rework to exclude public subnets from route table associations

terraform-modules · Jun 1, 2021 · fd89d1a · fd89d1a
1 parent b6e24b8
commit fd89d1a
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/peer/README.md b/peer/README.md
@@ -53,6 +53,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 | <a name="provider_aws.peer"></a> [aws.peer](#provider\_aws.peer) | n/a |
 | <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | n/a |
 
@@ -83,6 +84,8 @@ No requirements.
 | [aws_route_table.self_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_route_tables.default_peer_route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_route_tables.default_self_route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
+| [aws_subnet.peer_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
+| [aws_subnet.self_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 | [aws_vpc.peer_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc.self_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 

diff --git a/peer/data.peer.tf b/peer/data.peer.tf
@@ -34,7 +34,8 @@ data "aws_route_table" "peer_route_table" {
 }
 
 locals {
-  peer_subnets = flatten([for rt in data.aws_route_table.peer_route_table : [for a in rt.associations : a.subnet_id]])
+  peer_subnet_associations = flatten([for rt in data.aws_route_table.peer_route_table : [for a in rt.associations : a.subnet_id]])
+  peer_subnets             = [for sn in data.aws_subnet.peer_subnets : sn.id if length(regexall("public", sn.tags.Name)) == 0]
 }
 
 # get network acls associated with subnets in route table
@@ -43,6 +44,11 @@ data "aws_network_acls" "default_peer_network_acls" {
   vpc_id   = local.peer_vpc_id
   filter {
     name   = "association.subnet-id"
-    values = local.peer_subnets
+    values = local.peer_subnet_associations
   }
 }
+
+data "aws_subnet" "peer_subnets" {
+  for_each = toset(local.peer_subnet_associations)
+  id       = each.key
+}
diff --git a/peer/data.self.tf b/peer/data.self.tf
@@ -34,7 +34,8 @@ data "aws_route_table" "self_route_table" {
 }
 
 locals {
-  self_subnets = flatten([for rt in data.aws_route_table.self_route_table : [for a in rt.associations : a.subnet_id]])
+  self_subnet_associations = flatten([for rt in data.aws_route_table.self_route_table : [for a in rt.associations : a.subnet_id]])
+  self_subnets             = [for sn in data.aws_subnet.self_subnets : sn.id if length(regexall("public", sn.tags.Name)) == 0]
 }
 
 # get network acls associated with subnets in route table
@@ -43,6 +44,11 @@ data "aws_network_acls" "default_self_network_acls" {
   vpc_id   = local.self_vpc_id
   filter {
     name   = "association.subnet-id"
-    values = local.self_subnets
+    values = local.self_subnet_associations
   }
 }
+
+data "aws_subnet" "self_subnets" {
+  for_each = toset(local.self_subnet_associations)
+  id       = each.key
+}