add vpn-transit-gateway

CHANGELOG.md

@@ -101,4 +101,8 @@
   - vpc-interface-endpoint
     - permit use of aws.* name in service
 
+* 1.6.0 -- 20220226
+  - vpn-transit-gateway
+    - setup vpn configurations for the transit gateway
+
 ## Version 2.x

common/defaults.tf

@@ -46,5 +46,6 @@ locals {
       "additional" = []
       "peers"      = []
     }
+    "transit-gateway-environments" = ["services", "dev", "test", "stage", "prod", "cre"]
   }
 }

common/prefixes.tf

@@ -9,20 +9,25 @@ locals {
     "group"          = "g-"
     "security-group" = "" # "sg-"
     # VPC
-    "vpc"              = ""
-    "dhcp-options"     = ""
-    "vpc-peer"         = "vpcp-"
-    "route-table"      = "route-"
-    "subnet"           = ""
-    "vpc-endpoint"     = "vpce-"
-    "elastic-ip"       = "eip-"
-    "nat-gateway"      = "nat-"
-    "internet-gateway" = "igw-"
-    "network-acl"      = "nacl-"
-    "customer-gateway" = "cgw-"
-    "vpn-gateway"      = "vpcg-"
-    "vpn-connection"   = "vpn_"
-    "log-group"        = "lg-"
-    "log-stream"       = "lgs-"
+    "vpc"                         = ""
+    "dhcp-options"                = ""
+    "vpc-peer"                    = "vpcp-"
+    "route-table"                 = "route-"
+    "subnet"                      = ""
+    "vpc-endpoint"                = "vpce-"
+    "elastic-ip"                  = "eip-"
+    "nat-gateway"                 = "nat-"
+    "internet-gateway"            = "igw-"
+    "network-acl"                 = "nacl-"
+    "customer-gateway"            = "cgw-"
+    "vpn-gateway"                 = "vpcg-"
+    "vpn-connection"              = "vpn_"
+    "log-group"                   = "lg-"
+    "log-stream"                  = "lgs-"
+    "transit-gateway"             = "tgw-"
+    "transit-gateway-peer"        = "tgwp-"
+    "transit-gateway-route-table" = "tgwr-"
+    "transit-gateway-attachment"  = "tgwa-"
+    "transit-gateway-vpn"         = "tgwv-"
   }
 }

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.5.1"
+  _module_version = "1.6.0"
 }

examples/dns-vpc-region-vpcN/apps/dns/zones.tf

@@ -21,8 +21,10 @@ locals {
 #   need to pull this ando ther forward zones up to vpc/apps/dns
 #---
 data "aws_route53_zone" "domain_zone" {
-  count = var.dns_zone_create ? 0 : 1
-  name  = local.domain_name
+  #  provider = aws.east
+  count        = var.dns_zone_create ? 0 : 1
+  name         = local.domain_name
+  private_zone = true
 }
 
 resource "aws_route53_zone" "domain_zone" {
@@ -50,15 +52,16 @@ resource "aws_route53_zone" "domain_zone" {
 
 resource "aws_route53_vpc_association_authorization" "west_domain_zone" {
   #  provider = aws.west_main_dns
-  for_each   = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  #  for_each   = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  for_each   = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
   zone_id    = each.value.zone_id
   vpc_region = "us-gov-west-1"
   vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
 }
 
 resource "aws_route53_zone_association" "west_domain_zone" {
   provider = aws.west_main_dns
-  for_each = aws_route53_vpc_association_authorization.west_domain_zone
+  for_each = var.dns_zone_create ? aws_route53_vpc_association_authorization.west_domain_zone : {}
 
   zone_id    = each.value.zone_id
   vpc_id     = each.value.vpc_id
@@ -74,7 +77,8 @@ resource "aws_route53_zone_association" "west_domain_zone" {
 
 resource "aws_route53_vpc_association_authorization" "east_domain_zone" {
   #  provider = aws.east_main_dns
-  for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  #  for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  for_each = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
 
   zone_id    = each.value.zone_id
   vpc_region = "us-gov-east-1"
@@ -83,7 +87,7 @@ resource "aws_route53_vpc_association_authorization" "east_domain_zone" {
 
 resource "aws_route53_zone_association" "east_domain_zone" {
   provider   = aws.east_main_dns
-  for_each   = aws_route53_vpc_association_authorization.east_domain_zone
+  for_each   = var.dns_zone_create ? aws_route53_vpc_association_authorization.east_domain_zone : {}
   zone_id    = each.value.zone_id
   vpc_id     = each.value.vpc_id
   vpc_region = each.value.vpc_region

