From f0b66e22ec7c02adfb5563a0530e84b85762da5e Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 4 Feb 2022 11:48:52 -0500 Subject: [PATCH 1/7] update --- CHANGELOG.md | 44 ++++++++++--------- common/version.tf | 2 +- .../apps/test-instances/ec2.tf | 15 ++++++- .../apps/test-instances/variables.tf | 12 +++++ routing/README.md | 13 +++++- routing/main.tf | 23 +++++----- routing/variables.routing.tf | 23 ++++++++++ 7 files changed, 98 insertions(+), 34 deletions(-) create mode 100644 routing/variables.routing.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index f552e04..f53799b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,10 +2,10 @@ ## Version 1.x -* v1.0.0 -- 20210502 +* 1.0.0 -- 20210502 - initial creation -* v1.0.1 -- 20210504 +* 1.0.1 -- 20210504 - security-groups - add default security group - vpc 
@@ -13,70 +13,70 @@ - vpn - add bgp_asn to output -* v1.0.2 -- 20210505 +* 1.0.2 -- 20210505 - add nacls, nacls-rules - move variables into more common things and make links -* v1.0.3 -- 20210512 +* 1.0.3 -- 20210512 - security-groups - add output of security_groups map(object{name,id,arn}) -* v1.0.4 -- 20210514 +* 1.0.4 -- 20210514 - flowlogs - setup flow logs -* v1.0.5 -- 20210531 +* 1.0.5 -- 20210531 - peer - setup peer -* v1.1.0 -- 20210625 +* 1.1.0 -- 20210625 - vpc - add enable_aws_dns to use the AmazonDNS Route53 DNS -* v1.1.1 -- 20210629 +* 1.1.1 -- 20210629 - peer - add output of nacl_info -* v1.1.2 -- 20210702 +* 1.1.2 -- 20210702 - routing - export vpc s3 and dynamodb cidr blocks too, change the way the structure is constructed -* v1.1.3 -- 20210708 +* 1.1.3 -- 20210708 - subnets - add per-subnet tags -* v1.1.4 -- 20210709 +* 1.1.4 -- 20210709 - vpn - add custom_preshared_keys -* v1.1.5 -- 20210712 +* 1.1.5 -- 20210712 - flowlogs - change template input name -* v1.1.6 -- 20210714 +* 1.1.6 -- 20210714 - flowlogs - add tags to resources -* v1.2.0 -- 20211019 +* 1.2.0 -- 20211019 - vpn - add create variable to create/not-create the resources -* v1.3.0 -- 20211020 +* 1.3.0 -- 20211020 - peer - add peer_network_acl_filter -* v1.4.0 -- 20211109 +* 1.4.0 -- 20211109 - vpc-interface-endpoint - create new submodule for setting up an interface endpoint -* v1.4.1 -- 20211109 +* 1.4.1 -- 20211109 - vpc-interface-endpoint - minor change to tagging on name * (no version) -- 20211119 - add example for full-setup -* v1.4.2 -- 20220109 +* 1.4.2 -- 20220109 - add common/versions.tf to prep for tf 0.13+ - common/defaults.tf - add 10/8 to enteprise list and make the default, due to a max of 40 nacl entries in a nacl 
@@ -85,12 +85,16 @@ - peers - add variables enable_nacl_entry_self and enable_nacl_entry_peer to determine whether to create the rule local/remote (default false) -* v1.4.3 -- 20220118 +* 1.4.3 -- 20220118 - vpc-interface-endpoint - add to output: subnet_ids, network_interface_ids -* v1.4.4 -- 20220119 +* 1.4.4 -- 20220119 - vpc-interface-endpoint - add vpc-interface-type=Interface filter +* 1.5.0 -- 20220204 + - routing + - add lables for private, public route tables + ## Version 2.x diff --git a/common/version.tf b/common/version.tf index c7fced2..cf11f54 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.4.4" + _module_version = "1.5.0" } diff --git a/examples/ec2-vpc-region-vpcN/apps/test-instances/ec2.tf b/examples/ec2-vpc-region-vpcN/apps/test-instances/ec2.tf index 57ea481..efff5ab 100644 --- a/examples/ec2-vpc-region-vpcN/apps/test-instances/ec2.tf +++ b/examples/ec2-vpc-region-vpcN/apps/test-instances/ec2.tf @@ -1,3 +1,16 @@ +locals { + bootstrap_commands = [ + # "sudo bash /tmp/bootstrap.sh /tmp/${var.git_deploy_path} ${local.bootstrap_args} |& tee /tmp/bootstrap.log", + "sleep 60", + "sudo yum install -y iperf3 bind-utils curl nc awscli", + # set region in default profile + "aws configure --profile default set region ${local.region}", + "aws configure --profile default set output json", + "sudo aws configure --profile default set region ${local.region}", + "sudo aws configure --profile default set output json", + ] +} + resource "aws_instance" "test" { for_each = var.enable_instances ? local.private_subnets_id_map : {} @@ -46,7 +59,7 @@ resource "aws_instance" "test" { tags = merge( local.common_tags, - tomap({ "Name" = format("%v-test-%v", local.vpc_short_name, each.value.label) }), + tomap({ "Name" = format("%v-test-%v.%v", local.vpc_short_name, each.value.label, var.vpc_domain_name) }), ) } 
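Review bot: `local.bootstrap_commands` in the first ec2.tf hunk is defined but nothing in either ec2.tf hunk consumes it, and neither it nor `aws_instance.test` is gated on the `enable_bootstrap` flag that this series adds in variables.tf; if the list is fed to a provisioner or user_data outside the hunk, that gate belongs there, e.g. `bootstrap_commands = var.enable_bootstrap ? [ ... ] : []`. The same applies to `instance_count` in the variables.tf hunk, which nothing visible in this series reads. The second hunk's `Name` tag now depends on `var.vpc_domain_name`, which the variables.tf change here does not declare, so confirm it is defined elsewhere. The commented-out first entry still interpolates `var.git_deploy_path` and `local.bootstrap_args`, which are likewise undeclared here; drop it or keep it current so it does not rot.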
diff --git a/examples/ec2-vpc-region-vpcN/apps/test-instances/variables.tf b/examples/ec2-vpc-region-vpcN/apps/test-instances/variables.tf index dc58f3d..a2c9cda 100644 --- a/examples/ec2-vpc-region-vpcN/apps/test-instances/variables.tf +++ b/examples/ec2-vpc-region-vpcN/apps/test-instances/variables.tf @@ -4,3 +4,15 @@ variable "enable_instances" { default = true } +variable "enable_bootstrap" { + description = "Flag to enable or disable bootstrap (yum and awscli setup)" + type = bool + default = true +} + +variable "instance_count" { + description = "Number to indicate how many instances (up to subnet-count x az-count)" + type = number + default = null +} + diff --git a/routing/README.md b/routing/README.md index 3f69546..5b41902 100644 --- a/routing/README.md +++ b/routing/README.md @@ -24,13 +24,18 @@ module "routing" { ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | >= 3.66.0 | +| [null](#requirement\_null) | >= 3.0 | +| [random](#requirement\_random) | >= 3.0 | +| [template](#requirement\_template) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | >= 3.66.0 | ## Modules 
@@ -68,12 +73,16 @@ No modules. | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | | [availability\_zones](#input\_availability\_zones) | AWS Availability Zones to use (by default will use all available) | `list(string)` | `[]` | no | +| [create\_private\_route\_table](#input\_create\_private\_route\_table) | Flag to enable creation of private route tables (default: true) | `bool` | `true` | no | +| [create\_public\_route\_table](#input\_create\_public\_route\_table) | Flag to enable creation of public route tables (default: true) | `bool` | `true` | no | | [enable\_igw](#input\_enable\_igw) | Flag to enable AWS Internet Gateway (IGW) in the VPC (default: false) | `bool` | `false` | no | | [enable\_nat](#input\_enable\_nat) | Flag to enable AWS NAT Gateway in the VPC (default: false) | `bool` | `false` | no | | [enable\_vpc\_endpoint\_dynamodb](#input\_enable\_vpc\_endpoint\_dynamodb) | Flag to enable\|disable DynamoDB VPC Endpoint (default: true) | `bool` | `true` | no | | [enable\_vpc\_endpoint\_s3](#input\_enable\_vpc\_endpoint\_s3) | Flag to enable\|disable S3 VPC Endpoint (default: true) | `bool` | `true` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [private\_route\_table\_label](#input\_private\_route\_table\_label) | Label to include in the route table description for private subnets (default: private) | `string` | `"private"` | no | | [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
}))
| `[]` | no | +| [public\_route\_table\_label](#input\_public\_route\_table\_label) | Label to include in the route table description for public subnets (default: public) | `string` | `"public"` | no | | [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of public subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
}))
| `[]` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | n/a | yes | diff --git a/routing/main.tf b/routing/main.tf index 8182ddc..2dc4cd4 100644 --- a/routing/main.tf +++ b/routing/main.tf @@ -44,18 +44,18 @@ locals { # route table: public #--- resource "aws_route_table" "public" { - for_each = local.availability_zones + for_each = var.create_public_route_table ? local.availability_zones : {} vpc_id = var.vpc_id tags = merge( local.base_tags, var.tags, - map("Name", format("%v%v-%v-%v", local._prefixes["route-table"], var.vpc_full_name, "public", each.key)) + map("Name", format("%v%v-%v-%v", local._prefixes["route-table"], var.vpc_full_name, var.public_route_table_label, each.key)) ) } resource "aws_route_table_association" "public" { - for_each = { for subnet in var.public_subnets_ids : subnet.label => subnet } + for_each = var.create_public_route_table ? { for subnet in var.public_subnets_ids : subnet.label => subnet } : {} subnet_id = each.value.id route_table_id = aws_route_table.public[each.value.availability_zone].id } 
@@ -64,18 +64,18 @@ resource "aws_route_table_association" "public" { # route table: private #--- resource "aws_route_table" "private" { - for_each = local.availability_zones + for_each = var.create_private_route_table ? local.availability_zones : {} vpc_id = var.vpc_id tags = merge( local.base_tags, var.tags, - map("Name", format("%v%v-%v-%v", local._prefixes["route-table"], var.vpc_full_name, "private", each.key)) + map("Name", format("%v%v-%v-%v", local._prefixes["route-table"], var.vpc_full_name, var.private_route_table_label, each.key)) ) } resource "aws_route_table_association" "private" { - for_each = { for subnet in var.private_subnets_ids : subnet.label => subnet } + for_each = var.create_private_route_table ? { for subnet in var.private_subnets_ids : subnet.label => subnet } : {} subnet_id = each.value.id route_table_id = aws_route_table.private[each.value.availability_zone].id } @@ -87,7 +87,7 @@ resource "aws_route_table_association" "private" { # NATGW #--- resource "aws_eip" "nat" { - for_each = var.enable_igw && var.enable_nat ? local.availability_zones : local.empty + for_each = var.enable_igw && var.enable_nat ? local.availability_zones : {} vpc = true tags = merge( @@ -97,6 +97,9 @@ resource "aws_eip" "nat" { ) } +# might want to disalbe creation of igw and natgw if not creating public or private route tables +# or pass in the table names + resource "aws_internet_gateway" "gateway" { count = var.enable_igw ? 1 : 0 vpc_id = var.vpc_id @@ -115,7 +118,7 @@ locals { } resource "aws_nat_gateway" "nat" { - for_each = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : local.empty + for_each = var.enable_igw && var.enable_nat ? zipmap(local.availability_zones, local.public_subnets_ids_az) : {} allocation_id = aws_eip.nat[each.key].id subnet_id = each.value # depends_on = [aws_internet_gateway.gateway] 
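Review bot: `aws_eip.nat` (hunk @@ -87) and `aws_nat_gateway.nat` (hunk @@ -115) are still created whenever `enable_igw && enable_nat`, while the public route table and its IGW default route are now skipped when `create_public_route_table` is false; in that combination the NAT gateway sits in a public subnet with no route to the IGW, so it cannot forward traffic yet still allocates an EIP and incurs cost. The TODO comment added in hunk @@ -97 describes the same gap, so it seems to be known rather than intended. Rather than repeating the condition in five `for_each` expressions (the two `aws_route` resources in hunk @@ -128 as well), one local keeps them from drifting: `nat_zones = var.enable_igw && var.enable_nat && var.create_public_route_table ? local.availability_zones : <empty value typed to match local.availability_zones>` and then `for_each = local.nat_zones` in each resource.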
@@ -128,14 +131,14 @@ resource "aws_nat_gateway" "nat" { } resource "aws_route" "nat_public" { - for_each = var.enable_igw && var.enable_nat ? local.availability_zones : local.empty + for_each = var.create_public_route_table && var.enable_igw && var.enable_nat ? local.availability_zones : {} route_table_id = aws_route_table.public[each.key].id destination_cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.gateway[0].id } resource "aws_route" "nat_private" { - for_each = var.enable_igw && var.enable_nat ? local.availability_zones : local.empty + for_each = var.create_private_route_table && var.enable_igw && var.enable_nat ? local.availability_zones : {} route_table_id = aws_route_table.private[each.key].id destination_cidr_block = "0.0.0.0/0" nat_gateway_id = aws_nat_gateway.nat[each.key].id diff --git a/routing/variables.routing.tf b/routing/variables.routing.tf new file mode 100644 index 0000000..f49585a --- /dev/null +++ b/routing/variables.routing.tf @@ -0,0 +1,23 @@ +variable "private_route_table_label" { + description = "Label to include in the route table description for private subnets (default: private)" + type = string + default = "private" +} + +variable "public_route_table_label" { + description = "Label to include in the route table description for public subnets (default: public)" + type = string + default = "public" +} + +variable "create_private_route_table" { + description = "Flag to enable creation of private route tables (default: true)" + type = bool + default = true +} + +variable "create_public_route_table" { + description = "Flag to enable creation of public route tables (default: true)" + type = bool + default = true +} From edcc6261b05795357f7d8ec9ef34697340138354 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 4 Feb 2022 11:54:58 -0500 Subject: [PATCH 2/7] fix --- routing/main.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/routing/main.tf b/routing/main.tf index 2dc4cd4..3d9eb1d 100644 
--- a/routing/main.tf +++ b/routing/main.tf @@ -44,7 +44,7 @@ locals { # route table: public #--- resource "aws_route_table" "public" { - for_each = var.create_public_route_table ? local.availability_zones : {} + for_each = var.create_public_route_table ? local.availability_zones : toset([]) vpc_id = var.vpc_id tags = merge( @@ -64,7 +64,7 @@ resource "aws_route_table_association" "public" { # route table: private #--- resource "aws_route_table" "private" { - for_each = var.create_private_route_table ? local.availability_zones : {} + for_each = var.create_private_route_table ? local.availability_zones : toset([]) vpc_id = var.vpc_id tags = merge( @@ -87,7 +87,7 @@ resource "aws_route_table_association" "private" { # NATGW #--- resource "aws_eip" "nat" { - for_each = var.enable_igw && var.enable_nat ? local.availability_zones : {} + for_each = var.enable_igw && var.enable_nat ? local.availability_zones : toset([]) vpc = true tags = merge( @@ -131,14 +131,14 @@ resource "aws_nat_gateway" "nat" { } resource "aws_route" "nat_public" { - for_each = var.create_public_route_table && var.enable_igw && var.enable_nat ? local.availability_zones : {} + for_each = var.create_public_route_table && var.enable_igw && var.enable_nat ? local.availability_zones : toset([]) route_table_id = aws_route_table.public[each.key].id destination_cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.gateway[0].id } resource "aws_route" "nat_private" { - for_each = var.create_private_route_table && var.enable_igw && var.enable_nat ? local.availability_zones : {} + for_each = var.create_private_route_table && var.enable_igw && var.enable_nat ? local.availability_zones : toset([]) route_table_id = aws_route_table.private[each.key].id destination_cidr_block = "0.0.0.0/0" nat_gateway_id = aws_nat_gateway.nat[each.key].id From 680128d0beda50d5e600037e7fdb11dd16e530a1 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Fri, 4 Feb 2022 12:12:57 -0500 Subject: [PATCH 3/7] fix outputs --- routing/outputs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/routing/outputs.tf b/routing/outputs.tf index 0ea51b8..c49a148 100644 --- a/routing/outputs.tf +++ b/routing/outputs.tf @@ -40,12 +40,12 @@ output "public_route_table_ids" { description = "Public route table IDs map by availability zone" - value = { for k in local.availability_zones : k => aws_route_table.public[k].id } + value = var.create_public_route_table ? { for k in local.availability_zones : k => aws_route_table.public[k].id } : {} } output "private_route_table_ids" { description = "Private route table IDs map by availability zone" - value = { for k in local.availability_zones : k => aws_route_table.private[k].id } + value = var.create_private_route_table ? { for k in local.availability_zones : k => aws_route_table.private[k].id } : {} } output "vpc_endpoint_s3_id" { From 716f360528d0600d0a0ceab7e01940af528a0e64 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 8 Feb 2022 12:40:30 -0500 Subject: [PATCH 4/7] update vpc-endpoint service name --- vpc-interface-endpoint/main.tf | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf index c2d11ee..ce33981 100644 --- a/vpc-interface-endpoint/main.tf +++ b/vpc-interface-endpoint/main.tf 
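Review bot: The conditional added to `public_route_table_ids` duplicates the flag that already drives the resource's `for_each`, and the comprehension over `local.availability_zones` indexes `aws_route_table.public[k]` for every zone, which only stays valid as long as both expressions use the same key set. Iterating the resource instances needs no flag and is empty automatically when none are created: `value = { for k, rt in aws_route_table.public : k => rt.id }`, and the same form for `private_route_table_ids`.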
@@ -57,8 +57,12 @@ locals { account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" region = data.aws_region.current.name - service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : format("com.amazonaws.%v.%v", local.region, var.service) - short_service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : replace(local.service, format("com.amazonaws.%v.", local.region), "") + service_parts = split(".", var.service) + service = length(local.service_parts) == 1 ? format("com.amazonaws.%v.%v", local.region, var.service) : var.services + full_service_parts = split(".", local.service) + + # short_service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : replace(local.service, format("com.amazonaws.%v.", local.region), "") + short_service = element(local.full_service_parts, local.full_service_parts[0] == "com" ? length(local.full_service_parts) - 1 : 0) base_tags = { "boc:tf_module_version" = local._module_version From c04020a7f8df9567c117cb19372ce9ff6204d30d Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 8 Feb 2022 12:42:16 -0500 Subject: [PATCH 5/7] fix --- vpc-interface-endpoint/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf index ce33981..208eb89 100644 --- a/vpc-interface-endpoint/main.tf +++ b/vpc-interface-endpoint/main.tf @@ -58,7 +58,7 @@ locals { region = data.aws_region.current.name service_parts = split(".", var.service) - service = length(local.service_parts) == 1 ? format("com.amazonaws.%v.%v", local.region, var.service) : var.services + service = length(local.service_parts) == 1 ? format("com.amazonaws.%v.%v", local.region, var.service) : var.service full_service_parts = split(".", local.service) # short_service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : replace(local.service, format("com.amazonaws.%v.", local.region), "") 
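Review bot: `short_service` in hunk @@ -57 takes element 0 whenever `full_service_parts[0]` is not "com", so for the `aws.*` service names this series sets out to permit (the CHANGELOG entry in the last patch) the result is the literal "aws" rather than anything identifying the service; if `short_service` feeds resource names or tags outside the hunk, every such endpoint would get the same name. Taking the last element in every case yields "s3" for both `s3` and `com.amazonaws.<region>.s3` and the trailing component for an `aws.<svc>.<region>.<name>` form: `short_service = element(local.full_service_parts, length(local.full_service_parts) - 1)`. The commented-out previous `short_service` line kept just above it can be deleted rather than carried along. The `locals` block begins outside the hunk.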
From 008050d3f99745d634f413617fc149aa185133f5 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 8 Feb 2022 13:21:26 -0500 Subject: [PATCH 6/7] fix service discovery --- vpc-interface-endpoint/main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf index 208eb89..1b5aa3e 100644 --- a/vpc-interface-endpoint/main.tf +++ b/vpc-interface-endpoint/main.tf @@ -74,7 +74,8 @@ locals { # https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpoints.html data "aws_vpc_endpoint_service" "interface_endpoint" { - service = local.service + service = local.full_service_parts[0] == "com" ? local.service : null + service_name = local.full_service_parts[0] != "com" ? local.service : null filter { name = "service-type" values = ["Interface"] From cf11d3261fd4584da4afe98dc3b91fb95b86a9dc Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 8 Feb 2022 13:23:01 -0500 Subject: [PATCH 7/7] update readme --- CHANGELOG.md | 4 ++++ common/version.tf | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f53799b..8cc0b14 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -97,4 +97,8 @@ - routing - add lables for private, public route tables +* 1.5.1 -- 20220208 + - vpc-interface-endpoint + - permit use of aws.* name in service + ## Version 2.x diff --git a/common/version.tf b/common/version.tf index cf11f54..34b1108 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.5.0" + _module_version = "1.5.1" }
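Review bot: In hunk @@ -74 the `service` argument receives the full `com.amazonaws.<region>.<svc>` string, but the aws provider's `aws_vpc_endpoint_service` data source documents `service` as the short common name (e.g. `s3`) and derives `com.amazonaws.<region>.<service>` from it itself, so a short input such as `s3` is expanded to a full name by `local.service` in the earlier hunks and then prefixed a second time, and the lookup should fail. Since `local.service` is always a full service name after this series, `service_name = local.service` on its own, with the `service` argument dropped, covers both the `com.amazonaws.*` and the `aws.*` inputs with one line. The data block's `filter` continues past the end of the hunk.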