
+}
+
 ## variable "subnet_ids" {
 ##   description = "List of subnet IDs for this VPC for the TGW attachment. This should be not public, and should be a separate attachment set of /28 subnets with no other use"
 ##   type        = list(string)