examples/ec2-vpc-region-vpcN-new/apps/test-instances/ec2.tf

@@ -18,7 +18,7 @@ resource "aws_instance" "test" {
   for_each = var.enable_instances ? { for k in local.private_subnets_id_list : k => local.private_subnets_id_map[k] } : {}
 
   ami                    = local.ami
-  instance_type          = local.my_instance_type
+  instance_type          = local.instance_type
   availability_zone      = each.value.availability_zone
   key_name               = local.key_name
   subnet_id              = each.value.id

vpn-transit-gateway/README.md

@@ -0,0 +1,107 @@
+# About aws-vpc-setup :: vpn-transit-gateway
+
+This sets up a VPN for the specified site (hq or bcc) and all the necessary related components:
+* customer gateway per site, environment and sequence
+* vpn connection to the transit gateway
+
+It generates a password for each site and uses the same one for each of the site's two tunnels.
+
+To download the configuration, follow these directions [page 24 from AWS docs](https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf):
+
+> To download the configuration file
+> 1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+> 1. In the navigation pane, choose Site-to-Site VPN Connections.
+> 1. Select your VPN connection and choose Download Configuration.
+> 1. Select the vendor, platform, and software that corresponds to your customer gateway device or
+> 1oftware. If your device is not listed, choose Generic. Choose Download.
+>    * Vendor: Cisco Systems, Inc.
+>    * Platform: Cisco ASR 1000
+>    * Software: IOS 12.4+
+
+# Usage
+
+```hcl
+module "vpn_transit-gateway" {
+  source          = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn-transit-gateway"
+  create          = true
+  vpc_id          = "vpc-1234568"
+  transit_gateway_id = "tgw-12345678"
+  tgw_environment = "dev"
+  vpn_settings = [
+    { site = "hq",   environment = "dev", sequence = 1, "bgp_asn_id" = 65510, "ip_address" = "148.129.160.100" },
+    { site = "bcc",  environment = "dev", sequence = 1, "bgp_asn_id" = 65511, "ip_address" = "148.129.90.100" },
+  ]
+  tgw_route_table_association = "tgw-rtb-123123123123"
+  tgw_route_table_propagation = [ "tgw-rtb-123123123123", "tgw-rtb-234234234234" ]
+  tags            = {}
+
+ # optional
+ # use_tgw_prefixes = true
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_customer_gateway.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource |
+| [aws_ec2_tag.vpn_tag_created_by](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.vpn_tag_environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.vpn_tag_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_transit_gateway_route_table_association.route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
+| [aws_ec2_transit_gateway_route_table_propagation.propagate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
+| [aws_vpn_connection.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_connection) | resource |
+| [random_string.tunnel_preshared_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_create"></a> [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_route_table_ids"></a> [route\_table\_ids](#input\_route\_table\_ids) | List of created route table IDs for privating routing to be used for VPN route propagation | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_tgw_environment"></a> [tgw\_environment](#input\_tgw\_environment) | Transit Gatewway environment purpose (services, dev, test, stage, prod, cre) | `string` | `null` | no |
+| <a name="input_tgw_route_table_association"></a> [tgw\_route\_table\_association](#input\_tgw\_route\_table\_association) | Transit Gateway Route Table to associate the VPN attachments with.  Only one route table may be associated with a VPN attachment. | `string` | `null` | no |
+| <a name="input_tgw_route_table_propagation"></a> [tgw\_route\_table\_propagation](#input\_tgw\_route\_table\_propagation) | Transit Gateway Route Tables to propagate the VPN attachments.  Multiple route tables may be selected. | `list(string)` | `[]` | no |
+| <a name="input_tgw_vpn_settings"></a> [tgw\_vpn\_settings](#input\_tgw\_vpn\_settings) | Transit Gateway VPN Connection details array of objects | <pre>list(object(<br>    {<br>      site           = string<br>      environment    = string<br>      sequence       = number<br>      bgp_asn_id     = number<br>      ip_address     = string<br>      tunnel_ips     = list(string)<br>      preshared_keys = list(string)<br>    }<br>  ))</pre> | `[]` | no |
+| <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | Transit Gateway ID | `string` | n/a | yes |
+| <a name="input_use_tgw_prefixes"></a> [use\_tgw\_prefixes](#input\_use\_tgw\_prefixes) | Flag to enable or disable the use of Transit Gateway prefixes (default: false) | `bool` | `false` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_vpn_labels"></a> [vpn\_labels](#output\_vpn\_labels) | VPN Labels for Description field of Endpoint device (Cisco ASR) |
+| <a name="output_vpn_tunnel_endpoints"></a> [vpn\_tunnel\_endpoints](#output\_vpn\_tunnel\_endpoints) | VPN Tunnel Endpoint IP Addresses |

vpn-transit-gateway/data.tf

@@ -0,0 +1 @@
+../common/data.tf

vpn-transit-gateway/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf