From 40b88f010041737ee503dc6b1b8ba96df9cdaeae Mon Sep 17 00:00:00 2001
From: "Byungjin Park (Claud)"
Date: Tue, 8 Mar 2022 23:59:58 +0900
Subject: [PATCH 01/73] Add dependabot.yml (#8)
---
 .github/dependabot.yml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..759819d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
From 9b104f9c36ea571689608f08ecfe07a991df74d9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 9 Mar 2022 01:17:34 +0900
Subject: [PATCH 02/73] Bump actions/checkout from 2 to 3 (#10)
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/checkout
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/integration.yaml | 6 +++---
 .github/workflows/sync-labels.yaml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index 5011772..be3a023 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
@@ -66,7 +66,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Set-up terraform
 uses: hashicorp/setup-terraform@v1
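Review bot: The new `dependabot.yml` registers only the `github-actions` ecosystem, so the provider constraints in each module's `versions.tf` (the `aws` block seen later in this series) and any registry module sources never get update PRs; a second entry, `- package-ecosystem: "terraform"` with one `directory:` per module folder, would cover them. The `uses:` references this config will keep bumping are mutable tags (`actions/checkout@v3` in the next hunks), which a compromised or force-pushed tag can redirect to different code at run time; Dependabot also tracks full commit-SHA pins, so `uses: actions/checkout@<sha> # v3` receives the same update PRs while removing that trust in the tag. A one-line comment above `interval: "daily"` saying the cadence is deliberate would save the next reader from wondering whether `weekly` was intended for a repository with this few actions.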
@@ -93,7 +93,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Lint YAML Files
 id: yaml-lint
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 210f935..764747a 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -13,7 +13,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Sync labels
 uses: crazy-max/ghaction-github-labeler@v3
From a8d4ca7ba4bbe870daa98c2c8523ae132d393a11 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 9 Mar 2022 01:17:42 +0900
Subject: [PATCH 03/73] Bump actions/labeler from 3 to 4 (#9)
Bumps [actions/labeler](https://github.com/actions/labeler) from 3 to 4.
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](https://github.com/actions/labeler/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/labeler
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/pull-request-labeler.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pull-request-labeler.yaml b/.github/workflows/pull-request-labeler.yaml
index 9ceef35..1784c72 100644
--- a/.github/workflows/pull-request-labeler.yaml
+++ b/.github/workflows/pull-request-labeler.yaml
@@ -9,7 +9,7 @@ jobs:
 steps:
 - name: Add Labels for PR
- uses: actions/labeler@v3
+ uses: actions/labeler@v4
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 configuration-path: .github/labeler.yaml
From f9386dd138e01947a633c8c827bb11edb072e9cb Mon Sep 17 00:00:00 2001
From: "Byungjin Park (Claud)"
Date: Wed, 9 Mar 2022 02:10:15 +0900
Subject: [PATCH 04/73] Support manual trigger for sync-labels action (#11)
---
 .github/workflows/sync-labels.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 764747a..6e8bb1d 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -6,6 +6,7 @@ on:
 - main
 paths:
 - .github/labels.yaml
+ workflow_dispatch: {}
 jobs:
 sync-labels:
From dff4f567f632806e16f3f2605339756392946a8f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 21 Apr 2022 16:28:42 +0900
Subject: [PATCH 05/73] Bump hashicorp/setup-terraform from 1 to 2 (#13)
Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 1 to 2.
- [Release notes](https://github.com/hashicorp/setup-terraform/releases)
- [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/setup-terraform/compare/v1...v2)
---
updated-dependencies:
- dependency-name: hashicorp/setup-terraform
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/integration.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index be3a023..e915d59 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -69,7 +69,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Set-up terraform
- uses: hashicorp/setup-terraform@v1
+ uses: hashicorp/setup-terraform@v2
 - name: Terraform fmt
 id: terraform-fmt
From aed9d90df84c10cf3b3df8f7bc26b7fec091280a Mon Sep 17 00:00:00 2001
From: "Byungjin Park (Claud)"
Date: Mon, 2 May 2022 23:11:00 +0900
Subject: [PATCH 06/73] Fix and upgrade pre-commit config (#14)
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 98ab081..aa33d01 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.58.0
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.70.1
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
From 1d23a4fc42381dd998cf036f7678f40c26e142d7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 27 May 2022 01:26:24 +0900
Subject: [PATCH 07/73] Bump crazy-max/ghaction-github-labeler from 3 to 4 (#15)
Bumps [crazy-max/ghaction-github-labeler](https://github.com/crazy-max/ghaction-github-labeler) from 3 to 4.
- [Release notes](https://github.com/crazy-max/ghaction-github-labeler/releases)
- [Changelog](https://github.com/crazy-max/ghaction-github-labeler/blob/master/CHANGELOG.md)
- [Commits](https://github.com/crazy-max/ghaction-github-labeler/compare/v3...v4)
---
updated-dependencies:
- dependency-name: crazy-max/ghaction-github-labeler
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/sync-labels.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 6e8bb1d..5d0805f 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
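Review bot: `rev: v1.70.1` is a git tag, and pre-commit resolves it by cloning the repository at install time, so whoever controls `antonbabenko/pre-commit-terraform` can move that tag and change what `terraform_fmt` and `terraform_validate` execute on every contributor's machine; pre-commit accepts a full commit SHA in `rev`, e.g. `rev: <sha>  # v1.70.1`, which makes the hook content immutable. The Dependabot config added earlier in this series covers `github-actions` only and does not track pre-commit hooks, so that pin has to be refreshed by `pre-commit autoupdate` or a scheduled job, or it will fall behind the way the `v1.58.0` pin did. The `git://` to `https://` switch is the right fix, since the git protocol carries no authentication; a short comment above `repos:` recording that `git://` URLs are no longer accepted would stop someone reintroducing one.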
@@ -17,7 +17,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Sync labels
- uses: crazy-max/ghaction-github-labeler@v3
+ uses: crazy-max/ghaction-github-labeler@v4
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 yaml-file: .github/labels.yaml
From 575ecd9e358abc092bbff4319673f89e2453075a Mon Sep 17 00:00:00 2001
From: "Byungjin Park (Claud)"
Date: Tue, 19 Jul 2022 01:54:41 +0900
Subject: [PATCH 08/73] Update route-table module (#16)
---
 modules/route-table/README.md | 36 +++++++++++++--------------
 modules/route-table/main.tf | 8 +++---
 modules/route-table/variables.tf | 42 ++++++++++++++++++++------------
 modules/route-table/versions.tf | 4 +--
 4 files changed, 52 insertions(+), 38 deletions(-)
diff --git a/modules/route-table/README.md b/modules/route-table/README.md
index 6e94ff1..33fa92a 100644
--- a/modules/route-table/README.md
+++ b/modules/route-table/README.md
@@ -14,14 +14,14 @@ This module creates following resources.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.15 |
-| [aws](#requirement\_aws) | >= 3.45 |
+| [terraform](#requirement\_terraform) | >= 1.2 |
+| [aws](#requirement\_aws) | >= 4.22 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 3.45.0 |
+| [aws](#provider\_aws) | 4.22.0 |
 ## Modules
@@ -46,21 +46,21 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [name](#input\_name) | Desired name for the route table resources. | `string` | n/a | yes | -| [vpc\_id](#input\_vpc\_id) | The ID of the VPC which the route table belongs to. | `string` | n/a | yes | -| [gateways](#input\_gateways) | A list of gateway IDs to associate with the route table. Only support Internet Gateway and Virtual Private Gateway. | `list(string)` | `[]` | no | -| [ipv4\_routes](#input\_ipv4\_routes) | A list of route rules for IPv4 CIDRs. | `list(map(string))` | `[]` | no | -| [ipv6\_routes](#input\_ipv6\_routes) | A list of route rules for IPv6 CIDRs. | `list(map(string))` | `[]` | no | -| [is\_main](#input\_is\_main) | Whether to set this route table as the main route table. | `bool` | `false` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [prefix\_list\_routes](#input\_prefix\_list\_routes) | A list of route rules for Managed Prefix List. | `list(map(string))` | `[]` | no | -| [propagating\_vpn\_gateways](#input\_propagating\_vpn\_gateways) | A list of Virtual Private Gateway IDs to propagate routes from. | `list(string)` | `[]` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. 
| `string` | `""` | no | -| [subnets](#input\_subnets) | A list of subnet IDs to associate with the route table. | `list(string)` | `[]` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | -| [vpc\_gateway\_endpoints](#input\_vpc\_gateway\_endpoints) | A list of the VPC Endpoint IDs with which the Route Table will be associated. | `list(string)` | `[]` | no | +| [name](#input\_name) | (Required) Desired name for the route table resources. | `string` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC which the route table belongs to. | `string` | n/a | yes | +| [gateways](#input\_gateways) | (Optional) A list of gateway IDs to associate with the route table. Only support Internet Gateway and Virtual Private Gateway. | `list(string)` | `[]` | no | +| [ipv4\_routes](#input\_ipv4\_routes) | (Optional) A list of route rules for IPv4 CIDRs. | `list(map(string))` | `[]` | no | +| [ipv6\_routes](#input\_ipv6\_routes) | (Optional) A list of route rules for IPv6 CIDRs. | `list(map(string))` | `[]` | no | +| [is\_main](#input\_is\_main) | (Optional) Whether to set this route table as the main route table. | `bool` | `false` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [prefix\_list\_routes](#input\_prefix\_list\_routes) | (Optional) A list of route rules for Managed Prefix List. | `list(map(string))` | `[]` | no | +| [propagating\_vpn\_gateways](#input\_propagating\_vpn\_gateways) | (Optional) A list of Virtual Private Gateway IDs to propagate routes from. | `list(string)` | `[]` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. 
| `string` | `"Managed by Terraform."` | no |
+| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
+| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| [subnets](#input\_subnets) | (Optional) A list of subnet IDs to associate with the route table. | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| [vpc\_gateway\_endpoints](#input\_vpc\_gateway\_endpoints) | (Optional) A list of the VPC Endpoint IDs with which the Route Table will be associated. | `list(string)` | `[]` | no |
 ## Outputs
diff --git a/modules/route-table/main.tf b/modules/route-table/main.tf
index d9047cf..bf45d07 100644
--- a/modules/route-table/main.tf
+++ b/modules/route-table/main.tf
@@ -38,6 +38,8 @@ resource "aws_main_route_table_association" "this" {
 # Routes ###################################################
+# INFO: Not supported attributes
+# - `instance_id` (Deprecated)
 resource "aws_route" "ipv4" {
 for_each = {
 for route in var.ipv4_routes :
@@ -48,9 +50,9 @@ resource "aws_route" "ipv4" {
 destination_cidr_block = each.key
 carrier_gateway_id = try(each.value.carrier_gateway_id, null)
+ core_network_arn = try(each.value.core_network_arn, null)
 egress_only_gateway_id = try(each.value.egress_only_gateway_id, null)
 gateway_id = try(each.value.gateway_id, null)
- instance_id = try(each.value.instance_id, null)
 local_gateway_id = try(each.value.local_gateway_id, null)
 nat_gateway_id = try(each.value.nat_gateway_id, null)
 network_interface_id = try(each.value.network_interface_id, null)
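Review bot: Removing `instance_id = try(each.value.instance_id, null)` leaves callers that still pass `instance_id` in `var.ipv4_routes` with no signal at plan time: the variable is typed `list(map(string))`, so the key is accepted and silently ignored and the route reaches the provider with no target at all (the same already happens for any misspelled key such as `nat_gateway`). With `required_version` now `>= 1.2` (versions.tf hunk in this patch) a `lifecycle.precondition` on `aws_route.ipv4` — and on the `ipv6` and `prefix_list` twins in the following hunks — can reject the removed key with a message naming the replacement, which as far as I can tell from the AWS provider's deprecation is the instance's primary ENI passed as `network_interface_id`; confirm against the provider changelog before quoting it. The `INFO` comment above the resource should carry the same hint, e.g. `# - \`instance_id\` (Deprecated; pass the instance's primary ENI as \`network_interface_id\` instead)`. Dropping a documented input is a breaking change, which the `0.26.0` to `0.26.1` bump later in this series understates. The `aws_route.ipv4` block starts before and ends after this hunk.
```hcl
resource "aws_route" "ipv4" {
  # … unchanged: for_each, destination_cidr_block, target attributes …

  lifecycle {
    precondition {
      condition     = !contains(keys(each.value), "instance_id")
      error_message = "Attribute instance_id is not supported; pass the instance's primary network interface as network_interface_id instead."
    }
  }
```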
@@ -69,9 +71,9 @@ resource "aws_route" "ipv6" {
 destination_ipv6_cidr_block = each.key
 carrier_gateway_id = try(each.value.carrier_gateway_id, null)
+ core_network_arn = try(each.value.core_network_arn, null)
 egress_only_gateway_id = try(each.value.egress_only_gateway_id, null)
 gateway_id = try(each.value.gateway_id, null)
- instance_id = try(each.value.instance_id, null)
 local_gateway_id = try(each.value.local_gateway_id, null)
 nat_gateway_id = try(each.value.nat_gateway_id, null)
 network_interface_id = try(each.value.network_interface_id, null)
@@ -90,9 +92,9 @@ resource "aws_route" "prefix_list" {
 destination_prefix_list_id = each.key
 carrier_gateway_id = try(each.value.carrier_gateway_id, null)
+ core_network_arn = try(each.value.core_network_arn, null)
 egress_only_gateway_id = try(each.value.egress_only_gateway_id, null)
 gateway_id = try(each.value.gateway_id, null)
- instance_id = try(each.value.instance_id, null)
 local_gateway_id = try(each.value.local_gateway_id, null)
 nat_gateway_id = try(each.value.nat_gateway_id, null)
 network_interface_id = try(each.value.network_interface_id, null)
diff --git a/modules/route-table/variables.tf b/modules/route-table/variables.tf
index edc7b37..4ae9bfd 100644
--- a/modules/route-table/variables.tf
+++ b/modules/route-table/variables.tf
@@ -1,71 +1,83 @@ variable "name" { - description = "Desired name for the route table resources." + description = "(Required) Desired name for the route table resources." type = string + nullable = false } variable "vpc_id" { - description = "The ID of the VPC which the route table belongs to." + description = "(Required) The ID of the VPC which the route table belongs to." type = string + nullable = false } variable "subnets" { - description = "A list of subnet IDs to associate with the route table." + description = "(Optional) A list of subnet IDs to associate with the route table." type = list(string) default = [] + nullable = false } variable "gateways" { - description = "A list of gateway IDs to associate with the route table. Only support Internet Gateway and Virtual Private Gateway." + description = "(Optional) A list of gateway IDs to associate with the route table. Only support Internet Gateway and Virtual Private Gateway." type = list(string) default = [] + nullable = false } variable "vpc_gateway_endpoints" { - description = "A list of the VPC Endpoint IDs with which the Route Table will be associated." + description = "(Optional) A list of the VPC Endpoint IDs with which the Route Table will be associated." type = list(string) default = [] + nullable = false } variable "propagating_vpn_gateways" { - description = "A list of Virtual Private Gateway IDs to propagate routes from." + description = "(Optional) A list of Virtual Private Gateway IDs to propagate routes from." type = list(string) default = [] + nullable = false } variable "is_main" { - description = "Whether to set this route table as the main route table." + description = "(Optional) Whether to set this route table as the main route table." type = bool default = false + nullable = false } variable "ipv4_routes" { - description = "A list of route rules for IPv4 CIDRs." + description = "(Optional) A list of route rules for IPv4 CIDRs." 
type = list(map(string)) default = [] + nullable = false } variable "ipv6_routes" { - description = "A list of route rules for IPv6 CIDRs." + description = "(Optional) A list of route rules for IPv6 CIDRs." type = list(map(string)) default = [] + nullable = false } variable "prefix_list_routes" { - description = "A list of route rules for Managed Prefix List." + description = "(Optional) A list of route rules for Managed Prefix List." type = list(map(string)) default = [] + nullable = false } variable "tags" { - description = "A map of tags to add to all resources." + description = "(Optional) A map of tags to add to all resources." type = map(string) default = {} + nullable = false } variable "module_tags_enabled" { - description = "Whether to create AWS Resource Tags for the module informations." + description = "(Optional) Whether to create AWS Resource Tags for the module informations." type = bool default = true + nullable = false } 
@@ -74,19 +86,19 @@ variable "module_tags_enabled" {
 ###################################################
 variable "resource_group_enabled" {
- description = "Whether to create Resource Group to find and group AWS resources which are created by this module."
+ description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
 type = bool
 default = true
 }
 variable "resource_group_name" {
- description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
+ description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
 type = string
 default = ""
 }
 variable "resource_group_description" {
- description = "The description of Resource Group."
+ description = "(Optional) The description of Resource Group."
 type = string
 default = "Managed by Terraform."
 }
diff --git a/modules/route-table/versions.tf b/modules/route-table/versions.tf
index 6078ceb..341c2f1 100644
--- a/modules/route-table/versions.tf
+++ b/modules/route-table/versions.tf
@@ -1,10 +1,10 @@
 terraform {
- required_version = ">= 0.15"
+ required_version = ">= 1.2"
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.45"
+ version = ">= 4.22"
 }
 }
 }
From 428b91199ecf361b74bb93b46f49c4be4d56313d Mon Sep 17 00:00:00 2001
From: Byungjin Park
Date: Tue, 19 Jul 2022 01:55:04 +0900
Subject: [PATCH 09/73] Bump to v0.26.1
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 4e8f395..30f6cf8 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.26.0
+0.26.1
From 61163bc8a42c555fabe9d37ba7d9c6686f550aff Mon Sep 17 00:00:00 2001
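Review bot: The three `resource_group_*` variables in this hunk did not receive the `nullable = false` that every other variable in this file gets in the preceding hunk, so `resource_group_enabled = null` is still accepted from a caller and then flows into `(var.resource_group_enabled && var.module_tags_enabled)` in `resource-group.tf`, which as far as I can tell fails at plan time with an operand type error rather than a clear message. Adding `nullable = false` to `resource_group_enabled`, `resource_group_name` and `resource_group_description` keeps the module's inputs consistent and lets each `default` apply when null is passed. The `(Optional)` prefix is fine, but the `resource_group_enabled` description could also say that the group is only created when `module_tags_enabled` is true, since that is the actual condition in the count expression.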
From: "Byungjin Park (Claud)" Date: Fri, 3 Feb 2023 00:55:29 +0900 Subject: [PATCH 10/73] Use module instead of resource for resource group (#23) --- modules/dx-gateway/README.md | 4 +-- modules/dx-gateway/versions.tf | 2 +- modules/nacl/README.md | 9 +++--- modules/nacl/migrations.tf | 5 ++++ modules/nacl/resource-group.tf | 29 +++++-------------- modules/nacl/versions.tf | 2 +- modules/nat-gateway/README.md | 9 +++--- modules/nat-gateway/migrations.tf | 5 ++++ modules/nat-gateway/resource-group.tf | 29 +++++-------------- modules/nat-gateway/versions.tf | 2 +- modules/route-table/README.md | 5 ++-- modules/route-table/migrations.tf | 5 ++++ modules/route-table/resource-group.tf | 29 +++++-------------- modules/security-group/README.md | 9 +++--- modules/security-group/migrations.tf | 5 ++++ modules/security-group/resource-group.tf | 29 +++++-------------- modules/security-group/versions.tf | 2 +- modules/subnet-group/README.md | 9 +++--- modules/subnet-group/resource-group.tf | 29 +++++-------------- modules/subnet-group/versions.tf | 2 +- modules/vpc-endpoint-service/README.md | 9 +++--- modules/vpc-endpoint-service/migrations.tf | 5 ++++ .../vpc-endpoint-service/resource-group.tf | 29 +++++-------------- modules/vpc-endpoint-service/versions.tf | 2 +- modules/vpc-gateway-endpoint/README.md | 9 +++--- modules/vpc-gateway-endpoint/migrations.tf | 5 ++++ .../vpc-gateway-endpoint/resource-group.tf | 29 +++++-------------- modules/vpc-gateway-endpoint/versions.tf | 2 +- modules/vpc-interface-endpoint/README.md | 6 ++-- modules/vpc-interface-endpoint/migrations.tf | 5 ++++ .../vpc-interface-endpoint/resource-group.tf | 29 +++++-------------- modules/vpc-interface-endpoint/versions.tf | 2 +- modules/vpc-peering-accepter/README.md | 9 +++--- modules/vpc-peering-accepter/migrations.tf | 5 ++++ .../vpc-peering-accepter/resource-group.tf | 29 +++++-------------- modules/vpc-peering-accepter/versions.tf | 2 +- modules/vpc-peering-requester/README.md | 9 +++--- 
modules/vpc-peering-requester/migrations.tf | 5 ++++ .../vpc-peering-requester/resource-group.tf | 29 +++++-------------- modules/vpc-peering-requester/versions.tf | 2 +- modules/vpc-peering/README.md | 9 +++--- modules/vpc-peering/migrations.tf | 5 ++++ modules/vpc-peering/resource-group.tf | 29 +++++-------------- modules/vpc-peering/versions.tf | 2 +- modules/vpc/README.md | 9 +++--- modules/vpc/migrations.tf | 5 ++++ modules/vpc/resource-group.tf | 29 +++++-------------- modules/vpc/versions.tf | 2 +- 48 files changed, 221 insertions(+), 311 deletions(-) create mode 100644 modules/nacl/migrations.tf create mode 100644 modules/nat-gateway/migrations.tf create mode 100644 modules/route-table/migrations.tf create mode 100644 modules/security-group/migrations.tf create mode 100644 modules/vpc-endpoint-service/migrations.tf create mode 100644 modules/vpc-gateway-endpoint/migrations.tf create mode 100644 modules/vpc-interface-endpoint/migrations.tf create mode 100644 modules/vpc-peering-accepter/migrations.tf create mode 100644 modules/vpc-peering-requester/migrations.tf create mode 100644 modules/vpc-peering/migrations.tf create mode 100644 modules/vpc/migrations.tf diff --git a/modules/dx-gateway/README.md b/modules/dx-gateway/README.md index f6d2954..e43d7b5 100644 --- a/modules/dx-gateway/README.md +++ b/modules/dx-gateway/README.md @@ -10,14 +10,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.49.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules diff --git a/modules/dx-gateway/versions.tf b/modules/dx-gateway/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/dx-gateway/versions.tf +++ b/modules/dx-gateway/versions.tf 
@@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/nacl/README.md b/modules/nacl/README.md index 35fcf9c..347f30d 100644 --- a/modules/nacl/README.md +++ b/modules/nacl/README.md @@ -10,18 +10,20 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.45.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources @@ -30,7 +32,6 @@ No modules. | [aws_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource | | [aws_network_acl_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_network_acl_rule.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | ## Inputs diff --git a/modules/nacl/migrations.tf b/modules/nacl/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/nacl/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/nacl/resource-group.tf b/modules/nacl/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/nacl/resource-group.tf +++ b/modules/nacl/resource-group.tf 
@@ -7,37 +7,24 @@ locals {
 replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
 ]) )
- resource_group_filters = [
- for key, value in local.module_tags : {
- "Key" = key
- "Values" = [value]
- }
- ]
- resource_group_query = <<-JSON
- {
- "ResourceTypeFilters": [
- "AWS::AllSupported"
- ],
- "TagFilters": ${jsonencode(local.resource_group_filters)}
- }
- JSON
 }
-resource "aws_resourcegroups_group" "this" {
+
+module "resource_group" {
+ source = "tedilabs/misc/aws//modules/resource-group"
+ version = "~> 0.10.0"
+
 count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
 name = local.resource_group_name
 description = var.resource_group_description
- resource_query {
- type = "TAG_FILTERS_1_0"
- query = local.resource_group_query
+ query = {
+ resource_tags = local.module_tags
 }
+ module_tags_enabled = false
 tags = merge(
- {
- "Name" = local.resource_group_name
- },
 local.module_tags,
 var.tags,
 )
diff --git a/modules/nacl/versions.tf b/modules/nacl/versions.tf
index 6078ceb..dd959fc 100644
--- a/modules/nacl/versions.tf
+++ b/modules/nacl/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.15"
+ required_version = ">= 1.2"
 required_providers {
 aws = {
diff --git a/modules/nat-gateway/README.md b/modules/nat-gateway/README.md
index 479b914..0bdbd2d 100644
--- a/modules/nat-gateway/README.md
+++ b/modules/nat-gateway/README.md
@@ -10,18 +10,20 @@ This module creates following resources.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.15 |
+| [terraform](#requirement\_terraform) | >= 1.2 |
 | [aws](#requirement\_aws) | >= 3.45 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 3.45.0 |
+| [aws](#provider\_aws) | 4.52.0 |
 ## Modules
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
 ## Resources
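Review bot: `version = "~> 0.10.0"` on `module "resource_group"` floats across every 0.10.x release of `tedilabs/misc/aws`, and unlike providers, registry modules are not recorded in `.terraform.lock.hcl`, so each `terraform init -upgrade` or fresh CI checkout can pull a different module body that manages this resource group with no review in this repository; an exact pin such as `version = "0.10.0"` (whichever release was actually tested) keeps that part of the supply chain fixed. Two behavioral differences from the removed resource deserve a comment: the `tags` merge no longer sets `Name`, and the old query limited `ResourceTypeFilters` to `AWS::AllSupported` while the new `query = { resource_tags = local.module_tags }` leaves resource-type filtering to module defaults that are not visible in this diff, e.g. `# NOTE: Name tag and resource-type filter are now supplied by the resource-group module; verify they match the previous inline query.` This hunk is repeated verbatim in the other ten modules of this patch, so whatever is decided here should be applied to all of them.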
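Review bot: `required_version` is raised to `>= 1.2` in this `versions.tf` hunk but the `aws` constraint in the `required_providers` block just below is left untouched (its line sits outside the hunk and the README in this same patch still lists `>= 3.45`), while the README now shows provider `4.52.0` and the route-table module already requires `>= 4.22`; if the newly added `tedilabs/misc/aws//modules/resource-group` module needs a 4.x provider, a root that satisfies only the 3.x constraint will fail inside the child module rather than at this declared minimum. Worth checking that module's own `versions.tf` and raising the constraint here to match, e.g. `version = ">= 4.22"`, so the declared minimum is the real one.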
@@ -29,7 +31,6 @@ No modules. |------|------| | [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | | [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource | -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | ## Inputs diff --git a/modules/nat-gateway/migrations.tf b/modules/nat-gateway/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/nat-gateway/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/nat-gateway/resource-group.tf b/modules/nat-gateway/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/nat-gateway/resource-group.tf +++ b/modules/nat-gateway/resource-group.tf @@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) 
diff --git a/modules/nat-gateway/versions.tf b/modules/nat-gateway/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/nat-gateway/versions.tf +++ b/modules/nat-gateway/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/route-table/README.md b/modules/route-table/README.md index 33fa92a..8ca2520 100644 --- a/modules/route-table/README.md +++ b/modules/route-table/README.md @@ -25,14 +25,15 @@ This module creates following resources. ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources | Name | Type | |------|------| | [aws_main_route_table_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/main_route_table_association) | resource | -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_route.ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | | [aws_route.ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | | [aws_route.prefix_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | diff --git a/modules/route-table/migrations.tf b/modules/route-table/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/route-table/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/route-table/resource-group.tf b/modules/route-table/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/route-table/resource-group.tf +++ b/modules/route-table/resource-group.tf 
@@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/security-group/README.md b/modules/security-group/README.md index c11d75c..4a918bd 100644 --- a/modules/security-group/README.md +++ b/modules/security-group/README.md 
@@ -10,24 +10,25 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.45.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources | Name | Type | |------|------| -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | diff --git a/modules/security-group/migrations.tf b/modules/security-group/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/security-group/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/security-group/resource-group.tf b/modules/security-group/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/security-group/resource-group.tf +++ b/modules/security-group/resource-group.tf 
@@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/security-group/versions.tf b/modules/security-group/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/security-group/versions.tf +++ b/modules/security-group/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md index 60b9ae0..4b46748 100644 --- a/modules/subnet-group/README.md +++ b/modules/subnet-group/README.md @@ -16,18 +16,20 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.71 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.1.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources 
@@ -41,7 +43,6 @@ No modules. | [aws_memorydb_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/memorydb_subnet_group) | resource | | [aws_neptune_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_subnet_group) | resource | | [aws_redshift_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_subnet_group) | resource | -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | ## Inputs diff --git a/modules/subnet-group/resource-group.tf b/modules/subnet-group/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/subnet-group/resource-group.tf +++ b/modules/subnet-group/resource-group.tf @@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/subnet-group/versions.tf b/modules/subnet-group/versions.tf index c24cebf..d677476 100644 
--- a/modules/subnet-group/versions.tf +++ b/modules/subnet-group/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/vpc-endpoint-service/README.md b/modules/vpc-endpoint-service/README.md index c177b0e..0912332 100644 --- a/modules/vpc-endpoint-service/README.md +++ b/modules/vpc-endpoint-service/README.md @@ -11,24 +11,25 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.50.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources | Name | Type | |------|------| -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_vpc_endpoint_connection_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_connection_notification) | resource | | [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service) | resource | | [aws_vpc_endpoint_service_allowed_principal.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service_allowed_principal) | resource | diff --git a/modules/vpc-endpoint-service/migrations.tf b/modules/vpc-endpoint-service/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/vpc-endpoint-service/migrations.tf 
@@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/vpc-endpoint-service/resource-group.tf b/modules/vpc-endpoint-service/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/vpc-endpoint-service/resource-group.tf +++ b/modules/vpc-endpoint-service/resource-group.tf @@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/vpc-endpoint-service/versions.tf b/modules/vpc-endpoint-service/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/vpc-endpoint-service/versions.tf +++ b/modules/vpc-endpoint-service/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/vpc-gateway-endpoint/README.md b/modules/vpc-gateway-endpoint/README.md index a332f96..e47228b 100644 --- a/modules/vpc-gateway-endpoint/README.md +++ b/modules/vpc-gateway-endpoint/README.md 
@@ -10,24 +10,25 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.50.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources | Name | Type | |------|------| -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | | [aws_vpc_endpoint_connection_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_connection_notification) | resource | diff --git a/modules/vpc-gateway-endpoint/migrations.tf b/modules/vpc-gateway-endpoint/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/vpc-gateway-endpoint/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/vpc-gateway-endpoint/resource-group.tf b/modules/vpc-gateway-endpoint/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/vpc-gateway-endpoint/resource-group.tf +++ b/modules/vpc-gateway-endpoint/resource-group.tf 
@@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/vpc-gateway-endpoint/versions.tf b/modules/vpc-gateway-endpoint/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/vpc-gateway-endpoint/versions.tf +++ b/modules/vpc-gateway-endpoint/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/vpc-interface-endpoint/README.md b/modules/vpc-interface-endpoint/README.md index 416b817..a6b77db 100644 --- a/modules/vpc-interface-endpoint/README.md +++ b/modules/vpc-interface-endpoint/README.md 
@@ -10,26 +10,26 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.50.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules | Name | Source | Version | |------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | | [security\_group](#module\_security\_group) | ../security-group | n/a | ## Resources | Name | Type | |------|------| -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | | [aws_vpc_endpoint_connection_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_connection_notification) | resource | diff --git a/modules/vpc-interface-endpoint/migrations.tf b/modules/vpc-interface-endpoint/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/vpc-interface-endpoint/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/vpc-interface-endpoint/resource-group.tf b/modules/vpc-interface-endpoint/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/vpc-interface-endpoint/resource-group.tf +++ b/modules/vpc-interface-endpoint/resource-group.tf 
@@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/vpc-interface-endpoint/versions.tf b/modules/vpc-interface-endpoint/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/vpc-interface-endpoint/versions.tf +++ b/modules/vpc-interface-endpoint/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/vpc-peering-accepter/README.md b/modules/vpc-peering-accepter/README.md index c79dc96..4c04bbd 100644 --- a/modules/vpc-peering-accepter/README.md +++ b/modules/vpc-peering-accepter/README.md 
@@ -10,24 +10,25 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.45.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources | Name | Type | |------|------| -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_vpc_peering_connection_accepter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_accepter) | resource | | [aws_vpc_peering_connection_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_options) | resource | | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | diff --git a/modules/vpc-peering-accepter/migrations.tf b/modules/vpc-peering-accepter/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/vpc-peering-accepter/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/vpc-peering-accepter/resource-group.tf b/modules/vpc-peering-accepter/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/vpc-peering-accepter/resource-group.tf +++ b/modules/vpc-peering-accepter/resource-group.tf 
@@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/vpc-peering-accepter/versions.tf b/modules/vpc-peering-accepter/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/vpc-peering-accepter/versions.tf +++ b/modules/vpc-peering-accepter/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/vpc-peering-requester/README.md b/modules/vpc-peering-requester/README.md index e56c9bf..6eb3b88 100644 --- a/modules/vpc-peering-requester/README.md +++ b/modules/vpc-peering-requester/README.md 
@@ -10,24 +10,25 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.45.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources | Name | Type | |------|------| -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection) | resource | | [aws_vpc_peering_connection_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_options) | resource | | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | diff --git a/modules/vpc-peering-requester/migrations.tf b/modules/vpc-peering-requester/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/vpc-peering-requester/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/vpc-peering-requester/resource-group.tf b/modules/vpc-peering-requester/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/vpc-peering-requester/resource-group.tf +++ b/modules/vpc-peering-requester/resource-group.tf 
@@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/vpc-peering-requester/versions.tf b/modules/vpc-peering-requester/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/vpc-peering-requester/versions.tf +++ b/modules/vpc-peering-requester/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/vpc-peering/README.md b/modules/vpc-peering/README.md index 9a7f528..c5a8c35 100644 --- a/modules/vpc-peering/README.md +++ b/modules/vpc-peering/README.md 
@@ -9,24 +9,25 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.45.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources | Name | Type | |------|------| -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection) | resource | | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | diff --git a/modules/vpc-peering/migrations.tf b/modules/vpc-peering/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/vpc-peering/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/vpc-peering/resource-group.tf b/modules/vpc-peering/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/vpc-peering/resource-group.tf +++ b/modules/vpc-peering/resource-group.tf 
@@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/vpc-peering/versions.tf b/modules/vpc-peering/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/vpc-peering/versions.tf +++ b/modules/vpc-peering/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 7655075..73c415e 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -16,18 +16,20 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.2 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.45.0 | +| [aws](#provider\_aws) | 4.52.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources 
@@ -35,7 +37,6 @@ No modules. |------|------| | [aws_egress_only_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/egress_only_internet_gateway) | resource | | [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource | -| [aws_resourcegroups_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | | [aws_route53_resolver_dnssec_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_dnssec_config) | resource | | [aws_route53_zone_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | diff --git a/modules/vpc/migrations.tf b/modules/vpc/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/vpc/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} diff --git a/modules/vpc/resource-group.tf b/modules/vpc/resource-group.tf index af108f9..7487ba0 100644 --- a/modules/vpc/resource-group.tf +++ b/modules/vpc/resource-group.tf 
@@ -7,37 +7,24 @@ locals { replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), ]) ) - resource_group_filters = [ - for key, value in local.module_tags : { - "Key" = key - "Values" = [value] - } - ] - resource_group_query = <<-JSON - { - "ResourceTypeFilters": [ - "AWS::AllSupported" - ], - "TagFilters": ${jsonencode(local.resource_group_filters)} - } - JSON } -resource "aws_resourcegroups_group" "this" { + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name description = var.resource_group_description - resource_query { - type = "TAG_FILTERS_1_0" - query = local.resource_group_query + query = { + resource_tags = local.module_tags } + module_tags_enabled = false tags = merge( - { - "Name" = local.resource_group_name - }, local.module_tags, var.tags, ) diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index 6078ceb..dd959fc 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.2" required_providers { aws = { From 49108b92e156e9410ca81989d26acad31b9be9bc Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Fri, 3 Feb 2023 01:04:08 +0900 Subject: [PATCH 11/73] Add missing migrations for subnet-group --- modules/subnet-group/migrations.tf | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 modules/subnet-group/migrations.tf diff --git a/modules/subnet-group/migrations.tf b/modules/subnet-group/migrations.tf new file mode 100644 index 0000000..83a0f7e --- /dev/null +++ b/modules/subnet-group/migrations.tf @@ -0,0 +1,5 @@ +# 2023-02-01 +moved { + from = aws_resourcegroups_group.this[0] + to = module.resource_group[0].aws_resourcegroups_group.this +} From f5601e7d0ff7d39729e190fc3b88c6f62dbc5b80 Mon Sep 17 00:00:00 2001 
From: Byungjin Park Date: Fri, 24 Feb 2023 02:16:09 +0900 Subject: [PATCH 12/73] Hello, 2023 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 83c2d6a..6a11baa 100644 --- a/README.md +++ b/README.md @@ -16,4 +16,4 @@ Like this project? Follow the repository on [GitHub](https://github.com/tedilabs Provided under the terms of the [Apache License](LICENSE). -Copyright © 2021-2022, [Byungjin Park](https://www.posquit0.com). +Copyright © 2021-2023, [Byungjin Park](https://www.posquit0.com). From 5e71627a269974fa5295d584df71ed753aad4eb1 Mon Sep 17 00:00:00 2001 From: "Byungjin Park (Claud)" Date: Fri, 24 Feb 2023 03:07:24 +0900 Subject: [PATCH 13/73] Introduce tflint (#24) --- .github/workflows/integration.yaml | 101 ------------------ .github/workflows/terraform.integration.yaml | 104 +++++++++++++++++++ .github/workflows/yaml.integration.yaml | 58 +++++++++++ .pre-commit-config.yaml | 14 ++- .tflint.hcl | 77 ++++++++++++++ 5 files changed, 252 insertions(+), 102 deletions(-) delete mode 100644 .github/workflows/integration.yaml create mode 100644 .github/workflows/terraform.integration.yaml create mode 100644 .github/workflows/yaml.integration.yaml create mode 100644 .tflint.hcl diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml deleted file mode 100644 index e915d59..0000000 --- a/.github/workflows/integration.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -name: Integration - -on: - push: - branches: - - main - pull_request: {} - -concurrency: - group: integration-${{ github.ref }} - cancel-in-progress: true - -jobs: - changed: - runs-on: ubuntu-latest - - outputs: - terraform_modules_changed: ${{ steps.filter-terraform-modules.outputs.changed }} - terraform_modules_files: ${{ steps.filter-terraform-modules.outputs.files }} - terraform_modules_dirs: ${{ steps.filter-terraform-modules.outputs.dirs }} - yaml_changed: ${{ steps.filter-yaml.outputs.changed }} - yaml_files: ${{ steps.filter-yaml.outputs.files }} - - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Get Changed Files - id: changed-files - uses: dorny/paths-filter@v2 - with: - list-files: json - filters: | - modules: - - 'modules/**' - yaml: - - '**/*.yaml' - - '**/*.yml' - - - name: Filter changed Terraform Modules files to outputs - id: filter-terraform-modules - run: | - dirs=$(echo '${{ steps.changed-files.outputs.modules_files }}' | jq '[.[] | match("modules/[^/]+").string] | unique') - echo ::set-output name=changed::${{ steps.changed-files.outputs.modules }} - echo ::set-output name=files::${{ steps.changed-files.outputs.modules_files }} - echo ::set-output name=dirs::$dirs - - - name: Filter changed YAML files to outputs - id: filter-yaml - run: | - echo ::set-output name=changed::${{ steps.changed-files.outputs.yaml }} - echo ::set-output name=files::${{ steps.changed-files.outputs.yaml_files }} - - - terraform: - needs: - - changed - if: ${{ needs.changed.outputs.terraform_modules_changed != 'false' }} - runs-on: ubuntu-latest - - strategy: - matrix: - path: ${{ fromJson(needs.changed.outputs.terraform_modules_dirs) }} - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Set-up terraform - uses: hashicorp/setup-terraform@v2 - - - name: Terraform fmt - id: terraform-fmt - working-directory: ${{ matrix.path }} - run: terraform fmt -check - continue-on-error: true - - - 
name: Terraform Validate - id: terraform-validate - working-directory: ${{ matrix.path }} - run: | - terraform init -backend=false - terraform validate -no-color - - - yaml: - needs: - - changed - if: ${{ needs.changed.outputs.yaml_changed != 'false' }} - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Lint YAML Files - id: yaml-lint - run: | - yamllint . diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml new file mode 100644 index 0000000..b4cfa94 --- /dev/null +++ b/.github/workflows/terraform.integration.yaml 
@@ -0,0 +1,104 @@ +name: Integration (Terraform) + +on: + push: + branches: + - main + pull_request: {} + +concurrency: + group: terraform-integration-${{ github.ref }} + cancel-in-progress: true + +jobs: + changed: + name: Filter Changed Files and Directories + runs-on: ubuntu-latest + + outputs: + changed: ${{ steps.set-outputs.outputs.changed }} + modified: ${{ steps.set-outputs.outputs.modified }} + changed_files: ${{ steps.set-outputs.outputs.changed_files }} + modified_files: ${{ steps.set-outputs.outputs.modified_files }} + changed_directories: ${{ steps.set-outputs.outputs.changed_directories }} + modified_directories: ${{ steps.set-outputs.outputs.modified_directories }} + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Get Changed Files + id: changed-files + uses: tj-actions/changed-files@v35 + with: + files: | + modules/** + json: true + + - name: Get Changed Directories + id: changed-directories + uses: tj-actions/changed-files@v35 + with: + files: | + modules/** + examples/** + dir_names: "true" + dir_names_max_depth: 2 + json: true + + - name: Set outputs + id: set-outputs + run: | + echo "changed=${{ steps.changed-directories.outputs.any_changed }}" >> $GITHUB_OUTPUT + echo "modified=${{ steps.changed-directories.outputs.any_modified }}" >> $GITHUB_OUTPUT + + echo "changed_files=${{ steps.changed-files.outputs.all_changed_files }}" >> $GITHUB_OUTPUT + echo "modified_files=${{ steps.changed-files.outputs.all_modified_files }}" >> $GITHUB_OUTPUT + + echo "changed_directories=${{ steps.changed-directories.outputs.all_changed_files }}" >> $GITHUB_OUTPUT + echo "modified_directories=${{ steps.changed-directories.outputs.all_modified_files }}" >> $GITHUB_OUTPUT + + + terraform: + name: Lint (terraform) + needs: + - changed + if: ${{ needs.changed.outputs.modified == 'true' }} + uses: tedilabs/.github/.github/workflows/terraform.terraform.yaml@main + + strategy: + matrix: + path: ${{ 
fromJson(needs.changed.outputs.modified_directories) }} + + with: + terraform_target_dir: ${{ matrix.path }} + terraform_version: latest + terraform_host: app.terraform.io + secrets: + terraform_token: ${{ secrets.TERRAFORM_TOKEN }} + + + tflint: + name: Lint (tflint) + needs: + - changed + if: ${{ needs.changed.outputs.modified == 'true' }} + uses: tedilabs/.github/.github/workflows/terraform.tflint.yaml@main + + strategy: + matrix: + path: ${{ fromJson(needs.changed.outputs.modified_directories) }} + + with: + tflint_version: latest + tflint_config_file: .tflint.hcl + tflint_target_dir: ${{ matrix.path }} + tflint_recursive_enabled: false + tflint_terraform_init_enabled: true + terraform_version: latest + terraform_host: app.terraform.io + secrets: + token: ${{ secrets.GITHUB_TOKEN }} + terraform_token: ${{ secrets.TERRAFORM_TOKEN }} diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml new file mode 100644 index 0000000..20342a1 --- /dev/null +++ b/.github/workflows/yaml.integration.yaml 
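Review bot: The `Set outputs` step interpolates `${{ steps.changed-files.outputs.all_changed_files }}` and its siblings straight into a `run:` script, so a pull-request file name containing shell metacharacters (`$(...)`, backticks, `"`) is expanded by the runner shell before `echo` sees it, because `${{ }}` is substituted textually into the script. On `pull_request` from a fork the token is read-only and secrets are withheld, but pushes and same-repo branches run this with the default token and hand `TERRAFORM_TOKEN` to the downstream jobs, so the injection is worth closing; route every expression through `env:` and reference it as a quoted shell variable (below). Separately, `tj-actions/changed-files@v35` and `tedilabs/.github/...@main` are mutable refs: `changed-files` is the action whose version tags were retargeted to a secret-leaking commit in the widely reported March 2025 incident, so pin it to a full commit SHA, and pin the reusable workflows to a tag or SHA rather than `@main` given the secrets passed to them. `terraform_version: latest` likewise makes lint results non-reproducible between runs.
```yaml
      # … unchanged: Checkout / Get Changed Files / Get Changed Directories steps …
      - name: Set outputs
        id: set-outputs
        # Pass action outputs through the environment: `${{ }}` is substituted
        # into the script text before the shell runs, so a file name containing
        # `$(...)` or quotes would otherwise be parsed or executed as shell.
        env:
          ANY_CHANGED: ${{ steps.changed-directories.outputs.any_changed }}
          ANY_MODIFIED: ${{ steps.changed-directories.outputs.any_modified }}
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
          MODIFIED_FILES: ${{ steps.changed-files.outputs.all_modified_files }}
          CHANGED_DIRS: ${{ steps.changed-directories.outputs.all_changed_files }}
          MODIFIED_DIRS: ${{ steps.changed-directories.outputs.all_modified_files }}
        run: |
          {
            echo "changed=$ANY_CHANGED"
            echo "modified=$ANY_MODIFIED"
            echo "changed_files=$CHANGED_FILES"
            echo "modified_files=$MODIFIED_FILES"
            echo "changed_directories=$CHANGED_DIRS"
            echo "modified_directories=$MODIFIED_DIRS"
          } >> "$GITHUB_OUTPUT"
```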
@@ -0,0 +1,58 @@ +name: Integration (YAML) + +on: + push: + branches: + - main + pull_request: {} + +concurrency: + group: yaml-integration-${{ github.ref }} + cancel-in-progress: true + +jobs: + changed: + name: Filter Changed Files and Directories + runs-on: ubuntu-latest + + outputs: + changed: ${{ steps.set-outputs.outputs.changed }} + modified: ${{ steps.set-outputs.outputs.modified }} + changed_files: ${{ steps.set-outputs.outputs.changed_files }} + modified_files: ${{ steps.set-outputs.outputs.modified_files }} + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Get Changed Files + id: changed-files + uses: tj-actions/changed-files@v35 + with: + files: | + **/*.yaml + **/*.yml + json: true + + - name: Set outputs + id: set-outputs + run: | + echo "changed=${{ steps.changed-files.outputs.any_changed }}" >> $GITHUB_OUTPUT + echo "modified=${{ steps.changed-files.outputs.any_modified }}" >> $GITHUB_OUTPUT + + echo "changed_files=${{ steps.changed-files.outputs.all_changed_files }}" >> $GITHUB_OUTPUT + echo "modified_files=${{ steps.changed-files.outputs.all_modified_files }}" >> $GITHUB_OUTPUT + + lint: + name: Lint (yamllint) + needs: + - changed + if: ${{ needs.changed.outputs.modified == 'true' }} + uses: tedilabs/.github/.github/workflows/yaml.yamllint.yaml@main + + with: + yamllint_version: latest + yamllint_config_file: .yamllint.yaml + yamllint_target_dir: ./ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index aa33d01..d0b1fea 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
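Review bot: The `Set outputs` step writes `${{ steps.changed-files.outputs.all_changed_files }}` and the other three outputs directly into the `run:` shell, so a YAML file name chosen by a pull-request author that contains `$(...)`, backticks or quotes is expanded by the shell before `echo` runs; `${{ }}` is a textual substitution, not a quoted variable. Move the expressions into `env:` and reference them as quoted shell variables (below), and pin `tj-actions/changed-files@v35` and `tedilabs/.github/...@main` to commit SHAs or release tags rather than mutable refs.
```yaml
      # … unchanged: Checkout / Get Changed Files steps …
      - name: Set outputs
        id: set-outputs
        # Action outputs go through the environment so file names with shell
        # metacharacters are never interpreted by the runner shell.
        env:
          ANY_CHANGED: ${{ steps.changed-files.outputs.any_changed }}
          ANY_MODIFIED: ${{ steps.changed-files.outputs.any_modified }}
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
          MODIFIED_FILES: ${{ steps.changed-files.outputs.all_modified_files }}
        run: |
          {
            echo "changed=$ANY_CHANGED"
            echo "modified=$ANY_MODIFIED"
            echo "changed_files=$CHANGED_FILES"
            echo "modified_files=$MODIFIED_FILES"
          } >> "$GITHUB_OUTPUT"
```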
@@ -1,8 +1,20 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.70.1 + rev: v1.77.1 hooks: - id: terraform_fmt + args: + - --args=-diff - id: terraform_validate + args: + - --hook-config=--retry-once-with-cleanup=true + - id: terraform_tflint + args: + - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl + files: ^modules/ - id: terraform_docs args: ["--args=--sort-by required"] +- repo: https://github.com/adrienverge/yamllint + rev: v1.29.0 + hooks: + - id: yamllint diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..0788789 --- /dev/null +++ b/.tflint.hcl 
@@ -0,0 +1,77 @@ +config { + plugin_dir = "~/.tflint.d/plugins" + + format = "compact" + module = true + force = false + disabled_by_default = false + + ignore_module = {} +} + + +################################################### +# Rule Sets - Terraform +################################################### + +plugin "terraform" { + enabled = true + preset = "recommended" +} + +rule "terraform_comment_syntax" { + enabled = true +} + +rule "terraform_documented_variables" { + enabled = true +} + +rule "terraform_documented_outputs" { + enabled = true +} + +rule "terraform_naming_convention" { + enabled = true + format = "snake_case" + + custom_formats = { + extended_snake_case = { + description = "Extended snake_case Format which allows double underscore like `a__b`." + regex = "^[a-z][a-z0-9]+([_]{1,2}[a-z0-9]+)*$" + } + } + + module { + format = "extended_snake_case" + } + + resource { + format = "extended_snake_case" + } + + data { + format = "extended_snake_case" + } +} + +rule "terraform_unused_declarations" { + enabled = false +} + +rule "terraform_unused_required_providers" { + enabled = true +} + + +################################################### +# Rule Sets - AWS +################################################### + +plugin "aws" { + source = "github.com/terraform-linters/tflint-ruleset-aws" + version = "0.21.1" + + enabled = true + deep_check = false +} From e6cfe842fdb5b78ed2cb3507e79a4567e83129e3 Mon Sep 17 00:00:00 2001 From: "Byungjin Park (Claud)" Date: Fri, 24 Feb 2023 16:47:32 +0900 Subject: [PATCH 14/73] Fix tflint failed code (#25) --- modules/security-group/README.md | 2 +- modules/security-group/variables.tf | 4 ++-- modules/subnet-group/outputs.tf | 32 ++++++++++++++--------------- modules/vpc/README.md | 2 +- modules/vpc/outputs.tf | 18 ++++++++-------- modules/vpc/variables.tf | 3 ++- 6 files changed, 31 insertions(+), 30 deletions(-) 
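Review bot: `module = true` in `config {}` combined with `tflint_version: latest` in the new CI workflow is a moving target: as far as I recall, later tflint releases deprecated the `module` attribute in favour of `call_module_type`, and a `latest` resolution that drops it would fail every lint run without any change in this repository. Pin `tflint_version` to an explicit release, matching the exact `version = "0.21.1"` already given for the aws ruleset, and record the intent above the flag, e.g. `# Inspect module calls too (needs terraform init; see tflint_terraform_init_enabled in CI)`. The aws plugin has no `signing_key`, which is acceptable only because tflint verifies official `terraform-linters` rulesets with a built-in key; any third-party ruleset added here later should carry a `signing_key` so the downloaded binary is verified rather than trusted.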
diff --git a/modules/security-group/README.md b/modules/security-group/README.md index 4a918bd..e6241d9 100644 --- a/modules/security-group/README.md +++ b/modules/security-group/README.md @@ -37,12 +37,12 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [name](#input\_name) | (Required) The name of the security group. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | (Required) The ID of the associated VPC. | `string` | n/a | yes | | [description](#input\_description) | (Optional) The security group description. This field maps to the AWS `GroupDescription` attribute, for which there is no Update API. | `string` | `"Managed by Terraform."` | no | | [egress\_rules](#input\_egress\_rules) | (Optional) A list of egress rules in a security group. | `any` | `[]` | no | | [ingress\_rules](#input\_ingress\_rules) | (Optional) A list of ingress rules in a security group. | `any` | `[]` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [name](#input\_name) | (Optional) The name of the security group. If omitted, Terraform will assign a random, unique name. | `string` | `null` | no | | [name\_prefix](#input\_name\_prefix) | (Optional) Creates a unique name beginning with the specified prefix. Conflicts with `name`. | `string` | `null` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | diff --git a/modules/security-group/variables.tf b/modules/security-group/variables.tf index 16d0e67..be593d2 100644 
--- a/modules/security-group/variables.tf +++ b/modules/security-group/variables.tf @@ -1,7 +1,7 @@ variable "name" { - description = "(Optional) The name of the security group. If omitted, Terraform will assign a random, unique name." + description = "(Required) The name of the security group." type = string - default = null + nullable = false } variable "name_prefix" { diff --git a/modules/subnet-group/outputs.tf b/modules/subnet-group/outputs.tf index 3150a0b..381c981 100644 --- a/modules/subnet-group/outputs.tf +++ b/modules/subnet-group/outputs.tf 
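Review bot: Making `name` required with `nullable = false` leaves `name_prefix`, whose description directly below still says it "Conflicts with `name`", in a state where it can never be set without conflicting, assuming both are passed to the `aws_security_group` resource (its definition is not in this hunk). Either remove `name_prefix` and its README row, or keep `name` optional and enforce exactly-one-of with a `validation` block. This is also a breaking interface change for callers that relied on the random name, and the commit message ("Fix tflint failed code") does not flag it, so a CHANGELOG entry or major version bump is warranted. The `variable "name_prefix"` block continues beyond the hunk.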
@@ -53,83 +53,83 @@ output "subnets_by_az" { output "db_subnet_group_id" { description = "The ID of the RDS Subnet Group." - value = try(aws_db_subnet_group.this.*.id[0], null) + value = one(aws_db_subnet_group.this[*].id) } output "db_subnet_group_arn" { description = "The ARN of the RDS Subnet Group." - value = try(aws_db_subnet_group.this.*.arn[0], null) + value = one(aws_db_subnet_group.this[*].arn) } output "cache_subnet_group_id" { description = "The ID of the Elasticache Subnet Group." - value = try(aws_elasticache_subnet_group.this.*.id[0], null) + value = one(aws_elasticache_subnet_group.this[*].id) } # INFO: Not support arn output # output "cache_subnet_group_arn" { # description = "The ARN of the Elasticache Subnet Group." -# value = try(aws_elasticache_subnet_group.this.*.arn[0], null) +# value = one(aws_elasticache_subnet_group.this[*].arn) # } output "redshift_subnet_group_id" { description = "The ID of the Redshift Subnet Group." - value = try(aws_redshift_subnet_group.this.*.id[0], null) + value = one(aws_redshift_subnet_group.this[*].id) } output "redshift_subnet_group_arn" { description = "The ARN of the Redshift Subnet Group." - value = try(aws_redshift_subnet_group.this.*.arn[0], null) + value = one(aws_redshift_subnet_group.this[*].arn) } output "neptune_subnet_group_id" { description = "The ID of the Neptune DB Subnet Group." - value = try(aws_neptune_subnet_group.this.*.id[0], null) + value = one(aws_neptune_subnet_group.this[*].id) } output "neptune_subnet_group_arn" { description = "The ARN of the Neptune Subnet Group." - value = try(aws_neptune_subnet_group.this.*.arn[0], null) + value = one(aws_neptune_subnet_group.this[*].arn) } output "docdb_subnet_group_id" { description = "The ID of the DocumentDB Subnet Group." - value = try(aws_docdb_subnet_group.this.*.id[0], null) + value = one(aws_docdb_subnet_group.this[*].id) } output "docdb_subnet_group_arn" { description = "The ARN of the DocumentDB Subnet Group." 
- value = try(aws_docdb_subnet_group.this.*.arn[0], null) + value = one(aws_docdb_subnet_group.this[*].arn) } output "dax_subnet_group_id" { description = "The ID of the DAX Subnet Group." - value = try(aws_dax_subnet_group.this.*.id[0], null) + value = one(aws_dax_subnet_group.this[*].id) } # INFO: Not support arn output # output "dax_subnet_group_arn" { # description = "The ARN of the DAX Subnet Group." -# value = try(aws_dax_subnet_group.this.*.arn[0], null) +# value = one(aws_dax_subnet_group.this[*].arn) # } output "dms_replication_subnet_group_id" { description = "The ID of the DMS Replication Subnet Group." - value = try(aws_dms_replication_subnet_group.this.*.id[0], null) + value = one(aws_dms_replication_subnet_group.this[*].id) } # INFO: Not support arn output # output "dms_replication_subnet_group_arn" { # description = "The ARN of the DMS Replication Subnet Group." -# value = try(aws_dms_replication_subnet_group.this.*.arn[0], null) +# value = one(aws_dms_replication_subnet_group.this[*].arn) # } output "memorydb_subnet_group_id" { description = "The ID of the MemoryDB Subnet Group." - value = try(aws_memorydb_subnet_group.this.*.id[0], null) + value = one(aws_memorydb_subnet_group.this[*].id) } output "memorydb_subnet_group_arn" { description = "The ARN of the MemoryDB Subnet Group." - value = try(aws_memorydb_subnet_group.this.*.arn[0], null) + value = one(aws_memorydb_subnet_group.this[*].arn) } diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 73c415e..69de423 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md 
@@ -72,7 +72,7 @@ This module creates following resources. | [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | | [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool. | `list(string)` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | -| [vpn\_gateway\_asn](#input\_vpn\_gateway\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no | +| [vpn\_gateway\_asn](#input\_vpn\_gateway\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `number` | `64512` | no | | [vpn\_gateway\_enabled](#input\_vpn\_gateway\_enabled) | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC. | `bool` | `false` | no | ## Outputs diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf index e9c1cdf..4ee925f 100644 --- a/modules/vpc/outputs.tf +++ b/modules/vpc/outputs.tf @@ -55,7 +55,7 @@ output "dns_dnssec_validation_enabled" { output "dns_dnssec_validation_id" { description = "The ID of a configuration for DNSSEC validation." - value = try(aws_route53_resolver_dnssec_config.this.*.id[0], null) + value = one(aws_route53_resolver_dnssec_config.this[*].id) } output "private_hosted_zones" { 
@@ -90,12 +90,12 @@ output "dhcp_options_enabled" { output "dhcp_options_id" { description = "The ID of the DHCP Options Set." - value = try(aws_vpc_dhcp_options.this.*.id[0], null) + value = one(aws_vpc_dhcp_options.this[*].id) } output "dhcp_options_arn" { description = "The ARN of the DHCP Options Set." - value = try(aws_vpc_dhcp_options.this.*.arn[0], null) + value = one(aws_vpc_dhcp_options.this[*].arn) } output "internet_gateway_enabled" { @@ -105,12 +105,12 @@ output "internet_gateway_enabled" { output "internet_gateway_id" { description = "The ID of the Internet Gateway." - value = try(aws_internet_gateway.this.*.id[0], null) + value = one(aws_internet_gateway.this[*].id) } output "internet_gateway_arn" { description = "The ARN of the Internet Gateway." - value = try(aws_internet_gateway.this.*.arn[0], null) + value = one(aws_internet_gateway.this[*].arn) } output "egress_only_internet_gateway_enabled" { @@ -120,7 +120,7 @@ output "egress_only_internet_gateway_enabled" { output "egress_only_internet_gateway_id" { description = "The ID of the Egress Only Internet Gateway." - value = try(aws_egress_only_internet_gateway.this.*.id[0], null) + value = one(aws_egress_only_internet_gateway.this[0].id) } output "vpn_gateway_enabled" { @@ -130,15 +130,15 @@ output "vpn_gateway_enabled" { output "vpn_gateway_id" { description = "The ID of the Virtual Private Gateway." - value = try(aws_vpn_gateway.this.*.id[0], null) + value = one(aws_vpn_gateway.this[*].id) } output "vpn_gateway_arn" { description = "The ARN of the Virtual Private Gateway." - value = try(aws_vpn_gateway.this.*.arn[0], null) + value = one(aws_vpn_gateway.this[*].arn) } output "vpn_gateway_asn" { description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN." - value = try(aws_vpn_gateway.this.*.amazon_side_asn[0], null) + value = one(aws_vpn_gateway.this[*].amazon_side_asn) } 
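Review bot: `one(aws_egress_only_internet_gateway.this[0].id)` in the `egress_only_internet_gateway_id` hunk indexes `[0]` instead of splatting `[*]` like every sibling output in this commit. With `count = 0` the `[0]` index fails at plan time with an invalid-index error instead of yielding `null`, and with `count = 1` `one()` is handed a plain string rather than the single-element list it expects; the old `try(...)` wrapper masked exactly this. Change it to `value = one(aws_egress_only_internet_gateway.this[*].id)`.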
diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 0daba0a..582c4f0 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -107,7 +107,8 @@ variable "vpn_gateway_enabled" { variable "vpn_gateway_asn" { description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN." - default = "64512" + type = number + default = 64512 } variable "tags" { From 4c04f2478b8c14859569d4dc16a989aac51bafc1 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 26 Feb 2023 22:46:01 +0900 Subject: [PATCH 15/73] Update workflow --- .github/workflows/terraform.integration.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index b4cfa94..2fc3c46 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -35,6 +35,7 @@ jobs: with: files: | modules/** + examples/** json: true - name: Get Changed Directories From 5db5e9c601ae5257cf2a67e86e8c47fc3867626a Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Mon, 6 Mar 2023 02:39:41 +0900 Subject: [PATCH 16/73] Update github workflows --- .github/workflows/terraform.integration.yaml | 3 +++ .github/workflows/yaml.integration.yaml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index 2fc3c46..a1ad44f 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -78,6 +78,8 @@ jobs: terraform_version: latest terraform_host: app.terraform.io secrets: + gh_token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} terraform_token: ${{ secrets.TERRAFORM_TOKEN }} 
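Review bot: `vpn_gateway_asn` gains `type = number` but no range check, so an out-of-range value is only rejected by the EC2 API at apply time. AWS accepts a private ASN for the Amazon side only: 64512-65534 for 16-bit or 4200000000-4294967294 for 32-bit, so a `validation` block (below) turns that into a plan-time error and documents the constraint next to the default of `64512`. The `variable "vpn_gateway_asn"` block's remaining arguments are unchanged in the hunk.
```hcl
variable "vpn_gateway_asn" {
  # … unchanged: description / type / default …

  # The Amazon-side ASN must be a private ASN; the API rejects anything else.
  validation {
    condition = (
      (var.vpn_gateway_asn >= 64512 && var.vpn_gateway_asn <= 65534) ||
      (var.vpn_gateway_asn >= 4200000000 && var.vpn_gateway_asn <= 4294967294)
    )
    error_message = "vpn_gateway_asn must be a private ASN: 64512-65534 (16-bit) or 4200000000-4294967294 (32-bit)."
  }
}
```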
@@ -101,5 +103,6 @@ jobs: terraform_version: latest terraform_host: app.terraform.io secrets: + gh_token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }} terraform_token: ${{ secrets.TERRAFORM_TOKEN }} diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index 20342a1..751ecf9 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -56,3 +56,5 @@ jobs: yamllint_version: latest yamllint_config_file: .yamllint.yaml yamllint_target_dir: ./ + secrets: + token: ${{ secrets.GITHUB_TOKEN }} From 7cdcf402136ae8c31a7657422219804270cb719c Mon Sep 17 00:00:00 2001 From: "Byungjin Park (Claud)" Date: Tue, 14 Mar 2023 03:59:43 +0900 Subject: [PATCH 17/73] Add prefix-list module (#26) * Add prefix-list module * Add prefix-lists example * Add prefix-list labels * Update README --- .github/labeler.yaml | 3 + .github/labels.yaml | 3 + README.md | 48 +++++++++++++++- examples/prefix-lists/main.tf | 54 ++++++++++++++++++ examples/prefix-lists/outputs.tf | 7 +++ examples/prefix-lists/versions.tf | 10 ++++ modules/prefix-list/README.md | 60 ++++++++++++++++++++ modules/prefix-list/main.tf | 44 ++++++++++++++ modules/prefix-list/outputs.tf | 39 +++++++++++++ modules/prefix-list/resource-group.tf | 31 ++++++++++ modules/prefix-list/variables.tf | 82 +++++++++++++++++++++++++++ modules/prefix-list/versions.tf | 10 ++++ 12 files changed, 390 insertions(+), 1 deletion(-) create mode 100644 examples/prefix-lists/main.tf create mode 100644 examples/prefix-lists/outputs.tf create mode 100644 examples/prefix-lists/versions.tf create mode 100644 modules/prefix-list/README.md create mode 100644 modules/prefix-list/main.tf create mode 100644 modules/prefix-list/outputs.tf create mode 100644 modules/prefix-list/resource-group.tf create mode 100644 modules/prefix-list/variables.tf create mode 100644 modules/prefix-list/versions.tf 
diff --git a/.github/labeler.yaml b/.github/labeler.yaml index 9fc1fce..d2ef933 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -8,6 +8,9 @@ ":floppy_disk: nat-gateway": - modules/nat-gateway/**/* +":floppy_disk: prefix-list": +- modules/prefix-list/**/* + ":floppy_disk: route-table": - modules/route-table/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index 6400449..6b3dbfc 100644 --- a/.github/labels.yaml +++ b/.github/labels.yaml @@ -49,6 +49,9 @@ - color: "fbca04" description: "This issue or pull request is related to nat-gateway module." name: ":floppy_disk: nat-gateway" +- color: "fbca04" + description: "This issue or pull request is related to prefix-list module." + name: ":floppy_disk: prefix-list" - color: "fbca04" description: "This issue or pull request is related to route-table module." name: ":floppy_disk: route-table" diff --git a/README.md b/README.md index 6a11baa..2077657 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,53 @@ ![GitHub](https://img.shields.io/github/license/tedilabs/terraform-aws-network?color=blue&style=flat-square) [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white&style=flat-square)](https://github.com/pre-commit/pre-commit) -Terraform module which creates VPC related resources on AWS. +Terraform module which creates network related resources on AWS. + +- [dx-gateway](./modules/dx-gateway) +- [nacl](./modules/nacl) +- [nat-gateway](./modules/nat-gateway) +- [prefix-list](./modules/prefix-list) +- [route-table](./modules/route-table) +- [security-group](./modules/security-group) +- [subnet-group](./modules/subnet-group) +- [vpc](./modules/vpc) +- [vpc-endpoint-service](./modules/vpc-endpoint-service) +- [vpc-gateway-endpoint](./modules/vpc-gateway-endpoint) +- [vpc-interface-endpoint](./modules/vpc-interface-endpoint) +- [vpc-peering](./modules/vpc-peering) +- [vpc-peering-accepter](./modules/vpc-peering-accepter) +- [vpc-peering-requester](./modules/vpc-peering-requester) + + +## Target AWS Services + +Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-network) were written to manage the following AWS Services with Terraform. + +- **AWS VPC (Virtual Private Cloud)** + - VPC + - Subnet + - Route Table + - NACL (Network ACL) + - Security Group + - Prefix List + - Elastic IP + - Gateways + - Internet Gateway + - NAT Gateway + - Peering + - PrivateLink + - Endpoint Service + - Gateway Endpoint + - Interface Endpoint +- **AWS DX (Direct Connect)** + - DX Gateway + + +## Examples + +### VPC + +- [prefix-lists](./examples/prefix-lists) ## Self Promotion diff --git a/examples/prefix-lists/main.tf b/examples/prefix-lists/main.tf new file mode 100644 index 0000000..a3268cc --- /dev/null +++ b/examples/prefix-lists/main.tf 
@@ -0,0 +1,54 @@ +provider "aws" { + region = "us-east-1" +} + + +################################################### +# Prefix List +################################################### + +module "ipv4" { + source = "../../modules/prefix-list" + # source = "tedilabs/network/aws//modules/prefix-list" + # version = "~> 0.26.0" + + name = "test-ipv4" + address_family = "IPv4" + + entries = [ + { + cidr = "10.1.2.3/32" + description = "my server 1" + }, + { + cidr = "10.1.2.4/32" + }, + ] + + tags = { + "project" = "terraform-aws-network-examples" + } +} + +module "ipv6" { + source = "../../modules/prefix-list" + # source = "tedilabs/network/aws//modules/prefix-list" + # version = "~> 0.26.0" + + name = "test-ipv6" + address_family = "IPv6" + + entries = [ + { + cidr = "2001:0db8:85a3:0000:0000:8a2e:0370:7334/128" + description = "my server 1" + }, + { + cidr = "2001:db8:85a3::/64" + }, + ] + + tags = { + "project" = "terraform-aws-network-examples" + } +} diff --git a/examples/prefix-lists/outputs.tf b/examples/prefix-lists/outputs.tf new file mode 100644 index 0000000..0b58aa8 --- /dev/null +++ b/examples/prefix-lists/outputs.tf @@ -0,0 +1,7 @@ +output "ipv4" { + value = module.ipv4 +} + +output "ipv6" { + value = module.ipv6 +} diff --git a/examples/prefix-lists/versions.tf b/examples/prefix-lists/versions.tf new file mode 100644 index 0000000..3c3b4cf --- /dev/null +++ b/examples/prefix-lists/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "~> 1.3" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + } +} diff --git a/modules/prefix-list/README.md b/modules/prefix-list/README.md new file mode 100644 index 0000000..a79cc36 --- /dev/null +++ b/modules/prefix-list/README.md 
@@ -0,0 +1,60 @@ +# prefix-list + +This module creates following resources. + +- `aws_ec2_managed_prefix_list` +- `aws_ec2_managed_prefix_list_entry` (optional) + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 4.58 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.52.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_ec2_managed_prefix_list.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_managed_prefix_list) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [address\_family](#input\_address\_family) | Address family of this prefix list. Valid values are `IPv4` or `IPv6`. | `string` | n/a | yes | +| [name](#input\_name) | The name of the prefix list. The name must not start with `com.amazonaws`. | `string` | n/a | yes | +| [entries](#input\_entries) | (Optional) A set of prefix list entries. Each block of `entries` as defined below.
(Required) `cidr` - The CIDR block of this entry.
(Optional) `description` - The description of this entry. Due to API limitations, updating only the description of an existing entry requires temporarily removing and re-adding the entry. |
set(object({
cidr = string
description = optional(string, "Managed by Terraform.")
}))
| `[]` | no | +| [max\_entries](#input\_max\_entries) | Maximum number of entries that this prefix list can contain. Configured the length of `entries` if not provided. | `number` | `null` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [address\_family](#output\_address\_family) | The address family of the prefix list. | +| [arn](#output\_arn) | The ARN of the prefix list. | +| [entries](#output\_entries) | A set of prefix list entries. | +| [id](#output\_id) | The ID of the prefix list. | +| [max\_entries](#output\_max\_entries) | The maximum number of entries of this prefix list. | +| [name](#output\_name) | The name of the prefix list. | +| [owner\_id](#output\_owner\_id) | The ID of the AWS account that owns this prefix list. | +| [version](#output\_version) | Latest version of this prefix list. | + diff --git a/modules/prefix-list/main.tf b/modules/prefix-list/main.tf new file mode 100644 index 0000000..fafa552 --- /dev/null +++ b/modules/prefix-list/main.tf 
@@ -0,0 +1,44 @@ +locals { + metadata = { + package = "terraform-aws-network" + version = trimspace(file("${path.module}/../../VERSION")) + module = basename(path.module) + name = var.name + } + module_tags = var.module_tags_enabled ? { + "module.terraform.io/package" = local.metadata.package + "module.terraform.io/version" = local.metadata.version + "module.terraform.io/name" = local.metadata.module + "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}" + "module.terraform.io/instance" = local.metadata.name + } : {} +} + +locals { + max_entries = coalesce(var.max_entries, length(var.entries)) +} + +# INFO: Not support `aws_ec2_managed_prefix_list_entry` +# To improved execution times on larger updates, if you plan to create a prefix list with more than 100 entries, it is recommended that you use the inline entry block as part of the Managed Prefix List resource resource instead. +resource "aws_ec2_managed_prefix_list" "this" { + name = var.name + address_family = var.address_family + max_entries = local.max_entries + + dynamic "entry" { + for_each = var.entries + + content { + cidr = entry.value.cidr + description = entry.value.description + } + } + + tags = merge( + { + "Name" = local.metadata.name + }, + local.module_tags, + var.tags, + ) +} diff --git a/modules/prefix-list/outputs.tf b/modules/prefix-list/outputs.tf new file mode 100644 index 0000000..7cd14e9 --- /dev/null +++ b/modules/prefix-list/outputs.tf 
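Review bot: `local.max_entries = coalesce(var.max_entries, length(var.entries))` only sizes the list correctly when `max_entries` is left unset; a caller who passes a `max_entries` smaller than `length(var.entries)` finds out through an API error at apply rather than at plan, which a `precondition` on `aws_ec2_managed_prefix_list.this` would catch (below). Two caveats deserve a comment next to the local: with `entries = []` and no `max_entries` the default becomes `0`, which the EC2 API presumably rejects — confirm, or floor it deliberately; and `max_entries`, not the actual entry count, is what is charged against security-group and route-table rule quotas wherever this list is referenced, so defaulting to the exact count is a sensible choice but means every growth of the list also needs `max_entries` raised. The `# INFO` comment above the resource also reads "To improved execution times" — "To improve".
```hcl
resource "aws_ec2_managed_prefix_list" "this" {
  # … unchanged: name / address_family / max_entries / dynamic "entry" / tags …

  lifecycle {
    # Fail at plan time instead of letting the EC2 API reject the list.
    precondition {
      condition     = local.max_entries >= length(var.entries)
      error_message = "max_entries must be greater than or equal to the number of entries."
    }
  }
}
```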
@@ -0,0 +1,39 @@
+output "id" {
+ description = "The ID of the prefix list."
+ value = aws_ec2_managed_prefix_list.this.id
+}
+
+output "arn" {
+ description = "The ARN of the prefix list."
+ value = aws_ec2_managed_prefix_list.this.arn
+}
+
+output "owner_id" {
+ description = "The ID of the AWS account that owns this prefix list."
+ value = aws_ec2_managed_prefix_list.this.owner_id
+}
+
+output "name" {
+ description = "The name of the prefix list."
+ value = aws_ec2_managed_prefix_list.this.name
+}
+
+output "address_family" {
+ description = "The address family of the prefix list."
+ value = aws_ec2_managed_prefix_list.this.address_family
+}
+
+output "version" {
+ description = "Latest version of this prefix list."
+ value = aws_ec2_managed_prefix_list.this.version
+}
+
+output "max_entries" {
+ description = "The maximum number of entries of this prefix list."
+ value = aws_ec2_managed_prefix_list.this.max_entries
+}
+
+output "entries" {
+ description = "A set of prefix list entries."
+ value = aws_ec2_managed_prefix_list.this.entry
+}
diff --git a/modules/prefix-list/resource-group.tf b/modules/prefix-list/resource-group.tf
new file mode 100644
index 0000000..7487ba0
--- /dev/null
+++ b/modules/prefix-list/resource-group.tf
@@ -0,0 +1,31 @@
+locals {
+ resource_group_name = (var.resource_group_name != ""
+ ? var.resource_group_name
+ : join(".", [
+ local.metadata.package,
+ local.metadata.module,
+ replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+ ])
+ )
+}
+
+
+module "resource_group" {
+ source = "tedilabs/misc/aws//modules/resource-group"
+ version = "~> 0.10.0"
+
+ count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+ name = local.resource_group_name
+ description = var.resource_group_description
+
+ query = {
+ resource_tags = local.module_tags
+ }
+
+ module_tags_enabled = false
+ tags = merge(
+ local.module_tags,
+ var.tags,
+ )
+}
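Review bot: The derived `resource_group_name` in resource-group.tf joins package, module and the sanitized `var.name` with no length bound, while the `resource_group_name` input is documented in this same commit as limited to 127 characters, so a long prefix list name yields a Resource Group name that presumably fails at apply time. Wrapping the join as `substr(join(".", [...]), 0, 127)`, or a precondition on the `resource_group` module call checking `length(local.resource_group_name) <= 127`, would surface that at plan time with a message naming the input. The same locals block is added verbatim in `modules/reachability-analyzer-path/resource-group.tf` later in this series and has the same gap.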
diff --git a/modules/prefix-list/variables.tf b/modules/prefix-list/variables.tf
new file mode 100644
index 0000000..88c9c14
--- /dev/null
+++ b/modules/prefix-list/variables.tf
@@ -0,0 +1,82 @@ +variable "name" { + description = "The name of the prefix list. The name must not start with `com.amazonaws`." + type = string + nullable = false + + validation { + condition = !startswith("com.amazonaws", var.name) + error_message = "The name must not start with `com.amazonaws`." + } +} + +variable "address_family" { + description = "Address family of this prefix list. Valid values are `IPv4` or `IPv6`." + type = string + nullable = false + + validation { + condition = contains(["IPv4", "IPv6"], var.address_family) + error_message = "Valid values for `address_family` are `IPv4` or `IPv6`." + } +} + +variable "max_entries" { + description = "Maximum number of entries that this prefix list can contain. Configured the length of `entries` if not provided." + type = number + default = null + nullable = true +} + +variable "entries" { + description = < Date: Wed, 15 Mar 2023 00:49:16 +0900 Subject: [PATCH 18/73] Add `reachability-analyzer-path` module (#27) * Add reachability-analyzer-path module * Add github labels * Add reachability-analyzer examples --- .github/labeler.yaml | 3 + .github/labels.yaml | 3 + README.md | 9 ++ examples/prefix-lists/outputs.tf | 6 +- examples/reachability-analyzer/main.tf | 142 ++++++++++++++++++ examples/reachability-analyzer/outputs.tf | 7 + examples/reachability-analyzer/versions.tf | 10 ++ modules/reachability-analyzer-path/README.md | 61 ++++++++ modules/reachability-analyzer-path/main.tf | 64 ++++++++ modules/reachability-analyzer-path/outputs.tf | 68 +++++++++ .../resource-group.tf | 31 ++++ .../reachability-analyzer-path/variables.tf | 102 +++++++++++++ .../reachability-analyzer-path/versions.tf | 10 ++ 13 files changed, 514 insertions(+), 2 deletions(-) create mode 100644 examples/reachability-analyzer/main.tf create mode 100644 examples/reachability-analyzer/outputs.tf create mode 100644 examples/reachability-analyzer/versions.tf create mode 100644 modules/reachability-analyzer-path/README.md create mode 100644 
modules/reachability-analyzer-path/main.tf create mode 100644 modules/reachability-analyzer-path/outputs.tf create mode 100644 modules/reachability-analyzer-path/resource-group.tf create mode 100644 modules/reachability-analyzer-path/variables.tf create mode 100644 modules/reachability-analyzer-path/versions.tf diff --git a/.github/labeler.yaml b/.github/labeler.yaml index d2ef933..de51c5f 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -11,6 +11,9 @@ ":floppy_disk: prefix-list": - modules/prefix-list/**/* +":floppy_disk: reachability-analyzer-path": +- modules/reachability-analyzer-path/**/* + ":floppy_disk: route-table": - modules/route-table/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index 6b3dbfc..284330c 100644 --- a/.github/labels.yaml +++ b/.github/labels.yaml @@ -52,6 +52,9 @@ - color: "fbca04" description: "This issue or pull request is related to prefix-list module." name: ":floppy_disk: prefix-list" +- color: "fbca04" + description: "This issue or pull request is related to reachability-analyzer-path module." + name: ":floppy_disk: reachability-analyzer-path" - color: "fbca04" description: "This issue or pull request is related to route-table module." name: ":floppy_disk: route-table" diff --git a/README.md b/README.md index 2077657..59c101f 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ Terraform module which creates network related resources on AWS. - [nacl](./modules/nacl) - [nat-gateway](./modules/nat-gateway) - [prefix-list](./modules/prefix-list) +- [reachability-analyzer-path](./modules/reachability-analyzer-path) - [route-table](./modules/route-table) - [security-group](./modules/security-group) - [subnet-group](./modules/subnet-group) @@ -44,6 +45,10 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - Interface Endpoint - **AWS DX (Direct Connect)** - DX Gateway +- **AWS Network Manager** + - Reachability Analyzer + - Path + - Analysis ## Examples 
@@ -52,6 +57,10 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - [prefix-lists](./examples/prefix-lists) +### Network Manager + +- [reachability-analyzer](./examples/reachability-analyzer) + ## Self Promotion diff --git a/examples/prefix-lists/outputs.tf b/examples/prefix-lists/outputs.tf index 0b58aa8..3a6f830 100644 --- a/examples/prefix-lists/outputs.tf +++ b/examples/prefix-lists/outputs.tf @@ -1,7 +1,9 @@ output "ipv4" { - value = module.ipv4 + description = "The IPv4 prefix list for example." + value = module.ipv4 } output "ipv6" { - value = module.ipv6 + description = "The IPv6 prefix list for example." + value = module.ipv6 } diff --git a/examples/reachability-analyzer/main.tf b/examples/reachability-analyzer/main.tf new file mode 100644 index 0000000..46223d9 --- /dev/null +++ b/examples/reachability-analyzer/main.tf 
@@ -0,0 +1,142 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+data "aws_internet_gateway" "default" {
+ filter {
+ name = "attachment.vpc-id"
+ values = [data.aws_vpc.default.id]
+ }
+}
+
+###################################################
+# Reachability Analyzer
+###################################################
+
+module "reachability_analyzer_path__success" {
+ source = "../../modules/reachability-analyzer-path"
+ # source = "tedilabs/network/aws//modules/reachability-analyzer-path"
+ # version = "~> 0.26.0"
+
+ name = "test-success"
+
+ protocol = "TCP"
+ source_network = {
+ id = data.aws_internet_gateway.default.internet_gateway_id
+ }
+ destination_network = {
+ id = module.instance.id
+ ip_address = module.instance.network.private_ip
+ }
+
+ analyses = [
+ {
+ name = "analysis-01"
+ }
+ ]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
+
+module "reachability_analyzer_path__fail" {
+ source = "../../modules/reachability-analyzer-path"
+ # source = "tedilabs/network/aws//modules/reachability-analyzer-path"
+ # version = "~> 0.26.0"
+
+ name = "test-fail"
+
+ protocol = "TCP"
+ source_network = {
+ id = data.aws_internet_gateway.default.internet_gateway_id
+ }
+ destination_network = {
+ id = module.instance.id
+ ip_address = module.instance.network.private_ip
+ port = 22
+ }
+
+ analyses = [
+ {
+ name = "analysis-01"
+ }
+ ]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
+
+
+###################################################
+# EC2 Instance
+###################################################
+
+data "aws_ami" "ubuntu" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["099720109477"]
+}
+
+module "security_group" {
+ source = "../../modules/security-group"
+ # source = 
"tedilabs/network/aws//modules/security-group"
+ # version = "~> 0.26.0"
+
+ name = "reachability-analyzer-test"
+
+ vpc_id = data.aws_vpc.default.id
+
+ ingress_rules = [
+ {
+ id = "http/all"
+ protocol = "tcp"
+ from_port = 80
+ to_port = 80
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ]
+ egress_rules = [
+ {
+ id = "all/all"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
+
+module "instance" {
+ source = "tedilabs/ec2/aws//modules/instance"
+ version = "~> 0.2.0"
+
+ name = "reachability-analyzer-test"
+ type = "t2.micro"
+ ami = data.aws_ami.ubuntu.image_id
+
+ security_groups = [module.security_group.id]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
diff --git a/examples/reachability-analyzer/outputs.tf b/examples/reachability-analyzer/outputs.tf
new file mode 100644
index 0000000..34772c2
--- /dev/null
+++ b/examples/reachability-analyzer/outputs.tf
@@ -0,0 +1,7 @@
+output "paths" {
+ description = "The reachability analyzer paths for example."
+ value = {
+ success = module.reachability_analyzer_path__success
+ fail = module.reachability_analyzer_path__fail
+ }
+}
diff --git a/examples/reachability-analyzer/versions.tf b/examples/reachability-analyzer/versions.tf
new file mode 100644
index 0000000..3c3b4cf
--- /dev/null
+++ b/examples/reachability-analyzer/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/modules/reachability-analyzer-path/README.md b/modules/reachability-analyzer-path/README.md
new file mode 100644
index 0000000..ffa8906
--- /dev/null
+++ b/modules/reachability-analyzer-path/README.md
@@ -0,0 +1,61 @@ +# reachability-analyzer-path + +This module creates following resources. + +- `aws_ec2_network_insights_path` +- `aws_ec2_network_insights_analysis` (optional) + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 4.58 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.52.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_ec2_network_insights_analysis.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_network_insights_analysis) | resource | +| [aws_ec2_network_insights_path.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_network_insights_path) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [destination\_network](#input\_destination\_network) | (Required) The configuration of destination network for analysis. `destination_network` as defined below.
(Required) `id` - The ID of resource which is the destination of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the destination resource.
(Optional) `port` - The port number of destination to analyze access to. |
object({
id = string
ip_address = optional(string)
port = optional(number)
})
| n/a | yes | +| [name](#input\_name) | The name of the reachability analyzer path. | `string` | n/a | yes | +| [source\_network](#input\_source\_network) | (Required) The configuration of source network for analysis. `source_network` as defined below.
(Required) `id` - The ID of resource which is the source of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the source resource. |
object({
id = string
ip_address = optional(string)
})
| n/a | yes | +| [analyses](#input\_analyses) | (Optional) The configuration of analyses to run with the reachability analyzer path. Each block of `analyses` as defined below.
(Required) `name` - A name of the analysis with the reachability analyzer path.
(Optional) `required_intermediate_components` - A list of ARNs for resources the path must traverse. Intermediate components include load balancers, NAT gateways, and peering connections. You cannot use security groups, network access control lists, network interfaces, or route tables as intermediate components.
(Optional) `wait_for_completion` - Whether to wait for the analysis status to change to `succeeded` or `failed`. Setting this to `false` will skip the process. Defaults to `true`. |
list(object({
name = string

required_intermediate_components = optional(list(string), [])
wait_for_completion = optional(bool, true)
}))
| `[]` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [protocol](#input\_protocol) | The protocol to use for analysis. Valid values are `TCP` or `UDP`. | `string` | `"TCP"` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [analyses](#output\_analyses) | A list of histories of the analysis with the reachability analyzer path. | +| [arn](#output\_arn) | The ARN of the reachability analyzer path. | +| [destination\_network](#output\_destination\_network) | The configuration of destination network for analysis. | +| [id](#output\_id) | The ID of the reachability analyzer path. | +| [name](#output\_name) | The name of the reachability analyzer path. | +| [protocol](#output\_protocol) | The protocol to use for analysis. | +| [source\_network](#output\_source\_network) | The configuration of source network for analysis. | + diff --git a/modules/reachability-analyzer-path/main.tf b/modules/reachability-analyzer-path/main.tf new file mode 100644 index 0000000..58c3ba5 --- /dev/null +++ b/modules/reachability-analyzer-path/main.tf 
@@ -0,0 +1,64 @@
+locals {
+ metadata = {
+ package = "terraform-aws-network"
+ version = trimspace(file("${path.module}/../../VERSION"))
+ module = basename(path.module)
+ name = var.name
+ }
+ module_tags = var.module_tags_enabled ? {
+ "module.terraform.io/package" = local.metadata.package
+ "module.terraform.io/version" = local.metadata.version
+ "module.terraform.io/name" = local.metadata.module
+ "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+ "module.terraform.io/instance" = local.metadata.name
+ } : {}
+}
+
+
+###################################################
+# Reachability Analyzer Path
+###################################################
+
+resource "aws_ec2_network_insights_path" "this" {
+ protocol = lower(var.protocol)
+
+ source = var.source_network.id
+ source_ip = var.source_network.ip_address
+
+ destination = var.destination_network.id
+ destination_ip = var.destination_network.ip_address
+ destination_port = var.destination_network.port
+
+ tags = merge(
+ {
+ "Name" = local.metadata.name
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
+
+
+###################################################
+# Reachability Analyzer Analysis
+###################################################
+
+resource "aws_ec2_network_insights_analysis" "this" {
+ for_each = {
+ for analysis in var.analyses :
+ analysis.name => analysis
+ }
+
+ network_insights_path_id = aws_ec2_network_insights_path.this.id
+
+ filter_in_arns = each.value.required_intermediate_components
+ wait_for_completion = each.value.wait_for_completion
+
+ tags = merge(
+ {
+ "Name" = each.key
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
diff --git a/modules/reachability-analyzer-path/outputs.tf b/modules/reachability-analyzer-path/outputs.tf
new file mode 100644
index 0000000..d3a493c
--- /dev/null
+++ b/modules/reachability-analyzer-path/outputs.tf
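Review bot: `aws_ec2_network_insights_analysis.this` is keyed on `analysis.name` and nothing in this file re-triggers an analysis, so once an entry has been applied the same name never produces a new run even though the network may have changed; as far as the visible code shows, analyzing again needs a new name or `terraform apply -replace=...` on that instance. Suggest stating this in the `analyses` variable description (that file's hunk is cut off in this chunk), e.g. `Each analysis is a point-in-time run; to analyze the path again, add an entry with a new name or replace the existing analysis resource.`. Duplicate names in `analyses` are rejected by the for-expression's duplicate-key error, which is correct but points at main.tf rather than the input; a `validation` block on `analyses` with `condition = length(distinct(var.analyses[*].name)) == length(var.analyses)` would name the variable in the message.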
@@ -0,0 +1,68 @@
+output "id" {
+ description = "The ID of the reachability analyzer path."
+ value = aws_ec2_network_insights_path.this.id
+}
+
+output "arn" {
+ description = "The ARN of the reachability analyzer path."
+ value = aws_ec2_network_insights_path.this.arn
+}
+
+output "name" {
+ description = "The name of the reachability analyzer path."
+ value = local.metadata.name
+}
+
+output "protocol" {
+ description = "The protocol to use for analysis."
+ value = upper(aws_ec2_network_insights_path.this.protocol)
+}
+
+output "source_network" {
+ description = "The configuration of source network for analysis."
+ value = {
+ id = aws_ec2_network_insights_path.this.source
+ ip_address = aws_ec2_network_insights_path.this.source_ip
+ }
+}
+
+output "destination_network" {
+ description = "The configuration of destination network for analysis."
+ value = {
+ id = aws_ec2_network_insights_path.this.destination
+ ip_address = aws_ec2_network_insights_path.this.destination_ip
+ port = aws_ec2_network_insights_path.this.destination_port
+ }
+}
+
+output "analyses" {
+ description = "A list of histories of the analysis with the reachability analyzer path."
+ value = [
+ for name, analysis in aws_ec2_network_insights_analysis.this : {
+ name = name
+ id = analysis.id
+ arn = analysis.arn
+
+ path_found = analysis.path_found
+ status = analysis.status
+ started_at = analysis.start_date
+
+ # INFO: https://docs.aws.amazon.com/vpc/latest/reachability/explanation-codes.html
+ explanation_codes = [
+ for explanation in analysis.explanations :
+ explanation.explanation_code
+ ]
+ # status_message = analysis.status_message
+ # warning_message = analysis.warning_message
+
+ forward_path_components = [
+ for c in analysis.forward_path_components :
+ one(c.component)
+ ]
+ return_path_components = [
+ for c in analysis.return_path_components :
+ one(c.component)
+ ]
+ }
+ ]
+}
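Review bot: The `analyses` output carries two commented-out attributes, `# status_message = analysis.status_message` and `# warning_message = analysis.warning_message`, with no explanation; either expose them (they are the fields an operator reads first when `status` is not `succeeded`) or replace the two lines with one comment stating why they are omitted. The `one(c.component)` calls also assume each path component carries at most one `component` block, which is a provider-schema assumption the code does not state; a comment such as `# component is a single-element block list in the provider schema, hence one()` would record it for the next maintainer.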
diff --git a/modules/reachability-analyzer-path/resource-group.tf b/modules/reachability-analyzer-path/resource-group.tf
new file mode 100644
index 0000000..7487ba0
--- /dev/null
+++ b/modules/reachability-analyzer-path/resource-group.tf
@@ -0,0 +1,31 @@
+locals {
+ resource_group_name = (var.resource_group_name != ""
+ ? var.resource_group_name
+ : join(".", [
+ local.metadata.package,
+ local.metadata.module,
+ replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+ ])
+ )
+}
+
+
+module "resource_group" {
+ source = "tedilabs/misc/aws//modules/resource-group"
+ version = "~> 0.10.0"
+
+ count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+ name = local.resource_group_name
+ description = var.resource_group_description
+
+ query = {
+ resource_tags = local.module_tags
+ }
+
+ module_tags_enabled = false
+ tags = merge(
+ local.module_tags,
+ var.tags,
+ )
+}
diff --git a/modules/reachability-analyzer-path/variables.tf b/modules/reachability-analyzer-path/variables.tf
new file mode 100644
index 0000000..5196eef
--- /dev/null
+++ b/modules/reachability-analyzer-path/variables.tf
@@ -0,0 +1,102 @@ +variable "name" { + description = "The name of the reachability analyzer path." + type = string + nullable = false +} + +variable "protocol" { + description = "The protocol to use for analysis. Valid values are `TCP` or `UDP`." + type = string + default = "TCP" + nullable = false + + validation { + condition = contains(["TCP", "UDP"], var.protocol) + error_message = "Valid values for `protocol` are `TCP` or `UDP`." + } +} + +variable "source_network" { + description = < Date: Wed, 15 Mar 2023 01:17:33 +0900 Subject: [PATCH 19/73] Support ram sharing for prefix-list module (#28) --- modules/prefix-list/README.md | 5 ++++- modules/prefix-list/outputs.tf | 12 ++++++++++++ modules/prefix-list/ram-share.tf | 32 ++++++++++++++++++++++++++++++++ modules/prefix-list/variables.tf | 21 +++++++++++++++++++++ 4 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 modules/prefix-list/ram-share.tf diff --git a/modules/prefix-list/README.md b/modules/prefix-list/README.md index a79cc36..8a3aca6 100644 --- a/modules/prefix-list/README.md +++ b/modules/prefix-list/README.md @@ -17,13 +17,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.52.0 | +| [aws](#provider\_aws) | 4.58.0 | ## Modules | Name | Source | Version | |------|--------|---------| | [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | +| [share](#module\_share) | tedilabs/account/aws//modules/ram-share | ~> 0.24.0 | ## Resources 
@@ -43,6 +44,7 @@ This module creates following resources. | [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). |
list(object({
name = optional(string)

permissions = optional(set(string), ["AWSRAMDefaultPermissionPrefixList"])

external_principals_allowed = optional(bool, false)
principals = optional(set(string), [])

tags = optional(map(string), {})
}))
| `[]` | no | | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | ## Outputs @@ -56,5 +58,6 @@ This module creates following resources. | [max\_entries](#output\_max\_entries) | The maximum number of entries of this prefix list. | | [name](#output\_name) | The name of the prefix list. | | [owner\_id](#output\_owner\_id) | The ID of the AWS account that owns this prefix list. | +| [sharing](#output\_sharing) | The configuration for sharing of the VPC prefix list.
`status` - An indication of whether the rule group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
`shares` - The list of resource shares via RAM (Resource Access Manager). | | [version](#output\_version) | Latest version of this prefix list. | diff --git a/modules/prefix-list/outputs.tf b/modules/prefix-list/outputs.tf index 7cd14e9..813d9fc 100644 --- a/modules/prefix-list/outputs.tf +++ b/modules/prefix-list/outputs.tf @@ -37,3 +37,15 @@ output "entries" { description = "A set of prefix list entries." value = aws_ec2_managed_prefix_list.this.entry } + +output "sharing" { + description = < 0 ? "SHARED_BY_ME" : "NOT_SHARED" + shares = module.share + } +} diff --git a/modules/prefix-list/ram-share.tf b/modules/prefix-list/ram-share.tf new file mode 100644 index 0000000..46e2f49 --- /dev/null +++ b/modules/prefix-list/ram-share.tf @@ -0,0 +1,32 @@ +################################################### +# Resource Sharing by RAM (Resource Access Manager) +################################################### + +module "share" { + source = "tedilabs/account/aws//modules/ram-share" + version = "~> 0.24.0" + + for_each = { + for share in var.shares : + share.name => share + } + + name = "vpc.prefix-list.${var.name}.${each.key}" + + resources = [ + aws_ec2_managed_prefix_list.this.arn, + ] + permissions = each.value.permissions + + external_principals_allowed = each.value.external_principals_allowed + principals = each.value.principals + + resource_group_enabled = false + module_tags_enabled = false + + tags = merge( + local.module_tags, + var.tags, + each.value.tags, + ) +} diff --git a/modules/prefix-list/variables.tf b/modules/prefix-list/variables.tf index 88c9c14..e0733db 100644 --- a/modules/prefix-list/variables.tf +++ b/modules/prefix-list/variables.tf 
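Review bot: In ram-share.tf, `for_each` keys the shares on `share.name`, but the `shares` object type added to `variables.tf` in the same commit declares `name = optional(string)` with no default, so a share entry that omits `name` becomes a null map key and planning fails inside this for expression rather than with a message about the input. Either declare `name = string` in the `shares` object type, or add a `validation` block on `shares` such as `condition = alltrue([for s in var.shares : s.name != null]) && length(distinct(var.shares[*].name)) == length(var.shares)` with an error message naming the variable; the same fix applies to the `variables.tf` hunk that follows. `external_principals_allowed` defaulting to `false` is the right default for a network-control resource like a prefix list, presumably mapping to RAM's allow-external-principals flag so a share stays inside the organization unless a caller opts in explicitly.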
@@ -80,3 +80,24 @@ variable "resource_group_description" {
 default = "Managed by Terraform."
 nullable = false
 }
+
+
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+variable "shares" {
+ description = "(Optional) A list of resource shares via RAM (Resource Access Manager)."
+ type = list(object({
+ name = optional(string)
+
+ permissions = optional(set(string), ["AWSRAMDefaultPermissionPrefixList"])
+
+ external_principals_allowed = optional(bool, false)
+ principals = optional(set(string), [])
+
+ tags = optional(map(string), {})
+ }))
+ default = []
+ nullable = false
+}
From e66ebbea67d9141dd22b22c7aeac9da41450bd48 Mon Sep 17 00:00:00 2001
From: Byungjin Park
Date: Thu, 16 Mar 2023 04:09:53 +0900
Subject: [PATCH 20/73] Update variables
---
 modules/prefix-list/README.md | 16 ++++++++--------
 modules/prefix-list/variables.tf | 16 ++++++++--------
 modules/reachability-analyzer-path/README.md | 14 +++++++-------
 modules/reachability-analyzer-path/variables.tf | 14 +++++++-------
 4 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/modules/prefix-list/README.md b/modules/prefix-list/README.md
index 8a3aca6..a50928d 100644
--- a/modules/prefix-list/README.md
+++ b/modules/prefix-list/README.md
@@ -36,16 +36,16 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [address\_family](#input\_address\_family) | Address family of this prefix list. Valid values are `IPv4` or `IPv6`. | `string` | n/a | yes | -| [name](#input\_name) | The name of the prefix list. The name must not start with `com.amazonaws`. | `string` | n/a | yes | +| [address\_family](#input\_address\_family) | (Required) Address family of this prefix list. Valid values are `IPv4` or `IPv6`. | `string` | n/a | yes | +| [name](#input\_name) | (Required) The name of the prefix list. The name must not start with `com.amazonaws`. | `string` | n/a | yes | | [entries](#input\_entries) | (Optional) A set of prefix list entries. Each block of `entries` as defined below.
(Required) `cidr` - The CIDR block of this entry.
(Optional) `description` - The description of this entry. Due to API limitations, updating only the description of an existing entry requires temporarily removing and re-adding the entry. |
set(object({
cidr = string
description = optional(string, "Managed by Terraform.")
}))
| `[]` | no | -| [max\_entries](#input\_max\_entries) | Maximum number of entries that this prefix list can contain. Configured the length of `entries` if not provided. | `number` | `null` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [max\_entries](#input\_max\_entries) | (Optional) Maximum number of entries that this prefix list can contain. Configured the length of `entries` if not provided. | `number` | `null` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. 
| `string` | `""` | no | | [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). |
list(object({
name = optional(string)

permissions = optional(set(string), ["AWSRAMDefaultPermissionPrefixList"])

external_principals_allowed = optional(bool, false)
principals = optional(set(string), [])

tags = optional(map(string), {})
}))
| `[]` | no |
-| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 ## Outputs
diff --git a/modules/prefix-list/variables.tf b/modules/prefix-list/variables.tf
index e0733db..44742ba 100644
--- a/modules/prefix-list/variables.tf
+++ b/modules/prefix-list/variables.tf
@@ -1,5 +1,5 @@
 variable "name" {
- description = "The name of the prefix list. The name must not start with `com.amazonaws`."
+ description = "(Required) The name of the prefix list. The name must not start with `com.amazonaws`."
 type = string
 nullable = false
@@ -10,7 +10,7 @@ variable "name" {
 }
 variable "address_family" {
- description = "Address family of this prefix list. Valid values are `IPv4` or `IPv6`."
+ description = "(Required) Address family of this prefix list. Valid values are `IPv4` or `IPv6`."
 type = string
 nullable = false
@@ -21,7 +21,7 @@ variable "address_family" {
 }
 variable "max_entries" {
- description = "Maximum number of entries that this prefix list can contain. Configured the length of `entries` if not provided."
+ description = "(Optional) Maximum number of entries that this prefix list can contain. Configured the length of `entries` if not provided."
 type = number
 default = null
 nullable = true
@@ -42,14 +42,14 @@ variable "entries" {
 }
 variable "tags" {
- description = "A map of tags to add to all resources."
+ description = "(Optional) A map of tags to add to all resources."
 type = map(string)
 default = {}
 nullable = false
 }
 variable "module_tags_enabled" {
- description = "Whether to create AWS Resource Tags for the module informations."
+ description = "(Optional) Whether to create AWS Resource Tags for the module informations."
 type = bool
 default = true
 nullable = false
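Review bot: The reworded description in the `@@ -1,5 +1,5 @@` hunk of prefix-list/variables.tf again promises that the name must not start with `com.amazonaws`, but the `validation` block just below this hunk (visible in the hunk that added the file earlier in this series) checks `!startswith("com.amazonaws", var.name)`, and Terraform's `startswith(string, prefix)` takes the string to test first, so it asks whether the literal `com.amazonaws` begins with the given name rather than the reverse: `com.amazonaws.foo` is accepted and a short name such as `com` is rejected. The condition should read `condition = !startswith(var.name, "com.amazonaws")`. The `variable "name"` block continues outside this hunk.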
@@ -61,21 +61,21 @@ variable "module_tags_enabled" { ################################################### variable "resource_group_enabled" { - description = "Whether to create Resource Group to find and group AWS resources which are created by this module." + description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." type = bool default = true nullable = false } variable "resource_group_name" { - description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." + description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." type = string default = "" nullable = false } variable "resource_group_description" { - description = "The description of Resource Group." + description = "(Optional) The description of Resource Group." type = string default = "Managed by Terraform." nullable = false diff --git a/modules/reachability-analyzer-path/README.md b/modules/reachability-analyzer-path/README.md index ffa8906..547df30 100644 --- a/modules/reachability-analyzer-path/README.md +++ b/modules/reachability-analyzer-path/README.md @@ -37,15 +37,15 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [destination\_network](#input\_destination\_network) | (Required) The configuration of destination network for analysis. `destination_network` as defined below.
(Required) `id` - The ID of resource which is the destination of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the destination resource.
(Optional) `port` - The port number of destination to analyze access to. |
object({
id = string
ip_address = optional(string)
port = optional(number)
})
| n/a | yes | -| [name](#input\_name) | The name of the reachability analyzer path. | `string` | n/a | yes | +| [name](#input\_name) | (Required) The name of the reachability analyzer path. | `string` | n/a | yes | | [source\_network](#input\_source\_network) | (Required) The configuration of source network for analysis. `source_network` as defined below.
(Required) `id` - The ID of resource which is the source of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the source resource. |
object({
id = string
ip_address = optional(string)
})
| n/a | yes | | [analyses](#input\_analyses) | (Optional) The configuration of analyses to run with the reachability analyzer path. Each block of `analyses` as defined below.
(Required) `name` - A name of the analysis with the reachability analyzer path.
(Optional) `required_intermediate_components` - A list of ARNs for resources the path must traverse. Intermediate components include load balancers, NAT gateways, and peering connections. You cannot use security groups, network access control lists, network interfaces, or route tables as intermediate components.
(Optional) `wait_for_completion` - Whether to wait for the analysis status to change to `succeeded` or `failed`. Setting this to `false` will skip the process. Defaults to `true`. |
list(object({
name = string

required_intermediate_components = optional(list(string), [])
wait_for_completion = optional(bool, true)
}))
| `[]` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [protocol](#input\_protocol) | The protocol to use for analysis. Valid values are `TCP` or `UDP`. | `string` | `"TCP"` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [protocol](#input\_protocol) | (Optional) The protocol to use for analysis. Valid values are `TCP` or `UDP`. | `string` | `"TCP"` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. 
| `string` | `""` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | ## Outputs diff --git a/modules/reachability-analyzer-path/variables.tf b/modules/reachability-analyzer-path/variables.tf index 5196eef..6b9cd17 100644 --- a/modules/reachability-analyzer-path/variables.tf +++ b/modules/reachability-analyzer-path/variables.tf @@ -1,11 +1,11 @@ variable "name" { - description = "The name of the reachability analyzer path." + description = "(Required) The name of the reachability analyzer path." type = string nullable = false } variable "protocol" { - description = "The protocol to use for analysis. Valid values are `TCP` or `UDP`." + description = "(Optional) The protocol to use for analysis. Valid values are `TCP` or `UDP`." type = string default = "TCP" nullable = false @@ -62,14 +62,14 @@ variable "analyses" { } variable "tags" { - description = "A map of tags to add to all resources." + description = "(Optional) A map of tags to add to all resources." type = map(string) default = {} nullable = false } variable "module_tags_enabled" { - description = "Whether to create AWS Resource Tags for the module informations." + description = "(Optional) Whether to create AWS Resource Tags for the module informations." type = bool default = true nullable = false 
@@ -81,21 +81,21 @@ variable "module_tags_enabled" { ################################################### variable "resource_group_enabled" { - description = "Whether to create Resource Group to find and group AWS resources which are created by this module." + description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." type = bool default = true nullable = false } variable "resource_group_name" { - description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." + description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." type = string default = "" nullable = false } variable "resource_group_description" { - description = "The description of Resource Group." + description = "(Optional) The description of Resource Group." type = string default = "Managed by Terraform." nullable = false From 2dbce94dd18074a148001bc91708b115f486742c Mon Sep 17 00:00:00 2001 
From: "Byungjin Park (Claud)" Date: Mon, 20 Mar 2023 02:56:12 +0900 Subject: [PATCH 21/73] Add ipam module (#29) --- .github/labeler.yaml | 3 + .github/labels.yaml | 3 + README.md | 6 ++ modules/ipam/README.md | 69 +++++++++++++++++++++ modules/ipam/main.tf | 106 +++++++++++++++++++++++++++++++++ modules/ipam/outputs.tf | 94 +++++++++++++++++++++++++++++ modules/ipam/resource-group.tf | 31 ++++++++++ modules/ipam/variables.tf | 96 +++++++++++++++++++++++++++++ modules/ipam/versions.tf | 10 ++++ modules/prefix-list/README.md | 2 +- modules/prefix-list/outputs.tf | 2 +- 11 files changed, 420 insertions(+), 2 deletions(-) create mode 100644 modules/ipam/README.md create mode 100644 modules/ipam/main.tf create mode 100644 modules/ipam/outputs.tf create mode 100644 modules/ipam/resource-group.tf create mode 100644 modules/ipam/variables.tf create mode 100644 modules/ipam/versions.tf diff --git a/.github/labeler.yaml b/.github/labeler.yaml index de51c5f..aec6e98 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -2,6 +2,9 @@ ":floppy_disk: dx-gateway": - modules/dx-gateway/**/* +":floppy_disk: ipam": +- modules/ipam/**/* + ":floppy_disk: nacl": - modules/nacl/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index 284330c..b1babb5 100644 --- a/.github/labels.yaml +++ b/.github/labels.yaml @@ -43,6 +43,9 @@ - color: "fbca04" description: "This issue or pull request is related to dx-gateway module." name: ":floppy_disk: dx-gateway" +- color: "fbca04" + description: "This issue or pull request is related to ipam module." + name: ":floppy_disk: ipam" - color: "fbca04" description: "This issue or pull request is related to nacl module." name: ":floppy_disk: nacl" diff --git a/README.md b/README.md index 59c101f..aeae7c1 100644 --- a/README.md +++ b/README.md 
@@ -7,6 +7,7 @@ Terraform module which creates network related resources on AWS. - [dx-gateway](./modules/dx-gateway) +- [ipam](./modules/ipam) - [nacl](./modules/nacl) - [nat-gateway](./modules/nat-gateway) - [prefix-list](./modules/prefix-list) @@ -43,6 +44,11 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - Endpoint Service - Gateway Endpoint - Interface Endpoint +- **AWS VPC IPAM(IP Address Manager)** + - IPAM + - Scope + - Pool + - Resource Discovery - **AWS DX (Direct Connect)** - DX Gateway - **AWS Network Manager** diff --git a/modules/ipam/README.md b/modules/ipam/README.md new file mode 100644 index 0000000..c7f51f1 --- /dev/null +++ b/modules/ipam/README.md 
@@ -0,0 +1,69 @@ +# ipam + +This module creates following resources. + +- `aws_vpc_ipam` +- `aws_vpc_ipam_scope` (optional) +- `aws_vpc_ipam_resource_discovery_association` (optional) + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 4.58 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.58.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_vpc_ipam.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam) | resource | +| [aws_vpc_ipam_resource_discovery_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_resource_discovery_association) | resource | +| [aws_vpc_ipam_scope.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_scope) | resource | +| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | (Required) The name of the IPAM. | `string` | n/a | yes | +| [additional\_private\_scopes](#input\_additional\_private\_scopes) | (Optional) A list of additional scopes to create and manage by the IPAM. A scope is the highest-level container within IPAM. When you create an IPAM, IPAM creates two default scopes for you. Each scope represents the IP space for a single network. Each block of `additional_scopes` as defined below.
(Required) `name` - A name of the scope in the IPAM.
(Optional) `description` - A description of the scope in the IPAM. |
list(object({
name = string
description = optional(string, "Managed by Terraform.")
}))
| `[]` | no | +| [additional\_resource\_discovery\_associations](#input\_additional\_resource\_discovery\_associations) | (Optional) A list of additional associations to an IPAM resource discovery with an Amazon VPC IPAM. A resource discovery is an IPAM component that enables IPAM to manage and monitor resources that belong to the owning account. Each block of `additional_resource_discovery_associations` as defined below.
(Required) `resource_discovery` - The ID of the Resource Discovery to associate.
(Optional) `tags` - A map of tags to add to the IPAM resource discovery association resource. |
list(object({
resource_discovery = string
tags = optional(map(string), {})
}))
| `[]` | no | +| [cascade\_deletion\_enabled](#input\_cascade\_deletion\_enabled) | (Optional) Whether to enable you to quickly delete an IPAM, private scopes, pools in private scopes, and any allocations in the pools in private scopes. Defaults to `true`. | `bool` | `true` | no | +| [description](#input\_description) | (Optional) A description for the IPAM. | `string` | `"Managed by Terraform."` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [operating\_regions](#input\_operating\_regions) | (Optional) A set of operating regions for the IPAM. Operating Regions are AWS Regions where the IPAM is allowed to manage IP address CIDRs. IPAM only discovers and monitors resources in the AWS Regions you select as operating Regions. The current region is required to include. | `set(string)` | `[]` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [additional\_private\_scopes](#output\_additional\_private\_scopes) | The additional private scopes in the IPAM. You can create additional private scopes if you require support for multiple disconnected private networks. 
Additional private scopes allow you to create pools and manage resources that use the same IP space. You cannot create additional public scopes.
`id` - The ID of the scope.
`arn` - The Amazon Resource Name (ARN) of the scope.
`name` - The name of the scope.
`description` - The description of the scope.
`type` - The type of the scope.
`is_default` - Whether the scope is the default scope or not.
`pool_count` - The number of pools in the scope. | +| [additional\_resource\_discoveries](#output\_additional\_resource\_discoveries) | The additional resource discoveries in the IPAM.
`id` - The ID of resource discovery.
`association_id` - The resource discovery association ID.
`state` - The lifecycle state of the association when you associate or disassociate a resource discovery. | +| [arn](#output\_arn) | The ARN of the IPAM. | +| [default\_resource\_discovery](#output\_default\_resource\_discovery) | The default resource discovery in the IPAM.
`id` - The IPAM's default resource discovery ID.
`association_id` - The IPAM's default resource discovery association ID. | +| [default\_scopes](#output\_default\_scopes) | The default scopes in the IPAM. A scope is a top-level container in IPAM. Each scope represents an IP-independent network. Scopes enable you to represent networks where you have overlapping IP space. When you create an IPAM, IPAM automatically creates two scopes: `public` and `private`. The `private` scope is intended for private IP space. The `public` scope is intended for all internet-routable IP space.
`private` - The ID of the IPAM's private scope.
`public` - The ID of the IPAM's public scope. | +| [description](#output\_description) | The description of the IPAM. | +| [id](#output\_id) | The ID of the IPAM. | +| [name](#output\_name) | The name of the IPAM. | +| [operating\_regions](#output\_operating\_regions) | A set of operating regions for the IPAM. | +| [scope\_count](#output\_scope\_count) | The number of scopes in the IPAM. | + diff --git a/modules/ipam/main.tf b/modules/ipam/main.tf new file mode 100644 index 0000000..3ac5e43 --- /dev/null +++ b/modules/ipam/main.tf 
@@ -0,0 +1,106 @@
+locals {
+ metadata = {
+ package = "terraform-aws-network"
+ version = trimspace(file("${path.module}/../../VERSION"))
+ module = basename(path.module)
+ name = var.name
+ }
+ module_tags = var.module_tags_enabled ? {
+ "module.terraform.io/package" = local.metadata.package
+ "module.terraform.io/version" = local.metadata.version
+ "module.terraform.io/name" = local.metadata.module
+ "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+ "module.terraform.io/instance" = local.metadata.name
+ } : {}
+}
+
+data "aws_region" "this" {}
+data "aws_regions" "this" {
+ all_regions = true
+}
+
+locals {
+ region = data.aws_region.this.name
+ all_regions = data.aws_regions.this.names
+}
+
+
+###################################################
+# IPAM (IP Address Manager)
+###################################################
+
+resource "aws_vpc_ipam" "this" {
+ description = var.description
+ cascade = var.cascade_deletion_enabled
+
+ dynamic "operating_regions" {
+ for_each = var.operating_regions
+
+ content {
+ region_name = operating_regions.value
+ }
+ }
+
+ tags = merge(
+ {
+ "Name" = local.metadata.name
+ },
+ local.module_tags,
+ var.tags,
+ )
+
+ lifecycle {
+ precondition {
+ condition = contains(var.operating_regions, local.region)
+ error_message = "The current region is required to include in `operating_regions`."
+ }
+
+ precondition {
+ condition = alltrue([
+ for region in var.operating_regions :
+ contains(local.all_regions, region)
+ ])
+ error_message = "There is invalid AWS region name."
+ }
+ }
+}
+
+
+###################################################
+# Scopes of IPAM (IP Address Manager)
+###################################################
+
+resource "aws_vpc_ipam_scope" "this" {
+ for_each = {
+ for scope in var.additional_private_scopes :
+ scope.name => scope
+ }
+
+ ipam_id = aws_vpc_ipam.this.id
+ description = each.value.description
+
+ tags = merge(
+ {
+ "Name" = each.key
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
+
+
+###################################################
+# Associations of IPAM Resource Discoveries
+###################################################
+
+resource "aws_vpc_ipam_resource_discovery_association" "this" {
+ count = length(var.additional_resource_discovery_associations)
+
+ ipam_id = aws_vpc_ipam.this.id
+ ipam_resource_discovery_id = var.additional_resource_discovery_associations[count.index].resource_discovery
+
+ tags = merge(
+ local.module_tags,
+ var.additional_resource_discovery_associations[count.index].tags,
+ )
+}
diff --git a/modules/ipam/outputs.tf b/modules/ipam/outputs.tf
new file mode 100644
index 0000000..f54ace9
--- /dev/null
+++ b/modules/ipam/outputs.tf
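Review bot: `aws_vpc_ipam_resource_discovery_association.this` is addressed with `count` over `var.additional_resource_discovery_associations`, so removing or reordering one entry shifts every later index and Terraform destroys and recreates the remaining associations; the sibling `aws_vpc_ipam_scope.this` in the same hunk already uses a `for_each` map, and keying the associations by `resource_discovery` the same way (below) keeps each one stable and rejects duplicate IDs at plan time, while any output in outputs.tf that indexes this resource by position would need to follow. Separately, the README in this commit documents `operating_regions` with default `[]`, but the first precondition `contains(var.operating_regions, local.region)` can never hold for an empty set, so the module cannot plan with defaults; either make the variable required or document the default as unusable, and the same precondition is copied into `aws_vpc_ipam_resource_discovery` in modules/ipam-resource-discovery/main.tf. The second precondition's `error_message = "There is invalid AWS region name."` does not say which input is wrong; `error_message = "Every entry of `operating_regions` must be a valid AWS region name."` would, and again applies to both files.
```hcl
resource "aws_vpc_ipam_resource_discovery_association" "this" {
  for_each = {
    for association in var.additional_resource_discovery_associations :
    association.resource_discovery => association
  }

  ipam_id                    = aws_vpc_ipam.this.id
  ipam_resource_discovery_id = each.value.resource_discovery

  tags = merge(
    local.module_tags,
    each.value.tags,
  )
}
```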
@@ -0,0 +1,94 @@ +output "id" { + description = "The ID of the IPAM." + value = aws_vpc_ipam.this.id +} + +output "arn" { + description = "The ARN of the IPAM." + value = aws_vpc_ipam.this.arn +} + +output "name" { + description = "The name of the IPAM." + value = local.metadata.name +} + +output "description" { + description = "The description of the IPAM." + value = aws_vpc_ipam.this.description +} + +output "operating_regions" { + description = "A set of operating regions for the IPAM." + value = aws_vpc_ipam.this.operating_regions[*].region_name +} + +output "scope_count" { + description = "The number of scopes in the IPAM." + value = aws_vpc_ipam.this.scope_count +} + +output "default_scopes" { + description = < { + id = scope.id + arn = scope.arn + name = name + description = scope.description + type = scope.ipam_scope_type + is_default = scope.is_default + pool_count = scope.pool_count + } + } +} + +output "default_resource_discovery" { + description = < [max\_entries](#output\_max\_entries) | The maximum number of entries of this prefix list. | | [name](#output\_name) | The name of the prefix list. | | [owner\_id](#output\_owner\_id) | The ID of the AWS account that owns this prefix list. | -| [sharing](#output\_sharing) | The configuration for sharing of the VPC prefix list.
`status` - An indication of whether the rule group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
`shares` - The list of resource shares via RAM (Resource Access Manager). | +| [sharing](#output\_sharing) | The configuration for sharing of the VPC prefix list.
`status` - An indication of whether the VPC prefix list is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
`shares` - The list of resource shares via RAM (Resource Access Manager). | | [version](#output\_version) | Latest version of this prefix list. | diff --git a/modules/prefix-list/outputs.tf b/modules/prefix-list/outputs.tf index 813d9fc..a3bb19d 100644 --- a/modules/prefix-list/outputs.tf +++ b/modules/prefix-list/outputs.tf @@ -41,7 +41,7 @@ output "entries" { output "sharing" { description = < Date: Mon, 20 Mar 2023 03:00:17 +0900 Subject: [PATCH 22/73] Add ipam-resource-discovery module (#30) --- .github/labeler.yaml | 3 + .github/labels.yaml | 3 + README.md | 1 + modules/ipam-resource-discovery/README.md | 65 +++++++++++++++ modules/ipam-resource-discovery/main.tf | 65 +++++++++++++++ modules/ipam-resource-discovery/outputs.tf | 51 ++++++++++++ modules/ipam-resource-discovery/ram-share.tf | 32 ++++++++ .../ipam-resource-discovery/resource-group.tf | 31 +++++++ modules/ipam-resource-discovery/variables.tf | 82 +++++++++++++++++++ modules/ipam-resource-discovery/versions.tf | 10 +++ 10 files changed, 343 insertions(+) create mode 100644 modules/ipam-resource-discovery/README.md create mode 100644 modules/ipam-resource-discovery/main.tf create mode 100644 modules/ipam-resource-discovery/outputs.tf create mode 100644 modules/ipam-resource-discovery/ram-share.tf create mode 100644 modules/ipam-resource-discovery/resource-group.tf create mode 100644 modules/ipam-resource-discovery/variables.tf create mode 100644 modules/ipam-resource-discovery/versions.tf diff --git a/.github/labeler.yaml b/.github/labeler.yaml index aec6e98..e2af0b1 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -5,6 +5,9 @@ ":floppy_disk: ipam": - modules/ipam/**/* +":floppy_disk: ipam-resource-discovery": +- modules/ipam-resource-discovery/**/* + ":floppy_disk: nacl": - modules/nacl/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index b1babb5..5fd198c 100644 --- a/.github/labels.yaml +++ b/.github/labels.yaml 
@@ -46,6 +46,9 @@ - color: "fbca04" description: "This issue or pull request is related to ipam module." name: ":floppy_disk: ipam" +- color: "fbca04" + description: "This issue or pull request is related to ipam-resource-discovery module." + name: ":floppy_disk: ipam-resource-discovery" - color: "fbca04" description: "This issue or pull request is related to nacl module." name: ":floppy_disk: nacl" diff --git a/README.md b/README.md index aeae7c1..cdff074 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Terraform module which creates network related resources on AWS. - [dx-gateway](./modules/dx-gateway) - [ipam](./modules/ipam) +- [ipam-resource-discovery](./modules/ipam-resource-discovery) - [nacl](./modules/nacl) - [nat-gateway](./modules/nat-gateway) - [prefix-list](./modules/prefix-list) diff --git a/modules/ipam-resource-discovery/README.md b/modules/ipam-resource-discovery/README.md new file mode 100644 index 0000000..07555f0 --- /dev/null +++ b/modules/ipam-resource-discovery/README.md 
@@ -0,0 +1,65 @@ +# ipam-resource-discovery + +Creates an IPAM resource discovery. A resource discovery is an IPAM component that enables IPAM to manage and monitor resources that belong to the owning account. + +This module creates following resources. + +- `aws_vpc_ipam_resource_discovery` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 4.58 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.58.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | +| [share](#module\_share) | tedilabs/account/aws//modules/ram-share | ~> 0.24.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_vpc_ipam_resource_discovery.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_resource_discovery) | resource | +| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [name](#input\_name) | (Required) The name of the IPAM resource discovery. | `string` | n/a | yes | +| [description](#input\_description) | (Optional) A description for the IPAM resource discovery. | `string` | `"Managed by Terraform."` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [operating\_regions](#input\_operating\_regions) | (Optional) A set of operating regions for the IPAM resource discovery. 
Operating Regions are AWS Regions where the IPAM is allowed to manage IP address CIDRs. IPAM only discovers and monitors resources in the AWS Regions you select as operating Regions. The current region is required to include. | `set(string)` | `[]` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). |
list(object({
name = optional(string)

permissions = optional(set(string), ["AWSRAMPermissionIpamResourceDiscovery"])

external_principals_allowed = optional(bool, false)
principals = optional(set(string), [])

tags = optional(map(string), {})
}))
| `[]` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | The ARN of the IPAM resource discovery. | +| [description](#output\_description) | The description of the IPAM resource discovery. | +| [id](#output\_id) | The ID of the IPAM resource discovery. | +| [is\_default](#output\_is\_default) | Whether the resource discovery is the default. The default resource discovery is the resource discovery automatically created when you create an IPAM. | +| [name](#output\_name) | The name of the IPAM resource discovery. | +| [operating\_regions](#output\_operating\_regions) | A set of operating regions for the IPAM resource discovery. | +| [owner\_id](#output\_owner\_id) | The account ID for the account that manages the Resource Discovery. | +| [region](#output\_region) | The home region of the Resource Discovery. | +| [sharing](#output\_sharing) | The configuration for sharing of the IPAM resource discovery resource discovery.
`status` - An indication of whether the IPAM resource discovery resource discovery is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
`shares` - The list of resource shares via RAM (Resource Access Manager). |
+
diff --git a/modules/ipam-resource-discovery/main.tf b/modules/ipam-resource-discovery/main.tf
new file mode 100644
index 0000000..b4de284
--- /dev/null
+++ b/modules/ipam-resource-discovery/main.tf
@@ -0,0 +1,65 @@
+locals {
+ metadata = {
+ package = "terraform-aws-network"
+ version = trimspace(file("${path.module}/../../VERSION"))
+ module = basename(path.module)
+ name = var.name
+ }
+ module_tags = var.module_tags_enabled ? {
+ "module.terraform.io/package" = local.metadata.package
+ "module.terraform.io/version" = local.metadata.version
+ "module.terraform.io/name" = local.metadata.module
+ "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+ "module.terraform.io/instance" = local.metadata.name
+ } : {}
+}
+
+data "aws_region" "this" {}
+data "aws_regions" "this" {
+ all_regions = true
+}
+
+locals {
+ region = data.aws_region.this.name
+ all_regions = data.aws_regions.this.names
+}
+
+
+###################################################
+# Resource Discovery of IPAM (IP Address Manager)
+###################################################
+
+resource "aws_vpc_ipam_resource_discovery" "this" {
+ description = var.description
+
+ dynamic "operating_regions" {
+ for_each = var.operating_regions
+
+ content {
+ region_name = operating_regions.value
+ }
+ }
+
+ tags = merge(
+ {
+ "Name" = local.metadata.name
+ },
+ local.module_tags,
+ var.tags,
+ )
+
+ lifecycle {
+ precondition {
+ condition = contains(var.operating_regions, local.region)
+ error_message = "The current region is required to include in `operating_regions`."
+ }
+
+ precondition {
+ condition = alltrue([
+ for region in var.operating_regions :
+ contains(local.all_regions, region)
+ ])
+ error_message = "There is invalid AWS region name."
+ }
+ }
+}
diff --git a/modules/ipam-resource-discovery/outputs.tf b/modules/ipam-resource-discovery/outputs.tf new file mode 100644 index 0000000..b734e69 --- /dev/null +++ b/modules/ipam-resource-discovery/outputs.tf @@ -0,0 +1,51 @@ +output "id" { + description = "The ID of the IPAM resource discovery." + value = aws_vpc_ipam_resource_discovery.this.id +} + +output "arn" { + description = "The ARN of the IPAM resource discovery." + value = aws_vpc_ipam_resource_discovery.this.arn +} + +output "owner_id" { + description = "The account ID for the account that manages the Resource Discovery." + value = aws_vpc_ipam_resource_discovery.this.owner_id +} + +output "region" { + description = "The home region of the Resource Discovery." + value = aws_vpc_ipam_resource_discovery.this.ipam_resource_discovery_region +} + +output "name" { + description = "The name of the IPAM resource discovery." + value = local.metadata.name +} + +output "description" { + description = "The description of the IPAM resource discovery." + value = aws_vpc_ipam_resource_discovery.this.description +} + +output "operating_regions" { + description = "A set of operating regions for the IPAM resource discovery." + value = aws_vpc_ipam_resource_discovery.this.operating_regions[*].region_name +} + +output "is_default" { + description = "Whether the resource discovery is the default. The default resource discovery is the resource discovery automatically created when you create an IPAM." + value = aws_vpc_ipam_resource_discovery.this.is_default +} + +output "sharing" { + description = < 0 ? "SHARED_BY_ME" : "NOT_SHARED" + shares = module.share + } +} diff --git a/modules/ipam-resource-discovery/ram-share.tf b/modules/ipam-resource-discovery/ram-share.tf new file mode 100644 index 0000000..d36ec20 --- /dev/null +++ b/modules/ipam-resource-discovery/ram-share.tf 
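Review bot: The `sharing` output's `status` expression can only evaluate to `SHARED_BY_ME` or `NOT_SHARED` (a `length(...) > 0` test on `module.share`, as far as the garbled heredoc in this rendering shows), yet the README hunk for this module lists `SHARED_WITH_ME` as a third value. A resource this module creates is always owned by the calling account, so that value is unreachable here and the output description should drop it, e.g. `Values are `NOT_SHARED` or `SHARED_BY_ME`.`. The same wording is used for the prefix-list `sharing` output touched in the previous commit, where it is equally unreachable.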
@@ -0,0 +1,32 @@
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+module "share" {
+ source = "tedilabs/account/aws//modules/ram-share"
+ version = "~> 0.24.0"
+
+ for_each = {
+ for share in var.shares :
+ share.name => share
+ }
+
+ name = "ipam.resource-discovery.${var.name}.${each.key}"
+
+ resources = [
+ aws_vpc_ipam_resource_discovery.this.arn
+ ]
+ permissions = each.value.permissions
+
+ external_principals_allowed = each.value.external_principals_allowed
+ principals = each.value.principals
+
+ resource_group_enabled = false
+ module_tags_enabled = false
+
+ tags = merge(
+ local.module_tags,
+ var.tags,
+ each.value.tags,
+ )
+}
diff --git a/modules/ipam-resource-discovery/resource-group.tf b/modules/ipam-resource-discovery/resource-group.tf
new file mode 100644
index 0000000..7487ba0
--- /dev/null
+++ b/modules/ipam-resource-discovery/resource-group.tf
@@ -0,0 +1,31 @@
+locals {
+ resource_group_name = (var.resource_group_name != ""
+ ? var.resource_group_name
+ : join(".", [
+ local.metadata.package,
+ local.metadata.module,
+ replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+ ])
+ )
+}
+
+
+module "resource_group" {
+ source = "tedilabs/misc/aws//modules/resource-group"
+ version = "~> 0.10.0"
+
+ count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+ name = local.resource_group_name
+ description = var.resource_group_description
+
+ query = {
+ resource_tags = local.module_tags
+ }
+
+ module_tags_enabled = false
+ tags = merge(
+ local.module_tags,
+ var.tags,
+ )
+}
diff --git a/modules/ipam-resource-discovery/variables.tf b/modules/ipam-resource-discovery/variables.tf
new file mode 100644
index 0000000..c08cacf
--- /dev/null
+++ b/modules/ipam-resource-discovery/variables.tf
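Review bot: `external_principals_allowed` and `principals` are handed to the RAM share exactly as given, and a resource discovery shared to a principal outside the organization lets that account's IPAM read the CIDR inventory discovered across every operating region, so this block is where a mistyped account ID becomes a data leak rather than an error. The `shares` variable sits outside this hunk and the README row above only calls it "the list of resource shares"; it should default `external_principals_allowed` to `false` and say that `true` opts the share out of the organization boundary. A comment above the `module "share"` block, `# A share with external_principals_allowed = true exposes the discovered CIDR inventory outside the organization.`, keeps that in front of whoever edits this next.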
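Review bot: `count` on `module "resource_group"` requires both `var.resource_group_enabled` and `var.module_tags_enabled`, so a caller who turns off module tags loses the resource group silently even with `resource_group_enabled = true`. The coupling is sound, since `query` selects resources by `local.module_tags` and would be empty without them, but nothing visible tells the caller; the `resource_group_enabled` description (variables.tf, outside this hunk) should add 'Has no effect unless `module_tags_enabled` is also `true`.' and a comment above `count`, `# The group is discovered via module tags, so it is skipped when they are disabled.`, records the reason in code.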
@@ -0,0 +1,82 @@ +variable "name" { + description = "(Required) The name of the IPAM resource discovery." + type = string + nullable = false +} + +variable "description" { + description = "(Optional) A description for the IPAM resource discovery." + type = string + default = "Managed by Terraform." + nullable = false +} + +variable "operating_regions" { + description = < Date: Fri, 24 Mar 2023 01:47:29 +0900 Subject: [PATCH 23/73] Update reachability-analyzer-path --- modules/reachability-analyzer-path/README.md | 6 +++--- modules/reachability-analyzer-path/variables.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/reachability-analyzer-path/README.md b/modules/reachability-analyzer-path/README.md index 547df30..13834ad 100644 --- a/modules/reachability-analyzer-path/README.md +++ b/modules/reachability-analyzer-path/README.md @@ -36,10 +36,10 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [destination\_network](#input\_destination\_network) | (Required) The configuration of destination network for analysis. `destination_network` as defined below.
(Required) `id` - The ID of resource which is the destination of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the destination resource.
(Optional) `port` - The port number of destination to analyze access to. |
object({
id = string
ip_address = optional(string)
port = optional(number)
})
| n/a | yes | +| [destination\_network](#input\_destination\_network) | (Required) The configuration of destination network for analysis. `destination_network` as defined below.
(Required) `id` - The ID of resource which is the destination of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, Transit Gateway Attachment, VPC Endpoint Service, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the destination resource.
(Optional) `port` - The port number of destination to analyze access to. |
object({
id = string
ip_address = optional(string)
port = optional(number)
})
| n/a | yes | | [name](#input\_name) | (Required) The name of the reachability analyzer path. | `string` | n/a | yes | -| [source\_network](#input\_source\_network) | (Required) The configuration of source network for analysis. `source_network` as defined below.
(Required) `id` - The ID of resource which is the source of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the source resource. |
object({
id = string
ip_address = optional(string)
})
| n/a | yes | -| [analyses](#input\_analyses) | (Optional) The configuration of analyses to run with the reachability analyzer path. Each block of `analyses` as defined below.
(Required) `name` - A name of the analysis with the reachability analyzer path.
(Optional) `required_intermediate_components` - A list of ARNs for resources the path must traverse. Intermediate components include load balancers, NAT gateways, and peering connections. You cannot use security groups, network access control lists, network interfaces, or route tables as intermediate components.
(Optional) `wait_for_completion` - Whether to wait for the analysis status to change to `succeeded` or `failed`. Setting this to `false` will skip the process. Defaults to `true`. |
list(object({
name = string

required_intermediate_components = optional(list(string), [])
wait_for_completion = optional(bool, true)
}))
| `[]` | no | +| [source\_network](#input\_source\_network) | (Required) The configuration of source network for analysis. `source_network` as defined below.
(Required) `id` - The ID of resource which is the source of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, Transit Gateway Attachment, VPC Endpoint Service, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the source resource. |
object({
id = string
ip_address = optional(string)
})
| n/a | yes | +| [analyses](#input\_analyses) | (Optional) The configuration of analyses to run with the reachability analyzer path. Each block of `analyses` as defined below.
(Required) `name` - A name of the analysis with the reachability analyzer path.
(Optional) `required_intermediate_components` - A list of ARNs for resources the path must traverse. Intermediate components include Load Balancers, NAT Gateways, and Network Firewall, Transit Gateways, Transit Gateway Attachments, VPC Peering Connections. You cannot use security groups, network access control lists, network interfaces, or route tables as intermediate components.
(Optional) `wait_for_completion` - Whether to wait for the analysis status to change to `succeeded` or `failed`. Setting this to `false` will skip the process. Defaults to `true`. |
list(object({
name = string

required_intermediate_components = optional(list(string), [])
wait_for_completion = optional(bool, true)
}))
| `[]` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [protocol](#input\_protocol) | (Optional) The protocol to use for analysis. Valid values are `TCP` or `UDP`. | `string` | `"TCP"` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | diff --git a/modules/reachability-analyzer-path/variables.tf b/modules/reachability-analyzer-path/variables.tf index 6b9cd17..76587f6 100644 --- a/modules/reachability-analyzer-path/variables.tf +++ b/modules/reachability-analyzer-path/variables.tf @@ -19,7 +19,7 @@ variable "protocol" { variable "source_network" { description = < Date: Fri, 31 Mar 2023 23:47:40 +0900 Subject: [PATCH 24/73] Refactor dx-gateway module (#32) --- modules/dx-gateway/README.md | 8 ++++---- modules/dx-gateway/main.tf | 8 ++++---- modules/dx-gateway/outputs.tf | 21 +++++++++++++++++-- modules/dx-gateway/variables.tf | 36 +++++++++++++++++++++++++-------- 4 files changed, 55 insertions(+), 18 deletions(-) diff --git a/modules/dx-gateway/README.md b/modules/dx-gateway/README.md index e43d7b5..43c5c6d 100644 --- a/modules/dx-gateway/README.md +++ b/modules/dx-gateway/README.md 
@@ -35,10 +35,10 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [asn](#input\_asn) | The ASN to be configured on the Amazon side of the connection. The ASN must be in the private range of 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294. | `number` | n/a | yes | -| [name](#input\_name) | Desired name for the DX Gateway resources. | `string` | n/a | yes | -| [cross\_account\_gateway\_associations](#input\_cross\_account\_gateway\_associations) | The configurations to associate VPN Gateway or Transit Gateway with a Direct Connect Gateway in cross account. | `list(any)` | `[]` | no | -| [gateway\_associations](#input\_gateway\_associations) | The configurations to associate VPN Gateway or Transit Gateway with a Direct Connect Gateway in same account. | `list(any)` | `[]` | no | +| [asn](#input\_asn) | (Required) The ASN to be configured on the Amazon side of the connection. The ASN must be in the private range of 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294. | `number` | n/a | yes | +| [name](#input\_name) | (Required) Desired name for the DX Gateway resources. | `string` | n/a | yes | +| [cross\_account\_gateway\_associations](#input\_cross\_account\_gateway\_associations) | (Optional) The configuration to associate a list of VPN Gateway or Transit Gateway with a Direct Connect Gateway in cross account. Each block of `cross_account_gateway_associations` as defined below.
(Required) `account_id` - The ID of the AWS account that owns the Virtual Private Gateway or Transit Gateway.
(Required) `proposal_id` - The ID of the request proposal.
(Optional) `allowed_prefixes` - A list of VPC prefixes (CIDRs) to advertise to the Direct Connect gateway. Defaults to the CIDR block of the VPC associated with the Virtual Gateway. To enable drift detection, must be configured. |
list(object({
account_id = string
proposal_id = string
allowed_prefixes = optional(list(string), [])
}))
| `[]` | no | +| [gateway\_associations](#input\_gateway\_associations) | (Optional) The configuration to associate a list of VPN Gateway or Transit Gateway with a Direct Connect Gateway in same account. Each block of `gateway_associations` as defined below.
(Required) `gateway_id` - The ID of the VPN Gateway or Transit Gateway with which to associate. Used for single account Direct Connect gateway associations.
(Optional) `allowed_prefixes` - A list of VPC prefixes (CIDRs) to advertise to the Direct Connect gateway. Defaults to the CIDR block of the VPC associated with the Virtual Gateway. To enable drift detection, must be configured. |
list(object({
gateway_id = string
allowed_prefixes = optional(list(string), [])
}))
| `[]` | no |
 ## Outputs
diff --git a/modules/dx-gateway/main.tf b/modules/dx-gateway/main.tf
index 04c6454..d7d621e 100644
--- a/modules/dx-gateway/main.tf
+++ b/modules/dx-gateway/main.tf
@@ -21,18 +21,18 @@ resource "aws_dx_gateway_association" "this" {
 dx_gateway_id = aws_dx_gateway.this.id
 associated_gateway_id = each.key
- allowed_prefixes = try(each.value.allowed_prefixes, null)
+ allowed_prefixes = each.value.allowed_prefixes
 }
 resource "aws_dx_gateway_association" "external" {
 for_each = {
 for association in var.cross_account_gateway_associations :
- association.gateway_id => association
+ association.proposal_id => association
 }
 dx_gateway_id = aws_dx_gateway.this.id
 associated_gateway_owner_account_id = each.value.account_id
- proposal_id = each.value.proposal_id
- allowed_prefixes = try(each.value.allowed_prefixes, null)
+ proposal_id = each.key
+ allowed_prefixes = each.value.allowed_prefixes
 }
diff --git a/modules/dx-gateway/outputs.tf b/modules/dx-gateway/outputs.tf
index d8d8916..e0e8b3b 100644
--- a/modules/dx-gateway/outputs.tf
+++ b/modules/dx-gateway/outputs.tf
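Review bot: `allowed_prefixes = each.value.allowed_prefixes` in both resources now passes an empty list when the caller omits the attribute (the README hunk above declares it `optional(list(string), [])`), whereas the replaced `try(..., null)` left the argument unset; whether the provider treats an empty set like null (fall back to the VPC CIDR) or as "advertise no prefixes" is not visible here, and it decides which routes the Direct Connect gateway announces, so it needs confirming before this ships. If they differ, `allowed_prefixes = length(each.value.allowed_prefixes) > 0 ? each.value.allowed_prefixes : null` keeps the old semantics while retaining the typed variable. A short comment above the `for_each` of `external` saying why the key moved from `gateway_id` to `proposal_id` would also save the next reader a trip to the git log.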
@@ -20,10 +20,27 @@ output "owner_account_id" {
 output "gateway_associations" {
 description = "Associated VGW or Transit gateway with a Direct Connect Gateway in same account."
- value = aws_dx_gateway_association.this
+ value = [
+ for assoc in aws_dx_gateway_association.this : {
+ id = assoc.id
+ gateway_id = assoc.associated_gateway_id
+ gateway_type = assoc.associated_gateway_type
+ owner_account_id = assoc.associated_gateway_owner_account_id
+ allowed_prefixes = assoc.allowed_prefixes
+ }
+ ]
 }
 output "cross_account_gateway_associations" {
 description = "Associated VGW or Transit gateway with a Direct Connect Gateway in cross account."
- value = aws_dx_gateway_association.external
+ value = [
+ for assoc in aws_dx_gateway_association.external : {
+ id = assoc.id
+ gateway_id = assoc.associated_gateway_id
+ gateway_type = assoc.associated_gateway_type
+ owner_account_id = assoc.associated_gateway_owner_account_id
+ proposal_id = assoc.proposal_id
+ allowed_prefixes = assoc.allowed_prefixes
+ }
+ ]
 }
diff --git a/modules/dx-gateway/variables.tf b/modules/dx-gateway/variables.tf
index 5d3d6df..4bdae38 100644
--- a/modules/dx-gateway/variables.tf
+++ b/modules/dx-gateway/variables.tf
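Review bot: Both outputs switch from the provider's map (keyed by gateway ID and proposal ID, the same keys the `for_each` in main.tf uses) to a list, which drops the key a caller could index by and makes element order follow Terraform's key sort rather than the input order. Keeping a map, `value = { for key, assoc in aws_dx_gateway_association.this : key => { id = assoc.id, ... } }`, reads just as well and leaves `module.x.gateway_associations["<gateway-id>"]` possible; if the list is deliberate, say so in the description. The two descriptions also still describe the old raw-resource value and should list the fields each element carries (`id`, `gateway_id`, `gateway_type`, `owner_account_id`, `allowed_prefixes`, plus `proposal_id` for the cross-account list).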
@@ -1,21 +1,41 @@ variable "name" { - description = "Desired name for the DX Gateway resources." + description = "(Required) Desired name for the DX Gateway resources." type = string + nullable = false } variable "asn" { - description = "The ASN to be configured on the Amazon side of the connection. The ASN must be in the private range of 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294." + description = "(Required) The ASN to be configured on the Amazon side of the connection. The ASN must be in the private range of 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294." type = number + nullable = false } variable "gateway_associations" { - description = "The configurations to associate VPN Gateway or Transit Gateway with a Direct Connect Gateway in same account." - type = list(any) - default = [] + description = < Date: Sun, 2 Apr 2023 16:01:53 +0900 Subject: [PATCH 25/73] Add dx-connection module (#33) --- .github/labeler.yaml | 3 + .github/labels.yaml | 3 + README.md | 2 + modules/dx-connection/README.md | 67 +++++++++++++++++ modules/dx-connection/main.tf | 74 +++++++++++++++++++ modules/dx-connection/outputs.tf | 73 +++++++++++++++++++ modules/dx-connection/resource-group.tf | 31 ++++++++ modules/dx-connection/variables.tf | 96 +++++++++++++++++++++++++ modules/dx-connection/versions.tf | 10 +++ modules/dx-gateway/README.md | 6 +- modules/dx-gateway/versions.tf | 4 +- 11 files changed, 364 insertions(+), 5 deletions(-) create mode 100644 modules/dx-connection/README.md create mode 100644 modules/dx-connection/main.tf create mode 100644 modules/dx-connection/outputs.tf create mode 100644 modules/dx-connection/resource-group.tf create mode 100644 modules/dx-connection/variables.tf create mode 100644 modules/dx-connection/versions.tf diff --git a/.github/labeler.yaml b/.github/labeler.yaml index e2af0b1..3a00c7d 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml 
@@ -1,4 +1,7 @@ # Modules +":floppy_disk: dx-connection": +- modules/dx-connection/**/* + ":floppy_disk: dx-gateway": - modules/dx-gateway/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index 5fd198c..223cd60 100644 --- a/.github/labels.yaml +++ b/.github/labels.yaml @@ -40,6 +40,9 @@ name: "size/XL" # Modules +- color: "fbca04" + description: "This issue or pull request is related to dx-connection module." + name: ":floppy_disk: dx-connection" - color: "fbca04" description: "This issue or pull request is related to dx-gateway module." name: ":floppy_disk: dx-gateway" diff --git a/README.md b/README.md index cdff074..73dcb19 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ Terraform module which creates network related resources on AWS. +- [dx-connection](./modules/dx-connection) - [dx-gateway](./modules/dx-gateway) - [ipam](./modules/ipam) - [ipam-resource-discovery](./modules/ipam-resource-discovery) @@ -51,6 +52,7 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - Pool - Resource Discovery - **AWS DX (Direct Connect)** + - DX Connection - DX Gateway - **AWS Network Manager** - Reachability Analyzer diff --git a/modules/dx-connection/README.md b/modules/dx-connection/README.md new file mode 100644 index 0000000..2bfb21c --- /dev/null +++ b/modules/dx-connection/README.md 
@@ -0,0 +1,67 @@ +# dx-connection + +This module creates following resources. + +- `aws_dx_connection` +- `aws_dx_macsec_key_association` (optional) + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 4.60 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.61.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_dx_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_connection) | resource | +| [aws_dx_macsec_key_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_macsec_key_association) | resource | +| [aws_dx_location.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/dx_location) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [bandwidth](#input\_bandwidth) | (Required) The bandwidth of the DX connection. Valid values for dedicated connections: 1Gbps, 10Gbps. Valid values for hosted connections: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps and 100Gbps. Case sensitive. | `string` | n/a | yes | +| [location\_code](#input\_location\_code) | (Required) The location code of AWS Direct Connect location where the connection is located. See `DescribeLocations` API for the list of AWS Direct Connect locations. | `string` | n/a | yes | +| [name](#input\_name) | (Required) The name of the DX connection. | `string` | n/a | yes | +| [encryption](#input\_encryption) | (Optional) The configuration for MACsec encryption of the AWS Direct Connect connection. 
MACsec is supported on 10 Gbps and 100 Gbps dedicated Direct Connect connections at selected points of presence. `encryption` as defined below.
(Optional) `request_macsec_capable_port` - Indicate whether you want the connection to support MAC Security (MACsec). MAC Security (MACsec) is only available on dedicated connections. See MACsec prerequisites for more information about MAC Security (MACsec) prerequisites. Defaults to `false`. Changing the value will cause the resource to be destroyed and re-created.
(Optional) `mode` - The connection MAC Security (MACsec) encryption mode. MAC Security (MACsec) is only available on dedicated connections. Valid values are `NO_ENCRYPT`, `SHOULD_ENCRYPT` and `MUST_ENCRYPT`. You can only specify the encryption\_mode argument once the connection is in an Available state.
(Optional) `macsec_key_pair` - The values in this pair are used to generate the MACsec secret key. The MACsec secret key is generated by the devices at the ends of the connection using the CKN/CAK pair that you provide to AWS. `macsec_key_pair` as defined below.
(Required) `ckn` - The Connection Key Name (CKN) to associate with the dedicated connection. The valid values are 64 hexadecimal characters.
(Required) `cak` - The Connectivity Association Key (CAK) to associate with the dedicated connection. The valid values are 64 hexadecimal characters. |
object({
request_macsec_capable_port = optional(bool, false)
mode = optional(string)
macsec_key_pair = optional(object({
ckn = string
cak = string
}))
})
| `{}` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [service\_provider](#input\_service\_provider) | (Optional) The name of the service provider associated with the connection. | `string` | `null` | no | +| [skip\_destroy](#input\_skip\_destroy) | (Optional) Set to `true` if you do not wish the connection to be deleted at destroy time, and instead just removed from the Terraform state. | `bool` | `false` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | The ARN of the DX connection. | +| [aws\_device](#output\_aws\_device) | The Direct Connect endpoint on which the physical connection terminates. | +| [bandwidth](#output\_bandwidth) | The bandwidth of the DX connection. | +| [encryption](#output\_encryption) | The configuration for MACsec encryption of the AWS Direct Connect connection.
`macsec_capable` - Whether the connection supports MAC Security (MACsec).
`mode` - The connection MAC Security (MACsec) encryption mode.
`status` - The MAC Security (MACsec) port link status of the connection. | +| [id](#output\_id) | The ID of the DX connection. | +| [jumbo\_frame\_capable](#output\_jumbo\_frame\_capable) | Whether jumbo frames (9001 MTU) are supported. | +| [location](#output\_location) | The information of the AWS Direct Connect location where the connection is located. | +| [logical\_redundancy\_capable](#output\_logical\_redundancy\_capable) | Indicate whether the connection supports a secondary BGP peer in the same address family (IPv4/IPv6). | +| [name](#output\_name) | The name of the DX connection. | +| [service\_provider](#output\_service\_provider) | The name of the service provider associated with the connection. | +| [vlan](#output\_vlan) | The ID of the VLAN. | + diff --git a/modules/dx-connection/main.tf b/modules/dx-connection/main.tf new file mode 100644 index 0000000..24e36d9 --- /dev/null +++ b/modules/dx-connection/main.tf 
@@ -0,0 +1,74 @@
+locals {
+ metadata = {
+ package = "terraform-aws-network"
+ version = trimspace(file("${path.module}/../../VERSION"))
+ module = basename(path.module)
+ name = var.name
+ }
+ module_tags = var.module_tags_enabled ? {
+ "module.terraform.io/package" = local.metadata.package
+ "module.terraform.io/version" = local.metadata.version
+ "module.terraform.io/name" = local.metadata.module
+ "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+ "module.terraform.io/instance" = local.metadata.name
+ } : {}
+}
+
+locals {
+ encryption_mode = {
+ "NO_ENCRYPT" = "no_encrypt"
+ "SHOULD_ENCRYPT" = "should_encrypt"
+ "MUST_ENCRYPT" = "must_encrypt"
+ }
+}
+
+
+###################################################
+# Direct Connect Location
+###################################################
+
+data "aws_dx_location" "this" {
+ location_code = var.location_code
+}
+
+
+###################################################
+# Direct Connect Connection
+###################################################
+
+resource "aws_dx_connection" "this" {
+ name = local.metadata.name
+ skip_destroy = var.skip_destroy
+ bandwidth = var.bandwidth
+
+ location = data.aws_dx_location.this.location_code
+ provider_name = var.service_provider
+
+ request_macsec = var.encryption.request_macsec_capable_port
+ encryption_mode = (var.encryption.mode != null
+ ? local.encryption_mode[var.encryption.mode]
+ : null
+ )
+
+ tags = merge(
+ {
+ "Name" = local.metadata.name
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
+
+# INFO: Not supported attributes
+# - `secret_arn`
+resource "aws_dx_macsec_key_association" "this" {
+ count = alltrue([
+ var.encryption.request_macsec_capable_port,
+ var.encryption.macsec_key_pair != null,
+ ]) ? 1 : 0
+
+ connection_id = aws_dx_connection.this.id
+
+ ckn = try(var.encryption.macsec_key_pair.ckn, null)
+ cak = try(var.encryption.macsec_key_pair.cak, null)
+}
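Review bot: `cak` is the MACsec Connectivity Association Key, a long-lived link secret, and it arrives as a plain string inside `var.encryption` (the variable block is outside this hunk and nothing here marks it sensitive), so even if the provider schema redacts the attribute the variable itself is printed wherever it is echoed and is persisted in state. Mark the variable `sensitive = true`, or at least wrap the lookup as `cak = sensitive(try(var.encryption.macsec_key_pair.cak, null))`, and extend the header comment: `# SECURITY: ckn/cak are written to Terraform state even when marked sensitive; protect the backend and prefer secret_arn once supported.`. The `# INFO: Not supported attributes` note should say why `secret_arn` matters — it is the Secrets Manager path that keeps the key out of configuration and state entirely — rather than reading as a mere omission. Separately, `local.encryption_mode[var.encryption.mode]` fails with an index error on a typo; a `validation` on the variable listing the three accepted values would give a clearer plan-time message.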
diff --git a/modules/dx-connection/outputs.tf b/modules/dx-connection/outputs.tf new file mode 100644 index 0000000..4488d2b --- /dev/null +++ b/modules/dx-connection/outputs.tf @@ -0,0 +1,73 @@ +output "id" { + description = "The ID of the DX connection." + value = aws_dx_connection.this.id +} + +output "arn" { + description = "The ARN of the DX connection." + value = aws_dx_connection.this.arn +} + +output "name" { + description = "The name of the DX connection." + value = aws_dx_connection.this.name +} + +output "aws_device" { + description = "The Direct Connect endpoint on which the physical connection terminates." + value = aws_dx_connection.this.aws_device +} + +output "bandwidth" { + description = "The bandwidth of the DX connection." + value = aws_dx_connection.this.bandwidth +} + +output "vlan" { + description = "The ID of the VLAN." + value = aws_dx_connection.this.vlan_id +} + +output "jumbo_frame_capable" { + description = "Whether jumbo frames (9001 MTU) are supported." + value = aws_dx_connection.this.jumbo_frame_capable +} + +output "logical_redundancy_capable" { + description = "Indicate whether the connection supports a secondary BGP peer in the same address family (IPv4/IPv6)." + value = aws_dx_connection.this.has_logical_redundancy != "no" +} + +output "location" { + description = < [terraform](#requirement\_terraform) | >= 1.2 | -| [aws](#requirement\_aws) | >= 3.45 | +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 4.60 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.52.0 | +| [aws](#provider\_aws) | 4.61.0 | ## Modules diff --git a/modules/dx-gateway/versions.tf b/modules/dx-gateway/versions.tf index dd959fc..6ad78ff 100644 --- a/modules/dx-gateway/versions.tf +++ b/modules/dx-gateway/versions.tf 
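Review bot: `logical_redundancy_capable` reports `has_logical_redundancy != "no"`, but the Direct Connect API documents that field as `unknown`, `yes` or `no`, so a connection whose redundancy AWS has not yet determined is reported as capable. `value = aws_dx_connection.this.has_logical_redundancy == "yes"` answers what the output name promises; if the tri-state is useful, expose the raw string under a separate name instead. The remainder of this hunk from the `location` heredoc onward did not survive extraction here, so the later outputs are unreviewed.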
@@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.2" + required_version = ">= 1.3" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.45" + version = ">= 4.60" } } } From d31cb805236509be884e5da1dac0f558c41be299 Mon Sep 17 00:00:00 2001 From: "Byungjin Park (Claud)" Date: Sun, 2 Apr 2023 21:43:09 +0900 Subject: [PATCH 26/73] Add dx-private-virtual-interface module (#34) --- .github/labeler.yaml | 3 + .github/labels.yaml | 3 + README.md | 7 +- .../dx-private-virtual-interface/README.md | 71 +++++++++ modules/dx-private-virtual-interface/main.tf | 111 +++++++++++++ .../dx-private-virtual-interface/outputs.tf | 107 +++++++++++++ .../resource-group.tf | 31 ++++ .../dx-private-virtual-interface/routers.json | 74 +++++++++ .../dx-private-virtual-interface/variables.tf | 147 ++++++++++++++++++ .../dx-private-virtual-interface/versions.tf | 10 ++ 10 files changed, 562 insertions(+), 2 deletions(-) create mode 100644 modules/dx-private-virtual-interface/README.md create mode 100644 modules/dx-private-virtual-interface/main.tf create mode 100644 modules/dx-private-virtual-interface/outputs.tf create mode 100644 modules/dx-private-virtual-interface/resource-group.tf create mode 100644 modules/dx-private-virtual-interface/routers.json create mode 100644 modules/dx-private-virtual-interface/variables.tf create mode 100644 modules/dx-private-virtual-interface/versions.tf diff --git a/.github/labeler.yaml b/.github/labeler.yaml index 3a00c7d..20275e3 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -5,6 +5,9 @@ ":floppy_disk: dx-gateway": - modules/dx-gateway/**/* +":floppy_disk: dx-private-virtual-interface": +- modules/dx-private-virtual-interface/**/* + ":floppy_disk: ipam": - modules/ipam/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index 223cd60..02a16ae 100644 --- a/.github/labels.yaml +++ b/.github/labels.yaml 
@@ -46,6 +46,9 @@ - color: "fbca04" description: "This issue or pull request is related to dx-gateway module." name: ":floppy_disk: dx-gateway" +- color: "fbca04" + description: "This issue or pull request is related to dx-private-virtual-interface module." + name: ":floppy_disk: dx-private-virtual-interface" - color: "fbca04" description: "This issue or pull request is related to ipam module." name: ":floppy_disk: ipam" diff --git a/README.md b/README.md index 73dcb19..2088979 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Terraform module which creates network related resources on AWS. - [dx-connection](./modules/dx-connection) - [dx-gateway](./modules/dx-gateway) +- [dx-private-virtual-interface](./modules/dx-private-virtual-interface) - [ipam](./modules/ipam) - [ipam-resource-discovery](./modules/ipam-resource-discovery) - [nacl](./modules/nacl) @@ -52,8 +53,10 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - Pool - Resource Discovery - **AWS DX (Direct Connect)** - - DX Connection - - DX Gateway + - Connection + - Gateway + - Virtual Interface + - Private Virtual Interface - **AWS Network Manager** - Reachability Analyzer - Path diff --git a/modules/dx-private-virtual-interface/README.md b/modules/dx-private-virtual-interface/README.md new file mode 100644 index 0000000..ee3e68c --- /dev/null +++ b/modules/dx-private-virtual-interface/README.md 
@@ -0,0 +1,71 @@ +# dx-private-virtual-interface + +This module creates following resources. + +- `aws_dx_private_virtual_interface` +- `aws_dx_bgp_peer` (optional) + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 4.60 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.61.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_dx_bgp_peer.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_bgp_peer) | resource | +| [aws_dx_private_virtual_interface.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_private_virtual_interface) | resource | +| [aws_dx_router_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/dx_router_configuration) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [bgp\_peerings](#input\_bgp\_peerings) | (Required) The configuration for BGP(Border Gateway Protocol) Peerings of the virtual interface. You must create a BGP peer for the corresponding address family (IPv4/IPv6) in order to access AWS resources that also use that address family. If logical redundancy is not supported by the connection, interconnect, or LAG, the BGP peer cannot be in the same address family as an existing BGP peer on the virtual interface. When creating a IPv6 BGP peer, omit the Amazon address and customer address. IPv6 addresses are automatically assigned from the Amazon pool of IPv6 addresses; you cannot specify custom IPv6 addresses. Each block of `bgp_peerings` as defined below.
(Required) `address_family` - The address family for the BGP peer. Valid values are `IPV4` or `IPV6`. Defaults to `IPV4`.
(Required) `bgp_asn` - The Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your on-premises router for the new virtual interface. Valid ranges are 1 - 2147483647.
(Optional) `bgp_auth_key` - The password that will be used to authenticate the BGP session.
(Optional) `amazon_address` - The BGP peer IP configured on the AWS endpoint. Required for IPv4 BGP peering.
(Optional) `customer_address` - The BGP peer IP configured on your endpoint. Required for IPv4 BGP peering. |
list(object({
address_family = string
bgp_asn = number
bgp_auth_key = optional(string)
amazon_address = optional(string)
customer_address = optional(string)
}))
| n/a | yes | +| [connection](#input\_connection) | (Required) The ID of the Direct Connect connection (or LAG) on which the new virtual interface will be provisioned. | `string` | n/a | yes | +| [gateway](#input\_gateway) | (Required) The gateway configuration to connect to VPCs and Regions for this virtual interface. `gateway` as defined below.
(Required) `type` - A gateway type for this virtual interface.
- `DIRECT_CONNECT_GATEWAY`: Allow connections to multiple VPCs and Regions.
- `VIRTUAL_PRIVATE_GATEWAY`: Allow connections to a single VPC in the same Region.
(Required) `id` - The ID of the Direct Connect Gateway or Virtual Private Gateway to which to connect the virtual interface. |
object({
type = string
id = string
})
| n/a | yes | +| [name](#input\_name) | (Required) The name of the virtual interface assigned by the customer network. The name has a maximum of 100 characters. The following are valid characters: a-z, 0-9 and a hyphen (-). | `string` | n/a | yes | +| [vlan](#input\_vlan) | (Required) The Virtual Local Area Network number for the new virtual interface. Valid ranges are 1 - 4094. | `number` | n/a | yes | +| [jumbo\_frame\_enabled](#input\_jumbo\_frame\_enabled) | (Optional) Whether to allow MTU size of `9001` on virtual interface. The MTU of a virtual private interface can be either `1500` or `9001` (jumbo frames). Defaults to `false`. | `bool` | `false` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [router](#input\_router) | (Optional) The ID of the Router Type to get the sample router configuration. For example: `CiscoSystemsInc-2900SeriesRouters-IOS124` | `string` | `null` | no | +| [sitelink\_enabled](#input\_sitelink\_enabled) | (Optional) Indicate whether to enable SiteLink. Control direct connectivity between Direct Connect points of presence. Subject to additional charges. Defaults to `false`. | `bool` | `false` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. 
| `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | The ARN of the virtual interface. | +| [aws\_device](#output\_aws\_device) | The Direct Connect endpoint on which the virtual interface terminates. | +| [bgp\_peerings](#output\_bgp\_peerings) | The configuration for BGP(Border Gateway Protocol) Peerings of the virtual interface.
`address_family` - The address family for the BGP peer.
`bgp_asn` - The Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your on-premises router.
`bgp_auth_key` - The password that will be used to authenticate the BGP session.
`amazon_address` - The BGP peer IP configured on the AWS endpoint.
`customer_address` - The BGP peer IP configured on your endpoint. | +| [connection](#output\_connection) | The ID of the Direct Connect connection. | +| [gateway](#output\_gateway) | The ID of the Direct Connect connection. | +| [id](#output\_id) | The ID of the virtual interface. | +| [jumbo\_frame\_capable](#output\_jumbo\_frame\_capable) | Whether jumbo frames (9001 MTU) are supported. | +| [jumbo\_frame\_enabled](#output\_jumbo\_frame\_enabled) | Whether jumbo frames (9001 MTU) are enabled. | +| [mtu](#output\_mtu) | The MTU of the virtual interface. | +| [name](#output\_name) | The name of the virtual interface. | +| [sample\_configuration](#output\_sample\_configuration) | The sample router configuration for the virtual interface. | +| [sitelink\_enabled](#output\_sitelink\_enabled) | Indicate whether to enable SiteLink. | +| [vlan](#output\_vlan) | The ID of the VLAN. | + diff --git a/modules/dx-private-virtual-interface/main.tf b/modules/dx-private-virtual-interface/main.tf new file mode 100644 index 0000000..09e6508 --- /dev/null +++ b/modules/dx-private-virtual-interface/main.tf 
@@ -0,0 +1,111 @@ +locals { + metadata = { + package = "terraform-aws-network" + version = trimspace(file("${path.module}/../../VERSION")) + module = basename(path.module) + name = var.name + } + module_tags = var.module_tags_enabled ? { + "module.terraform.io/package" = local.metadata.package + "module.terraform.io/version" = local.metadata.version + "module.terraform.io/name" = local.metadata.module + "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}" + "module.terraform.io/instance" = local.metadata.name + } : {} +} + +locals { + address_family = { + "IPV4" = "ipv4" + "IPV6" = "ipv6" + } + + primary_peering = var.bgp_peerings[0] + secondary_peerings = slice(var.bgp_peerings, 1, length(var.bgp_peerings)) + + routers = jsondecode(file("${path.module}/routers.json")) + router_ids = local.routers[*].id +} + + +################################################### +# Private VIF (Virtual Interface) of Direct Connect +################################################### + +resource "aws_dx_private_virtual_interface" "this" { + name = var.name + + connection_id = var.connection + + dx_gateway_id = (var.gateway.type == "DIRECT_CONNECT_GATEWAY" + ? var.gateway.id + : null + ) + vpn_gateway_id = (var.gateway.type == "VIRTUAL_PRIVATE_GATEWAY" + ? var.gateway.id + : null + ) + + vlan = var.vlan + mtu = var.jumbo_frame_enabled ? 
9001 : 1500 + sitelink_enabled = var.sitelink_enabled + + ## BGP Peering + address_family = local.address_family[local.primary_peering.address_family] + bgp_asn = local.primary_peering.bgp_asn + bgp_auth_key = local.primary_peering.bgp_auth_key + + amazon_address = local.primary_peering.amazon_address + customer_address = local.primary_peering.customer_address + + tags = merge( + { + "Name" = local.metadata.name + }, + local.module_tags, + var.tags, + ) +} + + +################################################### +# Additional BGP Peerings for Private VIF +################################################### + +# INFO: Not supported attributes +# - `netmask_length` +resource "aws_dx_bgp_peer" "this" { + for_each = { + for peering in local.secondary_peerings : + "${peering.address_family}/${peering.bgp_asn}" => peering + } + + virtual_interface_id = aws_dx_private_virtual_interface.this.id + + address_family = local.address_family[each.value.address_family] + + bgp_asn = each.value.bgp_asn + bgp_auth_key = each.value.bgp_auth_key + + amazon_address = each.value.amazon_address + customer_address = each.value.customer_address +} + + +################################################### +# Sample Router Configuration for Private VIF (Virtual Interface) +################################################### + +data "aws_dx_router_configuration" "this" { + count = var.router != null ? 1 : 0 + + virtual_interface_id = aws_dx_private_virtual_interface.this.id + router_type_identifier = var.router + + lifecycle { + precondition { + condition = contains(local.router_ids, var.router) + error_message = "Not supported router ID: ${var.router}." + } + } +} diff --git a/modules/dx-private-virtual-interface/outputs.tf b/modules/dx-private-virtual-interface/outputs.tf new file mode 100644 index 0000000..66b1384 --- /dev/null +++ b/modules/dx-private-virtual-interface/outputs.tf 
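Review bot: The first element of `var.bgp_peerings` silently becomes the VIF's own BGP session (`primary_peering = var.bgp_peerings[0]`) while the rest become `aws_dx_bgp_peer` resources, and nothing in the hunk says the list is order-sensitive; because `address_family`, `bgp_asn` and the peer addresses are set directly on `aws_dx_private_virtual_interface.this`, moving a different entry to the front would most likely force the interface to be replaced rather than just re-peered. Add a comment above the local, e.g. `# The first entry of var.bgp_peerings is the VIF's own BGP session; the rest become aws_dx_bgp_peer. Reordering the list changes the primary and is likely to replace the VIF.` Separately, two secondary peerings sharing an address family and ASN would collide on the `"${peering.address_family}/${peering.bgp_asn}"` key of the `for_each` and fail at plan time with a duplicate-key error, which the `bgp_peerings` validation in variables.tf does not catch.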
@@ -0,0 +1,107 @@ +output "id" { + description = "The ID of the virtual interface." + value = aws_dx_private_virtual_interface.this.id +} + +output "arn" { + description = "The ARN of the virtual interface." + value = aws_dx_private_virtual_interface.this.arn +} + +output "name" { + description = "The name of the virtual interface." + value = aws_dx_private_virtual_interface.this.name +} + +output "connection" { + description = "The ID of the Direct Connect connection." + value = aws_dx_private_virtual_interface.this.connection_id +} + +output "gateway" { + description = "The ID of the Direct Connect connection." + value = { + type = var.gateway.type + id = { + "DIRECT_CONNECT_GATEWAY" = aws_dx_private_virtual_interface.this.dx_gateway_id + "VIRTUAL_PRIVATE_GATEWAY" = aws_dx_private_virtual_interface.this.vpn_gateway_id + }[var.gateway.type] + } +} + +output "vlan" { + description = "The ID of the VLAN." + value = aws_dx_private_virtual_interface.this.vlan +} + +output "aws_device" { + description = "The Direct Connect endpoint on which the virtual interface terminates." + value = aws_dx_private_virtual_interface.this.aws_device +} + +output "jumbo_frame_capable" { + description = "Whether jumbo frames (9001 MTU) are supported." + value = aws_dx_private_virtual_interface.this.jumbo_frame_capable +} + +output "jumbo_frame_enabled" { + description = "Whether jumbo frames (9001 MTU) are enabled." + value = aws_dx_private_virtual_interface.this.mtu == 9001 +} + +output "mtu" { + description = "The MTU of the virtual interface." + value = aws_dx_private_virtual_interface.this.mtu +} + +output "sitelink_enabled" { + description = "Indicate whether to enable SiteLink." 
+ value = aws_dx_private_virtual_interface.this.sitelink_enabled +} + +output "bgp_peerings" { + description = < k + }[aws_dx_private_virtual_interface.this.address_family] + bgp_asn = aws_dx_private_virtual_interface.this.bgp_asn + bgp_auth_key = aws_dx_private_virtual_interface.this.bgp_auth_key + amazon_address = aws_dx_private_virtual_interface.this.amazon_address + customer_address = aws_dx_private_virtual_interface.this.customer_address + }], + [ + for peering in aws_dx_bgp_peer.this : { + address_family = { + for k, v in local.address_family : + v => k + }[peering.address_family] + bgp_asn = peering.bgp_asn + bgp_auth_key = peering.bgp_auth_key + amazon_address = peering.amazon_address + customer_address = peering.customer_address + } + ] + ) +} + +output "sample_configuration" { + description = "The sample router configuration for the virtual interface." + value = { + router = one([ + for router in local.routers : + router + if router.id == var.router + ]) + config = one(data.aws_dx_router_configuration.this[*].customer_router_config) + } +} diff --git a/modules/dx-private-virtual-interface/resource-group.tf b/modules/dx-private-virtual-interface/resource-group.tf new file mode 100644 index 0000000..7487ba0 --- /dev/null +++ b/modules/dx-private-virtual-interface/resource-group.tf @@ -0,0 +1,31 @@ +locals { + resource_group_name = (var.resource_group_name != "" + ? var.resource_group_name + : join(".", [ + local.metadata.package, + local.metadata.module, + replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), + ]) + ) +} + + +module "resource_group" { + source = "tedilabs/misc/aws//modules/resource-group" + version = "~> 0.10.0" + + count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 + + name = local.resource_group_name + description = var.resource_group_description + + query = { + resource_tags = local.module_tags + } + + module_tags_enabled = false + tags = merge( + local.module_tags, + var.tags, + ) +} 
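Review bot: The `bgp_peerings` output re-exports `bgp_auth_key` for the primary session and for every `aws_dx_bgp_peer`, so the BGP session password is printed in clear text by `terraform output` and in the plan of any root module that reads it; neither this output nor the `bgp_peerings` input in the variables.tf hunk is marked `sensitive = true`. Add `sensitive = true` to the `bgp_peerings` output here and to the `bgp_peerings` variable in variables.tf so the value is redacted in plan and output (it will still be persisted in state, which is unavoidable for this resource and worth a comment). Separately, the `gateway` output's description is a copy of the `connection` one; it should read something like `description = "The gateway configuration which the virtual interface is attached to."`.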
diff --git a/modules/dx-private-virtual-interface/routers.json b/modules/dx-private-virtual-interface/routers.json new file mode 100644 index 0000000..e485615 --- /dev/null +++ b/modules/dx-private-virtual-interface/routers.json 
@@ -0,0 +1,74 @@ +[ + { + "id": "CiscoSystemsInc-2900SeriesRouters-IOS124", + "platform": "2900 Series Routers", + "software": "IOS 12.4+", + "vendor": "Cisco Systems, Inc.", + "xsltTemplateName": "customer-router-cisco-generic.xslt", + "xsltTemplateNameForMacSec": "" + }, + { + "id": "CiscoSystemsInc-3700SeriesRouters-IOS124", + "platform": "3700 Series Routers", + "software": "IOS 12.4+", + "vendor": "Cisco Systems, Inc.", + "xsltTemplateName": "customer-router-cisco-generic.xslt", + "xsltTemplateNameForMacSec": "" + }, + { + "id": "CiscoSystemsInc-7200SeriesRouters-IOS124", + "platform": "7200 Series Routers", + "software": "IOS 12.4+", + "vendor": "Cisco Systems, Inc.", + "xsltTemplateName": "customer-router-cisco-generic.xslt", + "xsltTemplateNameForMacSec": "" + }, + { + "id": "CiscoSystemsInc-Nexus7000SeriesSwitches-NXOS51", + "platform": "Nexus 7000 Series Switches", + "software": "NX-OS 5.1+", + "vendor": "Cisco Systems, Inc.", + "xsltTemplateName": "customer-switch-cisco-nexus-generic.xslt", + "xsltTemplateNameForMacSec": "" + }, + { + "id": "CiscoSystemsInc-Nexus9KSeriesSwitches-NXOS93", + "platform": "Nexus 9K+ Series Switches", + "software": "NX-OS 9.3+", + "vendor": "Cisco Systems, Inc.", + "xsltTemplateName": "customer-switch-cisco-nexus-generic.xslt", + "xsltTemplateNameForMacSec": "customer-switch-cisco-nexus-generic-macsec.xslt" + }, + { + "id": "JuniperNetworksInc-MMXSeriesRouters-JunOS95", + "platform": "M/MX Series Routers", + "software": "JunOS 9.5+", + "vendor": "Juniper Networks, Inc.", + "xsltTemplateName": "customer-router-juniper-generic.xslt", + "xsltTemplateNameForMacSec": "customer-router-juniper-generic-macsec.xslt" + }, + { + "id": "JuniperNetworksInc-SRXSeriesRouters-JunOS95", + "platform": "SRX Series Routers", + "software": "JunOS 9.5+", + "vendor": "Juniper Networks, Inc.", + "xsltTemplateName": "customer-router-juniper-generic.xslt", + "xsltTemplateNameForMacSec": "" + }, + { + "id": "JuniperNetworksInc-TSeriesRouters-JunOS95", 
+ "platform": "T Series Routers", + "software": "JunOS 9.5+", + "vendor": "Juniper Networks, Inc.", + "xsltTemplateName": "customer-router-juniper-generic.xslt", + "xsltTemplateNameForMacSec": "" + }, + { + "id": "PaloAltoNetworks-PA3000and5000series-PANOS803", + "platform": "PA-3000+ and 5000+ series", + "software": "PAN-OS 8.0.3+", + "vendor": "Palo Alto Networks", + "xsltTemplateName": "customer-router-palo-alto-generic.xslt", + "xsltTemplateNameForMacSec": "" + } +] diff --git a/modules/dx-private-virtual-interface/variables.tf b/modules/dx-private-virtual-interface/variables.tf new file mode 100644 index 0000000..772bd87 --- /dev/null +++ b/modules/dx-private-virtual-interface/variables.tf 
@@ -0,0 +1,147 @@ +variable "name" { + description = "(Required) The name of the virtual interface assigned by the customer network. The name has a maximum of 100 characters. The following are valid characters: a-z, 0-9 and a hyphen (-)." + type = string + nullable = false +} + +variable "connection" { + description = "(Required) The ID of the Direct Connect connection (or LAG) on which the new virtual interface will be provisioned." + type = string + nullable = false +} + +variable "gateway" { + description = <= 1, + var.vlan <= 4094, + ]) + error_message = "Valid ranges are 1 - 4094." + } +} + +variable "jumbo_frame_enabled" { + description = "(Optional) Whether to allow MTU size of `9001` on virtual interface. The MTU of a virtual private interface can be either `1500` or `9001` (jumbo frames). Defaults to `false`." + type = bool + default = false + nullable = false +} + +variable "sitelink_enabled" { + description = "(Optional) Indicate whether to enable SiteLink. Control direct connectivity between Direct Connect points of presence. Subject to additional charges. Defaults to `false`." + type = bool + default = false + nullable = false +} + +variable "bgp_peerings" { + description = < 0 + error_message = "At least 1 BGP peering is required." + } + validation { + condition = alltrue([ + for peering in var.bgp_peerings : + contains(["IPV4", "IPV6"], peering.address_family) + ]) + error_message = "Valid values for `address_family` are `IPV4` and `IPV6`." + } + validation { + condition = alltrue([ + for peering in var.bgp_peerings : + alltrue([ + peering.bgp_asn >= 1, + peering.bgp_asn <= 2147483647, + ]) + ]) + error_message = "Valid ranges for `bgp_asn` are 1 - 2147483647." + } +} + +variable "router" { + description = "(Optional) The ID of the Router Type to get the sample router configuration. 
For example: `CiscoSystemsInc-2900SeriesRouters-IOS124`" + type = string + default = null + nullable = true +} + +variable "tags" { + description = "(Optional) A map of tags to add to all resources." + type = map(string) + default = {} + nullable = false +} + +variable "module_tags_enabled" { + description = "(Optional) Whether to create AWS Resource Tags for the module informations." + type = bool + default = true + nullable = false +} + + +################################################### +# Resource Group +################################################### + +variable "resource_group_enabled" { + description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." + type = bool + default = true + nullable = false +} + +variable "resource_group_name" { + description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." + type = string + default = "" + nullable = false +} + +variable "resource_group_description" { + description = "(Optional) The description of Resource Group." + type = string + default = "Managed by Terraform." + nullable = false +} diff --git a/modules/dx-private-virtual-interface/versions.tf b/modules/dx-private-virtual-interface/versions.tf new file mode 100644 index 0000000..6ad78ff --- /dev/null +++ b/modules/dx-private-virtual-interface/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.3" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.60" + } + } +} From 4e6c05dbd40160fe023ed3e03151cbd3d8abeefd Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 2 Apr 2023 21:46:45 +0900 Subject: [PATCH 27/73] Remove unused comment --- modules/dx-private-virtual-interface/main.tf | 2 -- 1 file changed, 2 deletions(-) 
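Review bot: The `name` variable's description promises a 100-character limit and an `a-z`, `0-9`, `-` alphabet, but unlike `vlan` and `bgp_peerings` it carries no `validation` block, so a non-conforming name is only rejected by AWS at apply time. Enforcing the documented rule in the variable keeps the failure at plan time and matches the style of the other inputs in this hunk; `connection`, which accepts any string, could get the same treatment.
```hcl
variable "name" {
  # … unchanged: description, type, nullable …

  validation {
    condition     = can(regex("^[a-z0-9-]{1,100}$", var.name))
    error_message = "Valid characters are a-z, 0-9 and a hyphen (-), with a maximum of 100 characters."
  }
}
```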
diff --git a/modules/dx-private-virtual-interface/main.tf b/modules/dx-private-virtual-interface/main.tf index 09e6508..21de847 100644 --- a/modules/dx-private-virtual-interface/main.tf +++ b/modules/dx-private-virtual-interface/main.tf @@ -72,8 +72,6 @@ resource "aws_dx_private_virtual_interface" "this" { # Additional BGP Peerings for Private VIF ################################################### -# INFO: Not supported attributes -# - `netmask_length` resource "aws_dx_bgp_peer" "this" { for_each = { for peering in local.secondary_peerings : From f04cffd9954b9e3387666429a16790a184e1437a Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Wed, 5 Apr 2023 22:52:18 +0900 Subject: [PATCH 28/73] Save router configuration to local file in dx-private-virtual-interface module --- modules/dx-private-virtual-interface/README.md | 7 +++++-- modules/dx-private-virtual-interface/main.tf | 16 ++++++++++++---- modules/dx-private-virtual-interface/outputs.tf | 6 +++--- .../dx-private-virtual-interface/variables.tf | 17 ++++++++++++----- .../dx-private-virtual-interface/versions.tf | 4 ++++ 5 files changed, 36 insertions(+), 14 deletions(-) diff --git a/modules/dx-private-virtual-interface/README.md b/modules/dx-private-virtual-interface/README.md index ee3e68c..3ec918e 100644 --- a/modules/dx-private-virtual-interface/README.md +++ b/modules/dx-private-virtual-interface/README.md @@ -12,12 +12,14 @@ This module creates following resources. |------|---------| | [terraform](#requirement\_terraform) | >= 1.3 | | [aws](#requirement\_aws) | >= 4.60 | +| [local](#requirement\_local) | >= 2.4 | ## Providers | Name | Version | |------|---------| | [aws](#provider\_aws) | 4.61.0 | +| [local](#provider\_local) | 2.4.0 | ## Modules 
@@ -31,6 +33,7 @@ This module creates following resources. |------|------| | [aws_dx_bgp_peer.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_bgp_peer) | resource | | [aws_dx_private_virtual_interface.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_private_virtual_interface) | resource | +| [local_file.this](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [aws_dx_router_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/dx_router_configuration) | data source | ## Inputs @@ -47,7 +50,7 @@ This module creates following resources. | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [router](#input\_router) | (Optional) The ID of the Router Type to get the sample router configuration. For example: `CiscoSystemsInc-2900SeriesRouters-IOS124` | `string` | `null` | no | +| [router\_configuration](#input\_router\_configuration) | (Optional) The configuration to retrieve a sample router configuration for the virtual interface. `router_configuration` as defined below.
(Optional) `router` - The ID of the Router Type to get the sample router configuration. For example: `CiscoSystemsInc-2900SeriesRouters-IOS124`.
(Optional) `output_path` - The path to save sample router configuration. |
object({
router = optional(string)
output_path = optional(string)
})
| `{}` | no | | [sitelink\_enabled](#input\_sitelink\_enabled) | (Optional) Indicate whether to enable SiteLink. Control direct connectivity between Direct Connect points of presence. Subject to additional charges. Defaults to `false`. | `bool` | `false` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | @@ -65,7 +68,7 @@ This module creates following resources. | [jumbo\_frame\_enabled](#output\_jumbo\_frame\_enabled) | Whether jumbo frames (9001 MTU) are enabled. | | [mtu](#output\_mtu) | The MTU of the virtual interface. | | [name](#output\_name) | The name of the virtual interface. | -| [sample\_configuration](#output\_sample\_configuration) | The sample router configuration for the virtual interface. | +| [router\_configuration](#output\_router\_configuration) | The sample router configuration for the virtual interface. | | [sitelink\_enabled](#output\_sitelink\_enabled) | Indicate whether to enable SiteLink. | | [vlan](#output\_vlan) | The ID of the VLAN. | diff --git a/modules/dx-private-virtual-interface/main.tf b/modules/dx-private-virtual-interface/main.tf index 21de847..3259fc3 100644 --- a/modules/dx-private-virtual-interface/main.tf +++ b/modules/dx-private-virtual-interface/main.tf 
@@ -95,15 +95,23 @@ resource "aws_dx_bgp_peer" "this" { ################################################### data "aws_dx_router_configuration" "this" { - count = var.router != null ? 1 : 0 + count = var.router_configuration.router != null ? 1 : 0 virtual_interface_id = aws_dx_private_virtual_interface.this.id - router_type_identifier = var.router + router_type_identifier = var.router_configuration.router lifecycle { precondition { - condition = contains(local.router_ids, var.router) - error_message = "Not supported router ID: ${var.router}." + condition = contains(local.router_ids, var.router_configuration.router) + error_message = "Not supported router ID: ${var.router_configuration.router}." } } } + +resource "local_file" "this" { + count = var.router_configuration.router != null ? 1 : 0 + + filename = coalesce(var.router_configuration.output_path, + "${path.root}/outputs/${var.name}.${var.router_configuration.router}.conf") + content = one(data.aws_dx_router_configuration.this[*].customer_router_config) +} diff --git a/modules/dx-private-virtual-interface/outputs.tf b/modules/dx-private-virtual-interface/outputs.tf index 66b1384..4ad3b0e 100644 --- a/modules/dx-private-virtual-interface/outputs.tf +++ b/modules/dx-private-virtual-interface/outputs.tf @@ -94,14 +94,14 @@ output "bgp_peerings" { ) } -output "sample_configuration" { +output "router_configuration" { description = "The sample router configuration for the virtual interface." value = { router = one([ for router in local.routers : router - if router.id == var.router + if router.id == var.router_configuration.router ]) - config = one(data.aws_dx_router_configuration.this[*].customer_router_config) + output_path = var.router_configuration.output_path } } diff --git a/modules/dx-private-virtual-interface/variables.tf b/modules/dx-private-virtual-interface/variables.tf index 772bd87..ef1e221 100644 --- a/modules/dx-private-virtual-interface/variables.tf 
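Review bot: `local_file.this` writes the configuration returned by `aws_dx_router_configuration` to disk with the provider's default file mode, and that generated config normally embeds the BGP session password (`bgp_auth_key`) in clear text; with the default location under `${path.root}/outputs/` it is also easy to commit by accident. Since the module already requires `hashicorp/local >= 2.4`, prefer `resource "local_sensitive_file" "this" {` (same `filename`/`content` arguments, content redacted in plan output) and set `file_permission = "0600"` explicitly. The content is still stored in Terraform state either way, which deserves a one-line comment above the resource.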
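Review bot: The renamed `router_configuration` output no longer returns the configuration itself — `config` was dropped in favour of `output_path` — but its `description` still says `"The sample router configuration for the virtual interface."`, which terraform-docs copies verbatim into the README. Update it to match the new shape, e.g. `description = "The router type and the local path where the sample router configuration was saved."`. Note also that `output_path` echoes the raw input, which is `null` whenever the default path in main.tf was used; exposing the effective path via `one(local_file.this[*].filename)` would be more useful to callers.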
+++ b/modules/dx-private-virtual-interface/variables.tf @@ -99,11 +99,18 @@ variable "bgp_peerings" { } } -variable "router" { - description = "(Optional) The ID of the Router Type to get the sample router configuration. For example: `CiscoSystemsInc-2900SeriesRouters-IOS124`" - type = string - default = null - nullable = true +variable "router_configuration" { + description = < Date: Wed, 5 Apr 2023 23:10:48 +0900 Subject: [PATCH 29/73] Bump to v0.27.0 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 30f6cf8..1b58cc1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.26.1 +0.27.0 From 11d461bcfa08fcb9936003a8b2668c04f677b111 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Jun 2023 23:56:53 +0900 Subject: [PATCH 30/73] Bump tj-actions/changed-files from 35 to 36 (#35) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index a1ad44f..50829f3 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v35 + uses: tj-actions/changed-files@v36 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v35 + uses: tj-actions/changed-files@v36 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index 751ecf9..003bc41 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml 
@@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v35 + uses: tj-actions/changed-files@v36 with: files: | **/*.yaml From 88935f1d74a2e03bc1a3498ea58cd6b738960b34 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Tue, 27 Jun 2023 23:19:24 +0900 Subject: [PATCH 31/73] Update pre-commit config --- .pre-commit-config.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d0b1fea..10bde48 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,12 +1,13 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.1 + rev: v1.81.0 hooks: - id: terraform_fmt args: - --args=-diff - id: terraform_validate args: + - --tf-init-args=-upgrade - --hook-config=--retry-once-with-cleanup=true - id: terraform_tflint args: @@ -14,7 +15,8 @@ repos: files: ^modules/ - id: terraform_docs args: ["--args=--sort-by required"] + - repo: https://github.com/adrienverge/yamllint - rev: v1.29.0 + rev: v1.32.0 hooks: - id: yamllint From 0cae76c568d819de2a1b6d44ded5535a35230687 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 4 Jul 2023 22:48:12 +0900 Subject: [PATCH 32/73] Bump tj-actions/changed-files from 36 to 37 (#37) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 36 to 37. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/v36...v37) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... 
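Review bot: In the .pre-commit-config.yaml hunk, the added `--tf-init-args=-upgrade` makes `terraform_validate` select the newest provider versions allowed by each module's constraints on every run, so if any directory under `modules/` commits a `.terraform.lock.hcl`, the hook will override its selections and validation results can drift between runs without any change to the repository. If the intent is only to recover from stale caches, the already-present `--hook-config=--retry-once-with-cleanup=true` covers that; otherwise a comment such as `# -upgrade: validate against newest allowed providers, not the lock file` above the new arg would make the trade-off explicit. Separately, both bumped `rev` values (`v1.81.0`, `v1.32.0`) remain mutable git tags; pre-commit accepts a full commit SHA in `rev`, which pins the hook source immutably with the tag kept in a trailing comment.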
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: posquit0 --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index 50829f3..1572c19 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v36 + uses: tj-actions/changed-files@v37 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v36 + uses: tj-actions/changed-files@v37 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index 003bc41..a81b49e 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v36 + uses: tj-actions/changed-files@v37 with: files: | **/*.yaml From 63d86b678d443420e8ffeacdec66e5c53c1b479c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 26 Aug 2023 19:40:18 +0900 Subject: [PATCH 33/73] Bump tj-actions/changed-files from 37 to 38 (#38) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 37 to 38. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/v37...v38) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Byungjin Park (Claud) --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index 1572c19..8cfe55e 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v37 + uses: tj-actions/changed-files@v38 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v37 + uses: tj-actions/changed-files@v38 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index a81b49e..5149a2d 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v37 + uses: tj-actions/changed-files@v38 with: files: | **/*.yaml From 89b094249de70ed32e239b6a938ea1ee9e3f3fa5 Mon Sep 17 00:00:00 2001 From: "Byungjin Park (Claud)" Date: Sat, 26 Aug 2023 23:36:58 +0900 Subject: [PATCH 34/73] Fix null value of vlan output in dx-connection module (#45) --- modules/dx-connection/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/dx-connection/versions.tf b/modules/dx-connection/versions.tf index 6ad78ff..422d051 100644 --- a/modules/dx-connection/versions.tf +++ b/modules/dx-connection/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.60" + version = ">= 5.2" } } } From 06c0a2219b40a3b8800ffa7c080c01e21dc3a0d6 Mon Sep 17 00:00:00 2001 
From: Byungjin Park Date: Tue, 19 Sep 2023 00:07:10 +0900 Subject: [PATCH 35/73] Migrate ipam and vpc-connectivity modules to individual repositories --- .github/labeler.yaml | 39 ----- .github/labels.yaml | 39 ----- README.md | 40 +---- examples/prefix-lists/main.tf | 54 ------ examples/prefix-lists/outputs.tf | 9 - examples/prefix-lists/versions.tf | 10 -- examples/reachability-analyzer/main.tf | 142 ---------------- examples/reachability-analyzer/outputs.tf | 7 - examples/reachability-analyzer/versions.tf | 10 -- modules/dx-connection/README.md | 67 -------- modules/dx-connection/main.tf | 74 --------- modules/dx-connection/outputs.tf | 73 --------- modules/dx-connection/resource-group.tf | 31 ---- modules/dx-connection/variables.tf | 96 ----------- modules/dx-connection/versions.tf | 10 -- modules/dx-gateway/README.md | 53 ------ modules/dx-gateway/main.tf | 38 ----- modules/dx-gateway/outputs.tf | 46 ------ modules/dx-gateway/variables.tf | 41 ----- modules/dx-gateway/versions.tf | 10 -- .../dx-private-virtual-interface/README.md | 74 --------- modules/dx-private-virtual-interface/main.tf | 117 ------------- .../dx-private-virtual-interface/outputs.tf | 107 ------------ .../resource-group.tf | 31 ---- .../dx-private-virtual-interface/routers.json | 74 --------- .../dx-private-virtual-interface/variables.tf | 154 ------------------ .../dx-private-virtual-interface/versions.tf | 14 -- modules/ipam-resource-discovery/README.md | 65 -------- modules/ipam-resource-discovery/main.tf | 65 -------- modules/ipam-resource-discovery/outputs.tf | 51 ------ modules/ipam-resource-discovery/ram-share.tf | 32 ---- .../ipam-resource-discovery/resource-group.tf | 31 ---- modules/ipam-resource-discovery/variables.tf | 82 ---------- modules/ipam-resource-discovery/versions.tf | 10 -- modules/ipam/README.md | 69 -------- modules/ipam/main.tf | 106 ------------ modules/ipam/outputs.tf | 94 ----------- modules/ipam/resource-group.tf | 31 ---- modules/ipam/variables.tf | 96 
----------- modules/ipam/versions.tf | 10 -- modules/prefix-list/README.md | 63 ------- modules/prefix-list/main.tf | 44 ----- modules/prefix-list/outputs.tf | 51 ------ modules/prefix-list/ram-share.tf | 32 ---- modules/prefix-list/resource-group.tf | 31 ---- modules/prefix-list/variables.tf | 103 ------------ modules/prefix-list/versions.tf | 10 -- modules/reachability-analyzer-path/README.md | 61 ------- modules/reachability-analyzer-path/main.tf | 64 -------- modules/reachability-analyzer-path/outputs.tf | 68 -------- .../resource-group.tf | 31 ---- .../reachability-analyzer-path/variables.tf | 102 ------------ .../reachability-analyzer-path/versions.tf | 10 -- modules/vpc-endpoint-service/README.md | 73 --------- modules/vpc-endpoint-service/main.tf | 60 ------- modules/vpc-endpoint-service/migrations.tf | 5 - modules/vpc-endpoint-service/outputs.tf | 74 --------- .../vpc-endpoint-service/resource-group.tf | 31 ---- modules/vpc-endpoint-service/variables.tf | 78 --------- modules/vpc-endpoint-service/versions.tf | 10 -- modules/vpc-gateway-endpoint/README.md | 67 -------- modules/vpc-gateway-endpoint/main.tf | 49 ------ modules/vpc-gateway-endpoint/migrations.tf | 5 - modules/vpc-gateway-endpoint/outputs.tf | 59 ------- .../vpc-gateway-endpoint/resource-group.tf | 31 ---- modules/vpc-gateway-endpoint/variables.tf | 70 -------- modules/vpc-gateway-endpoint/versions.tf | 10 -- modules/vpc-interface-endpoint/README.md | 75 --------- modules/vpc-interface-endpoint/main.tf | 55 ------- modules/vpc-interface-endpoint/migrations.tf | 5 - modules/vpc-interface-endpoint/outputs.tf | 82 ---------- .../vpc-interface-endpoint/resource-group.tf | 31 ---- .../vpc-interface-endpoint/security-group.tf | 72 -------- modules/vpc-interface-endpoint/variables.tf | 101 ------------ modules/vpc-interface-endpoint/versions.tf | 10 -- modules/vpc-peering-accepter/README.md | 60 ------- modules/vpc-peering-accepter/main.tf | 73 --------- modules/vpc-peering-accepter/migrations.tf | 5 
- modules/vpc-peering-accepter/outputs.tf | 24 --- .../vpc-peering-accepter/resource-group.tf | 31 ---- modules/vpc-peering-accepter/variables.tf | 51 ------ modules/vpc-peering-accepter/versions.tf | 10 -- modules/vpc-peering-requester/README.md | 63 ------- modules/vpc-peering-requester/main.tf | 67 -------- modules/vpc-peering-requester/migrations.tf | 5 - modules/vpc-peering-requester/outputs.tf | 38 ----- .../vpc-peering-requester/resource-group.tf | 31 ---- modules/vpc-peering-requester/variables.tf | 67 -------- modules/vpc-peering-requester/versions.tf | 10 -- modules/vpc-peering/README.md | 61 ------- modules/vpc-peering/main.tf | 78 --------- modules/vpc-peering/migrations.tf | 5 - modules/vpc-peering/outputs.tf | 24 --- modules/vpc-peering/resource-group.tf | 31 ---- modules/vpc-peering/variables.tf | 61 ------- modules/vpc-peering/versions.tf | 10 -- modules/vpc/versions.tf | 4 +- 97 files changed, 3 insertions(+), 4731 deletions(-) delete mode 100644 examples/prefix-lists/main.tf delete mode 100644 examples/prefix-lists/outputs.tf delete mode 100644 examples/prefix-lists/versions.tf delete mode 100644 examples/reachability-analyzer/main.tf delete mode 100644 examples/reachability-analyzer/outputs.tf delete mode 100644 examples/reachability-analyzer/versions.tf delete mode 100644 modules/dx-connection/README.md delete mode 100644 modules/dx-connection/main.tf delete mode 100644 modules/dx-connection/outputs.tf delete mode 100644 modules/dx-connection/resource-group.tf delete mode 100644 modules/dx-connection/variables.tf delete mode 100644 modules/dx-connection/versions.tf delete mode 100644 modules/dx-gateway/README.md delete mode 100644 modules/dx-gateway/main.tf delete mode 100644 modules/dx-gateway/outputs.tf delete mode 100644 modules/dx-gateway/variables.tf delete mode 100644 modules/dx-gateway/versions.tf delete mode 100644 modules/dx-private-virtual-interface/README.md delete mode 100644 modules/dx-private-virtual-interface/main.tf delete mode 
100644 modules/dx-private-virtual-interface/outputs.tf delete mode 100644 modules/dx-private-virtual-interface/resource-group.tf delete mode 100644 modules/dx-private-virtual-interface/routers.json delete mode 100644 modules/dx-private-virtual-interface/variables.tf delete mode 100644 modules/dx-private-virtual-interface/versions.tf delete mode 100644 modules/ipam-resource-discovery/README.md delete mode 100644 modules/ipam-resource-discovery/main.tf delete mode 100644 modules/ipam-resource-discovery/outputs.tf delete mode 100644 modules/ipam-resource-discovery/ram-share.tf delete mode 100644 modules/ipam-resource-discovery/resource-group.tf delete mode 100644 modules/ipam-resource-discovery/variables.tf delete mode 100644 modules/ipam-resource-discovery/versions.tf delete mode 100644 modules/ipam/README.md delete mode 100644 modules/ipam/main.tf delete mode 100644 modules/ipam/outputs.tf delete mode 100644 modules/ipam/resource-group.tf delete mode 100644 modules/ipam/variables.tf delete mode 100644 modules/ipam/versions.tf delete mode 100644 modules/prefix-list/README.md delete mode 100644 modules/prefix-list/main.tf delete mode 100644 modules/prefix-list/outputs.tf delete mode 100644 modules/prefix-list/ram-share.tf delete mode 100644 modules/prefix-list/resource-group.tf delete mode 100644 modules/prefix-list/variables.tf delete mode 100644 modules/prefix-list/versions.tf delete mode 100644 modules/reachability-analyzer-path/README.md delete mode 100644 modules/reachability-analyzer-path/main.tf delete mode 100644 modules/reachability-analyzer-path/outputs.tf delete mode 100644 modules/reachability-analyzer-path/resource-group.tf delete mode 100644 modules/reachability-analyzer-path/variables.tf delete mode 100644 modules/reachability-analyzer-path/versions.tf delete mode 100644 modules/vpc-endpoint-service/README.md delete mode 100644 modules/vpc-endpoint-service/main.tf delete mode 100644 modules/vpc-endpoint-service/migrations.tf delete mode 100644 
modules/vpc-endpoint-service/outputs.tf delete mode 100644 modules/vpc-endpoint-service/resource-group.tf delete mode 100644 modules/vpc-endpoint-service/variables.tf delete mode 100644 modules/vpc-endpoint-service/versions.tf delete mode 100644 modules/vpc-gateway-endpoint/README.md delete mode 100644 modules/vpc-gateway-endpoint/main.tf delete mode 100644 modules/vpc-gateway-endpoint/migrations.tf delete mode 100644 modules/vpc-gateway-endpoint/outputs.tf delete mode 100644 modules/vpc-gateway-endpoint/resource-group.tf delete mode 100644 modules/vpc-gateway-endpoint/variables.tf delete mode 100644 modules/vpc-gateway-endpoint/versions.tf delete mode 100644 modules/vpc-interface-endpoint/README.md delete mode 100644 modules/vpc-interface-endpoint/main.tf delete mode 100644 modules/vpc-interface-endpoint/migrations.tf delete mode 100644 modules/vpc-interface-endpoint/outputs.tf delete mode 100644 modules/vpc-interface-endpoint/resource-group.tf delete mode 100644 modules/vpc-interface-endpoint/security-group.tf delete mode 100644 modules/vpc-interface-endpoint/variables.tf delete mode 100644 modules/vpc-interface-endpoint/versions.tf delete mode 100644 modules/vpc-peering-accepter/README.md delete mode 100644 modules/vpc-peering-accepter/main.tf delete mode 100644 modules/vpc-peering-accepter/migrations.tf delete mode 100644 modules/vpc-peering-accepter/outputs.tf delete mode 100644 modules/vpc-peering-accepter/resource-group.tf delete mode 100644 modules/vpc-peering-accepter/variables.tf delete mode 100644 modules/vpc-peering-accepter/versions.tf delete mode 100644 modules/vpc-peering-requester/README.md delete mode 100644 modules/vpc-peering-requester/main.tf delete mode 100644 modules/vpc-peering-requester/migrations.tf delete mode 100644 modules/vpc-peering-requester/outputs.tf delete mode 100644 modules/vpc-peering-requester/resource-group.tf delete mode 100644 modules/vpc-peering-requester/variables.tf delete mode 100644 
modules/vpc-peering-requester/versions.tf delete mode 100644 modules/vpc-peering/README.md delete mode 100644 modules/vpc-peering/main.tf delete mode 100644 modules/vpc-peering/migrations.tf delete mode 100644 modules/vpc-peering/outputs.tf delete mode 100644 modules/vpc-peering/resource-group.tf delete mode 100644 modules/vpc-peering/variables.tf delete mode 100644 modules/vpc-peering/versions.tf diff --git a/.github/labeler.yaml b/.github/labeler.yaml index 20275e3..bb352d2 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -1,31 +1,10 @@ # Modules -":floppy_disk: dx-connection": -- modules/dx-connection/**/* - -":floppy_disk: dx-gateway": -- modules/dx-gateway/**/* - -":floppy_disk: dx-private-virtual-interface": -- modules/dx-private-virtual-interface/**/* - -":floppy_disk: ipam": -- modules/ipam/**/* - -":floppy_disk: ipam-resource-discovery": -- modules/ipam-resource-discovery/**/* - ":floppy_disk: nacl": - modules/nacl/**/* ":floppy_disk: nat-gateway": - modules/nat-gateway/**/* -":floppy_disk: prefix-list": -- modules/prefix-list/**/* - -":floppy_disk: reachability-analyzer-path": -- modules/reachability-analyzer-path/**/* - ":floppy_disk: route-table": - modules/route-table/**/* @@ -34,21 +13,3 @@ ":floppy_disk: vpc": - modules/vpc/**/* - -":floppy_disk: vpc-endpoint-service": -- modules/vpc-endpoint-service/**/* - -":floppy_disk: vpc-gateway-endpoint": -- modules/vpc-gateway-endpoint/**/* - -":floppy_disk: vpc-interface-endpoint": -- modules/vpc-interface-endpoint/**/* - -":floppy_disk: vpc-peering": -- modules/vpc-peering/**/* - -":floppy_disk: vpc-peering-accepter": -- modules/vpc-peering-accepter/**/* - -":floppy_disk: vpc-peering-requester": -- modules/vpc-peering-requester/**/* diff --git a/.github/labels.yaml b/.github/labels.yaml index 02a16ae..42055ae 100644 --- a/.github/labels.yaml +++ b/.github/labels.yaml 
@@ -40,33 +40,12 @@ name: "size/XL" # Modules -- color: "fbca04" - description: "This issue or pull request is related to dx-connection module." - name: ":floppy_disk: dx-connection" -- color: "fbca04" - description: "This issue or pull request is related to dx-gateway module." - name: ":floppy_disk: dx-gateway" -- color: "fbca04" - description: "This issue or pull request is related to dx-private-virtual-interface module." - name: ":floppy_disk: dx-private-virtual-interface" -- color: "fbca04" - description: "This issue or pull request is related to ipam module." - name: ":floppy_disk: ipam" -- color: "fbca04" - description: "This issue or pull request is related to ipam-resource-discovery module." - name: ":floppy_disk: ipam-resource-discovery" - color: "fbca04" description: "This issue or pull request is related to nacl module." name: ":floppy_disk: nacl" - color: "fbca04" description: "This issue or pull request is related to nat-gateway module." name: ":floppy_disk: nat-gateway" -- color: "fbca04" - description: "This issue or pull request is related to prefix-list module." - name: ":floppy_disk: prefix-list" -- color: "fbca04" - description: "This issue or pull request is related to reachability-analyzer-path module." - name: ":floppy_disk: reachability-analyzer-path" - color: "fbca04" description: "This issue or pull request is related to route-table module." name: ":floppy_disk: route-table" 
@@ -79,21 +58,3 @@ - color: "fbca04" description: "This issue or pull request is related to vpc module." name: ":floppy_disk: vpc" -- color: "fbca04" - description: "This issue or pull request is related to vpc-endpoint-service module." - name: ":floppy_disk: vpc-endpoint-service" -- color: "fbca04" - description: "This issue or pull request is related to vpc-gateway-endpoint module." - name: ":floppy_disk: vpc-gateway-endpoint" -- color: "fbca04" - description: "This issue or pull request is related to vpc-interface-endpoint module." - name: ":floppy_disk: vpc-interface-endpoint" -- color: "fbca04" - description: "This issue or pull request is related to vpc-peering module." - name: ":floppy_disk: vpc-peering" -- color: "fbca04" - description: "This issue or pull request is related to vpc-peering-accepter module." - name: ":floppy_disk: vpc-peering-accepter" -- color: "fbca04" - description: "This issue or pull request is related to vpc-peering-requester module." - name: ":floppy_disk: vpc-peering-requester" diff --git a/README.md b/README.md index 2088979..8783486 100644 --- a/README.md +++ b/README.md 
@@ -6,25 +6,12 @@ Terraform module which creates network related resources on AWS. -- [dx-connection](./modules/dx-connection) -- [dx-gateway](./modules/dx-gateway) -- [dx-private-virtual-interface](./modules/dx-private-virtual-interface) -- [ipam](./modules/ipam) -- [ipam-resource-discovery](./modules/ipam-resource-discovery) - [nacl](./modules/nacl) - [nat-gateway](./modules/nat-gateway) -- [prefix-list](./modules/prefix-list) -- [reachability-analyzer-path](./modules/reachability-analyzer-path) - [route-table](./modules/route-table) - [security-group](./modules/security-group) - [subnet-group](./modules/subnet-group) - [vpc](./modules/vpc) -- [vpc-endpoint-service](./modules/vpc-endpoint-service) -- [vpc-gateway-endpoint](./modules/vpc-gateway-endpoint) -- [vpc-interface-endpoint](./modules/vpc-interface-endpoint) -- [vpc-peering](./modules/vpc-peering) -- [vpc-peering-accepter](./modules/vpc-peering-accepter) -- [vpc-peering-requester](./modules/vpc-peering-requester) ## Target AWS Services @@ -37,41 +24,16 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - Route Table - NACL (Network ACL) - Security Group - - Prefix List - - Elastic IP - Gateways - Internet Gateway - NAT Gateway - - Peering - - PrivateLink - - Endpoint Service - - Gateway Endpoint - - Interface Endpoint -- **AWS VPC IPAM(IP Address Manager)** - - IPAM - - Scope - - Pool - - Resource Discovery -- **AWS DX (Direct Connect)** - - Connection - - Gateway - - Virtual Interface - - Private Virtual Interface -- **AWS Network Manager** - - Reachability Analyzer - - Path - - Analysis ## Examples ### VPC -- [prefix-lists](./examples/prefix-lists) - -### Network Manager - -- [reachability-analyzer](./examples/reachability-analyzer) +- To be added ## Self Promotion diff --git a/examples/prefix-lists/main.tf b/examples/prefix-lists/main.tf deleted file mode 100644 index a3268cc..0000000 --- a/examples/prefix-lists/main.tf +++ /dev/null 
@@ -1,54 +0,0 @@ -provider "aws" { - region = "us-east-1" -} - - -################################################### -# Prefix List -################################################### - -module "ipv4" { - source = "../../modules/prefix-list" - # source = "tedilabs/network/aws//modules/prefix-list" - # version = "~> 0.26.0" - - name = "test-ipv4" - address_family = "IPv4" - - entries = [ - { - cidr = "10.1.2.3/32" - description = "my server 1" - }, - { - cidr = "10.1.2.4/32" - }, - ] - - tags = { - "project" = "terraform-aws-network-examples" - } -} - -module "ipv6" { - source = "../../modules/prefix-list" - # source = "tedilabs/network/aws//modules/prefix-list" - # version = "~> 0.26.0" - - name = "test-ipv6" - address_family = "IPv6" - - entries = [ - { - cidr = "2001:0db8:85a3:0000:0000:8a2e:0370:7334/128" - description = "my server 1" - }, - { - cidr = "2001:db8:85a3::/64" - }, - ] - - tags = { - "project" = "terraform-aws-network-examples" - } -} diff --git a/examples/prefix-lists/outputs.tf b/examples/prefix-lists/outputs.tf deleted file mode 100644 index 3a6f830..0000000 --- a/examples/prefix-lists/outputs.tf +++ /dev/null @@ -1,9 +0,0 @@ -output "ipv4" { - description = "The IPv4 prefix list for example." - value = module.ipv4 -} - -output "ipv6" { - description = "The IPv6 prefix list for example." - value = module.ipv6 -} diff --git a/examples/prefix-lists/versions.tf b/examples/prefix-lists/versions.tf deleted file mode 100644 index 3c3b4cf..0000000 --- a/examples/prefix-lists/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = "~> 1.3" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 4.0" - } - } -} diff --git a/examples/reachability-analyzer/main.tf b/examples/reachability-analyzer/main.tf deleted file mode 100644 index 46223d9..0000000 --- a/examples/reachability-analyzer/main.tf +++ /dev/null 
@@ -1,142 +0,0 @@ -provider "aws" { - region = "us-east-1" -} - -data "aws_vpc" "default" { - default = true -} - -data "aws_internet_gateway" "default" { - filter { - name = "attachment.vpc-id" - values = [data.aws_vpc.default.id] - } -} - -################################################### -# Reachability Analyzer -################################################### - -module "reachability_analyzer_path__success" { - source = "../../modules/reachability-analyzer-path" - # source = "tedilabs/network/aws//modules/reachability-analyzer-path" - # version = "~> 0.26.0" - - name = "test-success" - - protocol = "TCP" - source_network = { - id = data.aws_internet_gateway.default.internet_gateway_id - } - destination_network = { - id = module.instance.id - ip_address = module.instance.network.private_ip - } - - analyses = [ - { - name = "analysis-01" - } - ] - - tags = { - "project" = "terraform-aws-network-examples" - } -} - -module "reachability_analyzer_path__fail" { - source = "../../modules/reachability-analyzer-path" - # source = "tedilabs/network/aws//modules/reachability-analyzer-path" - # version = "~> 0.26.0" - - name = "test-fail" - - protocol = "TCP" - source_network = { - id = data.aws_internet_gateway.default.internet_gateway_id - } - destination_network = { - id = module.instance.id - ip_address = module.instance.network.private_ip - port = 22 - } - - analyses = [ - { - name = "analysis-01" - } - ] - - tags = { - "project" = "terraform-aws-network-examples" - } -} - - -################################################### -# EC2 Instance -################################################### - -data "aws_ami" "ubuntu" { - most_recent = true - - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } - - owners = ["099720109477"] -} - -module "security_group" { - source = "../../modules/security-group" - # source = 
"tedilabs/network/aws//modules/security-group" - # version = "~> 0.26.0" - - name = "reachability-analyzer-test" - - vpc_id = data.aws_vpc.default.id - - ingress_rules = [ - { - id = "http/all" - protocol = "tcp" - from_port = 80 - to_port = 80 - cidr_blocks = ["0.0.0.0/0"] - } - ] - egress_rules = [ - { - id = "all/all" - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = ["0.0.0.0/0"] - } - ] - - tags = { - "project" = "terraform-aws-network-examples" - } -} - -module "instance" { - source = "tedilabs/ec2/aws//modules/instance" - version = "~> 0.2.0" - - name = "reachability-analyzer-test" - type = "t2.micro" - ami = data.aws_ami.ubuntu.image_id - - security_groups = [module.security_group.id] - - tags = { - "project" = "terraform-aws-network-examples" - } -} diff --git a/examples/reachability-analyzer/outputs.tf b/examples/reachability-analyzer/outputs.tf deleted file mode 100644 index 34772c2..0000000 --- a/examples/reachability-analyzer/outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "paths" { - description = "The reachability analyzer paths for example." - value = { - success = module.reachability_analyzer_path__success - fail = module.reachability_analyzer_path__fail - } -} diff --git a/examples/reachability-analyzer/versions.tf b/examples/reachability-analyzer/versions.tf deleted file mode 100644 index 3c3b4cf..0000000 --- a/examples/reachability-analyzer/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = "~> 1.3" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 4.0" - } - } -} diff --git a/modules/dx-connection/README.md b/modules/dx-connection/README.md deleted file mode 100644 index 2bfb21c..0000000 --- a/modules/dx-connection/README.md +++ /dev/null 
@@ -1,67 +0,0 @@ -# dx-connection - -This module creates following resources. - -- `aws_dx_connection` -- `aws_dx_macsec_key_association` (optional) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.60 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.61.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_dx_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_connection) | resource | -| [aws_dx_macsec_key_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_macsec_key_association) | resource | -| [aws_dx_location.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/dx_location) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [bandwidth](#input\_bandwidth) | (Required) The bandwidth of the DX connection. Valid values for dedicated connections: 1Gbps, 10Gbps. Valid values for hosted connections: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps and 100Gbps. Case sensitive. | `string` | n/a | yes | -| [location\_code](#input\_location\_code) | (Required) The location code of AWS Direct Connect location where the connection is located. See `DescribeLocations` API for the list of AWS Direct Connect locations. | `string` | n/a | yes | -| [name](#input\_name) | (Required) The name of the DX connection. | `string` | n/a | yes | -| [encryption](#input\_encryption) | (Optional) The configuration for MACsec encryption of the AWS Direct Connect connection. 
MACsec is supported on 10 Gbps and 100 Gbps dedicated Direct Connect connections at selected points of presence. `encryption` as defined below.
(Optional) `request_macsec_capable_port` - Indicate whether you want the connection to support MAC Security (MACsec). MAC Security (MACsec) is only available on dedicated connections. See MACsec prerequisites for more information about MAC Security (MACsec) prerequisites. Defaults to `false`. Changing the value will cause the resource to be destroyed and re-created.
(Optional) `mode` - The connection MAC Security (MACsec) encryption mode. MAC Security (MACsec) is only available on dedicated connections. Valid values are `NO_ENCRYPT`, `SHOULD_ENCRYPT` and `MUST_ENCRYPT`. You can only specify the encryption\_mode argument once the connection is in an Available state.
(Optional) `macsec_key_pair` - The values in this pair are used to generate the MACsec secret key. The MACsec secret key is generated by the devices at the ends of the connection using the CKN/CAK pair that you provide to AWS. `macsec_key_pair` as defined below.
(Required) `ckn` - The Connection Key Name (CKN) to associate with the dedicated connection. The valid values are 64 hexadecimal characters.
(Required) `cak` - The Connectivity Association Key (CAK) to associate with the dedicated connection. The valid values are 64 hexadecimal characters. |
object({
request_macsec_capable_port = optional(bool, false)
mode = optional(string)
macsec_key_pair = optional(object({
ckn = string
cak = string
}))
})
| `{}` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [service\_provider](#input\_service\_provider) | (Optional) The name of the service provider associated with the connection. | `string` | `null` | no | -| [skip\_destroy](#input\_skip\_destroy) | (Optional) Set to `true` if you do not wish the connection to be deleted at destroy time, and instead just removed from the Terraform state. | `bool` | `false` | no | -| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | The ARN of the DX connection. | -| [aws\_device](#output\_aws\_device) | The Direct Connect endpoint on which the physical connection terminates. | -| [bandwidth](#output\_bandwidth) | The bandwidth of the DX connection. | -| [encryption](#output\_encryption) | The configuration for MACsec encryption of the AWS Direct Connect connection.
`macsec_capable` - Whether the connection supports MAC Security (MACsec).
`mode` - The connection MAC Security (MACsec) encryption mode.
`status` - The MAC Security (MACsec) port link status of the connection. | -| [id](#output\_id) | The ID of the DX connection. | -| [jumbo\_frame\_capable](#output\_jumbo\_frame\_capable) | Whether jumbo frames (9001 MTU) are supported. | -| [location](#output\_location) | The information of the AWS Direct Connect location where the connection is located. | -| [logical\_redundancy\_capable](#output\_logical\_redundancy\_capable) | Indicate whether the connection supports a secondary BGP peer in the same address family (IPv4/IPv6). | -| [name](#output\_name) | The name of the DX connection. | -| [service\_provider](#output\_service\_provider) | The name of the service provider associated with the connection. | -| [vlan](#output\_vlan) | The ID of the VLAN. | - diff --git a/modules/dx-connection/main.tf b/modules/dx-connection/main.tf deleted file mode 100644 index 24e36d9..0000000 --- a/modules/dx-connection/main.tf +++ /dev/null 
@@ -1,74 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-locals {
- encryption_mode = {
- "NO_ENCRYPT" = "no_encrypt"
- "SHOULD_ENCRYPT" = "should_encrypt"
- "MUST_ENCRYPT" = "must_encrypt"
- }
-}
-
-
-###################################################
-# Direct Connect Location
-###################################################
-
-data "aws_dx_location" "this" {
- location_code = var.location_code
-}
-
-
-###################################################
-# Direct Connect Connection
-###################################################
-
-resource "aws_dx_connection" "this" {
- name = local.metadata.name
- skip_destroy = var.skip_destroy
- bandwidth = var.bandwidth
-
- location = data.aws_dx_location.this.location_code
- provider_name = var.service_provider
-
- request_macsec = var.encryption.request_macsec_capable_port
- encryption_mode = (var.encryption.mode != null
- ? local.encryption_mode[var.encryption.mode]
- : null
- )
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
-
-# INFO: Not supported attributes
-# - `secret_arn`
-resource "aws_dx_macsec_key_association" "this" {
- count = alltrue([
- var.encryption.request_macsec_capable_port,
- var.encryption.macsec_key_pair != null,
- ]) ? 1 : 0
-
- connection_id = aws_dx_connection.this.id
-
- ckn = try(var.encryption.macsec_key_pair.ckn, null)
- cak = try(var.encryption.macsec_key_pair.cak, null)
-}
diff --git a/modules/dx-connection/outputs.tf b/modules/dx-connection/outputs.tf
deleted file mode 100644
index 4488d2b..0000000
--- a/modules/dx-connection/outputs.tf
+++ /dev/null
@@ -1,73 +0,0 @@ -output "id" { - description = "The ID of the DX connection." - value = aws_dx_connection.this.id -} - -output "arn" { - description = "The ARN of the DX connection." - value = aws_dx_connection.this.arn -} - -output "name" { - description = "The name of the DX connection." - value = aws_dx_connection.this.name -} - -output "aws_device" { - description = "The Direct Connect endpoint on which the physical connection terminates." - value = aws_dx_connection.this.aws_device -} - -output "bandwidth" { - description = "The bandwidth of the DX connection." - value = aws_dx_connection.this.bandwidth -} - -output "vlan" { - description = "The ID of the VLAN." - value = aws_dx_connection.this.vlan_id -} - -output "jumbo_frame_capable" { - description = "Whether jumbo frames (9001 MTU) are supported." - value = aws_dx_connection.this.jumbo_frame_capable -} - -output "logical_redundancy_capable" { - description = "Indicate whether the connection supports a secondary BGP peer in the same address family (IPv4/IPv6)." - value = aws_dx_connection.this.has_logical_redundancy != "no" -} - -output "location" { - description = < -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.60 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.61.0 | - -## Modules - -No modules. 
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_dx_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_gateway) | resource |
-| [aws_dx_gateway_association.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_gateway_association) | resource |
-| [aws_dx_gateway_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_gateway_association) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [asn](#input\_asn) | (Required) The ASN to be configured on the Amazon side of the connection. The ASN must be in the private range of 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294. | `number` | n/a | yes |
-| [name](#input\_name) | (Required) Desired name for the DX Gateway resources. | `string` | n/a | yes |
-| [cross\_account\_gateway\_associations](#input\_cross\_account\_gateway\_associations) | (Optional) The configuration to associate a list of VPN Gateway or Transit Gateway with a Direct Connect Gateway in cross account. Each block of `cross_account_gateway_associations` as defined below.
(Required) `account_id` - The ID of the AWS account that owns the Virtual Private Gateway or Transit Gateway.
(Required) `proposal_id` - The ID of the request proposal.
(Optional) `allowed_prefixes` - A list of VPC prefixes (CIDRs) to advertise to the Direct Connect gateway. Defaults to the CIDR block of the VPC associated with the Virtual Gateway. To enable drift detection, must be configured. |
list(object({
account_id = string
proposal_id = string
allowed_prefixes = optional(list(string), [])
}))
| `[]` | no |
-| [gateway\_associations](#input\_gateway\_associations) | (Optional) The configuration to associate a list of VPN Gateway or Transit Gateway with a Direct Connect Gateway in same account. Each block of `gateway_associations` as defined below.
(Required) `gateway_id` - The ID of the VPN Gateway or Transit Gateway with which to associate. Used for single account Direct Connect gateway associations.
(Optional) `allowed_prefixes` - A list of VPC prefixes (CIDRs) to advertise to the Direct Connect gateway. Defaults to the CIDR block of the VPC associated with the Virtual Gateway. To enable drift detection, must be configured. |
list(object({
gateway_id = string
allowed_prefixes = optional(list(string), [])
}))
| `[]` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [asn](#output\_asn) | The ASN of the Amazon side of the connection. |
-| [cross\_account\_gateway\_associations](#output\_cross\_account\_gateway\_associations) | Associated VGW or Transit gateway with a Direct Connect Gateway in cross account. |
-| [gateway\_associations](#output\_gateway\_associations) | Associated VGW or Transit gateway with a Direct Connect Gateway in same account. |
-| [id](#output\_id) | The ID of the DX Gateway. |
-| [name](#output\_name) | The name of the DX Gateway. |
-| [owner\_account\_id](#output\_owner\_account\_id) | AWS Account ID of the gateway. |
-
diff --git a/modules/dx-gateway/main.tf b/modules/dx-gateway/main.tf
deleted file mode 100644
index d7d621e..0000000
--- a/modules/dx-gateway/main.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
-}
-
-resource "aws_dx_gateway" "this" {
- name = local.metadata.name
- amazon_side_asn = var.asn
-}
-
-resource "aws_dx_gateway_association" "this" {
- for_each = {
- for association in var.gateway_associations :
- association.gateway_id => association
- }
-
- dx_gateway_id = aws_dx_gateway.this.id
-
- associated_gateway_id = each.key
- allowed_prefixes = each.value.allowed_prefixes
-}
-
-resource "aws_dx_gateway_association" "external" {
- for_each = {
- for association in var.cross_account_gateway_associations :
- association.proposal_id => association
- }
-
- dx_gateway_id = aws_dx_gateway.this.id
-
- associated_gateway_owner_account_id = each.value.account_id
- proposal_id = each.key
- allowed_prefixes = each.value.allowed_prefixes
-}
diff --git a/modules/dx-gateway/outputs.tf b/modules/dx-gateway/outputs.tf
deleted file mode 100644
index e0e8b3b..0000000
--- a/modules/dx-gateway/outputs.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-output "id" {
- description = "The ID of the DX Gateway."
- value = aws_dx_gateway.this.id
-}
-
-output "name" {
- description = "The name of the DX Gateway."
- value = aws_dx_gateway.this.name
-}
-
-output "asn" {
- description = "The ASN of the Amazon side of the connection."
- value = aws_dx_gateway.this.amazon_side_asn
-}
-
-output "owner_account_id" {
- description = "AWS Account ID of the gateway."
- value = aws_dx_gateway.this.owner_account_id
-}
-
-output "gateway_associations" {
- description = "Associated VGW or Transit gateway with a Direct Connect Gateway in same account."
- value = [
- for assoc in aws_dx_gateway_association.this : {
- id = assoc.id
- gateway_id = assoc.associated_gateway_id
- gateway_type = assoc.associated_gateway_type
- owner_account_id = assoc.associated_gateway_owner_account_id
- allowed_prefixes = assoc.allowed_prefixes
- }
- ]
-}
-
-output "cross_account_gateway_associations" {
- description = "Associated VGW or Transit gateway with a Direct Connect Gateway in cross account."
- value = [
- for assoc in aws_dx_gateway_association.external : {
- id = assoc.id
- gateway_id = assoc.associated_gateway_id
- gateway_type = assoc.associated_gateway_type
- owner_account_id = assoc.associated_gateway_owner_account_id
- proposal_id = assoc.proposal_id
- allowed_prefixes = assoc.allowed_prefixes
- }
- ]
-}
diff --git a/modules/dx-gateway/variables.tf b/modules/dx-gateway/variables.tf
deleted file mode 100644
index 4bdae38..0000000
--- a/modules/dx-gateway/variables.tf
+++ /dev/null
@@ -1,41 +0,0 @@ -variable "name" { - description = "(Required) Desired name for the DX Gateway resources." - type = string - nullable = false -} - -variable "asn" { - description = "(Required) The ASN to be configured on the Amazon side of the connection. The ASN must be in the private range of 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294." - type = number - nullable = false -} - -variable "gateway_associations" { - description = < -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.60 | -| [local](#requirement\_local) | >= 2.4 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.61.0 | -| [local](#provider\_local) | 2.4.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_dx_bgp_peer.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_bgp_peer) | resource | -| [aws_dx_private_virtual_interface.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dx_private_virtual_interface) | resource | -| [local_file.this](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [aws_dx_router_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/dx_router_configuration) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [bgp\_peerings](#input\_bgp\_peerings) | (Required) The configuration for BGP(Border Gateway Protocol) Peerings of the virtual interface. You must create a BGP peer for the corresponding address family (IPv4/IPv6) in order to access AWS resources that also use that address family. 
If logical redundancy is not supported by the connection, interconnect, or LAG, the BGP peer cannot be in the same address family as an existing BGP peer on the virtual interface. When creating a IPv6 BGP peer, omit the Amazon address and customer address. IPv6 addresses are automatically assigned from the Amazon pool of IPv6 addresses; you cannot specify custom IPv6 addresses. Each block of `bgp_peerings` as defined below.
(Required) `address_family` - The address family for the BGP peer. Valid values are `IPV4` or `IPV6`. Defaults to `IPV4`.
(Required) `bgp_asn` - The Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your on-premises router for the new virtual interface. Valid ranges are 1 - 2147483647.
(Optional) `bgp_auth_key` - The password that will be used to authenticate the BGP session.
(Optional) `amazon_address` - The BGP peer IP configured on the AWS endpoint. Required for IPv4 BGP peering.
(Optional) `customer_address` - The BGP peer IP configured on your endpoint. Required for IPv4 BGP peering. |
list(object({
address_family = string
bgp_asn = number
bgp_auth_key = optional(string)
amazon_address = optional(string)
customer_address = optional(string)
}))
| n/a | yes |
-| [connection](#input\_connection) | (Required) The ID of the Direct Connect connection (or LAG) on which the new virtual interface will be provisioned. | `string` | n/a | yes |
-| [gateway](#input\_gateway) | (Required) The gateway configuration to connect to VPCs and Regions for this virtual interface. `gateway` as defined below.
(Required) `type` - A gateway type for this virtual interface.
- `DIRECT_CONNECT_GATEWAY`: Allow connections to multiple VPCs and Regions.
- `VIRTUAL_PRIVATE_GATEWAY`: Allow connections to a single VPC in the same Region.
(Required) `id` - The ID of the Direct Connect Gateway or Virtual Private Gateway to which to connect the virtual interface. |
object({
type = string
id = string
})
| n/a | yes |
-| [name](#input\_name) | (Required) The name of the virtual interface assigned by the customer network. The name has a maximum of 100 characters. The following are valid characters: a-z, 0-9 and a hyphen (-). | `string` | n/a | yes |
-| [vlan](#input\_vlan) | (Required) The Virtual Local Area Network number for the new virtual interface. Valid ranges are 1 - 4094. | `number` | n/a | yes |
-| [jumbo\_frame\_enabled](#input\_jumbo\_frame\_enabled) | (Optional) Whether to allow MTU size of `9001` on virtual interface. The MTU of a virtual private interface can be either `1500` or `9001` (jumbo frames). Defaults to `false`. | `bool` | `false` | no |
-| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
-| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
-| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
-| [router\_configuration](#input\_router\_configuration) | (Optional) The configuration to retrieve a sample router configuration for the virtual interface. `router_configuration` as defined below.
(Optional) `router` - The ID of the Router Type to get the sample router configuration. For example: `CiscoSystemsInc-2900SeriesRouters-IOS124`.
(Optional) `output_path` - The path to save sample router configuration. |
object({
router = optional(string)
output_path = optional(string)
})
| `{}` | no |
-| [sitelink\_enabled](#input\_sitelink\_enabled) | (Optional) Indicate whether to enable SiteLink. Control direct connectivity between Direct Connect points of presence. Subject to additional charges. Defaults to `false`. | `bool` | `false` | no |
-| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [arn](#output\_arn) | The ARN of the virtual interface. |
-| [aws\_device](#output\_aws\_device) | The Direct Connect endpoint on which the virtual interface terminates. |
-| [bgp\_peerings](#output\_bgp\_peerings) | The configuration for BGP(Border Gateway Protocol) Peerings of the virtual interface.
`address_family` - The address family for the BGP peer.
`bgp_asn` - The Border Gateway Protocol (BGP) Autonomous System Number (ASN) of your on-premises router.
`bgp_auth_key` - The password that will be used to authenticate the BGP session.
`amazon_address` - The BGP peer IP configured on the AWS endpoint.
`customer_address` - The BGP peer IP configured on your endpoint. |
-| [connection](#output\_connection) | The ID of the Direct Connect connection. |
-| [gateway](#output\_gateway) | The ID of the Direct Connect connection. |
-| [id](#output\_id) | The ID of the virtual interface. |
-| [jumbo\_frame\_capable](#output\_jumbo\_frame\_capable) | Whether jumbo frames (9001 MTU) are supported. |
-| [jumbo\_frame\_enabled](#output\_jumbo\_frame\_enabled) | Whether jumbo frames (9001 MTU) are enabled. |
-| [mtu](#output\_mtu) | The MTU of the virtual interface. |
-| [name](#output\_name) | The name of the virtual interface. |
-| [router\_configuration](#output\_router\_configuration) | The sample router configuration for the virtual interface. |
-| [sitelink\_enabled](#output\_sitelink\_enabled) | Indicate whether to enable SiteLink. |
-| [vlan](#output\_vlan) | The ID of the VLAN. |
-
diff --git a/modules/dx-private-virtual-interface/main.tf b/modules/dx-private-virtual-interface/main.tf
deleted file mode 100644
index 3259fc3..0000000
--- a/modules/dx-private-virtual-interface/main.tf
+++ /dev/null
@@ -1,117 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-locals {
- address_family = {
- "IPV4" = "ipv4"
- "IPV6" = "ipv6"
- }
-
- primary_peering = var.bgp_peerings[0]
- secondary_peerings = slice(var.bgp_peerings, 1, length(var.bgp_peerings))
-
- routers = jsondecode(file("${path.module}/routers.json"))
- router_ids = local.routers[*].id
-}
-
-
-###################################################
-# Private VIF (Virtual Interface) of Direct Connect
-###################################################
-
-resource "aws_dx_private_virtual_interface" "this" {
- name = var.name
-
- connection_id = var.connection
-
- dx_gateway_id = (var.gateway.type == "DIRECT_CONNECT_GATEWAY"
- ? var.gateway.id
- : null
- )
- vpn_gateway_id = (var.gateway.type == "VIRTUAL_PRIVATE_GATEWAY"
- ? var.gateway.id
- : null
- )
-
- vlan = var.vlan
- mtu = var.jumbo_frame_enabled ? 
9001 : 1500
- sitelink_enabled = var.sitelink_enabled
-
- ## BGP Peering
- address_family = local.address_family[local.primary_peering.address_family]
- bgp_asn = local.primary_peering.bgp_asn
- bgp_auth_key = local.primary_peering.bgp_auth_key
-
- amazon_address = local.primary_peering.amazon_address
- customer_address = local.primary_peering.customer_address
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
-
-
-###################################################
-# Additional BGP Peerings for Private VIF
-###################################################
-
-resource "aws_dx_bgp_peer" "this" {
- for_each = {
- for peering in local.secondary_peerings :
- "${peering.address_family}/${peering.bgp_asn}" => peering
- }
-
- virtual_interface_id = aws_dx_private_virtual_interface.this.id
-
- address_family = local.address_family[each.value.address_family]
-
- bgp_asn = each.value.bgp_asn
- bgp_auth_key = each.value.bgp_auth_key
-
- amazon_address = each.value.amazon_address
- customer_address = each.value.customer_address
-}
-
-
-###################################################
-# Sample Router Configuration for Private VIF (Virtual Interface)
-###################################################
-
-data "aws_dx_router_configuration" "this" {
- count = var.router_configuration.router != null ? 1 : 0
-
- virtual_interface_id = aws_dx_private_virtual_interface.this.id
- router_type_identifier = var.router_configuration.router
-
- lifecycle {
- precondition {
- condition = contains(local.router_ids, var.router_configuration.router)
- error_message = "Not supported router ID: ${var.router_configuration.router}."
- }
- }
-}
-
-resource "local_file" "this" {
- count = var.router_configuration.router != null ? 
1 : 0
-
- filename = coalesce(var.router_configuration.output_path,
- "${path.root}/outputs/${var.name}.${var.router_configuration.router}.conf")
- content = one(data.aws_dx_router_configuration.this[*].customer_router_config)
-}
diff --git a/modules/dx-private-virtual-interface/outputs.tf b/modules/dx-private-virtual-interface/outputs.tf
deleted file mode 100644
index 4ad3b0e..0000000
--- a/modules/dx-private-virtual-interface/outputs.tf
+++ /dev/null
@@ -1,107 +0,0 @@
-output "id" {
- description = "The ID of the virtual interface."
- value = aws_dx_private_virtual_interface.this.id
-}
-
-output "arn" {
- description = "The ARN of the virtual interface."
- value = aws_dx_private_virtual_interface.this.arn
-}
-
-output "name" {
- description = "The name of the virtual interface."
- value = aws_dx_private_virtual_interface.this.name
-}
-
-output "connection" {
- description = "The ID of the Direct Connect connection."
- value = aws_dx_private_virtual_interface.this.connection_id
-}
-
-output "gateway" {
- description = "The ID of the Direct Connect connection."
- value = {
- type = var.gateway.type
- id = {
- "DIRECT_CONNECT_GATEWAY" = aws_dx_private_virtual_interface.this.dx_gateway_id
- "VIRTUAL_PRIVATE_GATEWAY" = aws_dx_private_virtual_interface.this.vpn_gateway_id
- }[var.gateway.type]
- }
-}
-
-output "vlan" {
- description = "The ID of the VLAN."
- value = aws_dx_private_virtual_interface.this.vlan
-}
-
-output "aws_device" {
- description = "The Direct Connect endpoint on which the virtual interface terminates."
- value = aws_dx_private_virtual_interface.this.aws_device
-}
-
-output "jumbo_frame_capable" {
- description = "Whether jumbo frames (9001 MTU) are supported."
- value = aws_dx_private_virtual_interface.this.jumbo_frame_capable
-}
-
-output "jumbo_frame_enabled" {
- description = "Whether jumbo frames (9001 MTU) are enabled."
- value = aws_dx_private_virtual_interface.this.mtu == 9001
-}
-
-output "mtu" {
- description = "The MTU of the virtual interface."
- value = aws_dx_private_virtual_interface.this.mtu
-}
-
-output "sitelink_enabled" {
- description = "Indicate whether to enable SiteLink." 
- value = aws_dx_private_virtual_interface.this.sitelink_enabled -} - -output "bgp_peerings" { - description = < k - }[aws_dx_private_virtual_interface.this.address_family] - bgp_asn = aws_dx_private_virtual_interface.this.bgp_asn - bgp_auth_key = aws_dx_private_virtual_interface.this.bgp_auth_key - amazon_address = aws_dx_private_virtual_interface.this.amazon_address - customer_address = aws_dx_private_virtual_interface.this.customer_address - }], - [ - for peering in aws_dx_bgp_peer.this : { - address_family = { - for k, v in local.address_family : - v => k - }[peering.address_family] - bgp_asn = peering.bgp_asn - bgp_auth_key = peering.bgp_auth_key - amazon_address = peering.amazon_address - customer_address = peering.customer_address - } - ] - ) -} - -output "router_configuration" { - description = "The sample router configuration for the virtual interface." - value = { - router = one([ - for router in local.routers : - router - if router.id == var.router_configuration.router - ]) - output_path = var.router_configuration.output_path - } -} diff --git a/modules/dx-private-virtual-interface/resource-group.tf b/modules/dx-private-virtual-interface/resource-group.tf deleted file mode 100644 index 7487ba0..0000000 --- a/modules/dx-private-virtual-interface/resource-group.tf +++ /dev/null @@ -1,31 +0,0 @@ -locals { - resource_group_name = (var.resource_group_name != "" - ? var.resource_group_name - : join(".", [ - local.metadata.package, - local.metadata.module, - replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), - ]) - ) -} - - -module "resource_group" { - source = "tedilabs/misc/aws//modules/resource-group" - version = "~> 0.10.0" - - count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 - - name = local.resource_group_name - description = var.resource_group_description - - query = { - resource_tags = local.module_tags - } - - module_tags_enabled = false - tags = merge( - local.module_tags, - var.tags, - ) -} 
diff --git a/modules/dx-private-virtual-interface/routers.json b/modules/dx-private-virtual-interface/routers.json
deleted file mode 100644
index e485615..0000000
--- a/modules/dx-private-virtual-interface/routers.json
+++ /dev/null
@@ -1,74 +0,0 @@
-[
- {
- "id": "CiscoSystemsInc-2900SeriesRouters-IOS124",
- "platform": "2900 Series Routers",
- "software": "IOS 12.4+",
- "vendor": "Cisco Systems, Inc.",
- "xsltTemplateName": "customer-router-cisco-generic.xslt",
- "xsltTemplateNameForMacSec": ""
- },
- {
- "id": "CiscoSystemsInc-3700SeriesRouters-IOS124",
- "platform": "3700 Series Routers",
- "software": "IOS 12.4+",
- "vendor": "Cisco Systems, Inc.",
- "xsltTemplateName": "customer-router-cisco-generic.xslt",
- "xsltTemplateNameForMacSec": ""
- },
- {
- "id": "CiscoSystemsInc-7200SeriesRouters-IOS124",
- "platform": "7200 Series Routers",
- "software": "IOS 12.4+",
- "vendor": "Cisco Systems, Inc.",
- "xsltTemplateName": "customer-router-cisco-generic.xslt",
- "xsltTemplateNameForMacSec": ""
- },
- {
- "id": "CiscoSystemsInc-Nexus7000SeriesSwitches-NXOS51",
- "platform": "Nexus 7000 Series Switches",
- "software": "NX-OS 5.1+",
- "vendor": "Cisco Systems, Inc.",
- "xsltTemplateName": "customer-switch-cisco-nexus-generic.xslt",
- "xsltTemplateNameForMacSec": ""
- },
- {
- "id": "CiscoSystemsInc-Nexus9KSeriesSwitches-NXOS93",
- "platform": "Nexus 9K+ Series Switches",
- "software": "NX-OS 9.3+",
- "vendor": "Cisco Systems, Inc.",
- "xsltTemplateName": "customer-switch-cisco-nexus-generic.xslt",
- "xsltTemplateNameForMacSec": "customer-switch-cisco-nexus-generic-macsec.xslt"
- },
- {
- "id": "JuniperNetworksInc-MMXSeriesRouters-JunOS95",
- "platform": "M/MX Series Routers",
- "software": "JunOS 9.5+",
- "vendor": "Juniper Networks, Inc.",
- "xsltTemplateName": "customer-router-juniper-generic.xslt",
- "xsltTemplateNameForMacSec": "customer-router-juniper-generic-macsec.xslt"
- },
- {
- "id": "JuniperNetworksInc-SRXSeriesRouters-JunOS95",
- "platform": "SRX Series Routers",
- "software": "JunOS 9.5+",
- "vendor": "Juniper Networks, Inc.",
- "xsltTemplateName": "customer-router-juniper-generic.xslt",
- "xsltTemplateNameForMacSec": ""
- },
- {
- "id": "JuniperNetworksInc-TSeriesRouters-JunOS95",
- "platform": "T Series Routers",
- "software": "JunOS 9.5+",
- "vendor": "Juniper Networks, Inc.",
- "xsltTemplateName": "customer-router-juniper-generic.xslt",
- "xsltTemplateNameForMacSec": ""
- },
- {
- "id": "PaloAltoNetworks-PA3000and5000series-PANOS803",
- "platform": "PA-3000+ and 5000+ series",
- "software": "PAN-OS 8.0.3+",
- "vendor": "Palo Alto Networks",
- "xsltTemplateName": "customer-router-palo-alto-generic.xslt",
- "xsltTemplateNameForMacSec": ""
- }
-]
diff --git a/modules/dx-private-virtual-interface/variables.tf b/modules/dx-private-virtual-interface/variables.tf
deleted file mode 100644
index ef1e221..0000000
--- a/modules/dx-private-virtual-interface/variables.tf
+++ /dev/null
@@ -1,154 +0,0 @@ -variable "name" { - description = "(Required) The name of the virtual interface assigned by the customer network. The name has a maximum of 100 characters. The following are valid characters: a-z, 0-9 and a hyphen (-)." - type = string - nullable = false -} - -variable "connection" { - description = "(Required) The ID of the Direct Connect connection (or LAG) on which the new virtual interface will be provisioned." - type = string - nullable = false -} - -variable "gateway" { - description = <= 1, - var.vlan <= 4094, - ]) - error_message = "Valid ranges are 1 - 4094." - } -} - -variable "jumbo_frame_enabled" { - description = "(Optional) Whether to allow MTU size of `9001` on virtual interface. The MTU of a virtual private interface can be either `1500` or `9001` (jumbo frames). Defaults to `false`." - type = bool - default = false - nullable = false -} - -variable "sitelink_enabled" { - description = "(Optional) Indicate whether to enable SiteLink. Control direct connectivity between Direct Connect points of presence. Subject to additional charges. Defaults to `false`." - type = bool - default = false - nullable = false -} - -variable "bgp_peerings" { - description = < 0 - error_message = "At least 1 BGP peering is required." - } - validation { - condition = alltrue([ - for peering in var.bgp_peerings : - contains(["IPV4", "IPV6"], peering.address_family) - ]) - error_message = "Valid values for `address_family` are `IPV4` and `IPV6`." - } - validation { - condition = alltrue([ - for peering in var.bgp_peerings : - alltrue([ - peering.bgp_asn >= 1, - peering.bgp_asn <= 2147483647, - ]) - ]) - error_message = "Valid ranges for `bgp_asn` are 1 - 2147483647." 
- } -} - -variable "router_configuration" { - description = < -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.58 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.58.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | -| [share](#module\_share) | tedilabs/account/aws//modules/ram-share | ~> 0.24.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_vpc_ipam_resource_discovery.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_resource_discovery) | resource | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_regions.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [name](#input\_name) | (Required) The name of the IPAM resource discovery. | `string` | n/a | yes | -| [description](#input\_description) | (Optional) A description for the IPAM resource discovery. | `string` | `"Managed by Terraform."` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [operating\_regions](#input\_operating\_regions) | (Optional) A set of operating regions for the IPAM resource discovery. Operating Regions are AWS Regions where the IPAM is allowed to manage IP address CIDRs. IPAM only discovers and monitors resources in the AWS Regions you select as operating Regions. The current region is required to include. 
| `set(string)` | `[]` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). |
list(object({
name = optional(string)

permissions = optional(set(string), ["AWSRAMPermissionIpamResourceDiscovery"])

external_principals_allowed = optional(bool, false)
principals = optional(set(string), [])

tags = optional(map(string), {})
}))
| `[]` | no | -| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | The ARN of the IPAM resource discovery. | -| [description](#output\_description) | The description of the IPAM resource discovery. | -| [id](#output\_id) | The ID of the IPAM resource discovery. | -| [is\_default](#output\_is\_default) | Whether the resource discovery is the default. The default resource discovery is the resource discovery automatically created when you create an IPAM. | -| [name](#output\_name) | The name of the IPAM resource discovery. | -| [operating\_regions](#output\_operating\_regions) | A set of operating regions for the IPAM resource discovery. | -| [owner\_id](#output\_owner\_id) | The account ID for the account that manages the Resource Discovery. | -| [region](#output\_region) | The home region of the Resource Discovery. | -| [sharing](#output\_sharing) | The configuration for sharing of the IPAM resource discovery resource discovery.
`status` - An indication of whether the IPAM resource discovery resource discovery is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
`shares` - The list of resource shares via RAM (Resource Access Manager). |
-
diff --git a/modules/ipam-resource-discovery/main.tf b/modules/ipam-resource-discovery/main.tf
deleted file mode 100644
index b4de284..0000000
--- a/modules/ipam-resource-discovery/main.tf
+++ /dev/null
@@ -1,65 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-data "aws_region" "this" {}
-data "aws_regions" "this" {
- all_regions = true
-}
-
-locals {
- region = data.aws_region.this.name
- all_regions = data.aws_regions.this.names
-}
-
-
-###################################################
-# Resource Discovery of IPAM (IP Address Manager)
-###################################################
-
-resource "aws_vpc_ipam_resource_discovery" "this" {
- description = var.description
-
- dynamic "operating_regions" {
- for_each = var.operating_regions
-
- content {
- region_name = operating_regions.value
- }
- }
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-
- lifecycle {
- precondition {
- condition = contains(var.operating_regions, local.region)
- error_message = "The current region is required to include in `operating_regions`."
- }
-
- precondition {
- condition = alltrue([
- for region in var.operating_regions :
- contains(local.all_regions, region)
- ])
- error_message = "There is invalid AWS region name."
- }
- }
-}
diff --git a/modules/ipam-resource-discovery/outputs.tf b/modules/ipam-resource-discovery/outputs.tf deleted file mode 100644 index b734e69..0000000 --- a/modules/ipam-resource-discovery/outputs.tf +++ /dev/null @@ -1,51 +0,0 @@ -output "id" { - description = "The ID of the IPAM resource discovery." - value = aws_vpc_ipam_resource_discovery.this.id -} - -output "arn" { - description = "The ARN of the IPAM resource discovery." - value = aws_vpc_ipam_resource_discovery.this.arn -} - -output "owner_id" { - description = "The account ID for the account that manages the Resource Discovery." - value = aws_vpc_ipam_resource_discovery.this.owner_id -} - -output "region" { - description = "The home region of the Resource Discovery." - value = aws_vpc_ipam_resource_discovery.this.ipam_resource_discovery_region -} - -output "name" { - description = "The name of the IPAM resource discovery." - value = local.metadata.name -} - -output "description" { - description = "The description of the IPAM resource discovery." - value = aws_vpc_ipam_resource_discovery.this.description -} - -output "operating_regions" { - description = "A set of operating regions for the IPAM resource discovery." - value = aws_vpc_ipam_resource_discovery.this.operating_regions[*].region_name -} - -output "is_default" { - description = "Whether the resource discovery is the default. The default resource discovery is the resource discovery automatically created when you create an IPAM." - value = aws_vpc_ipam_resource_discovery.this.is_default -} - -output "sharing" { - description = < 0 ? "SHARED_BY_ME" : "NOT_SHARED" - shares = module.share - } -} diff --git a/modules/ipam-resource-discovery/ram-share.tf b/modules/ipam-resource-discovery/ram-share.tf deleted file mode 100644 index d36ec20..0000000 --- a/modules/ipam-resource-discovery/ram-share.tf +++ /dev/null 
@@ -1,32 +0,0 @@
-###################################################
-# Resource Sharing by RAM (Resource Access Manager)
-###################################################
-
-module "share" {
- source = "tedilabs/account/aws//modules/ram-share"
- version = "~> 0.24.0"
-
- for_each = {
- for share in var.shares :
- share.name => share
- }
-
- name = "ipam.resource-discovery.${var.name}.${each.key}"
-
- resources = [
- aws_vpc_ipam_resource_discovery.this.arn
- ]
- permissions = each.value.permissions
-
- external_principals_allowed = each.value.external_principals_allowed
- principals = each.value.principals
-
- resource_group_enabled = false
- module_tags_enabled = false
-
- tags = merge(
- local.module_tags,
- var.tags,
- each.value.tags,
- )
-}
diff --git a/modules/ipam-resource-discovery/resource-group.tf b/modules/ipam-resource-discovery/resource-group.tf
deleted file mode 100644
index 7487ba0..0000000
--- a/modules/ipam-resource-discovery/resource-group.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
- : join(".", [
- local.metadata.package,
- local.metadata.module,
- replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
- ])
- )
-}
-
-
-module "resource_group" {
- source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
-
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
-
- name = local.resource_group_name
- description = var.resource_group_description
-
- query = {
- resource_tags = local.module_tags
- }
-
- module_tags_enabled = false
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/ipam-resource-discovery/variables.tf b/modules/ipam-resource-discovery/variables.tf
deleted file mode 100644
index c08cacf..0000000
--- a/modules/ipam-resource-discovery/variables.tf
+++ /dev/null
@@ -1,82 +0,0 @@ -variable "name" { - description = "(Required) The name of the IPAM resource discovery." - type = string - nullable = false -} - -variable "description" { - description = "(Optional) A description for the IPAM resource discovery." - type = string - default = "Managed by Terraform." - nullable = false -} - -variable "operating_regions" { - description = < -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.58 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.58.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_vpc_ipam.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam) | resource | -| [aws_vpc_ipam_resource_discovery_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_resource_discovery_association) | resource | -| [aws_vpc_ipam_scope.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_scope) | resource | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_regions.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [name](#input\_name) | (Required) The name of the IPAM. | `string` | n/a | yes | -| [additional\_private\_scopes](#input\_additional\_private\_scopes) | (Optional) A list of additional scopes to create and manage by the IPAM. A scope is the highest-level container within IPAM. 
When you create an IPAM, IPAM creates two default scopes for you. Each scope represents the IP space for a single network. Each block of `additional_scopes` as defined below.
(Required) `name` - A name of the scope in the IPAM.
(Optional) `description` - A description of the scope in the IPAM. |
list(object({
name = string
description = optional(string, "Managed by Terraform.")
}))
| `[]` | no | -| [additional\_resource\_discovery\_associations](#input\_additional\_resource\_discovery\_associations) | (Optional) A list of additional associations to an IPAM resource discovery with an Amazon VPC IPAM. A resource discovery is an IPAM component that enables IPAM to manage and monitor resources that belong to the owning account. Each block of `additional_resource_discovery_associations` as defined below.
(Required) `resource_discovery` - The ID of the Resource Discovery to associate.
(Optional) `tags` - A map of tags to add to the IPAM resource discovery association resource. |
list(object({
resource_discovery = string
tags = optional(map(string), {})
}))
| `[]` | no | -| [cascade\_deletion\_enabled](#input\_cascade\_deletion\_enabled) | (Optional) Whether to enable you to quickly delete an IPAM, private scopes, pools in private scopes, and any allocations in the pools in private scopes. Defaults to `true`. | `bool` | `true` | no | -| [description](#input\_description) | (Optional) A description for the IPAM. | `string` | `"Managed by Terraform."` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [operating\_regions](#input\_operating\_regions) | (Optional) A set of operating regions for the IPAM. Operating Regions are AWS Regions where the IPAM is allowed to manage IP address CIDRs. IPAM only discovers and monitors resources in the AWS Regions you select as operating Regions. The current region is required to include. | `set(string)` | `[]` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [additional\_private\_scopes](#output\_additional\_private\_scopes) | The additional private scopes in the IPAM. You can create additional private scopes if you require support for multiple disconnected private networks. 
Additional private scopes allow you to create pools and manage resources that use the same IP space. You cannot create additional public scopes.
`id` - The ID of the scope.
`arn` - The Amazon Resource Name (ARN) of the scope.
`name` - The name of the scope.
`description` - The description of the scope.
`type` - The type of the scope.
`is_default` - Whether the scope is the default scope or not.
`pool_count` - The number of pools in the scope. | -| [additional\_resource\_discoveries](#output\_additional\_resource\_discoveries) | The additional resource discoveries in the IPAM.
`id` - The ID of resource discovery.
`association_id` - The resource discovery association ID.
`state` - The lifecycle state of the association when you associate or disassociate a resource discovery. | -| [arn](#output\_arn) | The ARN of the IPAM. | -| [default\_resource\_discovery](#output\_default\_resource\_discovery) | The default resource discovery in the IPAM.
`id` - The IPAM's default resource discovery ID.
`association_id` - The IPAM's default resource discovery association ID. | -| [default\_scopes](#output\_default\_scopes) | The default scopes in the IPAM. A scope is a top-level container in IPAM. Each scope represents an IP-independent network. Scopes enable you to represent networks where you have overlapping IP space. When you create an IPAM, IPAM automatically creates two scopes: `public` and `private`. The `private` scope is intended for private IP space. The `public` scope is intended for all internet-routable IP space.
`private` - The ID of the IPAM's private scope.
`public` - The ID of the IPAM's public scope. |
-| [description](#output\_description) | The description of the IPAM. |
-| [id](#output\_id) | The ID of the IPAM. |
-| [name](#output\_name) | The name of the IPAM. |
-| [operating\_regions](#output\_operating\_regions) | A set of operating regions for the IPAM. |
-| [scope\_count](#output\_scope\_count) | The number of scopes in the IPAM. |
-
diff --git a/modules/ipam/main.tf b/modules/ipam/main.tf
deleted file mode 100644
index 3ac5e43..0000000
--- a/modules/ipam/main.tf
+++ /dev/null
@@ -1,106 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-data "aws_region" "this" {}
-data "aws_regions" "this" {
- all_regions = true
-}
-
-locals {
- region = data.aws_region.this.name
- all_regions = data.aws_regions.this.names
-}
-
-
-###################################################
-# IPAM (IP Address Manager)
-###################################################
-
-resource "aws_vpc_ipam" "this" {
- description = var.description
- cascade = var.cascade_deletion_enabled
-
- dynamic "operating_regions" {
- for_each = var.operating_regions
-
- content {
- region_name = operating_regions.value
- }
- }
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-
- lifecycle {
- precondition {
- condition = contains(var.operating_regions, local.region)
- error_message = "The current region is required to include in `operating_regions`."
- }
-
- precondition {
- condition = alltrue([
- for region in var.operating_regions :
- contains(local.all_regions, region)
- ])
- error_message = "There is invalid AWS region name."
- }
- }
-}
-
-
-###################################################
-# Scopes of IPAM (IP Address Manager)
-###################################################
-
-resource "aws_vpc_ipam_scope" "this" {
- for_each = {
- for scope in var.additional_private_scopes :
- scope.name => scope
- }
-
- ipam_id = aws_vpc_ipam.this.id
- description = each.value.description
-
- tags = merge(
- {
- "Name" = each.key
- },
- local.module_tags,
- var.tags,
- )
-}
-
-
-###################################################
-# Associations of IPAM Resource Discoveries
-###################################################
-
-resource "aws_vpc_ipam_resource_discovery_association" "this" {
- count = length(var.additional_resource_discovery_associations)
-
- ipam_id = aws_vpc_ipam.this.id
- ipam_resource_discovery_id = var.additional_resource_discovery_associations[count.index].resource_discovery
-
- tags = merge(
- local.module_tags,
- var.additional_resource_discovery_associations[count.index].tags,
- )
-}
diff --git a/modules/ipam/outputs.tf b/modules/ipam/outputs.tf
deleted file mode 100644
index f54ace9..0000000
--- a/modules/ipam/outputs.tf
+++ /dev/null
@@ -1,94 +0,0 @@ -output "id" { - description = "The ID of the IPAM." - value = aws_vpc_ipam.this.id -} - -output "arn" { - description = "The ARN of the IPAM." - value = aws_vpc_ipam.this.arn -} - -output "name" { - description = "The name of the IPAM." - value = local.metadata.name -} - -output "description" { - description = "The description of the IPAM." - value = aws_vpc_ipam.this.description -} - -output "operating_regions" { - description = "A set of operating regions for the IPAM." - value = aws_vpc_ipam.this.operating_regions[*].region_name -} - -output "scope_count" { - description = "The number of scopes in the IPAM." - value = aws_vpc_ipam.this.scope_count -} - -output "default_scopes" { - description = < { - id = scope.id - arn = scope.arn - name = name - description = scope.description - type = scope.ipam_scope_type - is_default = scope.is_default - pool_count = scope.pool_count - } - } -} - -output "default_resource_discovery" { - description = < -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.58 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.58.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | -| [share](#module\_share) | tedilabs/account/aws//modules/ram-share | ~> 0.24.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_ec2_managed_prefix_list.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_managed_prefix_list) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [address\_family](#input\_address\_family) | (Required) Address family of this prefix list. Valid values are `IPv4` or `IPv6`. 
| `string` | n/a | yes | -| [name](#input\_name) | (Required) The name of the prefix list. The name must not start with `com.amazonaws`. | `string` | n/a | yes | -| [entries](#input\_entries) | (Optional) A set of prefix list entries. Each block of `entries` as defined below.
(Required) `cidr` - The CIDR block of this entry.
(Optional) `description` - The description of this entry. Due to API limitations, updating only the description of an existing entry requires temporarily removing and re-adding the entry. |
set(object({
cidr = string
description = optional(string, "Managed by Terraform.")
}))
| `[]` | no | -| [max\_entries](#input\_max\_entries) | (Optional) Maximum number of entries that this prefix list can contain. Configured the length of `entries` if not provided. | `number` | `null` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). |
list(object({
name = optional(string)

permissions = optional(set(string), ["AWSRAMDefaultPermissionPrefixList"])

external_principals_allowed = optional(bool, false)
principals = optional(set(string), [])

tags = optional(map(string), {})
}))
| `[]` | no | -| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [address\_family](#output\_address\_family) | The address family of the prefix list. | -| [arn](#output\_arn) | The ARN of the prefix list. | -| [entries](#output\_entries) | A set of prefix list entries. | -| [id](#output\_id) | The ID of the prefix list. | -| [max\_entries](#output\_max\_entries) | The maximum number of entries of this prefix list. | -| [name](#output\_name) | The name of the prefix list. | -| [owner\_id](#output\_owner\_id) | The ID of the AWS account that owns this prefix list. | -| [sharing](#output\_sharing) | The configuration for sharing of the VPC prefix list.
`status` - An indication of whether the VPC prefix list is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
`shares` - The list of resource shares via RAM (Resource Access Manager). |
-| [version](#output\_version) | Latest version of this prefix list. |
-
diff --git a/modules/prefix-list/main.tf b/modules/prefix-list/main.tf
deleted file mode 100644
index fafa552..0000000
--- a/modules/prefix-list/main.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-locals {
- max_entries = coalesce(var.max_entries, length(var.entries))
-}
-
-# INFO: Not support `aws_ec2_managed_prefix_list_entry`
-# To improved execution times on larger updates, if you plan to create a prefix list with more than 100 entries, it is recommended that you use the inline entry block as part of the Managed Prefix List resource resource instead.
-resource "aws_ec2_managed_prefix_list" "this" {
- name = var.name
- address_family = var.address_family
- max_entries = local.max_entries
-
- dynamic "entry" {
- for_each = var.entries
-
- content {
- cidr = entry.value.cidr
- description = entry.value.description
- }
- }
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/prefix-list/outputs.tf b/modules/prefix-list/outputs.tf
deleted file mode 100644
index a3bb19d..0000000
--- a/modules/prefix-list/outputs.tf
+++ /dev/null
@@ -1,51 +0,0 @@ -output "id" { - description = "The ID of the prefix list." - value = aws_ec2_managed_prefix_list.this.id -} - -output "arn" { - description = "The ARN of the prefix list." - value = aws_ec2_managed_prefix_list.this.arn -} - -output "owner_id" { - description = "The ID of the AWS account that owns this prefix list." - value = aws_ec2_managed_prefix_list.this.owner_id -} - -output "name" { - description = "The name of the prefix list." - value = aws_ec2_managed_prefix_list.this.name -} - -output "address_family" { - description = "The address family of the prefix list." - value = aws_ec2_managed_prefix_list.this.address_family -} - -output "version" { - description = "Latest version of this prefix list." - value = aws_ec2_managed_prefix_list.this.version -} - -output "max_entries" { - description = "The maximum number of entries of this prefix list." - value = aws_ec2_managed_prefix_list.this.max_entries -} - -output "entries" { - description = "A set of prefix list entries." - value = aws_ec2_managed_prefix_list.this.entry -} - -output "sharing" { - description = < 0 ? "SHARED_BY_ME" : "NOT_SHARED" - shares = module.share - } -} diff --git a/modules/prefix-list/ram-share.tf b/modules/prefix-list/ram-share.tf deleted file mode 100644 index 46e2f49..0000000 --- a/modules/prefix-list/ram-share.tf +++ /dev/null 
@@ -1,32 +0,0 @@
-###################################################
-# Resource Sharing by RAM (Resource Access Manager)
-###################################################
-
-module "share" {
- source = "tedilabs/account/aws//modules/ram-share"
- version = "~> 0.24.0"
-
- for_each = {
- for share in var.shares :
- share.name => share
- }
-
- name = "vpc.prefix-list.${var.name}.${each.key}"
-
- resources = [
- aws_ec2_managed_prefix_list.this.arn,
- ]
- permissions = each.value.permissions
-
- external_principals_allowed = each.value.external_principals_allowed
- principals = each.value.principals
-
- resource_group_enabled = false
- module_tags_enabled = false
-
- tags = merge(
- local.module_tags,
- var.tags,
- each.value.tags,
- )
-}
diff --git a/modules/prefix-list/resource-group.tf b/modules/prefix-list/resource-group.tf
deleted file mode 100644
index 7487ba0..0000000
--- a/modules/prefix-list/resource-group.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
- : join(".", [
- local.metadata.package,
- local.metadata.module,
- replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
- ])
- )
-}
-
-
-module "resource_group" {
- source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
-
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
-
- name = local.resource_group_name
- description = var.resource_group_description
-
- query = {
- resource_tags = local.module_tags
- }
-
- module_tags_enabled = false
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/prefix-list/variables.tf b/modules/prefix-list/variables.tf
deleted file mode 100644
index 44742ba..0000000
--- a/modules/prefix-list/variables.tf
+++ /dev/null
@@ -1,103 +0,0 @@ -variable "name" { - description = "(Required) The name of the prefix list. The name must not start with `com.amazonaws`." - type = string - nullable = false - - validation { - condition = !startswith("com.amazonaws", var.name) - error_message = "The name must not start with `com.amazonaws`." - } -} - -variable "address_family" { - description = "(Required) Address family of this prefix list. Valid values are `IPv4` or `IPv6`." - type = string - nullable = false - - validation { - condition = contains(["IPv4", "IPv6"], var.address_family) - error_message = "Valid values for `address_family` are `IPv4` or `IPv6`." - } -} - -variable "max_entries" { - description = "(Optional) Maximum number of entries that this prefix list can contain. Configured the length of `entries` if not provided." - type = number - default = null - nullable = true -} - -variable "entries" { - description = < -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.58 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.52.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_ec2_network_insights_analysis.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_network_insights_analysis) | resource | -| [aws_ec2_network_insights_path.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_network_insights_path) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [destination\_network](#input\_destination\_network) | (Required) The configuration of destination network for analysis. `destination_network` as defined below.
(Required) `id` - The ID of resource which is the destination of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, Transit Gateway Attachment, VPC Endpoint Service, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the destination resource.
(Optional) `port` - The port number of destination to analyze access to. |
object({
id = string
ip_address = optional(string)
port = optional(number)
})
| n/a | yes | -| [name](#input\_name) | (Required) The name of the reachability analyzer path. | `string` | n/a | yes | -| [source\_network](#input\_source\_network) | (Required) The configuration of source network for analysis. `source_network` as defined below.
(Required) `id` - The ID of resource which is the source of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, Transit Gateway Attachment, VPC Endpoint Service, VPC Endpoint, VPC Peering Connection or VPN Gateway.
(Optional) `ip_address` - The IP address of the source resource. |
object({
id = string
ip_address = optional(string)
})
| n/a | yes | -| [analyses](#input\_analyses) | (Optional) The configuration of analyses to run with the reachability analyzer path. Each block of `analyses` as defined below.
(Required) `name` - A name of the analysis with the reachability analyzer path.
(Optional) `required_intermediate_components` - A list of ARNs for resources the path must traverse. Intermediate components include Load Balancers, NAT Gateways, and Network Firewall, Transit Gateways, Transit Gateway Attachments, VPC Peering Connections. You cannot use security groups, network access control lists, network interfaces, or route tables as intermediate components.
(Optional) `wait_for_completion` - Whether to wait for the analysis status to change to `succeeded` or `failed`. Setting this to `false` will skip the process. Defaults to `true`. |
list(object({
name = string

required_intermediate_components = optional(list(string), [])
wait_for_completion = optional(bool, true)
}))
| `[]` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [protocol](#input\_protocol) | (Optional) The protocol to use for analysis. Valid values are `TCP` or `UDP`. | `string` | `"TCP"` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [analyses](#output\_analyses) | A list of histories of the analysis with the reachability analyzer path. | -| [arn](#output\_arn) | The ARN of the reachability analyzer path. | -| [destination\_network](#output\_destination\_network) | The configuration of destination network for analysis. | -| [id](#output\_id) | The ID of the reachability analyzer path. | -| [name](#output\_name) | The name of the reachability analyzer path. | -| [protocol](#output\_protocol) | The protocol to use for analysis. | -| [source\_network](#output\_source\_network) | The configuration of source network for analysis. | - diff --git a/modules/reachability-analyzer-path/main.tf b/modules/reachability-analyzer-path/main.tf deleted file mode 100644 index 58c3ba5..0000000 --- a/modules/reachability-analyzer-path/main.tf +++ /dev/null 
@@ -1,64 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-
-###################################################
-# Reachability Analyzer Path
-###################################################
-
-resource "aws_ec2_network_insights_path" "this" {
- protocol = lower(var.protocol)
-
- source = var.source_network.id
- source_ip = var.source_network.ip_address
-
- destination = var.destination_network.id
- destination_ip = var.destination_network.ip_address
- destination_port = var.destination_network.port
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
-
-
-###################################################
-# Reachability Analyzer Analysis
-###################################################
-
-resource "aws_ec2_network_insights_analysis" "this" {
- for_each = {
- for analysis in var.analyses :
- analysis.name => analysis
- }
-
- network_insights_path_id = aws_ec2_network_insights_path.this.id
-
- filter_in_arns = each.value.required_intermediate_components
- wait_for_completion = each.value.wait_for_completion
-
- tags = merge(
- {
- "Name" = each.key
- },
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/reachability-analyzer-path/outputs.tf b/modules/reachability-analyzer-path/outputs.tf
deleted file mode 100644
index d3a493c..0000000
--- a/modules/reachability-analyzer-path/outputs.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-output "id" {
- description = "The ID of the reachability analyzer path."
- value = aws_ec2_network_insights_path.this.id
-}
-
-output "arn" {
- description = "The ARN of the reachability analyzer path."
- value = aws_ec2_network_insights_path.this.arn
-}
-
-output "name" {
- description = "The name of the reachability analyzer path."
- value = local.metadata.name
-}
-
-output "protocol" {
- description = "The protocol to use for analysis."
- value = upper(aws_ec2_network_insights_path.this.protocol)
-}
-
-output "source_network" {
- description = "The configuration of source network for analysis."
- value = {
- id = aws_ec2_network_insights_path.this.source
- ip_address = aws_ec2_network_insights_path.this.source_ip
- }
-}
-
-output "destination_network" {
- description = "The configuration of destination network for analysis."
- value = {
- id = aws_ec2_network_insights_path.this.destination
- ip_address = aws_ec2_network_insights_path.this.destination_ip
- port = aws_ec2_network_insights_path.this.destination_port
- }
-}
-
-output "analyses" {
- description = "A list of histories of the analysis with the reachability analyzer path."
- value = [
- for name, analysis in aws_ec2_network_insights_analysis.this : {
- name = name
- id = analysis.id
- arn = analysis.arn
-
- path_found = analysis.path_found
- status = analysis.status
- started_at = analysis.start_date
-
- # INFO: https://docs.aws.amazon.com/vpc/latest/reachability/explanation-codes.html
- explanation_codes = [
- for explanation in analysis.explanations :
- explanation.explanation_code
- ]
- # status_message = analysis.status_message
- # warning_message = analysis.warning_message
-
- forward_path_components = [
- for c in analysis.forward_path_components :
- one(c.component)
- ]
- return_path_components = [
- for c in analysis.return_path_components :
- one(c.component)
- ]
- }
- ]
-}
diff --git a/modules/reachability-analyzer-path/resource-group.tf b/modules/reachability-analyzer-path/resource-group.tf
deleted file mode 100644
index 7487ba0..0000000
--- a/modules/reachability-analyzer-path/resource-group.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
- : join(".", [
- local.metadata.package,
- local.metadata.module,
- replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
- ])
- )
-}
-
-
-module "resource_group" {
- source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
-
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
-
- name = local.resource_group_name
- description = var.resource_group_description
-
- query = {
- resource_tags = local.module_tags
- }
-
- module_tags_enabled = false
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/reachability-analyzer-path/variables.tf b/modules/reachability-analyzer-path/variables.tf
deleted file mode 100644
index 76587f6..0000000
--- a/modules/reachability-analyzer-path/variables.tf
+++ /dev/null
@@ -1,102 +0,0 @@ -variable "name" { - description = "(Required) The name of the reachability analyzer path." - type = string - nullable = false -} - -variable "protocol" { - description = "(Optional) The protocol to use for analysis. Valid values are `TCP` or `UDP`." - type = string - default = "TCP" - nullable = false - - validation { - condition = contains(["TCP", "UDP"], var.protocol) - error_message = "Valid values for `protocol` are `TCP` or `UDP`." - } -} - -variable "source_network" { - description = < -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | -| [aws](#requirement\_aws) | >= 3.45 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.52.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_vpc_endpoint_connection_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_connection_notification) | resource | -| [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service) | resource | -| [aws_vpc_endpoint_service_allowed_principal.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service_allowed_principal) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [name](#input\_name) | Desired name for the VPC Endpoint Service. | `string` | n/a | yes | -| [acceptance\_required](#input\_acceptance\_required) | Whether or not VPC endpoint connection requests to the service must be accepted by the service owner. 
| `bool` | `false` | no | -| [allowed\_principals](#input\_allowed\_principals) | A list of the ARNs of principal to allow to discover a VPC endpoint service. | `list(string)` | `[]` | no | -| [gateway\_load\_balancer\_arns](#input\_gateway\_load\_balancer\_arns) | List of Amazon Resource Names of one or more Gateway Load Balancers for the endpoint service. | `list(string)` | `null` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [network\_load\_balancer\_arns](#input\_network\_load\_balancer\_arns) | List of Amazon Resource Names of one or more Network Load Balancers for the endpoint service. | `list(string)` | `null` | no | -| [notification\_configurations](#input\_notification\_configurations) | A list of configurations of Endpoint Connection Notifications for VPC Endpoint events. |
list(object({
sns_arn = string
events = list(string)
}))
| `[]` | no | -| [private\_domain](#input\_private\_domain) | The private domain name for the service. | `string` | `null` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [allowed\_principals](#output\_allowed\_principals) | A list of the ARNs of allowed principals to discover a VPC endpoint service. | -| [arn](#output\_arn) | The Amazon Resource Name (ARN) of the VPC endpoint service. | -| [availability\_zones](#output\_availability\_zones) | The Availability Zones in which the service is available. | -| [base\_domain\_names](#output\_base\_domain\_names) | The DNS names for the service. | -| [gateway\_load\_balancer\_arns](#output\_gateway\_load\_balancer\_arns) | ARNs of Gateway Load Balancers which is associated to the endpoint service. | -| [id](#output\_id) | The ID of the VPC endpoint service. | -| [manages\_vpc\_endpoints](#output\_manages\_vpc\_endpoints) | Whether or not the service manages its VPC endpoints | -| [name](#output\_name) | The VPC Endpoint Service name. | -| [network\_load\_balancer\_arns](#output\_network\_load\_balancer\_arns) | ARNs of Network Load Balancers which is associated to the endpoint service. 
| -| [notification\_configurations](#output\_notification\_configurations) | A list of Endpoint Connection Notifications for VPC Endpoint events. | -| [private\_domain](#output\_private\_domain) | The private DNS name for the service. | -| [private\_domain\_configurations](#output\_private\_domain\_configurations) | List of objects containing information about the endpoint service private DNS name configuration. | -| [service\_name](#output\_service\_name) | The service name. | -| [service\_type](#output\_service\_type) | The service type, `Gateway` or `Interface`. | -| [state](#output\_state) | The state of the VPC endpoint service. | - diff --git a/modules/vpc-endpoint-service/main.tf b/modules/vpc-endpoint-service/main.tf deleted file mode 100644 index 69d7ab2..0000000 --- a/modules/vpc-endpoint-service/main.tf +++ /dev/null 
@@ -1,60 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-resource "aws_vpc_endpoint_service" "this" {
- gateway_load_balancer_arns = var.gateway_load_balancer_arns
- network_load_balancer_arns = var.network_load_balancer_arns
-
- private_dns_name = var.private_domain
- acceptance_required = var.acceptance_required
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
-
-
-###################################################
-# Allowed Principals
-###################################################
-
-resource "aws_vpc_endpoint_service_allowed_principal" "this" {
- for_each = toset(var.allowed_principals)
-
- vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id
- principal_arn = each.value
-}
-
-
-###################################################
-# Notification
-###################################################
-
-resource "aws_vpc_endpoint_connection_notification" "this" {
- for_each = {
- for config in try(var.notification_configurations, []) :
- config.sns_arn => config
- }
-
- vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id
-
- connection_notification_arn = each.key
- connection_events = try(each.value.events, [])
-}
diff --git a/modules/vpc-endpoint-service/migrations.tf b/modules/vpc-endpoint-service/migrations.tf
deleted file mode 100644
index 83a0f7e..0000000
--- a/modules/vpc-endpoint-service/migrations.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-# 2023-02-01
-moved {
- from = aws_resourcegroups_group.this[0]
- to = module.resource_group[0].aws_resourcegroups_group.this
-}
diff --git a/modules/vpc-endpoint-service/outputs.tf b/modules/vpc-endpoint-service/outputs.tf
deleted file mode 100644
index 9fd117f..0000000
--- a/modules/vpc-endpoint-service/outputs.tf
+++ /dev/null
@@ -1,74 +0,0 @@
-output "name" {
- description = "The VPC Endpoint Service name."
- value = var.name
-}
-
-output "id" {
- description = "The ID of the VPC endpoint service."
- value = aws_vpc_endpoint_service.this.id
-}
-
-output "arn" {
- description = "The Amazon Resource Name (ARN) of the VPC endpoint service."
- value = aws_vpc_endpoint_service.this.arn
-}
-
-output "state" {
- description = "The state of the VPC endpoint service."
- value = aws_vpc_endpoint_service.this.state
-}
-
-output "service_name" {
- description = "The service name."
- value = aws_vpc_endpoint_service.this.service_name
-}
-
-output "service_type" {
- description = "The service type, `Gateway` or `Interface`."
- value = aws_vpc_endpoint_service.this.service_type
-}
-
-output "gateway_load_balancer_arns" {
- description = "ARNs of Gateway Load Balancers which is associated to the endpoint service."
- value = aws_vpc_endpoint_service.this.gateway_load_balancer_arns
-}
-
-output "network_load_balancer_arns" {
- description = "ARNs of Network Load Balancers which is associated to the endpoint service."
- value = aws_vpc_endpoint_service.this.network_load_balancer_arns
-}
-
-output "availability_zones" {
- description = "The Availability Zones in which the service is available."
- value = aws_vpc_endpoint_service.this.availability_zones
-}
-
-output "allowed_principals" {
- description = "A list of the ARNs of allowed principals to discover a VPC endpoint service."
- value = var.allowed_principals
-}
-
-output "manages_vpc_endpoints" {
- description = "Whether or not the service manages its VPC endpoints"
- value = aws_vpc_endpoint_service.this.manages_vpc_endpoints
-}
-
-output "base_domain_names" {
- description = "The DNS names for the service."
- value = aws_vpc_endpoint_service.this.base_endpoint_dns_names
-}
-
-output "private_domain" {
- description = "The private DNS name for the service."
- value = aws_vpc_endpoint_service.this.private_dns_name
-}
-
-output "private_domain_configurations" {
- description = "List of objects containing information about the endpoint service private DNS name configuration."
- value = aws_vpc_endpoint_service.this.private_dns_name_configuration
-}
-
-output "notification_configurations" {
- description = "A list of Endpoint Connection Notifications for VPC Endpoint events."
- value = var.notification_configurations
-}
diff --git a/modules/vpc-endpoint-service/resource-group.tf b/modules/vpc-endpoint-service/resource-group.tf
deleted file mode 100644
index 7487ba0..0000000
--- a/modules/vpc-endpoint-service/resource-group.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
- : join(".", [
- local.metadata.package,
- local.metadata.module,
- replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
- ])
- )
-}
-
-
-module "resource_group" {
- source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
-
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
-
- name = local.resource_group_name
- description = var.resource_group_description
-
- query = {
- resource_tags = local.module_tags
- }
-
- module_tags_enabled = false
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/vpc-endpoint-service/variables.tf b/modules/vpc-endpoint-service/variables.tf
deleted file mode 100644
index 65f2bb5..0000000
--- a/modules/vpc-endpoint-service/variables.tf
+++ /dev/null
@@ -1,78 +0,0 @@
-variable "name" {
- description = "Desired name for the VPC Endpoint Service."
- type = string
-}
-
-variable "gateway_load_balancer_arns" {
- description = "List of Amazon Resource Names of one or more Gateway Load Balancers for the endpoint service."
- type = list(string)
- default = null
-}
-
-variable "network_load_balancer_arns" {
- description = "List of Amazon Resource Names of one or more Network Load Balancers for the endpoint service."
- type = list(string)
- default = null
-}
-
-variable "private_domain" {
- description = "The private domain name for the service."
- type = string
- default = null
-}
-
-variable "acceptance_required" {
- description = "Whether or not VPC endpoint connection requests to the service must be accepted by the service owner."
- type = bool
- default = false
-}
-
-variable "allowed_principals" {
- description = "A list of the ARNs of principal to allow to discover a VPC endpoint service."
- type = list(string)
- default = []
-}
-
-variable "notification_configurations" {
- description = "A list of configurations of Endpoint Connection Notifications for VPC Endpoint events."
- type = list(object({
- sns_arn = string
- events = list(string)
- }))
- default = []
-}
-
-variable "tags" {
- description = "A map of tags to add to all resources."
- type = map(string)
- default = {}
-}
-
-variable "module_tags_enabled" {
- description = "Whether to create AWS Resource Tags for the module informations."
- type = bool
- default = true
-}
-
-
-###################################################
-# Resource Group
-###################################################
-
-variable "resource_group_enabled" {
- description = "Whether to create Resource Group to find and group AWS resources which are created by this module."
- type = bool
- default = true
-}
-
-variable "resource_group_name" {
- description = "The name of Resource Group.
A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
- type = string
- default = ""
-}
-
-variable "resource_group_description" {
- description = "The description of Resource Group."
- type = string
- default = "Managed by Terraform."
-}
diff --git a/modules/vpc-endpoint-service/versions.tf b/modules/vpc-endpoint-service/versions.tf
deleted file mode 100644
index dd959fc..0000000
--- a/modules/vpc-endpoint-service/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.2"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.45"
- }
- }
-}
diff --git a/modules/vpc-gateway-endpoint/README.md b/modules/vpc-gateway-endpoint/README.md
deleted file mode 100644
index e47228b..0000000
--- a/modules/vpc-gateway-endpoint/README.md
+++ /dev/null
@@ -1,67 +0,0 @@ -# vpc-gateway-endpoint - -This module creates following resources. - -- `aws_vpc_endpoint` -- `aws_vpc_endpoint_connection_notification` (optional) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | -| [aws](#requirement\_aws) | >= 3.45 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.52.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint_connection_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_connection_notification) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [name](#input\_name) | (Required) Desired name for the VPC Gateway Endpoint. | `string` | n/a | yes | -| [service\_name](#input\_service\_name) | (Required) The service name. For AWS services the service name is usually in the form `com.amazonaws..`. | `string` | n/a | yes | -| [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC in which the endpoint will be used. | `string` | n/a | yes | -| [auto\_accept](#input\_auto\_accept) | (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account). | `bool` | `true` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [notification\_configurations](#input\_notification\_configurations) | (Optional) A list of configurations of Endpoint Connection Notifications for VPC Endpoint events. |
list(object({
sns_arn = string
events = list(string)
}))
| `[]` | no | -| [policy](#input\_policy) | (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies. | `string` | `null` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | The Amazon Resource Name (ARN) of the VPC endpoint. | -| [cidr\_blocks](#output\_cidr\_blocks) | The list of CIDR blocks for the exposed AWS service. | -| [id](#output\_id) | The ID of the VPC endpoint. | -| [managed](#output\_managed) | Whether or not the VPC Endpoint is being managed by its service. | -| [name](#output\_name) | The VPC Gateway Endpoint name. | -| [notification\_configurations](#output\_notification\_configurations) | A list of Endpoint Connection Notifications for VPC Endpoint events. | -| [owner\_id](#output\_owner\_id) | The Owner ID of the VPC endpoint. | -| [policy](#output\_policy) | The policy which is attached to the endpoint that controls access to the service. | -| [prefix\_list\_id](#output\_prefix\_list\_id) | The prefix list ID of the exposed AWS service. 
|
-| [service\_name](#output\_service\_name) | The service name of the VPC Gateway Endpoint. |
-| [state](#output\_state) | The state of the VPC endpoint. |
-| [vpc\_id](#output\_vpc\_id) | The VPC ID of the VPC endpoint. |
-
diff --git a/modules/vpc-gateway-endpoint/main.tf b/modules/vpc-gateway-endpoint/main.tf
deleted file mode 100644
index 3ef7380..0000000
--- a/modules/vpc-gateway-endpoint/main.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-network"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-resource "aws_vpc_endpoint" "this" {
- vpc_endpoint_type = "Gateway"
- service_name = var.service_name
- vpc_id = var.vpc_id
-
- auto_accept = var.auto_accept
- policy = var.policy
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
-
-
-###################################################
-# Notification
-###################################################
-
-resource "aws_vpc_endpoint_connection_notification" "this" {
- for_each = {
- for config in try(var.notification_configurations, []) :
- config.sns_arn => config
- }
-
- vpc_endpoint_id = aws_vpc_endpoint.this.id
-
- connection_notification_arn = each.key
- connection_events = try(each.value.events, [])
-}
diff --git a/modules/vpc-gateway-endpoint/migrations.tf b/modules/vpc-gateway-endpoint/migrations.tf
deleted file mode 100644
index 83a0f7e..0000000
--- a/modules/vpc-gateway-endpoint/migrations.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-# 2023-02-01
-moved {
- from = aws_resourcegroups_group.this[0]
- to = module.resource_group[0].aws_resourcegroups_group.this
-}
diff --git a/modules/vpc-gateway-endpoint/outputs.tf b/modules/vpc-gateway-endpoint/outputs.tf
deleted file mode 100644
index b7b083b..0000000
--- a/modules/vpc-gateway-endpoint/outputs.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-output "name" {
- description = "The VPC Gateway Endpoint name."
- value = var.name
-}
-
-output "service_name" {
- description = "The service name of the VPC Gateway Endpoint."
- value = aws_vpc_endpoint.this.service_name
-}
-
-output "id" {
- description = "The ID of the VPC endpoint."
- value = aws_vpc_endpoint.this.id
-}
-
-output "arn" {
- description = "The Amazon Resource Name (ARN) of the VPC endpoint."
- value = aws_vpc_endpoint.this.arn
-}
-
-output "state" {
- description = "The state of the VPC endpoint."
- value = aws_vpc_endpoint.this.state
-}
-
-output "owner_id" {
- description = "The Owner ID of the VPC endpoint."
- value = aws_vpc_endpoint.this.owner_id
-}
-
-output "managed" {
- description = "Whether or not the VPC Endpoint is being managed by its service."
- value = aws_vpc_endpoint.this.requester_managed
-}
-
-output "vpc_id" {
- description = "The VPC ID of the VPC endpoint."
- value = aws_vpc_endpoint.this.vpc_id
-}
-
-output "cidr_blocks" {
- description = "The list of CIDR blocks for the exposed AWS service."
- value = aws_vpc_endpoint.this.cidr_blocks
-}
-
-output "prefix_list_id" {
- description = "The prefix list ID of the exposed AWS service."
- value = aws_vpc_endpoint.this.prefix_list_id
-}
-
-output "policy" {
- description = "The policy which is attached to the endpoint that controls access to the service."
- value = aws_vpc_endpoint.this.policy
-}
-
-output "notification_configurations" {
- description = "A list of Endpoint Connection Notifications for VPC Endpoint events."
- value = var.notification_configurations
-}
diff --git a/modules/vpc-gateway-endpoint/resource-group.tf b/modules/vpc-gateway-endpoint/resource-group.tf deleted file mode 100644 index 7487ba0..0000000 --- a/modules/vpc-gateway-endpoint/resource-group.tf +++ /dev/null @@ -1,31 +0,0 @@ -locals { - resource_group_name = (var.resource_group_name != "" - ? var.resource_group_name - : join(".", [ - local.metadata.package, - local.metadata.module, - replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), - ]) - ) -} - - -module "resource_group" { - source = "tedilabs/misc/aws//modules/resource-group" - version = "~> 0.10.0" - - count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 - - name = local.resource_group_name - description = var.resource_group_description - - query = { - resource_tags = local.module_tags - } - - module_tags_enabled = false - tags = merge( - local.module_tags, - var.tags, - ) -} diff --git a/modules/vpc-gateway-endpoint/variables.tf b/modules/vpc-gateway-endpoint/variables.tf deleted file mode 100644 index 7457b55..0000000 --- a/modules/vpc-gateway-endpoint/variables.tf +++ /dev/null 
@@ -1,70 +0,0 @@ -variable "name" { - description = "(Required) Desired name for the VPC Gateway Endpoint." - type = string -} - -variable "service_name" { - description = "(Required) The service name. For AWS services the service name is usually in the form `com.amazonaws..`." - type = string -} - -variable "vpc_id" { - description = "(Required) The ID of the VPC in which the endpoint will be used." - type = string -} - -variable "auto_accept" { - description = "(Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account)." - type = bool - default = true -} - -variable "policy" { - description = "(Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies." - type = string - default = null -} - -variable "notification_configurations" { - description = "(Optional) A list of configurations of Endpoint Connection Notifications for VPC Endpoint events." - type = list(object({ - sns_arn = string - events = list(string) - })) - default = [] -} - -variable "tags" { - description = "(Optional) A map of tags to add to all resources." - type = map(string) - default = {} -} - -variable "module_tags_enabled" { - description = "(Optional) Whether to create AWS Resource Tags for the module informations." - type = bool - default = true -} - - -################################################### -# Resource Group -################################################### - -variable "resource_group_enabled" { - description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." - type = bool - default = true -} - -variable "resource_group_name" { - description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. 
The name cannot start with `AWS` or `aws`." - type = string - default = "" -} - -variable "resource_group_description" { - description = "(Optional) The description of Resource Group." - type = string - default = "Managed by Terraform." -} diff --git a/modules/vpc-gateway-endpoint/versions.tf b/modules/vpc-gateway-endpoint/versions.tf deleted file mode 100644 index dd959fc..0000000 --- a/modules/vpc-gateway-endpoint/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 1.2" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.45" - } - } -} diff --git a/modules/vpc-interface-endpoint/README.md b/modules/vpc-interface-endpoint/README.md deleted file mode 100644 index a6b77db..0000000 --- a/modules/vpc-interface-endpoint/README.md +++ /dev/null 
@@ -1,75 +0,0 @@ -# vpc-interface-endpoint - -This module creates following resources. - -- `aws_vpc_endpoint` -- `aws_vpc_endpoint_connection_notification` (optional) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | -| [aws](#requirement\_aws) | >= 3.45 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.52.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | -| [security\_group](#module\_security\_group) | ../security-group | n/a | - -## Resources - -| Name | Type | -|------|------| -| [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint_connection_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_connection_notification) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [name](#input\_name) | (Required) Desired name for the VPC Interface Endpoint. | `string` | n/a | yes | -| [service\_name](#input\_service\_name) | (Required) The service name. For AWS services the service name is usually in the form `com.amazonaws..`. | `string` | n/a | yes | -| [subnets](#input\_subnets) | (Required) The ID of one or more subnets in which to create a network interface for the endpoint. | `list(string)` | n/a | yes | -| [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC in which the endpoint will be used. | `string` | n/a | yes | -| [auto\_accept](#input\_auto\_accept) | (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account). 
| `bool` | `true` | no | -| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the interface endpoint. `default_security_group` block as defined below.
(Optional) `name` - The name of the default security group.
(Optional) `description` - The description of the default security group.
(Optional) `ingress_cidrs` - A list of IPv4 CIDR blocks to allow inbound traffic from.
(Optional) `ingress_ipv6_cidrs` - A list of IPv6 CIDR blocks to allow inbound traffic from.
(Optional) `ingress_prefix_lists` - A list of Prefix List IDs to allow inbound traffic from.
(Optional) `ingress_security_groups` - A list of source Security Group IDs to allow inbound traffic from. | `any` | `{}` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [notification\_configurations](#input\_notification\_configurations) | (Optional) A list of configurations of Endpoint Connection Notifications for VPC Endpoint events. |
list(object({
sns_arn = string
events = list(string)
}))
| `[]` | no | -| [policy](#input\_policy) | (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies. | `string` | `null` | no | -| [private\_dns\_enabled](#input\_private\_dns\_enabled) | (Optional) Whether or not to associate a private hosted zone with the specified VPC. | `bool` | `false` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [security\_groups](#input\_security\_groups) | (Optional) A set of security group IDs to associate with the network interface. | `set(string)` | `[]` | no | -| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | The Amazon Resource Name (ARN) of the VPC endpoint. | -| [default\_security\_group](#output\_default\_security\_group) | The default security group of the VPC endpoint. | -| [dns\_configurations](#output\_dns\_configurations) | The DNS entries for the VPC Endpoint. | -| [id](#output\_id) | The ID of the VPC endpoint. | -| [managed](#output\_managed) | Whether or not the VPC Endpoint is being managed by its service. | -| [name](#output\_name) | The VPC Interface Endpoint name. 
| -| [network\_interface\_ids](#output\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint. | -| [notification\_configurations](#output\_notification\_configurations) | A list of Endpoint Connection Notifications for VPC Endpoint events. | -| [owner\_id](#output\_owner\_id) | The Owner ID of the VPC endpoint. | -| [policy](#output\_policy) | The policy which is attached to the endpoint that controls access to the service. | -| [security\_groups](#output\_security\_groups) | A set of security group IDs which is assigned to the VPC endpoint. | -| [service\_name](#output\_service\_name) | The service name of the VPC Interface Endpoint. | -| [state](#output\_state) | The state of the VPC endpoint. | -| [subnet\_ids](#output\_subnet\_ids) | A list of Subnet IDs of the VPC endpoint. | -| [vpc\_id](#output\_vpc\_id) | The VPC ID of the VPC endpoint. | - diff --git a/modules/vpc-interface-endpoint/main.tf b/modules/vpc-interface-endpoint/main.tf deleted file mode 100644 index 901d4aa..0000000 --- a/modules/vpc-interface-endpoint/main.tf +++ /dev/null 
@@ -1,55 +0,0 @@ -locals { - metadata = { - package = "terraform-aws-network" - version = trimspace(file("${path.module}/../../VERSION")) - module = basename(path.module) - name = var.name - } - module_tags = var.module_tags_enabled ? { - "module.terraform.io/package" = local.metadata.package - "module.terraform.io/version" = local.metadata.version - "module.terraform.io/name" = local.metadata.module - "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}" - "module.terraform.io/instance" = local.metadata.name - } : {} -} - -resource "aws_vpc_endpoint" "this" { - vpc_endpoint_type = "Interface" - service_name = var.service_name - vpc_id = var.vpc_id - subnet_ids = var.subnets - security_group_ids = setunion( - [module.security_group.id], - var.security_groups, - ) - - private_dns_enabled = var.private_dns_enabled - auto_accept = var.auto_accept - policy = var.policy - - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, - ) -} - - -################################################### -# Notification -################################################### - -resource "aws_vpc_endpoint_connection_notification" "this" { - for_each = { - for config in try(var.notification_configurations, []) : - config.sns_arn => config - } - - vpc_endpoint_id = aws_vpc_endpoint.this.id - - connection_notification_arn = each.key - connection_events = try(each.value.events, []) -} diff --git a/modules/vpc-interface-endpoint/migrations.tf b/modules/vpc-interface-endpoint/migrations.tf deleted file mode 100644 index 83a0f7e..0000000 --- a/modules/vpc-interface-endpoint/migrations.tf +++ /dev/null @@ -1,5 +0,0 @@ -# 2023-02-01 -moved { - from = aws_resourcegroups_group.this[0] - to = module.resource_group[0].aws_resourcegroups_group.this -} diff --git a/modules/vpc-interface-endpoint/outputs.tf b/modules/vpc-interface-endpoint/outputs.tf deleted file mode 100644 index cdd8541..0000000 
--- a/modules/vpc-interface-endpoint/outputs.tf
+++ /dev/null
@@ -1,82 +0,0 @@ -output "name" { - description = "The VPC Interface Endpoint name." - value = var.name -} - -output "service_name" { - description = "The service name of the VPC Interface Endpoint." - value = aws_vpc_endpoint.this.service_name -} - -output "id" { - description = "The ID of the VPC endpoint." - value = aws_vpc_endpoint.this.id -} - -output "arn" { - description = "The Amazon Resource Name (ARN) of the VPC endpoint." - value = aws_vpc_endpoint.this.arn -} - -output "state" { - description = "The state of the VPC endpoint." - value = aws_vpc_endpoint.this.state -} - -output "owner_id" { - description = "The Owner ID of the VPC endpoint." - value = aws_vpc_endpoint.this.owner_id -} - -output "managed" { - description = "Whether or not the VPC Endpoint is being managed by its service." - value = aws_vpc_endpoint.this.requester_managed -} - -output "vpc_id" { - description = "The VPC ID of the VPC endpoint." - value = aws_vpc_endpoint.this.vpc_id -} - -output "subnet_ids" { - description = "A list of Subnet IDs of the VPC endpoint." - value = var.subnets -} - -output "default_security_group" { - description = "The default security group of the VPC endpoint." - value = { - id = module.security_group.id - name = module.security_group.name - - ingress_cidrs = try(var.default_security_group.ingress_cidrs, []) - ingress_ipv6_cidrs = try(var.default_security_group.ingress_ipv6_cidrs, []) - ingress_prefix_lists = try(var.default_security_group.ingress_prefix_lists, []) - ingress_security_groups = try(var.default_security_group.ingress_security_groups, []) - } -} - -output "security_groups" { - description = "A set of security group IDs which is assigned to the VPC endpoint." - value = aws_vpc_endpoint.this.security_group_ids -} - -output "network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint." 
- value = aws_vpc_endpoint.this.network_interface_ids -} - -output "dns_configurations" { - description = "The DNS entries for the VPC Endpoint." - value = aws_vpc_endpoint.this.dns_entry -} - -output "policy" { - description = "The policy which is attached to the endpoint that controls access to the service." - value = aws_vpc_endpoint.this.policy -} - -output "notification_configurations" { - description = "A list of Endpoint Connection Notifications for VPC Endpoint events." - value = var.notification_configurations -} diff --git a/modules/vpc-interface-endpoint/resource-group.tf b/modules/vpc-interface-endpoint/resource-group.tf deleted file mode 100644 index 7487ba0..0000000 --- a/modules/vpc-interface-endpoint/resource-group.tf +++ /dev/null @@ -1,31 +0,0 @@ -locals { - resource_group_name = (var.resource_group_name != "" - ? var.resource_group_name - : join(".", [ - local.metadata.package, - local.metadata.module, - replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), - ]) - ) -} - - -module "resource_group" { - source = "tedilabs/misc/aws//modules/resource-group" - version = "~> 0.10.0" - - count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 - - name = local.resource_group_name - description = var.resource_group_description - - query = { - resource_tags = local.module_tags - } - - module_tags_enabled = false - tags = merge( - local.module_tags, - var.tags, - ) -} diff --git a/modules/vpc-interface-endpoint/security-group.tf b/modules/vpc-interface-endpoint/security-group.tf deleted file mode 100644 index 94f040d..0000000 --- a/modules/vpc-interface-endpoint/security-group.tf +++ /dev/null 
@@ -1,72 +0,0 @@ -################################################### -# Security Group for Interface Endpoint -################################################### - -module "security_group" { - source = "../security-group" - - vpc_id = var.vpc_id - - name = try(var.default_security_group.name, local.metadata.name) - description = try(var.default_security_group.description, "Managed by Terraform.") - - ingress_rules = concat( - (length(try(var.default_security_group.ingress_cidrs, [])) > 0 - ? [{ - id = "ipv4-cidrs" - description = "Allow inbound traffic from the IPv4 CIDRs." - protocol = "tcp" - from_port = 0 - to_port = 65535 - - cidr_blocks = try(var.default_security_group.ingress_cidrs, []) - }] - : [] - ), - (length(try(var.default_security_group.ingress_ipv6_cidrs, [])) > 0 - ? [{ - id = "ipv6-cidrs" - description = "Allow inbound traffic from the IPv6 CIDRs." - protocol = "tcp" - from_port = 0 - to_port = 65535 - - ipv6_cidr_blocks = try(var.default_security_group.ingress_ipv6_cidrs, []) - }] - : [] - ), - (length(try(var.default_security_group.ingress_prefix_lists, [])) > 0 - ? [{ - id = "prefix-lists" - description = "Allow inbound traffic from the Prefix Lists." - protocol = "tcp" - from_port = 0 - to_port = 65535 - - prefix_list_ids = try(var.default_security_group.ingress_prefix_lists, []) - }] - : [] - ), - [ - for security_group in try(var.default_security_group.ingress_security_groups, []) : { - id = "security-groups" - description = "Allow inbound traffic from the source Security Groups." - protocol = "tcp" - from_port = 0 - to_port = 65535 - - source_security_group_id = security_group - } - ] - ) - egress_rules = [] - - revoke_rules_on_delete = true - resource_group_enabled = false - module_tags_enabled = false - - tags = merge( - local.module_tags, - var.tags, - ) -} diff --git a/modules/vpc-interface-endpoint/variables.tf b/modules/vpc-interface-endpoint/variables.tf deleted file mode 100644 index fba3213..0000000 
--- a/modules/vpc-interface-endpoint/variables.tf
+++ /dev/null
@@ -1,101 +0,0 @@ -variable "name" { - description = "(Required) Desired name for the VPC Interface Endpoint." - type = string -} - -variable "service_name" { - description = "(Required) The service name. For AWS services the service name is usually in the form `com.amazonaws..`." - type = string -} - -variable "vpc_id" { - description = "(Required) The ID of the VPC in which the endpoint will be used." - type = string -} - -variable "subnets" { - description = "(Required) The ID of one or more subnets in which to create a network interface for the endpoint." - type = list(string) -} - -variable "private_dns_enabled" { - description = "(Optional) Whether or not to associate a private hosted zone with the specified VPC." - type = bool - default = false -} - -variable "default_security_group" { - description = < -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | -| [aws](#requirement\_aws) | >= 3.45 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.52.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_vpc_peering_connection_accepter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_accepter) | resource | -| [aws_vpc_peering_connection_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_options) | resource | -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| 
[aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_peering_connection) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [id](#input\_id) | The VPC Peering Connection ID to manage. | `string` | n/a | yes | -| [allow\_remote\_vpc\_dns\_resolution](#input\_allow\_remote\_vpc\_dns\_resolution) | Allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC. This is not supported for inter-region VPC peering. | `bool` | `false` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [name](#input\_name) | Desired name for the VPC Peering resources. | `string` | `""` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [accepter](#output\_accepter) | The accepter information including AWS Account ID, Region, VPC ID. | -| [id](#output\_id) | The ID of the VPC Peering Connection. | -| [name](#output\_name) | The VPC Peering name. 
| -| [requester](#output\_requester) | The requester information including AWS Account ID, Region, VPC ID. | -| [status](#output\_status) | The status of the VPC Peering Connection request. | - diff --git a/modules/vpc-peering-accepter/main.tf b/modules/vpc-peering-accepter/main.tf deleted file mode 100644 index c089426..0000000 --- a/modules/vpc-peering-accepter/main.tf +++ /dev/null 
@@ -1,73 +0,0 @@ -locals { - metadata = { - package = "terraform-aws-network" - version = trimspace(file("${path.module}/../../VERSION")) - module = basename(path.module) - name = var.name - } - module_tags = var.module_tags_enabled ? { - "module.terraform.io/package" = local.metadata.package - "module.terraform.io/version" = local.metadata.version - "module.terraform.io/name" = local.metadata.module - "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}" - "module.terraform.io/instance" = local.metadata.name - } : {} -} - -data "aws_caller_identity" "this" {} -data "aws_region" "this" {} - -locals { - requester = { - account_id = aws_vpc_peering_connection_accepter.this.peer_owner_id - region = aws_vpc_peering_connection_accepter.this.peer_region - vpc_id = aws_vpc_peering_connection_accepter.this.peer_vpc_id - cidr_block = data.aws_vpc_peering_connection.this.cidr_block - secondary_cidr_blocks = [ - for cidr in data.aws_vpc_peering_connection.this.cidr_block_set : - cidr.cidr_block - if cidr.cidr_block != data.aws_vpc_peering_connection.this.cidr_block - ] - } - accepter = { - account_id = data.aws_caller_identity.this.account_id - region = data.aws_region.this.name - vpc_id = aws_vpc_peering_connection_accepter.this.vpc_id - cidr_block = data.aws_vpc_peering_connection.this.peer_cidr_block - secondary_cidr_blocks = [ - for cidr in data.aws_vpc_peering_connection.this.peer_cidr_block_set : - cidr.cidr_block - if cidr.cidr_block != data.aws_vpc_peering_connection.this.peer_cidr_block - ] - } -} - - -################################################### -# VPC Peering for Accepter -################################################### - -resource "aws_vpc_peering_connection_accepter" "this" { - vpc_peering_connection_id = var.id - auto_accept = true - - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, - ) -} - -resource "aws_vpc_peering_connection_options" "this" { - vpc_peering_connection_id = 
aws_vpc_peering_connection_accepter.this.id - - accepter { - allow_remote_vpc_dns_resolution = var.allow_remote_vpc_dns_resolution - } -} - -data "aws_vpc_peering_connection" "this" { - id = aws_vpc_peering_connection_accepter.this.id -} diff --git a/modules/vpc-peering-accepter/migrations.tf b/modules/vpc-peering-accepter/migrations.tf deleted file mode 100644 index 83a0f7e..0000000 --- a/modules/vpc-peering-accepter/migrations.tf +++ /dev/null @@ -1,5 +0,0 @@ -# 2023-02-01 -moved { - from = aws_resourcegroups_group.this[0] - to = module.resource_group[0].aws_resourcegroups_group.this -} diff --git a/modules/vpc-peering-accepter/outputs.tf b/modules/vpc-peering-accepter/outputs.tf deleted file mode 100644 index faaa1cb..0000000 --- a/modules/vpc-peering-accepter/outputs.tf +++ /dev/null @@ -1,24 +0,0 @@ -output "name" { - description = "The VPC Peering name." - value = var.name -} - -output "id" { - description = "The ID of the VPC Peering Connection." - value = aws_vpc_peering_connection_accepter.this.id -} - -output "status" { - description = "The status of the VPC Peering Connection request." - value = aws_vpc_peering_connection_accepter.this.accept_status -} - -output "requester" { - description = "The requester information including AWS Account ID, Region, VPC ID." - value = local.requester -} - -output "accepter" { - description = "The accepter information including AWS Account ID, Region, VPC ID." - value = local.accepter -} diff --git a/modules/vpc-peering-accepter/resource-group.tf b/modules/vpc-peering-accepter/resource-group.tf deleted file mode 100644 index 7487ba0..0000000 --- a/modules/vpc-peering-accepter/resource-group.tf +++ /dev/null 
@@ -1,31 +0,0 @@ -locals { - resource_group_name = (var.resource_group_name != "" - ? var.resource_group_name - : join(".", [ - local.metadata.package, - local.metadata.module, - replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), - ]) - ) -} - - -module "resource_group" { - source = "tedilabs/misc/aws//modules/resource-group" - version = "~> 0.10.0" - - count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 - - name = local.resource_group_name - description = var.resource_group_description - - query = { - resource_tags = local.module_tags - } - - module_tags_enabled = false - tags = merge( - local.module_tags, - var.tags, - ) -} diff --git a/modules/vpc-peering-accepter/variables.tf b/modules/vpc-peering-accepter/variables.tf deleted file mode 100644 index 308a0d6..0000000 --- a/modules/vpc-peering-accepter/variables.tf +++ /dev/null 
@@ -1,51 +0,0 @@
-variable "id" {
- description = "The VPC Peering Connection ID to manage."
- type = string
-}
-
-variable "name" {
- description = "Desired name for the VPC Peering resources."
- type = string
- default = ""
-}
-
-variable "allow_remote_vpc_dns_resolution" {
- description = "Allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC. This is not supported for inter-region VPC peering."
- type = bool
- default = false
-}
-
-variable "tags" {
- description = "A map of tags to add to all resources."
- type = map(string)
- default = {}
-}
-
-variable "module_tags_enabled" {
- description = "Whether to create AWS Resource Tags for the module informations."
- type = bool
- default = true
-}
-
-
-###################################################
-# Resource Group
-###################################################
-
-variable "resource_group_enabled" {
- description = "Whether to create Resource Group to find and group AWS resources which are created by this module."
- type = bool
- default = true
-}
-
-variable "resource_group_name" {
- description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
- type = string
- default = ""
-}
-
-variable "resource_group_description" {
- description = "The description of Resource Group."
- type = string
- default = "Managed by Terraform."
-}
diff --git a/modules/vpc-peering-accepter/versions.tf b/modules/vpc-peering-accepter/versions.tf
deleted file mode 100644
index dd959fc..0000000
--- a/modules/vpc-peering-accepter/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.2"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.45"
- }
- }
-}
diff --git a/modules/vpc-peering-requester/README.md b/modules/vpc-peering-requester/README.md
deleted file mode 100644
index 6eb3b88..0000000
--- a/modules/vpc-peering-requester/README.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# vpc-peering-requester - -This module creates following resources. - -- `aws_vpc_peering_connection` -- `aws_vpc_peering_connection_options` (optional) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | -| [aws](#requirement\_aws) | >= 3.45 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.52.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection) | resource | -| [aws_vpc_peering_connection_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_options) | resource | -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_peering_connection) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [accepter\_vpc\_id](#input\_accepter\_vpc\_id) | The ID of the VPC with which you are creating the VPC Peering Connection. | `string` | n/a | yes | -| [name](#input\_name) | Desired name for the VPC Peering resources. | `string` | n/a | yes | -| [vpc\_id](#input\_vpc\_id) | The ID of the requester VPC. | `string` | n/a | yes | -| [accepter\_account\_id](#input\_accepter\_account\_id) | The AWS account ID of the owner of the peer VPC. 
| `string` | `null` | no | -| [accepter\_region](#input\_accepter\_region) | The region of the VPC with which you are creating the VPC Peering Connection. | `string` | `null` | no | -| [allow\_remote\_vpc\_dns\_resolution](#input\_allow\_remote\_vpc\_dns\_resolution) | Allow a requester VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the accepter VPC. This is not supported for inter-region VPC peering. | `bool` | `false` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [accepter](#output\_accepter) | The accepter information including AWS Account ID, Region, VPC ID. | -| [id](#output\_id) | The ID of the VPC Peering Connection. | -| [name](#output\_name) | The VPC Peering name. | -| [requester](#output\_requester) | The requester information including AWS Account ID, Region, VPC ID. | -| [status](#output\_status) | The status of the VPC Peering Connection request. | - diff --git a/modules/vpc-peering-requester/main.tf b/modules/vpc-peering-requester/main.tf deleted file mode 100644 index d6c22b4..0000000 
--- a/modules/vpc-peering-requester/main.tf +++ /dev/null @@ -1,67 +0,0 @@ -locals { - metadata = { - package = "terraform-aws-network" - version = trimspace(file("${path.module}/../../VERSION")) - module = basename(path.module) - name = var.name - } - module_tags = var.module_tags_enabled ? { - "module.terraform.io/package" = local.metadata.package - "module.terraform.io/version" = local.metadata.version - "module.terraform.io/name" = local.metadata.module - "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}" - "module.terraform.io/instance" = local.metadata.name - } : {} -} - -data "aws_caller_identity" "this" {} -data "aws_region" "this" {} - -locals { - requester = { - account_id = data.aws_caller_identity.this.account_id - region = data.aws_region.this.name - vpc_id = var.vpc_id - } - accepter = { - account_id = var.accepter_account_id != null ? var.accepter_account_id : local.requester.account_id - region = var.accepter_region != null ? var.accepter_region : local.requester.region - vpc_id = var.accepter_vpc_id - } -} - - -################################################### -# VPC Peering for Requester -################################################### - -resource "aws_vpc_peering_connection" "this" { - vpc_id = local.requester.vpc_id - auto_accept = false - - peer_vpc_id = local.accepter.vpc_id - peer_region = local.accepter.region - peer_owner_id = local.accepter.account_id - - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, - ) -} - -resource "aws_vpc_peering_connection_options" "this" { - count = var.allow_remote_vpc_dns_resolution ? 1 : 0 - - vpc_peering_connection_id = aws_vpc_peering_connection.this.id - - requester { - allow_remote_vpc_dns_resolution = true - } -} - -data "aws_vpc_peering_connection" "this" { - id = aws_vpc_peering_connection.this.id -} 
diff --git a/modules/vpc-peering-requester/migrations.tf b/modules/vpc-peering-requester/migrations.tf deleted file mode 100644 index 83a0f7e..0000000 --- a/modules/vpc-peering-requester/migrations.tf +++ /dev/null @@ -1,5 +0,0 @@ -# 2023-02-01 -moved { - from = aws_resourcegroups_group.this[0] - to = module.resource_group[0].aws_resourcegroups_group.this -} diff --git a/modules/vpc-peering-requester/outputs.tf b/modules/vpc-peering-requester/outputs.tf deleted file mode 100644 index 70113c6..0000000 --- a/modules/vpc-peering-requester/outputs.tf +++ /dev/null @@ -1,38 +0,0 @@ -output "name" { - description = "The VPC Peering name." - value = var.name -} - -output "id" { - description = "The ID of the VPC Peering Connection." - value = aws_vpc_peering_connection.this.id -} - -output "status" { - description = "The status of the VPC Peering Connection request." - value = aws_vpc_peering_connection.this.accept_status -} - -output "requester" { - description = "The requester information including AWS Account ID, Region, VPC ID." - value = merge(local.requester, { - cidr_block = data.aws_vpc_peering_connection.this.cidr_block - secondary_cidr_blocks = [ - for cidr in data.aws_vpc_peering_connection.this.cidr_block_set : - cidr.cidr_block - if cidr.cidr_block != data.aws_vpc_peering_connection.this.cidr_block - ] - }) -} - -output "accepter" { - description = "The accepter information including AWS Account ID, Region, VPC ID." - value = merge(local.accepter, { - cidr_block = data.aws_vpc_peering_connection.this.peer_cidr_block - secondary_cidr_blocks = [ - for cidr in data.aws_vpc_peering_connection.this.peer_cidr_block_set : - cidr.cidr_block - if cidr.cidr_block != data.aws_vpc_peering_connection.this.peer_cidr_block - ] - }) -} diff --git a/modules/vpc-peering-requester/resource-group.tf b/modules/vpc-peering-requester/resource-group.tf deleted file mode 100644 index 7487ba0..0000000 --- a/modules/vpc-peering-requester/resource-group.tf +++ /dev/null 
@@ -1,31 +0,0 @@ -locals { - resource_group_name = (var.resource_group_name != "" - ? var.resource_group_name - : join(".", [ - local.metadata.package, - local.metadata.module, - replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), - ]) - ) -} - - -module "resource_group" { - source = "tedilabs/misc/aws//modules/resource-group" - version = "~> 0.10.0" - - count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 - - name = local.resource_group_name - description = var.resource_group_description - - query = { - resource_tags = local.module_tags - } - - module_tags_enabled = false - tags = merge( - local.module_tags, - var.tags, - ) -} diff --git a/modules/vpc-peering-requester/variables.tf b/modules/vpc-peering-requester/variables.tf deleted file mode 100644 index 3c3a561..0000000 --- a/modules/vpc-peering-requester/variables.tf +++ /dev/null 
@@ -1,67 +0,0 @@ -variable "name" { - description = "Desired name for the VPC Peering resources." - type = string -} - -variable "vpc_id" { - description = "The ID of the requester VPC." - type = string -} - -variable "accepter_vpc_id" { - description = "The ID of the VPC with which you are creating the VPC Peering Connection." - type = string -} - -variable "accepter_region" { - description = "The region of the VPC with which you are creating the VPC Peering Connection." - type = string - default = null -} - -variable "accepter_account_id" { - description = "The AWS account ID of the owner of the peer VPC." - type = string - default = null -} - -variable "allow_remote_vpc_dns_resolution" { - description = "Allow a requester VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the accepter VPC. This is not supported for inter-region VPC peering." - type = bool - default = false -} - -variable "tags" { - description = "A map of tags to add to all resources." - type = map(string) - default = {} -} - -variable "module_tags_enabled" { - description = "Whether to create AWS Resource Tags for the module informations." - type = bool - default = true -} - - -################################################### -# Resource Group -################################################### - -variable "resource_group_enabled" { - description = "Whether to create Resource Group to find and group AWS resources which are created by this module." - type = bool - default = true -} - -variable "resource_group_name" { - description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." - type = string - default = "" -} - -variable "resource_group_description" { - description = "The description of Resource Group." - type = string - default = "Managed by Terraform." -} 
diff --git a/modules/vpc-peering-requester/versions.tf b/modules/vpc-peering-requester/versions.tf deleted file mode 100644 index dd959fc..0000000 --- a/modules/vpc-peering-requester/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 1.2" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.45" - } - } -} diff --git a/modules/vpc-peering/README.md b/modules/vpc-peering/README.md deleted file mode 100644 index c5a8c35..0000000 --- a/modules/vpc-peering/README.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# vpc-peering - -This module creates following resources. - -- `aws_vpc_peering_connection` - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | -| [aws](#requirement\_aws) | >= 3.45 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.52.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection) | resource | -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_vpc.accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | -| [aws_vpc.requester](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [accepter\_vpc\_id](#input\_accepter\_vpc\_id) | The ID of the VPC with which you are creating the VPC Peering Connection. | `string` | n/a | yes | -| [name](#input\_name) | Desired name for the VPC Peering resources. | `string` | n/a | yes | -| [requester\_vpc\_id](#input\_requester\_vpc\_id) | The ID of the requester VPC. | `string` | n/a | yes | -| [accepter\_allow\_remote\_vpc\_dns\_resolution](#input\_accepter\_allow\_remote\_vpc\_dns\_resolution) | Allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC. 
This is not supported for inter-region VPC peering. | `bool` | `false` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [requester\_allow\_remote\_vpc\_dns\_resolution](#input\_requester\_allow\_remote\_vpc\_dns\_resolution) | Allow a requester VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the accepter VPC. This is not supported for inter-region VPC peering. | `bool` | `false` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [accepter](#output\_accepter) | The accepter information including AWS Account ID, Region, VPC ID. | -| [id](#output\_id) | The ID of the VPC Peering Connection. | -| [name](#output\_name) | The VPC Peering name. | -| [requester](#output\_requester) | The requester information including AWS Account ID, Region, VPC ID. | -| [status](#output\_status) | The status of the VPC Peering Connection request. | - diff --git a/modules/vpc-peering/main.tf b/modules/vpc-peering/main.tf deleted file mode 100644 index 770aa5c..0000000 --- a/modules/vpc-peering/main.tf +++ /dev/null 
@@ -1,78 +0,0 @@ -locals { - metadata = { - package = "terraform-aws-network" - version = trimspace(file("${path.module}/../../VERSION")) - module = basename(path.module) - name = var.name - } - module_tags = var.module_tags_enabled ? { - "module.terraform.io/package" = local.metadata.package - "module.terraform.io/version" = local.metadata.version - "module.terraform.io/name" = local.metadata.module - "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}" - "module.terraform.io/instance" = local.metadata.name - } : {} -} - -data "aws_caller_identity" "this" {} -data "aws_region" "this" {} - -data "aws_vpc" "requester" { - id = var.requester_vpc_id -} - -data "aws_vpc" "accepter" { - id = var.accepter_vpc_id -} - -locals { - requester = { - account_id = data.aws_caller_identity.this.account_id - region = data.aws_region.this.name - vpc_id = var.requester_vpc_id - cidr_block = data.aws_vpc.requester.cidr_block - secondary_cidr_blocks = [ - for association in data.aws_vpc.requester.cidr_block_associations : - association.cidr_block - if association.cidr_block != data.aws_vpc.requester.cidr_block - ] - } - accepter = { - account_id = data.aws_caller_identity.this.account_id - region = data.aws_region.this.name - vpc_id = var.accepter_vpc_id - cidr_block = data.aws_vpc.accepter.cidr_block - secondary_cidr_blocks = [ - for association in data.aws_vpc.accepter.cidr_block_associations : - association.cidr_block - if association.cidr_block != data.aws_vpc.accepter.cidr_block - ] - } -} - - -################################################### -# VPC Peering -################################################### - -resource "aws_vpc_peering_connection" "this" { - vpc_id = local.requester.vpc_id - peer_vpc_id = local.accepter.vpc_id - auto_accept = true - - requester { - allow_remote_vpc_dns_resolution = var.requester_allow_remote_vpc_dns_resolution - } - - accepter { - allow_remote_vpc_dns_resolution = 
var.accepter_allow_remote_vpc_dns_resolution - } - - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, - ) -} diff --git a/modules/vpc-peering/migrations.tf b/modules/vpc-peering/migrations.tf deleted file mode 100644 index 83a0f7e..0000000 --- a/modules/vpc-peering/migrations.tf +++ /dev/null @@ -1,5 +0,0 @@ -# 2023-02-01 -moved { - from = aws_resourcegroups_group.this[0] - to = module.resource_group[0].aws_resourcegroups_group.this -} diff --git a/modules/vpc-peering/outputs.tf b/modules/vpc-peering/outputs.tf deleted file mode 100644 index 82f47eb..0000000 --- a/modules/vpc-peering/outputs.tf +++ /dev/null @@ -1,24 +0,0 @@ -output "name" { - description = "The VPC Peering name." - value = var.name -} - -output "id" { - description = "The ID of the VPC Peering Connection." - value = aws_vpc_peering_connection.this.id -} - -output "status" { - description = "The status of the VPC Peering Connection request." - value = aws_vpc_peering_connection.this.accept_status -} - -output "requester" { - description = "The requester information including AWS Account ID, Region, VPC ID." - value = local.requester -} - -output "accepter" { - description = "The accepter information including AWS Account ID, Region, VPC ID." - value = local.accepter -} diff --git a/modules/vpc-peering/resource-group.tf b/modules/vpc-peering/resource-group.tf deleted file mode 100644 index 7487ba0..0000000 --- a/modules/vpc-peering/resource-group.tf +++ /dev/null 
@@ -1,31 +0,0 @@ -locals { - resource_group_name = (var.resource_group_name != "" - ? var.resource_group_name - : join(".", [ - local.metadata.package, - local.metadata.module, - replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"), - ]) - ) -} - - -module "resource_group" { - source = "tedilabs/misc/aws//modules/resource-group" - version = "~> 0.10.0" - - count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 - - name = local.resource_group_name - description = var.resource_group_description - - query = { - resource_tags = local.module_tags - } - - module_tags_enabled = false - tags = merge( - local.module_tags, - var.tags, - ) -} diff --git a/modules/vpc-peering/variables.tf b/modules/vpc-peering/variables.tf deleted file mode 100644 index 8fe1edd..0000000 --- a/modules/vpc-peering/variables.tf +++ /dev/null 
@@ -1,61 +0,0 @@ -variable "name" { - description = "Desired name for the VPC Peering resources." - type = string -} - -variable "requester_vpc_id" { - description = "The ID of the requester VPC." - type = string -} - -variable "accepter_vpc_id" { - description = "The ID of the VPC with which you are creating the VPC Peering Connection." - type = string -} - -variable "requester_allow_remote_vpc_dns_resolution" { - description = "Allow a requester VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the accepter VPC. This is not supported for inter-region VPC peering." - type = bool - default = false -} - -variable "accepter_allow_remote_vpc_dns_resolution" { - description = "Allow a accepter VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requester VPC. This is not supported for inter-region VPC peering." - type = bool - default = false -} - -variable "tags" { - description = "A map of tags to add to all resources." - type = map(string) - default = {} -} - -variable "module_tags_enabled" { - description = "Whether to create AWS Resource Tags for the module informations." - type = bool - default = true -} - - -################################################### -# Resource Group -################################################### - -variable "resource_group_enabled" { - description = "Whether to create Resource Group to find and group AWS resources which are created by this module." - type = bool - default = true -} - -variable "resource_group_name" { - description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." - type = string - default = "" -} - -variable "resource_group_description" { - description = "The description of Resource Group." - type = string - default = "Managed by Terraform." -} 
diff --git a/modules/vpc-peering/versions.tf b/modules/vpc-peering/versions.tf
deleted file mode 100644
index dd959fc..0000000
--- a/modules/vpc-peering/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.2"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.45"
- }
- }
-}
diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf
index dd959fc..24f6ed6 100644
--- a/modules/vpc/versions.tf
+++ b/modules/vpc/versions.tf
@@ -1,10 +1,10 @@
 terraform {
- required_version = ">= 1.2"
+ required_version = ">= 1.3"
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.45"
+ version = ">= 4.58"
 }
 }
 }
From d6dc7b2a796b5ac657c37dc8f8a0cdce6696a15a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 3 Oct 2023 00:08:21 +0900
Subject: [PATCH 36/73] Bump actions/checkout from 3 to 4 (#47)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/sync-labels.yaml | 2 +-
 .github/workflows/terraform.integration.yaml | 2 +-
 .github/workflows/yaml.integration.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 5d0805f..906b890 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -14,7 +14,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Sync labels
 uses: crazy-max/ghaction-github-labeler@v4
diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml
index 8cfe55e..27767b8 100644
--- a/.github/workflows/terraform.integration.yaml
+++ b/.github/workflows/terraform.integration.yaml
@@ -25,7 +25,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml
index 5149a2d..eb02914 100644
--- a/.github/workflows/yaml.integration.yaml
+++ b/.github/workflows/yaml.integration.yaml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
From 3b5bca2fd093ed3e4411e90fa0f70d4a6844dc60 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 3 Oct 2023 00:08:32 +0900
Subject: [PATCH 37/73] Bump crazy-max/ghaction-github-labeler from 4 to 5 (#49)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/sync-labels.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 906b890..d43aa13 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -17,7 +17,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Sync labels
- uses: crazy-max/ghaction-github-labeler@v4
+ uses: crazy-max/ghaction-github-labeler@v5
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 yaml-file: .github/labels.yaml
From 3ad00ed56ea321e6339bb1ef1bc5cdc5aa004b2f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 3 Oct 2023 00:08:54 +0900
Subject: [PATCH 38/73] Bump tj-actions/changed-files from 38 to 39 (#48)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/terraform.integration.yaml | 4 ++--
 .github/workflows/yaml.integration.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml
index 27767b8..ef58145 100644
--- a/.github/workflows/terraform.integration.yaml
+++ b/.github/workflows/terraform.integration.yaml
@@ -31,7 +31,7 @@ jobs:
 - name: Get Changed Files
 id: changed-files
- uses: tj-actions/changed-files@v38
+ uses: tj-actions/changed-files@v39
 with:
 files: |
 modules/**
@@ -40,7 +40,7 @@ jobs:
 - name: Get Changed Directories
 id: changed-directories
- uses: tj-actions/changed-files@v38
+ uses: tj-actions/changed-files@v39
 with:
 files: |
 modules/**
diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml
index eb02914..c2233c0 100644
--- a/.github/workflows/yaml.integration.yaml
+++ b/.github/workflows/yaml.integration.yaml
@@ -29,7 +29,7 @@ jobs:
 - name: Get Changed Files
 id: changed-files
- uses: tj-actions/changed-files@v38
+ uses: tj-actions/changed-files@v39
 with:
 files: |
 **/*.yaml
From 2ae3c5f9e94122945b8b437b3c1a690df28470c9 Mon Sep 17 00:00:00 2001
From: "Byungjin Park (Claud)"
Date: Tue, 3 Oct 2023 19:08:17 +0900
Subject: [PATCH 39/73] Update terraform version to v1.5 (#50)
---
 .pre-commit-config.yaml | 5 ++++-
 modules/nacl/README.md | 4 ++--
 modules/nacl/versions.tf | 2 +-
 modules/nat-gateway/README.md | 4 ++--
 modules/nat-gateway/versions.tf | 2 +-
 modules/route-table/README.md | 4 ++--
 modules/route-table/versions.tf | 2 +-
 modules/security-group/README.md | 4 ++--
 modules/security-group/versions.tf | 2 +-
 modules/subnet-group/README.md | 4 ++--
 modules/subnet-group/versions.tf | 2 +-
 modules/vpc/README.md | 6 +++---
 modules/vpc/versions.tf | 2 +-
 13 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 10bde48..8f8a374 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.81.0
+ rev: v1.83.4
 hooks:
 - id: terraform_fmt
 args:
@@ -9,6 +9,9 @@ repos: args: - --tf-init-args=-upgrade - --hook-config=--retry-once-with-cleanup=true + - id: terraform_providers_lock + args: + - --hook-config=--mode=always-regenerate-lockfile - id: terraform_tflint args: - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl diff --git a/modules/nacl/README.md b/modules/nacl/README.md index 347f30d..132e59c 100644 --- a/modules/nacl/README.md +++ b/modules/nacl/README.md @@ -10,14 +10,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | +| [terraform](#requirement\_terraform) | >= 1.5 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.52.0 | +| [aws](#provider\_aws) | 5.19.0 | ## Modules diff --git a/modules/nacl/versions.tf b/modules/nacl/versions.tf index dd959fc..9ae3d78 100644 --- a/modules/nacl/versions.tf +++ b/modules/nacl/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2" + required_version = ">= 1.5" required_providers { aws = { diff --git a/modules/nat-gateway/README.md b/modules/nat-gateway/README.md index 0bdbd2d..4d29ad7 100644 --- a/modules/nat-gateway/README.md +++ b/modules/nat-gateway/README.md @@ -10,14 +10,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | +| [terraform](#requirement\_terraform) | >= 1.5 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.52.0 | +| [aws](#provider\_aws) | 5.19.0 | ## Modules diff --git a/modules/nat-gateway/versions.tf b/modules/nat-gateway/versions.tf index dd959fc..9ae3d78 100644 --- a/modules/nat-gateway/versions.tf +++ b/modules/nat-gateway/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2" + required_version = ">= 1.5" required_providers { aws = { 
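Review bot: The new `terraform_providers_lock` hook is configured with `--hook-config=--mode=always-regenerate-lockfile`, which rewrites `.terraform.lock.hcl` from whatever the registry currently serves on every run instead of checking that the committed lockfile still matches what was previously verified, so the lockfile stops acting as a pin. If the goal is reproducible provider downloads, run the hook in its check-only mode for routine commits (if that mode is available in the pinned `v1.83.4`) and regenerate deliberately when providers are bumped. Regenerating without an explicit platform list presumably records hashes only for the committer's platform, which CI on another OS may then reject; the hook's arguments do not show a platform here, so confirm. The `hooks:` list this entry belongs to starts before this hunk.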
diff --git a/modules/route-table/README.md b/modules/route-table/README.md index 8ca2520..ae21618 100644 --- a/modules/route-table/README.md +++ b/modules/route-table/README.md @@ -14,14 +14,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | +| [terraform](#requirement\_terraform) | >= 1.5 | | [aws](#requirement\_aws) | >= 4.22 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.22.0 | +| [aws](#provider\_aws) | 5.19.0 | ## Modules diff --git a/modules/route-table/versions.tf b/modules/route-table/versions.tf index 341c2f1..16131a3 100644 --- a/modules/route-table/versions.tf +++ b/modules/route-table/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2" + required_version = ">= 1.5" required_providers { aws = { diff --git a/modules/security-group/README.md b/modules/security-group/README.md index e6241d9..054d8a1 100644 --- a/modules/security-group/README.md +++ b/modules/security-group/README.md @@ -10,14 +10,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | +| [terraform](#requirement\_terraform) | >= 1.5 | | [aws](#requirement\_aws) | >= 3.45 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.52.0 | +| [aws](#provider\_aws) | 5.19.0 | ## Modules diff --git a/modules/security-group/versions.tf b/modules/security-group/versions.tf index dd959fc..9ae3d78 100644 --- a/modules/security-group/versions.tf +++ b/modules/security-group/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2" + required_version = ">= 1.5" required_providers { aws = { diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md index 4b46748..b7f4c59 100644 --- a/modules/subnet-group/README.md +++ b/modules/subnet-group/README.md 
@@ -16,14 +16,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | +| [terraform](#requirement\_terraform) | >= 1.5 | | [aws](#requirement\_aws) | >= 3.71 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.52.0 | +| [aws](#provider\_aws) | 5.19.0 | ## Modules diff --git a/modules/subnet-group/versions.tf b/modules/subnet-group/versions.tf index d677476..6baf4a1 100644 --- a/modules/subnet-group/versions.tf +++ b/modules/subnet-group/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2" + required_version = ">= 1.5" required_providers { aws = { diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 69de423..869369e 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -16,14 +16,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.2 | -| [aws](#requirement\_aws) | >= 3.45 | +| [terraform](#requirement\_terraform) | >= 1.5 | +| [aws](#requirement\_aws) | >= 4.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.52.0 | +| [aws](#provider\_aws) | 5.19.0 | ## Modules diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index 24f6ed6..a218c92 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.3" + required_version = ">= 1.5" required_providers { aws = { From 694d35d0719da06048d0b2c07dc3965cb37dfdb1 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Tue, 17 Oct 2023 21:36:49 +0900 Subject: [PATCH 40/73] Fix vpc module --- modules/vpc/outputs.tf | 2 +- modules/vpc/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf index 4ee925f..ea6ea4b 100644 --- a/modules/vpc/outputs.tf +++ b/modules/vpc/outputs.tf 
@@ -120,7 +120,7 @@ output "egress_only_internet_gateway_enabled" { output "egress_only_internet_gateway_id" { description = "The ID of the Egress Only Internet Gateway." - value = one(aws_egress_only_internet_gateway.this[0].id) + value = one(aws_egress_only_internet_gateway.this[*].id) } output "vpn_gateway_enabled" { diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 582c4f0..0c5a962 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -6,7 +6,7 @@ variable "name" { variable "cidr_block" { description = "The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden." type = string - default = "0.0.0.0/0" + default = "10.0.0.0/16" } variable "secondary_cidr_blocks" { From 0db49ac59903b7ee486510748e50c682a662e7d1 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Tue, 17 Oct 2023 21:37:12 +0900 Subject: [PATCH 41/73] Bump to v0.28.0 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 1b58cc1..697f087 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.27.0 +0.28.0 From d6d63e857e853d77f25465e15a2eabffb6901014 Mon Sep 17 00:00:00 2001 
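Review bot: In the `modules/vpc/variables.tf` hunk the description of `cidr_block` is now stale: it still says the default is "not acceptable by AWS and should be overridden", but the new default `10.0.0.0/16` is a valid VPC block that AWS accepts, so the text and the code now contradict each other. Either reword it, e.g. `description = "The CIDR block for the VPC. Defaults to 10.0.0.0/16; override it to avoid overlapping with networks you later peer or attach."`, or drop the default so callers have to choose a block deliberately. A silently applied 10.0.0.0/16 is a frequent cause of overlapping address space once VPCs are peered or attached to a transit gateway, and that is much harder to fix after the fact than a missing-variable error at plan time.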
From: "Byungjin Park (Claud)" Date: Sun, 22 Oct 2023 22:41:29 +0900 Subject: [PATCH 42/73] Refine vpc module (#51) --- README.md | 10 +- examples/vpc-full/main.tf | 101 +++++ examples/vpc-full/outputs.tf | 4 + examples/vpc-full/versions.tf | 10 + examples/vpc-ipv4-secondary-cidrs/main.tf | 31 ++ examples/vpc-ipv4-secondary-cidrs/outputs.tf | 4 + examples/vpc-ipv4-secondary-cidrs/versions.tf | 10 + examples/vpc-ipv6-cidrs/main.tf | 30 ++ examples/vpc-ipv6-cidrs/outputs.tf | 4 + examples/vpc-ipv6-cidrs/versions.tf | 10 + examples/vpc-simple/main.tf | 25 ++ examples/vpc-simple/outputs.tf | 4 + examples/vpc-simple/versions.tf | 10 + examples/vpc-with-ipam/ipam.tf | 55 +++ examples/vpc-with-ipam/main.tf | 63 ++++ examples/vpc-with-ipam/outputs.tf | 4 + examples/vpc-with-ipam/versions.tf | 10 + modules/vpc/README.md | 108 +++--- modules/vpc/defaults.tf | 237 ++++++++++++ modules/vpc/dhcp-options.tf | 47 +++ modules/vpc/gateways.tf | 79 ++++ modules/vpc/main.tf | 198 +++++----- modules/vpc/outputs.tf | 305 ++++++++++----- modules/vpc/route53.tf | 21 ++ modules/vpc/variables.tf | 349 ++++++++++++++---- modules/vpc/versions.tf | 2 +- 26 files changed, 1409 insertions(+), 322 deletions(-) create mode 100644 examples/vpc-full/main.tf create mode 100644 examples/vpc-full/outputs.tf create mode 100644 examples/vpc-full/versions.tf create mode 100644 examples/vpc-ipv4-secondary-cidrs/main.tf create mode 100644 examples/vpc-ipv4-secondary-cidrs/outputs.tf create mode 100644 examples/vpc-ipv4-secondary-cidrs/versions.tf create mode 100644 examples/vpc-ipv6-cidrs/main.tf create mode 100644 examples/vpc-ipv6-cidrs/outputs.tf create mode 100644 examples/vpc-ipv6-cidrs/versions.tf create mode 100644 examples/vpc-simple/main.tf create mode 100644 examples/vpc-simple/outputs.tf create mode 100644 examples/vpc-simple/versions.tf create mode 100644 examples/vpc-with-ipam/ipam.tf create mode 100644 examples/vpc-with-ipam/main.tf create mode 100644 examples/vpc-with-ipam/outputs.tf create 
mode 100644 examples/vpc-with-ipam/versions.tf create mode 100644 modules/vpc/defaults.tf create mode 100644 modules/vpc/dhcp-options.tf create mode 100644 modules/vpc/gateways.tf create mode 100644 modules/vpc/route53.tf diff --git a/README.md b/README.md index 8783486..1e8a9a9 100644 --- a/README.md +++ b/README.md @@ -20,20 +20,28 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - **AWS VPC (Virtual Private Cloud)** - VPC + - Default Network ACL + - Default Security Group - Subnet - Route Table - NACL (Network ACL) - Security Group - Gateways - Internet Gateway + - Egress-only Internet Gateway - NAT Gateway + - VPN Gateway (Virtual Private Gateway) ## Examples ### VPC -- To be added +- [vpc-full](./examples/vpc-full) +- [vpc-ipv4-secondary-cidrs](./examples/vpc-ipv4-secondary-cidrs) +- [vpc-ipv6-cidrs](./examples/vpc-ipv6-cidrs) +- [vpc-simple](./examples/vpc-simple) +- [vpc-with-ipam](./examples/vpc-with-ipam) ## Self Promotion diff --git a/examples/vpc-full/main.tf b/examples/vpc-full/main.tf new file mode 100644 index 0000000..19cc623 --- /dev/null +++ b/examples/vpc-full/main.tf 
@@ -0,0 +1,101 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+
+###################################################
+# VPC
+###################################################
+
+module "vpc" {
+ source = "../../modules/vpc"
+ # source = "tedilabs/network/aws//modules/vpc"
+ # version = "~> 0.2.0"
+
+ name = "test"
+ ipv4_cidrs = [
+ {
+ cidr = "10.0.0.0/16"
+ },
+ ]
+ ipv6_cidrs = [
+ {
+ type = "AMAZON"
+ },
+ ]
+
+
+ ## DHCP Option Set
+ dhcp_options = {
+ enabled = true
+ domain_name = "example.com"
+ domain_name_servers = ["4.4.4.4", "8.8.8.8"]
+ }
+
+
+ ## Gateways
+ internet_gateway = {
+ enabled = true
+ }
+ egress_only_internet_gateway = {
+ enabled = true
+ }
+ vpn_gateway = {
+ enabled = true
+ }
+
+
+ ## Defaults
+ default_network_acl = {
+ name = "test-default"
+ ingress_rules = [
+ {
+ priority = 200
+ action = "ALLOW"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ ipv4_cidr = "0.0.0.0/0"
+ },
+ {
+ priority = 201
+ action = "ALLOW"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ ipv6_cidr = "::/0"
+ },
+ ]
+ }
+ default_security_group = {
+ name = "test-default"
+ ingress_rules = [
+ {
+ protocol = "tcp"
+ from_port = 80
+ to_port = 80
+ ipv4_cidrs = ["10.0.0.0/16"]
+ },
+ {
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ self = true
+ },
+ ]
+ egress_rules = [
+ {
+ protocol = "all"
+ from_port = 0
+ to_port = 0
+ ipv4_cidrs = ["0.0.0.0/0"]
+ ipv6_cidrs = ["::/0"]
+ }
+ ]
+ }
+
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
diff --git a/examples/vpc-full/outputs.tf b/examples/vpc-full/outputs.tf
new file mode 100644
index 0000000..cc46043
--- /dev/null
+++ b/examples/vpc-full/outputs.tf
@@ -0,0 +1,4 @@
+output "vpc" {
+ description = "The VPC."
+ value = module.vpc
+}
diff --git a/examples/vpc-full/versions.tf b/examples/vpc-full/versions.tf
new file mode 100644
index 0000000..59c42e8
--- /dev/null
+++ b/examples/vpc-full/versions.tf
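Review bot: The `default_network_acl.ingress_rules` in `examples/vpc-full/main.tf` allow only TCP 443 inbound from `0.0.0.0/0` and `::/0`, and because network ACLs are stateless this also drops the return traffic of any outbound connection made from a subnet still on the default NACL (responses arrive on ephemeral ports, not 443). The README in this same commit states that explicitly defined rules replace the AWS default rules, so the example as written likely leaves such instances unable to complete outbound connections. A comment would stop readers copying it verbatim, e.g. `# Stateless NACL: subnets on the default ACL also need an ingress rule for ephemeral ports (1024-65535) if they initiate outbound connections.`, or the example could include that rule. It is also worth saying next to these rules that the default NACL applies to every subnet not explicitly associated with another ACL, so opening 443 to the whole Internet here is an illustrative value rather than a recommendation.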
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/examples/vpc-ipv4-secondary-cidrs/main.tf b/examples/vpc-ipv4-secondary-cidrs/main.tf
new file mode 100644
index 0000000..b9d61e8
--- /dev/null
+++ b/examples/vpc-ipv4-secondary-cidrs/main.tf
@@ -0,0 +1,31 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+
+###################################################
+# VPC
+###################################################
+
+module "vpc" {
+ source = "../../modules/vpc"
+ # source = "tedilabs/network/aws//modules/vpc"
+ # version = "~> 0.2.0"
+
+ name = "test"
+ ipv4_cidrs = [
+ {
+ cidr = "10.0.0.0/16"
+ },
+ {
+ cidr = "10.1.0.0/16"
+ },
+ {
+ cidr = "10.2.0.0/16"
+ },
+ ]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
diff --git a/examples/vpc-ipv4-secondary-cidrs/outputs.tf b/examples/vpc-ipv4-secondary-cidrs/outputs.tf
new file mode 100644
index 0000000..cc46043
--- /dev/null
+++ b/examples/vpc-ipv4-secondary-cidrs/outputs.tf
@@ -0,0 +1,4 @@
+output "vpc" {
+ description = "The VPC."
+ value = module.vpc
+}
diff --git a/examples/vpc-ipv4-secondary-cidrs/versions.tf b/examples/vpc-ipv4-secondary-cidrs/versions.tf
new file mode 100644
index 0000000..59c42e8
--- /dev/null
+++ b/examples/vpc-ipv4-secondary-cidrs/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/examples/vpc-ipv6-cidrs/main.tf b/examples/vpc-ipv6-cidrs/main.tf
new file mode 100644
index 0000000..0b5db58
--- /dev/null
+++ b/examples/vpc-ipv6-cidrs/main.tf
@@ -0,0 +1,30 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+
+###################################################
+# VPC
+###################################################
+
+module "vpc" {
+ source = "../../modules/vpc"
+ # source = "tedilabs/network/aws//modules/vpc"
+ # version = "~> 0.2.0"
+
+ name = "test"
+ ipv4_cidrs = [
+ {
+ cidr = "10.0.0.0/16"
+ },
+ ]
+ ipv6_cidrs = [
+ {
+ type = "AMAZON"
+ },
+ ]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
diff --git a/examples/vpc-ipv6-cidrs/outputs.tf b/examples/vpc-ipv6-cidrs/outputs.tf
new file mode 100644
index 0000000..cc46043
--- /dev/null
+++ b/examples/vpc-ipv6-cidrs/outputs.tf
@@ -0,0 +1,4 @@
+output "vpc" {
+ description = "The VPC."
+ value = module.vpc
+}
diff --git a/examples/vpc-ipv6-cidrs/versions.tf b/examples/vpc-ipv6-cidrs/versions.tf
new file mode 100644
index 0000000..59c42e8
--- /dev/null
+++ b/examples/vpc-ipv6-cidrs/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/examples/vpc-simple/main.tf b/examples/vpc-simple/main.tf
new file mode 100644
index 0000000..6f94771
--- /dev/null
+++ b/examples/vpc-simple/main.tf
@@ -0,0 +1,25 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+
+###################################################
+# VPC
+###################################################
+
+module "vpc" {
+ source = "../../modules/vpc"
+ # source = "tedilabs/network/aws//modules/vpc"
+ # version = "~> 0.2.0"
+
+ name = "test"
+ ipv4_cidrs = [
+ {
+ cidr = "10.0.0.0/16"
+ },
+ ]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
diff --git a/examples/vpc-simple/outputs.tf b/examples/vpc-simple/outputs.tf
new file mode 100644
index 0000000..cc46043
--- /dev/null
+++ b/examples/vpc-simple/outputs.tf
@@ -0,0 +1,4 @@
+output "vpc" {
+ description = "The VPC."
+ value = module.vpc
+}
diff --git a/examples/vpc-simple/versions.tf b/examples/vpc-simple/versions.tf
new file mode 100644
index 0000000..59c42e8
--- /dev/null
+++ b/examples/vpc-simple/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/examples/vpc-with-ipam/ipam.tf b/examples/vpc-with-ipam/ipam.tf
new file mode 100644
index 0000000..b19baab
--- /dev/null
+++ b/examples/vpc-with-ipam/ipam.tf
@@ -0,0 +1,55 @@
+data "aws_region" "this" {}
+
+locals {
+ region = data.aws_region.this.name
+}
+
+
+###################################################
+# IPAM
+###################################################
+
+module "ipam" {
+ source = "tedilabs/ipam/aws//modules/ipam"
+ version = "~> 0.1.0"
+
+ name = "test"
+ description = "Managed by Terraform."
+
+ operating_regions = [local.region]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
+
+
+###################################################
+# IPAM Pools
+###################################################
+
+resource "aws_vpc_ipam_pool" "ipv4" {
+ address_family = "ipv4"
+ ipam_scope_id = module.ipam.default_scopes["private"]
+ locale = local.region
+}
+
+resource "aws_vpc_ipam_pool_cidr" "ipv4" {
+ ipam_pool_id = aws_vpc_ipam_pool.ipv4.id
+ cidr = "10.20.0.0/16"
+
+}
+
+resource "aws_vpc_ipam_pool" "ipv6" {
+ address_family = "ipv6"
+ ipam_scope_id = module.ipam.default_scopes["public"]
+ locale = local.region
+ publicly_advertisable = false
+ public_ip_source = "amazon"
+ aws_service = "ec2"
+}
+
+resource "aws_vpc_ipam_pool_cidr" "ipv6" {
+ ipam_pool_id = aws_vpc_ipam_pool.ipv6.id
+ netmask_length = 52
+}
diff --git a/examples/vpc-with-ipam/main.tf b/examples/vpc-with-ipam/main.tf
new file mode 100644
index 0000000..a29e791
--- /dev/null
+++ b/examples/vpc-with-ipam/main.tf
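Review bot: In `examples/vpc-with-ipam/ipam.tf` a stray blank line sits between `cidr = "10.20.0.0/16"` and the closing brace of `aws_vpc_ipam_pool_cidr.ipv4`, which none of the other resource blocks in the file have. `terraform fmt` will probably not remove a single blank line, so it should be deleted by hand to keep the blocks uniform. Everything else in the file reads consistently.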
@@ -0,0 +1,63 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+
+###################################################
+# VPC
+###################################################
+
+module "vpc" {
+ source = "../../modules/vpc"
+ # source = "tedilabs/network/aws//modules/vpc"
+ # version = "~> 0.2.0"
+
+ name = "test"
+ ipv4_cidrs = [
+ {
+ type = "IPAM_POOL"
+ ipam_pool = {
+ id = aws_vpc_ipam_pool.ipv4.id
+ netmask_length = 28
+ }
+ },
+ {
+ cidr = "10.0.0.0/16"
+ },
+ {
+ type = "IPAM_POOL"
+ ipam_pool = {
+ id = aws_vpc_ipam_pool.ipv4.id
+ netmask_length = 28
+ }
+ },
+ ]
+ ipv6_cidrs = [
+ {
+ type = "AMAZON"
+ },
+ {
+ type = "IPAM_POOL"
+ ipam_pool = {
+ id = aws_vpc_ipam_pool.ipv6.id
+ netmask_length = 56
+ }
+ },
+ {
+ type = "IPAM_POOL"
+ ipam_pool = {
+ id = aws_vpc_ipam_pool.ipv6.id
+ cidr = "2600:1f28:7f:4100::/56"
+ }
+ },
+ ]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+
+ depends_on = [
+ aws_vpc_ipam_pool_cidr.ipv4,
+ aws_vpc_ipam_pool_cidr.ipv6,
+ ]
+}
diff --git a/examples/vpc-with-ipam/outputs.tf b/examples/vpc-with-ipam/outputs.tf
new file mode 100644
index 0000000..cc46043
--- /dev/null
+++ b/examples/vpc-with-ipam/outputs.tf
@@ -0,0 +1,4 @@
+output "vpc" {
+ description = "The VPC."
+ value = module.vpc
+}
diff --git a/examples/vpc-with-ipam/versions.tf b/examples/vpc-with-ipam/versions.tf
new file mode 100644
index 0000000..59c42e8
--- /dev/null
+++ b/examples/vpc-with-ipam/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/modules/vpc/README.md b/modules/vpc/README.md
index 869369e..28ff9b1 100644
--- a/modules/vpc/README.md
+++ b/modules/vpc/README.md
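Review bot: The third `ipv6_cidrs` entry in `examples/vpc-with-ipam/main.tf` hard-codes `cidr = "2600:1f28:7f:4100::/56"`, which has to fall inside the /52 that `aws_vpc_ipam_pool_cidr.ipv6` provisions from Amazon's pool; that /52 is allocated per account, so anyone else applying this example will most likely get an allocation error on this entry. Either flag it, e.g. `# Replace with a /56 inside the /52 provisioned to aws_vpc_ipam_pool_cidr.ipv6 in your account`, or derive it from the provisioned block, for instance `cidr = cidrsubnet(aws_vpc_ipam_pool_cidr.ipv6.cidr, 4, 1)`, if the provider populates `cidr` on that resource when only `netmask_length` is given. The two identical `IPAM_POOL` /28 entries in `ipv4_cidrs` look intentional (showing repeated allocations from one pool), but a one-line comment saying so would keep readers from treating it as a copy-paste slip.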
@@ -3,27 +3,32 @@ This module creates following resources. - `aws_vpc` -- `aws_vpc_ipv4_cidr_block_association` (optional) -- `aws_route53_zone_association` (optional) +- `aws_default_network_acl` +- `aws_default_security_group` - `aws_vpc_dhcp_options` (optional) - `aws_vpc_dhcp_options_association` (optional) +- `aws_vpc_ipv4_cidr_block_association` (optional) +- `aws_vpc_ipv6_cidr_block_association` (optional) +- `aws_route53_zone_association` (optional) - `aws_internet_gateway` (optional) +- `aws_internet_gateway_attachment` (optional) - `aws_egress_only_internet_gateway` (optional) - `aws_vpn_gateway` (optional) +- `aws_vpn_gateway_attachment` (optional) ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | +| [terraform](#requirement\_terraform) | >= 1.6 | | [aws](#requirement\_aws) | >= 4.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.22.0 | ## Modules 
@@ -35,77 +40,72 @@ This module creates following resources. | Name | Type | |------|------| +| [aws_default_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource | +| [aws_default_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource | | [aws_egress_only_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/egress_only_internet_gateway) | resource | | [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource | +| [aws_internet_gateway_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway_attachment) | resource | | [aws_route53_resolver_dnssec_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_dnssec_config) | resource | | [aws_route53_zone_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | | [aws_vpc_dhcp_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) | resource | | [aws_vpc_dhcp_options_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) | resource | | [aws_vpc_ipv4_cidr_block_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipv4_cidr_block_association) | resource | +| [aws_vpc_ipv6_cidr_block_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipv6_cidr_block_association) | resource | | 
[aws_vpn_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway) | resource | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_vpn_gateway_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_attachment) | resource | +| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [name](#input\_name) | Desired name for the VPC resources. | `string` | n/a | yes | -| [cidr\_block](#input\_cidr\_block) | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden. | `string` | `"0.0.0.0/0"` | no | -| [dhcp\_options\_domain\_name](#input\_dhcp\_options\_domain\_name) | Specifies DNS name for DHCP options set (requires enable\_dhcp\_options set to true). | `string` | `""` | no | -| [dhcp\_options\_domain\_name\_servers](#input\_dhcp\_options\_domain\_name\_servers) | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable\_dhcp\_options set to true). | `list(string)` |
[
"AmazonProvidedDNS"
]
| no | -| [dhcp\_options\_enabled](#input\_dhcp\_options\_enabled) | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type. | `bool` | `false` | no | -| [dhcp\_options\_netbios\_name\_servers](#input\_dhcp\_options\_netbios\_name\_servers) | Specify a list of netbios servers for DHCP options set (requires enable\_dhcp\_options set to true). | `list(string)` | `[]` | no | -| [dhcp\_options\_netbios\_node\_type](#input\_dhcp\_options\_netbios\_node\_type) | Specify netbios node\_type for DHCP options set (requires enable\_dhcp\_options set to true). | `string` | `""` | no | -| [dhcp\_options\_ntp\_servers](#input\_dhcp\_options\_ntp\_servers) | Specify a list of NTP servers for DHCP options set (requires enable\_dhcp\_options set to true). | `list(string)` | `[]` | no | -| [dns\_dnssec\_validation\_enabled](#input\_dns\_dnssec\_validation\_enabled) | Should be true to enable Route53 DNSSEC validation in the VPC. | `bool` | `false` | no | -| [dns\_hostnames\_enabled](#input\_dns\_hostnames\_enabled) | Should be true to enable DNS hostnames in the VPC. | `bool` | `false` | no | -| [dns\_support\_enabled](#input\_dns\_support\_enabled) | Should be true to enable DNS support in the VPC. | `bool` | `true` | no | -| [egress\_only\_internet\_gateway\_enabled](#input\_egress\_only\_internet\_gateway\_enabled) | Should be true if you want to create a new Egress Only Internet Gateway resource and attach it to the VPC. | `bool` | `false` | no | -| [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC. Only support `default` or `dedicated`. | `string` | `"default"` | no | -| [internet\_gateway\_enabled](#input\_internet\_gateway\_enabled) | Should be true if you want to create a new Internet Gateway resource and attach it to the VPC. 
| `bool` | `true` | no | -| [ipv6\_enabled](#input\_ipv6\_enabled) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [private\_hosted\_zones](#input\_private\_hosted\_zones) | List of private Hosted Zone IDs to associate. | `list(string)` | `[]` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool. | `list(string)` | `[]` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | -| [vpn\_gateway\_asn](#input\_vpn\_gateway\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `number` | `64512` | no | -| [vpn\_gateway\_enabled](#input\_vpn\_gateway\_enabled) | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC. | `bool` | `false` | no | +| [name](#input\_name) | (Required) Desired name for the VPC resources. 
| `string` | n/a | yes | +| [default\_network\_acl](#input\_default\_network\_acl) | (Optional) The configuration for the default Network ACL of the VPC. `default_network_acl` as defined below.
(Optional) `name` - The name of the default Network ACL. Defaults to same name of the VPC.
(Optional) `ingress_rules` - A set of ingress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `ingress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`.
(Optional) `egress_rules` - A set of egress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
object({
name = optional(string)
ingress_rules = optional(set(object({
priority = number
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
})))
egress_rules = optional(set(object({
priority = number
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
})))
})
| `{}` | no | +| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration for the default Security Group of the VPC. `default_security_group` as defined below.
(Optional) `name` - The name of the default Security Group. Defaults to same name of the VPC.
(Optional) `ingress_rules` - A set of ingress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `ingress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`.
(Optional) `egress_rules` - A set of egress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
object({
name = optional(string)
ingress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
egress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
})
| `{}` | no | +| [dhcp\_options](#input\_dhcp\_options) | (Optional) The configuration for a DHCP option set of the VPC. Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. `dhcp_options` as defined below.
(Optional) `enabled` - Whether to create a DHCP option set for the VPC. Defaults to `false`.
(Optional) `name` - The name of the DHCP option set. Defaults to same name of the VPC.
(Optional) `domain_name` - The suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the `/etc/resolv.conf` file. If you're using `AmazonProvidedDNS` in `us-east-1`, specify `ec2.internal`. If you're using `AmazonProvidedDNS` in another Region, specify `{region}.compute.internal`.
(Optional) `domain_name_servers` - A list of name servers to configure in `/etc/resolv.conf`. The IP addresses of up to four domain name servers, or `AmazonProvidedDNS`. If you want to use the default AWS nameservers you should set this to `AmazonProvidedDNS`. Defaults to `["AmazonProvidedDNS"]`.
(Optional) `netbios_name_servers` - A list of NetBIOS name servers. The IP addresses of up to four NetBIOS name servers.
(Optional) `netbios_node_type` - The NetBIOS node type (1, 2, 4, or 8). AWS recommends to specify 2 since broadcast and multicast are not supported in their network. For more information about these node types, see RFC 2132. Defaults to `2`.
(Optional) `ntp_servers` - A list of NTP servers to configure. The IP addresses of up to four Network Time Protocol (NTP) servers. |
object({
enabled = optional(bool, false)
name = optional(string)
domain_name = optional(string)
domain_name_servers = optional(list(string), ["AmazonProvidedDNS"])
netbios_name_servers = optional(list(string), [])
netbios_node_type = optional(number, 2)
ntp_servers = optional(list(string), [])
})
| `{}` | no | +| [dns\_dnssec\_validation\_enabled](#input\_dns\_dnssec\_validation\_enabled) | (Optional) Should be true to enable Route53 DNSSEC validation in the VPC. | `bool` | `false` | no | +| [dns\_hostnames\_enabled](#input\_dns\_hostnames\_enabled) | (Optional) Whether instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses. Defaults to `true`. | `bool` | `true` | no | +| [dns\_resolution\_enabled](#input\_dns\_resolution\_enabled) | (Optional) Whether DNS resolution through the Amazon DNS server is supported for the VPC. Defaults to `true`. | `bool` | `true` | no | +| [egress\_only\_internet\_gateway](#input\_egress\_only\_internet\_gateway) | (Required) The configuration for an Egress-only Internet Gateway of the VPC. Egress-only Internet Gateway is VPC component that allows outbound only communication to the internet over IPv6, and prevents the Internet from initiating an IPv6 connection with your instances. `egress_only_internet_gateway` as defined below.
(Optional) `enabled` - Whether to create an egress-only Internet gateway for the VPC. Defaults to `false`.
(Optional) `name` - The name of the Egress-only Internet Gateway. Defaults to same name of the VPC. |
object({
enabled = optional(bool, false)
name = optional(string)
})
| `{}` | no | +| [internet\_gateway](#input\_internet\_gateway) | (Required) The configuration for an Internet Gateway of the VPC. An internet gateway is a virtual router that connects a VPC to the internet. `internet_gateway` as defined below.
(Optional) `enabled` - Whether to create an Internet gateway for the VPC. Defaults to `true`.
(Optional) `name` - The name of the Internet Gateway. Defaults to same name of the VPC. |
object({
enabled = optional(bool, true)
name = optional(string)
})
| `{}` | no | +| [ipv4\_cidrs](#input\_ipv4\_cidrs) | (Required) A list of IPv4 CIDR blocks for the VPC. At least one CIDR must be defined. Each block of `ipv4_cidrs` as defined below.
(Optional) `type` - Valid values are `MANUAL` and `IPAM_POOL`. Defaults to `MANUAL`.
(Optional) `cidr` - The CIDR block for the VPC. CIDR block size must be between /16 and /28.
(Optional) `ipam_pool` - The configuration to get an IPv4 CIDR from the IPAM pool to use for the VPC. Required if `type` is `IPAM_POOL`. `ipam_pool` as defined below.
(Required) `id` - The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR.
(Optional) `netmask_length` - The netmask length of the IPv4 CIDR you want to allocate to this VPC. |
list(object({
type = optional(string, "MANUAL")
cidr = optional(string)
ipam_pool = optional(object({
id = string
netmask_length = optional(number)
}))
}))
| `[]` | no | +| [ipv6\_cidrs](#input\_ipv6\_cidrs) | (Optional) A list of IPv6 CIDR blocks for the VPC. Each block of `ipv6_cidrs` as defined below.
(Optional) `type` - Valid values are `AMAZON` and `IPAM_POOL`. Defaults to `AMAZON`.
(Optional) `network_border_group` - The name of the network border group. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones. Defaults to the region of the VPC.
(Optional) `ipam_pool` - The configuration to get an IPv6 CIDR from the IPAM pool to use for the VPC. Required if `type` is `IPAM_POOL`. `ipam_pool` as defined below.
(Required) `id` - The ID of an IPv6 IPAM pool you want to use for allocating this VPC's CIDR.
(Optional) `cidr` - The CIDR block for the VPC. The CIDR can be explicitly set. Required if `netmask_length` is not set and the IPAM pool does not have `allocation_default_netmask` set.
(Optional) `netmask_length` - The netmask length of the IPv6 CIDR you want to allocate to this VPC. |
list(object({
type = optional(string, "AMAZON")
amazon = optional(object({
network_border_group = optional(string)
}), {})
ipam_pool = optional(object({
id = string
cidr = optional(string)
netmask_length = optional(number)
}))
}))
| `[]` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [network\_address\_usage\_metrics\_enabled](#input\_network\_address\_usage\_metrics\_enabled) | (Optional) Whether NAU (Network Address Usage) metrics are enabled for the VPC. Defaults to `false`. | `bool` | `false` | no | +| [private\_hosted\_zones](#input\_private\_hosted\_zones) | (Optional) List of private Hosted Zone IDs to associate. | `list(string)` | `[]` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [tenancy](#input\_tenancy) | (Optional) A tenancy option for instances launched into the VPC. Valid values are `DEFAULT` and `DEDICATED`. Defaults to `DEFAULT`.
`DEFAULT` - Ensure that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched
`DEDICATED` - Ensure that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch. This has a dedicated per region fee of $2 per hour, plus an hourly per instance usage fee. | `string` | `"DEFAULT"` | no | +| [vpn\_gateway](#input\_vpn\_gateway) | (Required) The configuration for a virtual private gateway of the VPC. A virtual private gateway is the VPN concentrator on the Amazon side of the site-to-site VPN connection. `vpn_gateway` as defined below.
(Optional) `enabled` - Whether to create a new VPN Gateway resource and attach it to the VPC. Defaults to `false`.
(Optional) `name` - The name of the VPN Gateway. Defaults to same name of the VPC.
(Optional) `asn` - The Autonomous System Number (ASN) for the Amazon side of the gateway. Defaults to `64512`. |
object({
enabled = optional(bool, false)
name = optional(string)
asn = optional(number, 64512)
})
| `{}` | no | ## Outputs | Name | Description | |------|-------------| -| [arn](#output\_arn) | The ARN of the VPC. | -| [cidr\_block](#output\_cidr\_block) | The CIDR block of the VPC. | -| [default\_network\_acl\_id](#output\_default\_network\_acl\_id) | The ID of the default network ACL. | -| [default\_route\_table\_id](#output\_default\_route\_table\_id) | The ID of the default route table. | -| [default\_security\_group\_id](#output\_default\_security\_group\_id) | The ID of the security group created by default on VPC creation. | -| [dhcp\_options\_arn](#output\_dhcp\_options\_arn) | The ARN of the DHCP Options Set. | -| [dhcp\_options\_enabled](#output\_dhcp\_options\_enabled) | Whether DHCP options set is enabled in the VPC. | -| [dhcp\_options\_id](#output\_dhcp\_options\_id) | The ID of the DHCP Options Set. | +| [arn](#output\_arn) | The ARN (Amazon Resource Name) of the VPC. | +| [default\_network\_acl](#output\_default\_network\_acl) | The configuration for the default Network ACL of the VPC.
`id` - The ID of the default Network ACL.
`arn` - The ARN of the default Network ACL.
`owner` - The ID of the AWS account that owns the default Network ACL. | +| [default\_route\_table](#output\_default\_route\_table) | The configuration for the default Route Table of the VPC.
`id` - The ID of the default Route Table. | +| [default\_security\_group](#output\_default\_security\_group) | The configuration for the default Security Group of the VPC.
`id` - The ID of the default Security Group.
`arn` - The ARN of the default Security Group.
`owner` - The ID of the AWS account that owns the default Security Group.
`name` - The name of the default Security Group.
`description` - The description of the default Security Group. | +| [dhcp\_options](#output\_dhcp\_options) | The configuration for the DHCP Option Set of the VPC.
`id` - The ID of the DHCP Options Set.
`arn` - The ARN of the DHCP Options Set.
`owner` - The ID of the AWS account that owns the DHCP Option Set.

`domain_name` - The suffix domain name to use by default when resolving non Fully Qualified Domain Names.
`domain_name_servers` - A list of name servers to configure in `/etc/resolv.conf`.
`netbios_name_servers` - A list of NetBIOS name servers.
`netbios_node_type` - The NetBIOS node type (1, 2, 4, or 8).
`ntp_servers` - A list of NTP servers to configure. | | [dns\_dnssec\_validation\_enabled](#output\_dns\_dnssec\_validation\_enabled) | Whether or not the VPC has Route53 DNSSEC validation support. | | [dns\_dnssec\_validation\_id](#output\_dns\_dnssec\_validation\_id) | The ID of a configuration for DNSSEC validation. | -| [dns\_hostnames\_enabled](#output\_dns\_hostnames\_enabled) | Whether or not the VPC has DNS hostname support. | -| [dns\_support\_enabled](#output\_dns\_support\_enabled) | Whether or not the VPC has DNS support. | -| [egress\_only\_internet\_gateway\_enabled](#output\_egress\_only\_internet\_gateway\_enabled) | Whether Egress Only Internet Gateway is enabled in the VPC. | -| [egress\_only\_internet\_gateway\_id](#output\_egress\_only\_internet\_gateway\_id) | The ID of the Egress Only Internet Gateway. | +| [dns\_hostnames\_enabled](#output\_dns\_hostnames\_enabled) | Whether instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses. | +| [dns\_resolution\_enabled](#output\_dns\_resolution\_enabled) | Whether DNS resolution through the Amazon DNS server is supported for the VPC. | +| [egress\_only\_internet\_gateway](#output\_egress\_only\_internet\_gateway) | The configuration for the Egress-only Internet Gateway of the VPC.
`id` - The ID of the Egress-only Internet Gateway. | | [id](#output\_id) | The ID of the VPC. | -| [instance\_tenancy](#output\_instance\_tenancy) | Tenancy of instances spin up within VPC. | -| [internet\_gateway\_arn](#output\_internet\_gateway\_arn) | The ARN of the Internet Gateway. | -| [internet\_gateway\_enabled](#output\_internet\_gateway\_enabled) | Whether Internet Gateway is enabled in the VPC. | -| [internet\_gateway\_id](#output\_internet\_gateway\_id) | The ID of the Internet Gateway. | -| [ipv6\_association\_id](#output\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block. | -| [ipv6\_cidr\_block](#output\_ipv6\_cidr\_block) | The IPv6 CIDR block. | -| [main\_route\_table\_id](#output\_main\_route\_table\_id) | The ID of the main route table associated with this VPC. Note that you can change a VPC's main route table. | -| [name](#output\_name) | The VPC name. | +| [internet\_gateway](#output\_internet\_gateway) | The configuration for the Internet Gateway of the VPC.
`id` - The ID of the Internet Gateway.
`arn` - The ARN of the Internet Gateway.
`owner` - The ID of the AWS account that owns the internet gateway. | +| [ipv4\_cidr\_configurations](#output\_ipv4\_cidr\_configurations) | The list of IPv4 CIDR configurations for the VPC. | +| [ipv4\_cidrs](#output\_ipv4\_cidrs) | The list of IPv4 CIDR blocks for the VPC. | +| [ipv6\_cidr\_configurations](#output\_ipv6\_cidr\_configurations) | The list of IPv6 CIDR configurations for the VPC. | +| [ipv6\_cidrs](#output\_ipv6\_cidrs) | The list of IPv6 CIDR blocks for the VPC. | +| [main\_route\_table](#output\_main\_route\_table) | The configuration for the main Route Table of the VPC. Note that you can change a VPC's main route table.
`id` - The ID of the main Route Table. | +| [name](#output\_name) | The name of the VPC. | +| [network\_address\_usage\_metrics\_enabled](#output\_network\_address\_usage\_metrics\_enabled) | Whether NAU (Network Address Usage) metrics are enabled for the VPC. | +| [owner](#output\_owner) | The ID of the AWS account that owns the VPC. | | [private\_hosted\_zones](#output\_private\_hosted\_zones) | List of associated private Hosted Zone IDs. | -| [secondary\_cidr\_blocks](#output\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC. | -| [vpn\_gateway\_arn](#output\_vpn\_gateway\_arn) | The ARN of the Virtual Private Gateway. | -| [vpn\_gateway\_asn](#output\_vpn\_gateway\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | -| [vpn\_gateway\_enabled](#output\_vpn\_gateway\_enabled) | Whether VPN Gateway is enabled in the VPC. | -| [vpn\_gateway\_id](#output\_vpn\_gateway\_id) | The ID of the Virtual Private Gateway. | +| [tenancy](#output\_tenancy) | A tenancy option for instances launched into the VPC. | +| [vpn\_gateway](#output\_vpn\_gateway) | The configuration for the virtual private gateway of the VPC.
`id` - The ID of the Virtual Private Gateway.
`arn` - The ARN of the Virtual Private Gateway.
`asn` - The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | diff --git a/modules/vpc/defaults.tf b/modules/vpc/defaults.tf new file mode 100644 index 0000000..5dea42d --- /dev/null +++ b/modules/vpc/defaults.tf 
@@ -0,0 +1,237 @@ +################################################### +# Default NACL +################################################### + +# INFO: Not supported attributes +# - `subnet_ids` +resource "aws_default_network_acl" "this" { + default_network_acl_id = aws_vpc.this.default_network_acl_id + + dynamic "ingress" { + for_each = (var.default_network_acl.ingress_rules == null + ? ["go"] + : [] + ) + + content { + rule_no = 100 + action = "allow" + protocol = -1 + from_port = 0 + to_port = 0 + cidr_block = "0.0.0.0/0" + } + } + + dynamic "ingress" { + for_each = (var.default_network_acl.ingress_rules == null && local.ipv6_enabled + ? ["go"] + : [] + ) + + content { + rule_no = 101 + action = "allow" + protocol = -1 + from_port = 0 + to_port = 0 + ipv6_cidr_block = "::/0" + } + } + + dynamic "ingress" { + for_each = (var.default_network_acl.ingress_rules != null + ? var.default_network_acl.ingress_rules + : [] + ) + + content { + rule_no = ingress.value.priority + action = lower(ingress.value.action) + protocol = ingress.value.protocol + from_port = ingress.value.from_port + to_port = ingress.value.to_port + cidr_block = ingress.value.ipv4_cidr + ipv6_cidr_block = ingress.value.ipv6_cidr + icmp_type = ingress.value.icmp_type + icmp_code = ingress.value.icmp_code + } + } + + dynamic "egress" { + for_each = (var.default_network_acl.egress_rules == null + ? ["go"] + : [] + ) + + content { + rule_no = 100 + action = "allow" + protocol = -1 + from_port = 0 + to_port = 0 + cidr_block = "0.0.0.0/0" + } + } + + dynamic "egress" { + for_each = (var.default_network_acl.egress_rules == null && local.ipv6_enabled + ? ["go"] + : [] + ) + + content { + rule_no = 101 + action = "allow" + protocol = -1 + from_port = 0 + to_port = 0 + ipv6_cidr_block = "::/0" + } + } + + dynamic "egress" { + for_each = (var.default_network_acl.egress_rules != null + ? 
var.default_network_acl.egress_rules + : [] + ) + + content { + rule_no = egress.value.priority + action = lower(egress.value.action) + protocol = egress.value.protocol + from_port = egress.value.from_port + to_port = egress.value.to_port + cidr_block = egress.value.ipv4_cidr + ipv6_cidr_block = egress.value.ipv6_cidr + icmp_type = egress.value.icmp_type + icmp_code = egress.value.icmp_code + } + } + + tags = merge( + { + "Name" = coalesce(var.default_network_acl.name, local.metadata.name) + }, + local.module_tags, + var.tags, + ) + + lifecycle { + ignore_changes = [subnet_ids] + } +} + + +################################################### +# Default Route Table +################################################### + +# resource "aws_default_route_table" "this" { +# default_route_table_id = aws_vpc.this.default_route_table_id +# +# tags = merge( +# { +# "Name" = coalesce(var.default_route_table.name, local.metadata.name) +# }, +# local.module_tags, +# var.tags, +# ) +# } + + +################################################### +# Default Security Group +################################################### + +resource "aws_default_security_group" "this" { + vpc_id = aws_vpc.this.id + + dynamic "ingress" { + for_each = (var.default_security_group.ingress_rules == null + ? ["go"] + : [] + ) + + content { + protocol = -1 + from_port = 0 + to_port = 0 + self = true + } + } + + dynamic "ingress" { + for_each = (var.default_security_group.ingress_rules != null + ? 
var.default_security_group.ingress_rules + : [] + ) + + content { + description = ingress.value.description + protocol = ingress.value.protocol + from_port = ingress.value.from_port + to_port = ingress.value.to_port + cidr_blocks = ingress.value.ipv4_cidrs + ipv6_cidr_blocks = ingress.value.ipv6_cidrs + prefix_list_ids = ingress.value.prefix_lists + security_groups = ingress.value.security_groups + self = ingress.value.self + } + } + + dynamic "egress" { + for_each = (var.default_security_group.egress_rules == null + ? ["go"] + : [] + ) + + content { + protocol = -1 + from_port = 0 + to_port = 0 + cidr_blocks = ["0.0.0.0/0"] + } + } + + dynamic "egress" { + for_each = (var.default_security_group.egress_rules == null && local.ipv6_enabled + ? ["go"] + : [] + ) + + content { + protocol = -1 + from_port = 0 + to_port = 0 + ipv6_cidr_blocks = ["::/0"] + } + } + + dynamic "egress" { + for_each = (var.default_security_group.egress_rules != null + ? var.default_security_group.egress_rules + : [] + ) + + content { + description = egress.value.description + protocol = egress.value.protocol + from_port = egress.value.from_port + to_port = egress.value.to_port + cidr_blocks = egress.value.ipv4_cidrs + ipv6_cidr_blocks = egress.value.ipv6_cidrs + prefix_list_ids = egress.value.prefix_lists + security_groups = egress.value.security_groups + self = egress.value.self + } + } + + tags = merge( + { + "Name" = coalesce(var.default_security_group.name, local.metadata.name) + }, + local.module_tags, + var.tags, + ) +} diff --git a/modules/vpc/dhcp-options.tf b/modules/vpc/dhcp-options.tf new file mode 100644 index 0000000..22e770e --- /dev/null +++ b/modules/vpc/dhcp-options.tf 
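Review bot: The null branches of `aws_default_security_group.this` (the `ingress_rules == null` / `egress_rules == null` dynamic blocks) recreate AWS's permissive out-of-the-box default security group — a self-referencing allow-all ingress plus allow-all egress to `0.0.0.0/0` and `::/0` — which is exactly the state hardening guidance such as the CIS AWS Foundations Benchmark asks to be stripped from every VPC's default security group. Because the resource removes all rules when no `ingress`/`egress` blocks are rendered, passing `ingress_rules = []` and `egress_rules = []` already yields a rule-less default group, but nothing in the hunk says so; a comment above the security group's first `dynamic "ingress"` such as `# null => replicate AWS's default rules; [] => render no rules at all (the hardened state)` would make the distinction explicit, and flipping the default to `[]` is worth considering if compatibility allows. The same null-versus-empty distinction governs `aws_default_network_acl.this` at the top of the hunk, whose null branch likewise allows all IPv4 and IPv6 traffic in both directions.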
@@ -0,0 +1,47 @@
+data "aws_region" "this" {}
+
+locals {
+ region = data.aws_region.this.name
+
+ default_dhcp_options_domain_name = (local.region != "us-east-1"
+ ? "${local.region}.compute.internal"
+ : "ec2.internal"
+ )
+}
+
+
+###################################################
+# DHCP Options
+###################################################
+
+resource "aws_vpc_dhcp_options" "this" {
+ count = var.dhcp_options.enabled ? 1 : 0
+
+ domain_name = (length(compact([var.dhcp_options.domain_name])) > 0
+ ? var.dhcp_options.domain_name
+ : local.default_dhcp_options_domain_name
+ )
+ domain_name_servers = var.dhcp_options.domain_name_servers
+ ntp_servers = var.dhcp_options.ntp_servers
+ netbios_name_servers = var.dhcp_options.netbios_name_servers
+ netbios_node_type = var.dhcp_options.netbios_node_type
+
+ tags = merge(
+ {
+ "Name" = coalesce(var.dhcp_options.name, local.metadata.name)
+ },
+ local.module_tags,
+ var.tags,
+ )
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_vpc_dhcp_options_association" "this" {
+ count = var.dhcp_options.enabled ? 1 : 0
+
+ vpc_id = aws_vpc.this.id
+ dhcp_options_id = aws_vpc_dhcp_options.this[0].id
+}
diff --git a/modules/vpc/gateways.tf b/modules/vpc/gateways.tf
new file mode 100644
index 0000000..edde2da
--- /dev/null
+++ b/modules/vpc/gateways.tf
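Review bot: `local.default_dhcp_options_domain_name` encodes a region-specific rule (`ec2.internal` for `us-east-1`, `<region>.compute.internal` everywhere else) with no comment explaining where the rule comes from, and it is the value applied whenever `var.dhcp_options.domain_name` is empty. A comment above the local such as `# Fallback when no domain_name is given; presumably mirrors the domain name of the region's AWS-provided default DHCP option set — confirm against current AWS docs if this mapping changes.` would tell the next maintainer why `us-east-1` is special-cased. The `length(compact([...])) > 0` test on `domain_name` treats both null and `""` as "not set", which is worth one line of comment as well, since the variable's default lives outside this hunk.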
@@ -0,0 +1,79 @@
+###################################################
+# Internet Gateway
+###################################################
+
+# INFO: Not supported attributes
+# - `vpc_id`
+resource "aws_internet_gateway" "this" {
+ count = var.internet_gateway.enabled ? 1 : 0
+
+ tags = merge(
+ {
+ "Name" = coalesce(var.internet_gateway.name, local.metadata.name)
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
+
+resource "aws_internet_gateway_attachment" "this" {
+ count = var.internet_gateway.enabled ? 1 : 0
+
+ vpc_id = aws_vpc.this.id
+ internet_gateway_id = aws_internet_gateway.this[0].id
+}
+
+
+###################################################
+# Egress Only Internet Gateway (IPv6)
+###################################################
+
+resource "aws_egress_only_internet_gateway" "this" {
+ count = var.egress_only_internet_gateway.enabled ? 1 : 0
+
+ vpc_id = aws_vpc.this.id
+
+ tags = merge(
+ {
+ "Name" = coalesce(var.egress_only_internet_gateway.name, local.metadata.name)
+ },
+ local.module_tags,
+ var.tags,
+ )
+
+ lifecycle {
+ precondition {
+ condition = local.ipv6_enabled
+ error_message = "Egress Only Internet Gateway (IPv6) cannot be enabled if IPv6 is not enabled."
+ }
+ }
+}
+
+
+###################################################
+# Virtual Private Gateway
+###################################################
+
+# INFO: Not supported attributes
+# - `vpc_id`
+# - `availability_zone`
+resource "aws_vpn_gateway" "this" {
+ count = var.vpn_gateway.enabled ? 1 : 0
+
+ amazon_side_asn = var.vpn_gateway.asn
+
+ tags = merge(
+ {
+ "Name" = coalesce(var.vpn_gateway.name, local.metadata.name)
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
+
+resource "aws_vpn_gateway_attachment" "this" {
+ count = var.vpn_gateway.enabled ? 1 : 0
+
+ vpc_id = aws_vpc.this.id
+ vpn_gateway_id = aws_vpn_gateway.this[0].id
+}
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
index 2ab5a8a..42bf003 100644
--- a/modules/vpc/main.tf
+++ b/modules/vpc/main.tf
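Review bot: The `# INFO: Not supported attributes` comments on `aws_internet_gateway.this` and `aws_vpn_gateway.this` list `vpc_id` (and `availability_zone`) without saying why they are left out, even though the hunk attaches both gateways through the separate `aws_internet_gateway_attachment` / `aws_vpn_gateway_attachment` resources. Extending each entry along the lines of `# - vpc_id: attachment is managed by aws_internet_gateway_attachment below` makes the split read as deliberate rather than an omission; for `availability_zone` a short reason would help, since nothing on the page says why it is excluded. Only the egress-only gateway carries a `precondition`; if the other two intentionally rely on `count` alone, a sentence in their header comments would record that asymmetry.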
@@ -14,100 +14,82 @@ locals { } : {} } -resource "aws_vpc" "this" { - cidr_block = var.cidr_block - assign_generated_ipv6_cidr_block = var.ipv6_enabled - - instance_tenancy = var.instance_tenancy - - enable_dns_hostnames = var.dns_hostnames_enabled - enable_dns_support = var.dns_support_enabled - - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, - ) -} - -resource "aws_vpc_ipv4_cidr_block_association" "this" { - for_each = toset(var.secondary_cidr_blocks) - - vpc_id = aws_vpc.this.id - cidr_block = each.key -} - - -################################################### -# Associated Route53 Private Hosted Zones -################################################### - -resource "aws_route53_zone_association" "this" { - for_each = toset(var.private_hosted_zones) - - vpc_id = aws_vpc.this.id - zone_id = each.value -} - - -################################################### -# Route53 DNSSEC Validation -################################################### - -resource "aws_route53_resolver_dnssec_config" "this" { - count = var.dns_dnssec_validation_enabled ? 1 : 0 - - resource_id = aws_vpc.this.id +locals { + ipv4_secondary_cidrs = slice(var.ipv4_cidrs, 1, length(var.ipv4_cidrs)) + ipv6_enabled = length(var.ipv6_cidrs) > 0 + tenancy = { + "DEFAULT" = "default" + "DEDICATED" = "dedicated" + } } ################################################### -# DHCP Options +# VPC ################################################### -data "aws_region" "current" {} - -locals { - current_region = data.aws_region.current.name - default_dhcp_options_domain_name = local.current_region != "us-east-1" ? "${local.current_region}.compute.internal" : "ec2.internal" -} - -resource "aws_vpc_dhcp_options" "this" { - count = var.dhcp_options_enabled ? 1 : 0 - - domain_name = var.dhcp_options_domain_name != "" ? 
var.dhcp_options_domain_name : local.default_dhcp_options_domain_name - domain_name_servers = var.dhcp_options_domain_name_servers - ntp_servers = var.dhcp_options_ntp_servers - netbios_name_servers = var.dhcp_options_netbios_name_servers - netbios_node_type = var.dhcp_options_netbios_node_type - - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, +resource "aws_vpc" "this" { + ## IPv4 CIDR Blocks + cidr_block = (var.ipv4_cidrs[0].type == "MANUAL" + ? var.ipv4_cidrs[0].cidr + : null + ) + ipv4_ipam_pool_id = (var.ipv4_cidrs[0].type == "IPAM_POOL" + ? var.ipv4_cidrs[0].ipam_pool.id + : null + ) + ipv4_netmask_length = (var.ipv4_cidrs[0].type == "IPAM_POOL" + ? var.ipv4_cidrs[0].ipam_pool.netmask_length + : null ) -} -resource "aws_vpc_dhcp_options_association" "this" { - count = var.dhcp_options_enabled ? 1 : 0 - vpc_id = aws_vpc.this.id - dhcp_options_id = aws_vpc_dhcp_options.this[0].id -} + ## IPv6 CIDR Blocks + # TODO: Want to manage IPv6 CIDRs with `aws_vpc_ipv6_cidr_block_association` resource. But, there are unsupported featrues yet. + assign_generated_ipv6_cidr_block = (local.ipv6_enabled + ? (var.ipv6_cidrs[0].type == "AMAZON" + ? true + : null + ) + : null + ) + ipv6_cidr_block_network_border_group = (local.ipv6_enabled + ? (var.ipv6_cidrs[0].type == "AMAZON" + ? var.ipv6_cidrs[0].amazon.network_border_group + : null + ) + : null + ) + ipv6_ipam_pool_id = (local.ipv6_enabled + ? (var.ipv6_cidrs[0].type == "IPAM_POOL" + ? var.ipv6_cidrs[0].ipam_pool.id + : null + ) + : null + ) + ipv6_cidr_block = (local.ipv6_enabled + ? (var.ipv6_cidrs[0].type == "IPAM_POOL" + ? var.ipv6_cidrs[0].ipam_pool.cidr + : null + ) + : null + ) + ipv6_netmask_length = (local.ipv6_enabled + ? (var.ipv6_cidrs[0].type == "IPAM_POOL" + ? 
var.ipv6_cidrs[0].ipam_pool.netmask_length + : null + ) + : null + ) -################################################### -# Internet Gateway -################################################### + ## Attributes + instance_tenancy = local.tenancy[var.tenancy] -resource "aws_internet_gateway" "this" { - count = var.internet_gateway_enabled ? 1 : 0 + enable_network_address_usage_metrics = var.network_address_usage_metrics_enabled - vpc_id = aws_vpc.this.id + enable_dns_hostnames = var.dns_hostnames_enabled + enable_dns_support = var.dns_resolution_enabled tags = merge( { 
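Review bot: `local.ipv4_secondary_cidrs` (the `slice(var.ipv4_cidrs, 1, …)` entry in the new `locals` block) is not referenced anywhere in the visible files — the association resource in the next hunk indexes `var.ipv4_cidrs[count.index + 1]` directly — so it looks like a leftover; either use it there or drop it. In `aws_vpc.this`, the `IPAM_POOL` branches dereference `var.ipv4_cidrs[0].ipam_pool.id` and `var.ipv6_cidrs[0].ipam_pool.id`, so a caller who sets `type = "IPAM_POOL"` without an `ipam_pool` object gets an opaque null-attribute error rather than the README's "Required if `type` is `IPAM_POOL`"; a validation on the variable such as `condition = alltrue([for c in var.ipv4_cidrs : c.type != "IPAM_POOL" || c.ipam_pool != null])` (and the same for `ipv6_cidrs`) in variables.tf would surface it at plan time with a clear message. The TODO comment above the IPv6 block also misspells "features". `aws_vpc.this` continues past the hunk end (its `tags` block is cut off).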
@@ -120,41 +102,41 @@ resource "aws_internet_gateway" "this" { ################################################### -# Egress Only Internet Gateway (IPv6) +# Additional CIDR Blocks for the VPC ################################################### -resource "aws_egress_only_internet_gateway" "this" { - count = var.ipv6_enabled && var.egress_only_internet_gateway_enabled ? 1 : 0 +resource "aws_vpc_ipv4_cidr_block_association" "this" { + count = length(var.ipv4_cidrs) > 0 ? length(var.ipv4_cidrs) - 1 : 0 vpc_id = aws_vpc.this.id - - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, + cidr_block = (var.ipv4_cidrs[count.index + 1].type == "MANUAL" + ? var.ipv4_cidrs[count.index + 1].cidr + : null + ) + ipv4_ipam_pool_id = (var.ipv4_cidrs[count.index + 1].type == "IPAM_POOL" + ? var.ipv4_cidrs[count.index + 1].ipam_pool.id + : null + ) + ipv4_netmask_length = (var.ipv4_cidrs[count.index + 1].type == "IPAM_POOL" + ? var.ipv4_cidrs[count.index + 1].ipam_pool.netmask_length + : null ) } - -################################################### -# Virtual Private Gateway -################################################### - -resource "aws_vpn_gateway" "this" { - count = var.vpn_gateway_enabled ? 1 : 0 +resource "aws_vpc_ipv6_cidr_block_association" "this" { + count = length(var.ipv6_cidrs) > 0 ? length(var.ipv6_cidrs) - 1 : 0 vpc_id = aws_vpc.this.id - # TODO: I don't know why this variable is needed - # availability_zone = "ap-northeast-2a" - amazon_side_asn = var.vpn_gateway_asn - - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, + ipv6_cidr_block = (var.ipv6_cidrs[count.index + 1].type == "IPAM_POOL" + ? var.ipv6_cidrs[count.index + 1].ipam_pool.cidr + : null + ) + ipv6_ipam_pool_id = (var.ipv6_cidrs[count.index + 1].type == "IPAM_POOL" + ? var.ipv6_cidrs[count.index + 1].ipam_pool.id + : null + ) + ipv6_netmask_length = (var.ipv6_cidrs[count.index + 1].type == "IPAM_POOL" + ? 
var.ipv6_cidrs[count.index + 1].ipam_pool.netmask_length + : null ) } diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf index ea6ea4b..042f237 100644 --- a/modules/vpc/outputs.tf +++ b/modules/vpc/outputs.tf 
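Review bot: `aws_vpc_ipv6_cidr_block_association.this` only ever sets the `IPAM_POOL` attributes (`ipv6_cidr_block`, `ipv6_ipam_pool_id`, `ipv6_netmask_length`), so an additional `ipv6_cidrs` entry left at the documented default `type = "AMAZON"` renders an association whose every argument is null, which the provider will reject instead of allocating an Amazon-provided block (the outputs hunk's `# TODO: Not supported yet` on `network_border_group` suggests this limitation is known). Until Amazon-provided secondary blocks are handled, a `precondition` on the resource turns that into a plan-time message naming the unsupported combination. `aws_vpc_ipv4_cidr_block_association.this` above it uses the same index-arithmetic `count` but covers both `MANUAL` and `IPAM_POOL`, so it needs no such guard.
```hcl
resource "aws_vpc_ipv6_cidr_block_association" "this" {
  # … unchanged: count, vpc_id and the IPAM_POOL attributes …

  lifecycle {
    precondition {
      condition     = var.ipv6_cidrs[count.index + 1].type == "IPAM_POOL"
      error_message = "Only `IPAM_POOL` is supported for additional IPv6 CIDR blocks; `AMAZON` is supported only for the first entry of `ipv6_cidrs`."
    }
  }
}
```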
@@ -1,53 +1,144 @@ output "name" { - description = "The VPC name." + description = "The name of the VPC." value = var.name } +output "owner" { + description = "The ID of the AWS account that owns the VPC." + value = aws_vpc.this.owner_id +} + output "id" { description = "The ID of the VPC." value = aws_vpc.this.id } output "arn" { - description = "The ARN of the VPC." + description = "The ARN (Amazon Resource Name) of the VPC." value = aws_vpc.this.arn } -output "cidr_block" { - description = "The CIDR block of the VPC." - value = aws_vpc.this.cidr_block +output "ipv4_cidrs" { + description = "The list of IPv4 CIDR blocks for the VPC." + value = concat( + [aws_vpc.this.cidr_block], + [ + for association in aws_vpc_ipv4_cidr_block_association.this : + association.cidr_block + ] + ) } -output "secondary_cidr_blocks" { - description = "List of secondary CIDR blocks of the VPC." - value = var.secondary_cidr_blocks +output "ipv4_cidr_configurations" { + description = "The list of IPv4 CIDR configurations for the VPC." + value = merge({ + (aws_vpc.this.cidr_block) = { + type = aws_vpc.this.ipv4_ipam_pool_id != null ? "IPAM_POOL" : "MANUAL" + + ipam_pool = (aws_vpc.this.ipv4_ipam_pool_id != null + ? { + id = aws_vpc.this.ipv4_ipam_pool_id + netmask_length = aws_vpc.this.ipv4_netmask_length + } + : null + ) + }, + }, { + for association in aws_vpc_ipv4_cidr_block_association.this : + (association.cidr_block) => { + type = association.ipv4_ipam_pool_id != null ? "IPAM_POOL" : "MANUAL" + ipam_pool = (association.ipv4_ipam_pool_id != null + ? { + id = association.ipv4_ipam_pool_id + netmask_length = association.ipv4_netmask_length + } + : null + ) + } + }) } -output "ipv6_cidr_block" { - description = "The IPv6 CIDR block." - value = aws_vpc.this.ipv6_cidr_block +output "ipv6_cidrs" { + description = "The list of IPv6 CIDR blocks for the VPC." + value = (local.ipv6_enabled + ? 
concat( + [aws_vpc.this.ipv6_cidr_block], + [ + for association in aws_vpc_ipv6_cidr_block_association.this : + association.ipv6_cidr_block + ] + ) + : [] + ) } -output "ipv6_association_id" { - description = "The association ID for the IPv6 CIDR block." - value = aws_vpc.this.ipv6_association_id +output "ipv6_cidr_configurations" { + description = "The list of IPv6 CIDR configurations for the VPC." + value = (local.ipv6_enabled + ? merge({ + (aws_vpc.this.ipv6_cidr_block) = { + type = length(compact([aws_vpc.this.ipv6_ipam_pool_id])) > 0 ? "IPAM_POOL" : "AMAZON" + amazon = (length(compact([aws_vpc.this.ipv6_ipam_pool_id])) < 1 + ? { + network_border_group = aws_vpc.this.ipv6_cidr_block_network_border_group + } + : null + ) + ipam_pool = (length(compact([aws_vpc.this.ipv6_ipam_pool_id])) > 0 + ? { + id = aws_vpc.this.ipv6_ipam_pool_id + netmask_length = aws_vpc.this.ipv6_netmask_length + } + : null + ) + }, + }, { + for association in aws_vpc_ipv6_cidr_block_association.this : + (association.ipv6_cidr_block) => { + type = length(compact([association.ipv6_ipam_pool_id])) > 0 ? "IPAM_POOL" : "AMAZON" + amazon = (length(compact([association.ipv6_ipam_pool_id])) < 1 + ? { + # TODO: Not supported yet + network_border_group = null + } + : null + ) + ipam_pool = (length(compact([association.ipv6_ipam_pool_id])) > 0 + ? { + id = association.ipv6_ipam_pool_id + netmask_length = association.ipv6_netmask_length + } + : null + ) + } + }) + : {} + ) } -output "instance_tenancy" { - description = "Tenancy of instances spin up within VPC." - value = aws_vpc.this.instance_tenancy +output "tenancy" { + description = "A tenancy option for instances launched into the VPC." + value = { + for k, v in local.tenancy : + v => k + }[aws_vpc.this.instance_tenancy] } -output "dns_support_enabled" { - description = "Whether or not the VPC has DNS support." 
- value = aws_vpc.this.enable_dns_support +output "network_address_usage_metrics_enabled" { + description = "Whether NAU (Network Address Usage) metrics are enabled for the VPC." + value = aws_vpc.this.enable_network_address_usage_metrics } output "dns_hostnames_enabled" { - description = "Whether or not the VPC has DNS hostname support." + description = "Whether instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses." value = aws_vpc.this.enable_dns_hostnames } +output "dns_resolution_enabled" { + description = "Whether DNS resolution through the Amazon DNS server is supported for the VPC." + value = aws_vpc.this.enable_dns_support +} + output "dns_dnssec_validation_enabled" { description = "Whether or not the VPC has Route53 DNSSEC validation support." value = var.dns_dnssec_validation_enabled 
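Review bot: The descriptions of `ipv4_cidr_configurations` and `ipv6_cidr_configurations` say "The list of …", but both values are built with `merge({...}, {...})` keyed by CIDR block, so consumers receive a map, not a list; `description = "A map of IPv4 CIDR configurations for the VPC, keyed by CIDR block."` (and its IPv6 twin) would match the value. The two outputs also test the IPAM pool id differently — `aws_vpc.this.ipv4_ipam_pool_id != null` for IPv4 versus `length(compact([aws_vpc.this.ipv6_ipam_pool_id])) > 0` for IPv6 — so should the provider ever report an empty string rather than null, the IPv4 output would classify a manual CIDR as `IPAM_POOL` while the IPv6 one would not; using one form in both keeps the classification consistent. The final output in the hunk (`dns_dnssec_validation_enabled`) continues past the hunk end.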
@@ -63,82 +154,130 @@ output "private_hosted_zones" { value = values(aws_route53_zone_association.this)[*].zone_id } -output "default_security_group_id" { - description = "The ID of the security group created by default on VPC creation." - value = aws_vpc.this.default_security_group_id +output "default_network_acl" { + description = < 0 + error_message = "At least one IPv4 CIDR must be defined." + } + validation { + condition = alltrue([ + for ipv4_cidr in var.ipv4_cidrs : + contains(["MANUAL", "IPAM_POOL"], ipv4_cidr.type) + ]) + error_message = "Valid values for `type` of each IPv4 CIDR are `MANUAL` and `IPAM_POOL`." + } } -variable "ipv6_enabled" { - description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block." - type = bool - default = false +variable "ipv6_cidrs" { + description = <= 64512 && var.vpn_gateway.asn <= 65534, + var.vpn_gateway.asn >= 4200000000 && var.vpn_gateway.asn <= 4294967294, + ]) + error_message = "Value of `asn` must be in the `64512` - `65534` or `4200000000` - `4294967294` range." + } } variable "tags" { - description = "A map of tags to add to all resources." + description = "(Optional) A map of tags to add to all resources." type = map(string) default = {} + nullable = false } variable "module_tags_enabled" { - description = "Whether to create AWS Resource Tags for the module informations." + description = "(Optional) Whether to create AWS Resource Tags for the module informations." type = bool default = true + nullable = false } 
@@ -129,19 +325,22 @@ variable "module_tags_enabled" { ################################################### variable "resource_group_enabled" { - description = "Whether to create Resource Group to find and group AWS resources which are created by this module." + description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." type = bool default = true + nullable = false } variable "resource_group_name" { - description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." + description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." type = string default = "" + nullable = false } variable "resource_group_description" { - description = "The description of Resource Group." + description = "(Optional) The description of Resource Group." type = string default = "Managed by Terraform." + nullable = false } diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index a218c92..0745c4e 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.5" + required_version = ">= 1.6" required_providers { aws = { From 0de88101bc883d09c243fe7186bbf5fd5614a7d3 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 22 Oct 2023 22:41:58 +0900 Subject: [PATCH 43/73] Update README.md --- README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README.md b/README.md index 1e8a9a9..f6b4c09 100644 --- a/README.md +++ b/README.md 
@@ -44,6 +44,20 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - [vpc-with-ipam](./examples/vpc-with-ipam) +## Other Terraform Modules from Tedilabs + +Enjoying [terraform-aws-network](https://github.com/tedilabs/terraform-aws-network)? Check out some of our other modules: + +- [AWS Container](https://github.com/tedilabs/terraform-aws-container) - A package of Terraform Modules to manage AWS Container resources. +- [AWS Domain](https://github.com/tedilabs/terraform-aws-domain) - A package of Terraform Modules to manage AWS Domain resources. +- [AWS IPAM](https://github.com/tedilabs/terraform-aws-ipam) - A package of Terraform Modules to manage AWS IPAM related resources (IPAM, Elastic IP, Prefix List). +- [AWS Load Balancer](https://github.com/tedilabs/terraform-aws-load-balancer) - A package of Terraform Modules to manage AWS Load Balancer resources. +- [AWS Security](https://github.com/tedilabs/terraform-aws-security) - A package of Terraform Modules to manage AWS Security resources. +- [AWS VPC Connectivity](https://github.com/tedilabs/terraform-aws-vpc-connectivity) - A package of Terraform Modules to manage AWS VPC Connectivity related resources (VPC Peering, VPC Private Link, VPC Lattice, Client VPN, Site-to-Site VPN, DX). + +Or check out [the full list](https://github.com/search?q=org%3Atedilabs+topic%3Aterraform-module&type=repositories) + + ## Self Promotion Like this project? Follow the repository on [GitHub](https://github.com/tedilabs/terraform-aws-network). And if you're feeling especially charitable, follow **[posquit0](https://github.com/posquit0)** on GitHub. From ed9d2a1b34427cb7e61b31cae542b464695b42fc Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 22 Oct 2023 22:57:28 +0900 Subject: [PATCH 44/73] Fix vpc module --- modules/vpc/README.md | 2 +- modules/vpc/variables.tf | 17 +++++++++++++++++ modules/vpc/versions.tf | 2 +- 3 files changed, 19 insertions(+), 2 deletions(-) 
diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 28ff9b1..1b33b16 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -22,7 +22,7 @@ This module creates following resources. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.6 | -| [aws](#requirement\_aws) | >= 4.58 | +| [aws](#requirement\_aws) | >= 5.3 | ## Providers diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index b9684fb..5e8e2cd 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -173,6 +173,23 @@ variable "default_network_acl" { }) default = {} nullable = false + + validation { + condition = alltrue([ + for rule in var.default_network_acl.ingress_rules : + contains(["ALLOW", "DENY"], rule.action) + if var.default_network_acl.ingress_rules != null + ]) + error_message = "Valid values for `action` of each rules are `ALLOW` and `DENY`." + } + validation { + condition = alltrue([ + for rule in var.default_network_acl.egress_rules : + contains(["ALLOW", "DENY"], rule.action) + if var.default_network_acl.egress_rules != null + ]) + error_message = "Valid values for `action` of each rules are `ALLOW` and `DENY`." + } } variable "default_security_group" { diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index 0745c4e..4cedc8b 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.58" + version = ">= 5.3" } } } From 59815f9bee370a2623ecadbf4ef8f3fe69f69c09 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 22 Oct 2023 23:41:46 +0900 Subject: [PATCH 45/73] Fix vpc module --- modules/vpc/README.md | 2 +- modules/vpc/variables.tf | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 1b33b16..8f1ad20 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md 
@@ -70,7 +70,7 @@ This module creates following resources. | [egress\_only\_internet\_gateway](#input\_egress\_only\_internet\_gateway) | (Required) The configuration for an Egress-only Internet Gateway of the VPC. Egress-only Internet Gateway is VPC component that allows outbound only communication to the internet over IPv6, and prevents the Internet from initiating an IPv6 connection with your instances. `egress_only_internet_gateway` as defined below.
(Optional) `enabled` - Whether to create an egress-only Internet gateway for the VPC. Defaults to `false`.
(Optional) `name` - The name of the Egress-only Internet Gateway. Defaults to same name of the VPC. |
object({
enabled = optional(bool, false)
name = optional(string)
})
| `{}` | no | | [internet\_gateway](#input\_internet\_gateway) | (Required) The configuration for an Internet Gateway of the VPC. An internet gateway is a virtual router that connects a VPC to the internet. `internet_gateway` as defined below.
(Optional) `enabled` - Whether to create an Internet gateway for the VPC. Defaults to `true`.
(Optional) `name` - The name of the Internet Gateway. Defaults to same name of the VPC. |
object({
enabled = optional(bool, true)
name = optional(string)
})
| `{}` | no | | [ipv4\_cidrs](#input\_ipv4\_cidrs) | (Required) A list of IPv4 CIDR blocks for the VPC. At least one CIDR must be defined. Each block of `ipv4_cidrs` as defined below.
(Optional) `type` - Valid values are `MANUAL` and `IPAM_POOL`. Defaults to `MANUAL`.
(Optional) `cidr` - The CIDR block for the VPC. CIDR block size must be between /16 and /28.
(Optional) `ipam_pool` - The configuration to get an IPv4 CIDR from the IPAM pool to use for the VPC. Required if `type` is `IPAM_POOL`. `ipam_pool` as defined below.
(Required) `id` - The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR.
(Optional) `netmask_length` - The netmask length of the IPv4 CIDR you want to allocate to this VPC. |
list(object({
type = optional(string, "MANUAL")
cidr = optional(string)
ipam_pool = optional(object({
id = string
netmask_length = optional(number)
}))
}))
| `[]` | no | -| [ipv6\_cidrs](#input\_ipv6\_cidrs) | (Optional) A list of IPv6 CIDR blocks for the VPC. Each block of `ipv6_cidrs` as defined below.
(Optional) `type` - Valid values are `AMAZON` and `IPAM_POOL`. Defaults to `AMAZON`.
(Optional) `network_border_group` - The name of the network border group. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones. Defaults to the region of the VPC.
(Optional) `ipam_pool` - The configuration to get an IPv6 CIDR from the IPAM pool to use for the VPC. Required if `type` is `IPAM_POOL`. `ipam_pool` as defined below.
(Required) `id` - The ID of an IPv6 IPAM pool you want to use for allocating this VPC's CIDR.
(Optional) `cidr` - The CIDR block for the VPC. The CIDR can be explicitly set. Required if `netmask_length` is not set and the IPAM pool does not have `allocation_default_netmask` set.
(Optional) `netmask_length` - The netmask length of the IPv6 CIDR you want to allocate to this VPC. |
list(object({
type = optional(string, "AMAZON")
amazon = optional(object({
network_border_group = optional(string)
}), {})
ipam_pool = optional(object({
id = string
cidr = optional(string)
netmask_length = optional(number)
}))
}))
| `[]` | no | +| [ipv6\_cidrs](#input\_ipv6\_cidrs) | (Optional) A list of IPv6 CIDR blocks for the VPC. Each block of `ipv6_cidrs` as defined below.
(Optional) `type` - Valid values are `AMAZON` and `IPAM_POOL`. Defaults to `AMAZON`.
(Optional) `amazon` - The configuration to get the Amazon-provided IPv6 CIDR to use for the VPC. Only used if `type` is `AMAZON`. `amazon` as defined below.
(Optional) `network_border_group` - The name of the network border group. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones. Defaults to the region of the VPC.
(Optional) `ipam_pool` - The configuration to get an IPv6 CIDR from the IPAM pool to use for the VPC. Required if `type` is `IPAM_POOL`. `ipam_pool` as defined below.
(Required) `id` - The ID of an IPv6 IPAM pool you want to use for allocating this VPC's CIDR.
(Optional) `cidr` - The CIDR block for the VPC. The CIDR can be explicitly set. Required if `netmask_length` is not set and the IPAM pool does not have `allocation_default_netmask` set.
(Optional) `netmask_length` - The netmask length of the IPv6 CIDR you want to allocate to this VPC. |
list(object({
type = optional(string, "AMAZON")
amazon = optional(object({
network_border_group = optional(string)
}), {})
ipam_pool = optional(object({
id = string
cidr = optional(string)
netmask_length = optional(number)
}))
}))
| `[]` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [network\_address\_usage\_metrics\_enabled](#input\_network\_address\_usage\_metrics\_enabled) | (Optional) Whether NAU (Network Address Usage) metrics are enabled for the VPC. Defaults to `false`. | `bool` | `false` | no | | [private\_hosted\_zones](#input\_private\_hosted\_zones) | (Optional) List of private Hosted Zone IDs to associate. | `list(string)` | `[]` | no | diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 5e8e2cd..c73bdcc 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -41,7 +41,8 @@ variable "ipv6_cidrs" { description = < Date: Sun, 22 Oct 2023 23:42:00 +0900 Subject: [PATCH 46/73] Bump to v0.29.0 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 697f087..ae6dd4e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.28.0 +0.29.0 From cfe10326547dfe68a7ae8a1436e67ac693c89519 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 22 Oct 2023 23:49:53 +0900 Subject: [PATCH 47/73] Fix vpc module --- VERSION | 2 +- modules/vpc/variables.tf | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/VERSION b/VERSION index ae6dd4e..25939d3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.29.0 +0.29.1 diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index c73bdcc..daa4a2b 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf 
@@ -177,17 +177,15 @@ variable "default_network_acl" { validation { condition = alltrue([ - for rule in var.default_network_acl.ingress_rules : + for rule in try(var.default_network_acl.ingress_rules, []) : contains(["ALLOW", "DENY"], rule.action) - if var.default_network_acl.ingress_rules != null ]) error_message = "Valid values for `action` of each rules are `ALLOW` and `DENY`." } validation { condition = alltrue([ - for rule in var.default_network_acl.egress_rules : + for rule in try(var.default_network_acl.egress_rules, []) : contains(["ALLOW", "DENY"], rule.action) - if var.default_network_acl.egress_rules != null ]) error_message = "Valid values for `action` of each rules are `ALLOW` and `DENY`." } From a876f95beaabaa54d181667fa4c07095a7a9f796 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Sun, 22 Oct 2023 23:52:54 +0900 Subject: [PATCH 48/73] Fix vpc module --- VERSION | 2 +- modules/vpc/variables.tf | 22 ++++++++++++++-------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/VERSION b/VERSION index 25939d3..20f0687 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.29.1 +0.29.2 diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index daa4a2b..edd39bf 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf 
@@ -176,17 +176,23 @@ variable "default_network_acl" { nullable = false validation { - condition = alltrue([ - for rule in try(var.default_network_acl.ingress_rules, []) : - contains(["ALLOW", "DENY"], rule.action) - ]) + condition = (var.default_network_acl.ingress_rules != null + ? alltrue([ + for rule in var.default_network_acl.ingress_rules : + contains(["ALLOW", "DENY"], rule.action) + ]) + : true + ) error_message = "Valid values for `action` of each rules are `ALLOW` and `DENY`." } validation { - condition = alltrue([ - for rule in try(var.default_network_acl.egress_rules, []) : - contains(["ALLOW", "DENY"], rule.action) - ]) + condition = (var.default_network_acl.egress_rules != null + ? alltrue([ + for rule in var.default_network_acl.egress_rules : + contains(["ALLOW", "DENY"], rule.action) + ]) + : true + ) error_message = "Valid values for `action` of each rules are `ALLOW` and `DENY`." } } From 7b55fd5f53f08fff0119844d448247e0bad36ebf Mon Sep 17 00:00:00 2001 
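Review bot: The conditional guard around each `for` expression deserves a comment, because the two earlier revisions of this validation (an `if ... != null` filter, then `try(..., [])`) evidently still evaluated `for rule in null`, and the next maintainer will be tempted to simplify it back to one of those forms. Suggest above the first `validation` block: `# ingress_rules / egress_rules are optional and may be null; a for-expression over null fails before any if-filter runs, and try() returns the null value rather than the fallback, so guard with a conditional.` The two blocks also repeat the same allowed-action list and message; a shared `local` cannot be referenced from a variable validation, so the duplication is acceptable but worth a one-line note saying so. The enclosing `variable "default_network_acl"` block starts outside the hunk.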
From: "Byungjin Park (Claud)" Date: Tue, 24 Oct 2023 00:43:40 +0900 Subject: [PATCH 49/73] Improve nat-gateway (#52) --- README.md | 6 ++ .../main.tf | 84 ++++++++++++++++ .../outputs.tf | 7 ++ .../versions.tf | 10 ++ examples/nat-gateway-private/main.tf | 41 ++++++++ examples/nat-gateway-private/outputs.tf | 4 + examples/nat-gateway-private/versions.tf | 10 ++ examples/nat-gateway-public/main.tf | 57 +++++++++++ examples/nat-gateway-public/outputs.tf | 9 ++ examples/nat-gateway-public/versions.tf | 10 ++ modules/nat-gateway/README.md | 45 +++++---- modules/nat-gateway/main.tf | 59 +++++++++--- modules/nat-gateway/outputs.tf | 53 +++++++++-- modules/nat-gateway/variables.tf | 95 +++++++++++++++---- modules/nat-gateway/versions.tf | 4 +- 15 files changed, 436 insertions(+), 58 deletions(-) create mode 100644 examples/nat-gateway-private-secondary-ip-addresses/main.tf create mode 100644 examples/nat-gateway-private-secondary-ip-addresses/outputs.tf create mode 100644 examples/nat-gateway-private-secondary-ip-addresses/versions.tf create mode 100644 examples/nat-gateway-private/main.tf create mode 100644 examples/nat-gateway-private/outputs.tf create mode 100644 examples/nat-gateway-private/versions.tf create mode 100644 examples/nat-gateway-public/main.tf create mode 100644 examples/nat-gateway-public/outputs.tf create mode 100644 examples/nat-gateway-public/versions.tf diff --git a/README.md b/README.md index f6b4c09..43c4c91 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,12 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - [vpc-simple](./examples/vpc-simple) - [vpc-with-ipam](./examples/vpc-with-ipam) +### NAT Gateway + +- [nat-gateway-public](./examples/nat-gateway-public/) +- [nat-gateway-private](./examples/nat-gateway-private/) +- [nat-gateway-private-secondary-ip-addresses](./examples/nat-gateway-private-secondary-ip-addresses) + ## Other Terraform Modules from Tedilabs 
diff --git a/examples/nat-gateway-private-secondary-ip-addresses/main.tf b/examples/nat-gateway-private-secondary-ip-addresses/main.tf new file mode 100644 index 0000000..3a5add1 --- /dev/null +++ b/examples/nat-gateway-private-secondary-ip-addresses/main.tf @@ -0,0 +1,84 @@ +provider "aws" { + region = "us-east-1" +} + +data "aws_vpc" "default" { + default = true +} + +data "aws_subnets" "default" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } +} + + +################################################### +# Public NAT Gateway +################################################### + +module "nat_gateway" { + source = "../../modules/nat-gateway" + # source = "tedilabs/network/aws//modules/nat-gateway" + # version = "~> 0.2.0" + + name = "test-count" + is_private = true + subnet = data.aws_subnets.default.ids[0] + + + ## Primary IP Address + primary_ip_assignment = { + # Automatically assign a public IP address to the NAT Gateway + private_ip = null + } + + + ## Secondary IP Addresses + secondary_ip_count = 7 + + + tags = { + "project" = "terraform-aws-network-examples" + } +} + +module "nat_gateway_2" { + source = "../../modules/nat-gateway" + # source = "tedilabs/network/aws//modules/nat-gateway" + # version = "~> 0.2.0" + + name = "test-assingments" + is_private = true + subnet = data.aws_subnets.default.ids[0] + + + ## Primary IP Address + primary_ip_assignment = { + # Automatically assign a public IP address to the NAT Gateway + private_ip = "172.31.51.100" + } + + + ## Secondary IP Addresses + secondary_ip_assignments = [ + { + private_ip = "172.31.51.101" + }, + { + private_ip = "172.31.51.102" + }, + { + private_ip = "172.31.51.103" + }, + { + private_ip = "172.31.51.104" + }, + ] + + + tags = { + "project" = "terraform-aws-network-examples" + } +} diff --git a/examples/nat-gateway-private-secondary-ip-addresses/outputs.tf b/examples/nat-gateway-private-secondary-ip-addresses/outputs.tf new file mode 100644 index 0000000..c0ba79e 
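Review bot: The comments in this new example contradict the configuration: the section header says `# Public NAT Gateway` and both `primary_ip_assignment` blocks say `# Automatically assign a public IP address to the NAT Gateway`, yet both modules set `is_private = true` and the key being set is `private_ip`. Suggest `# Private NAT Gateway` for the header and `# Let AWS pick a private IPv4 address from the subnet` for the comment, and fix the `name = "test-assingments"` typo to `"test-assignments"`. The literal `172.31.51.100`–`172.31.51.104` addresses must fall inside whichever subnet `data.aws_subnets.default.ids[0]` happens to return, which the example does not check, so a reader copying it into another VPC should expect an apply-time failure unless the subnet CIDR matches; a comment stating that assumption would help.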
--- /dev/null +++ b/examples/nat-gateway-private-secondary-ip-addresses/outputs.tf @@ -0,0 +1,7 @@ +output "nat_gateway" { + description = "The NAT Gateways." + value = { + count = module.nat_gateway + assignments = module.nat_gateway_2 + } +} diff --git a/examples/nat-gateway-private-secondary-ip-addresses/versions.tf b/examples/nat-gateway-private-secondary-ip-addresses/versions.tf new file mode 100644 index 0000000..59c42e8 --- /dev/null +++ b/examples/nat-gateway-private-secondary-ip-addresses/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "~> 1.5" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} diff --git a/examples/nat-gateway-private/main.tf b/examples/nat-gateway-private/main.tf new file mode 100644 index 0000000..0dee5c9 --- /dev/null +++ b/examples/nat-gateway-private/main.tf @@ -0,0 +1,41 @@ +provider "aws" { + region = "us-east-1" +} + +data "aws_vpc" "default" { + default = true +} + +data "aws_subnets" "default" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } +} + + +################################################### +# Public NAT Gateway +################################################### + +module "nat_gateway" { + source = "../../modules/nat-gateway" + # source = "tedilabs/network/aws//modules/nat-gateway" + # version = "~> 0.2.0" + + name = "test/az1" + is_private = true + subnet = data.aws_subnets.default.ids[0] + + + ## Primary IP Address + primary_ip_assignment = { + # Automatically assign a public IP address to the NAT Gateway + private_ip = null + } + + + tags = { + "project" = "terraform-aws-network-examples" + } +} diff --git a/examples/nat-gateway-private/outputs.tf b/examples/nat-gateway-private/outputs.tf new file mode 100644 index 0000000..1e20c3a --- /dev/null +++ b/examples/nat-gateway-private/outputs.tf @@ -0,0 +1,4 @@ +output "nat_gateway" { + description = "The NAT Gateway." + value = module.nat_gateway +} 
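Review bot: In the new `examples/nat-gateway-private/main.tf` the header comment reads `# Public NAT Gateway` and the `private_ip = null` line is annotated `# Automatically assign a public IP address to the NAT Gateway`, while the module is created with `is_private = true`; a private NAT gateway has no public address at all, so the comment describes something that cannot happen. Suggest `# Private NAT Gateway` for the header and `# Let AWS pick a private IPv4 address from the subnet (a private NAT Gateway has no public address)` for the inline comment.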
diff --git a/examples/nat-gateway-private/versions.tf b/examples/nat-gateway-private/versions.tf new file mode 100644 index 0000000..59c42e8 --- /dev/null +++ b/examples/nat-gateway-private/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "~> 1.5" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} diff --git a/examples/nat-gateway-public/main.tf b/examples/nat-gateway-public/main.tf new file mode 100644 index 0000000..5970f38 --- /dev/null +++ b/examples/nat-gateway-public/main.tf @@ -0,0 +1,57 @@ +provider "aws" { + region = "us-east-1" +} + +data "aws_vpc" "default" { + default = true +} + +data "aws_subnets" "default" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } +} + + +################################################### +# Elastic IP +################################################### + +module "elastic_ip" { + source = "tedilabs/ipam/aws//modules/elastic-ip" + version = "~> 0.3.0" + + name = "nat-gw-public" + type = "AMAZON" + + tags = { + "project" = "terraform-aws-network-examples" + } +} + + +################################################### +# Public NAT Gateway +################################################### + +module "nat_gateway" { + source = "../../modules/nat-gateway" + # source = "tedilabs/network/aws//modules/nat-gateway" + # version = "~> 0.2.0" + + name = "test/az1" + is_private = false + subnet = data.aws_subnets.default.ids[0] + + + ## Primary IP Address + primary_ip_assignment = { + elastic_ip = module.elastic_ip.id + } + + + tags = { + "project" = "terraform-aws-network-examples" + } +} diff --git a/examples/nat-gateway-public/outputs.tf b/examples/nat-gateway-public/outputs.tf new file mode 100644 index 0000000..57010c1 --- /dev/null +++ b/examples/nat-gateway-public/outputs.tf 
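Review bot: In `examples/nat-gateway-public/main.tf`, `subnet = data.aws_subnets.default.ids[0]` picks whichever subnet the API lists first; as far as I can tell the `aws_subnets` data source does not guarantee a stable order, so a later plan may select a different subnet and force replacement of the NAT gateway. For an example, pinning the subnet is more robust, e.g. add `filter { name = "availability-zone" values = ["us-east-1a"] }` to the data source. A public NAT Gateway also has to sit in a subnet whose route table points at an internet gateway, which holds for default-VPC subnets but is worth stating in a comment above the module block so the example is not copied into a private subnet.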
@@ -0,0 +1,9 @@ +output "elastic_ip" { + description = "The Elastic IP." + value = module.elastic_ip +} + +output "nat_gateway" { + description = "The NAT Gateway." + value = module.nat_gateway +} diff --git a/examples/nat-gateway-public/versions.tf b/examples/nat-gateway-public/versions.tf new file mode 100644 index 0000000..59c42e8 --- /dev/null +++ b/examples/nat-gateway-public/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "~> 1.5" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} diff --git a/modules/nat-gateway/README.md b/modules/nat-gateway/README.md index 4d29ad7..96d3248 100644 --- a/modules/nat-gateway/README.md +++ b/modules/nat-gateway/README.md @@ -10,14 +10,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 3.45 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.10 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.22.0 | ## Modules 
@@ -29,32 +29,39 @@ This module creates following resources. | Name | Type | |------|------| -| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | | [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource | +| [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [name](#input\_name) | Desired name for the NAT Gateway resources. | `string` | n/a | yes | -| [subnet\_id](#input\_subnet\_id) | The ID of the subnet which the NAT Gateway belongs to. | `string` | n/a | yes | -| [assign\_eip\_on\_create](#input\_assign\_eip\_on\_create) | Assign a new Elastic IP to NAT Gateway on create. Set false if you want to provide existing Elastic IP. | `bool` | `false` | no | -| [eip\_id](#input\_eip\_id) | The Allocation ID of the Elastic IP address for the gateway. Create a new Elastic IP if not provided. | `string` | `""` | no | -| [is\_private](#input\_is\_private) | Whether to create the gateway as private or public connectivity type. Defaults to public(false). | `bool` | `false` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. 
The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [name](#input\_name) | (Required) Desired name for the NAT Gateway resources. | `string` | n/a | yes | +| [subnet](#input\_subnet) | (Required) The Subnet ID of the subnet in which to place the NAT Gateway. | `string` | n/a | yes | +| [is\_private](#input\_is\_private) | (Optional) Whether to create the NAT gateway as private or public connectivity type. Defaults to `false` (public). | `bool` | `false` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [primary\_ip\_assignment](#input\_primary\_ip\_assignment) | (Optional) A configuration to assign primary ip address with the NAT Gateway. `primary_ip_assignment` as defined below.
(Optional) `elastic_ip` - The allocation ID of Elastic IP address to associate with the NAT Gateway.
(Optional) `private_ip` - The private IP address to associate with the NAT Gateway. If you dont't provide an address, a private IPv4 address will be automatically assigned. |
object({
elastic_ip = optional(string)
private_ip = optional(string)
})
| `{}` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [secondary\_ip\_assignments](#input\_secondary\_ip\_assignments) | (Optional) A configuration to assign secondary ip addresses with the NAT Gateway. Each block of `secondary_ip_assignments` as defined below.
(Optional) `elastic_ip` - The allocation ID of Elastic IP address to associate with the NAT Gateway.
(Optional) `private_ip` - The private IP address to associate with the NAT Gateway. If you dont't provide an address, a private IPv4 address will be automatically assigned. |
list(object({
elastic_ip = optional(string)
private_ip = optional(string)
}))
| `[]` | no | +| [secondary\_ip\_count](#input\_secondary\_ip\_count) | (Optional) The number of secondary private IPv4 addresses to assign to the NAT Gateway. Only used with private NAT Gateway. | `number` | `null` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [timeouts](#input\_timeouts) | (Optional) How long to wait for the NAT Gateway to be created/updated/deleted. |
object({
create = optional(string, "10m")
update = optional(string, "10m")
delete = optional(string, "30m")
})
| `{}` | no | ## Outputs | Name | Description | |------|-------------| -| [connectivity\_type](#output\_connectivity\_type) | Connectivity type for the gateway. Valid values are private and public. | -| [eip\_id](#output\_eip\_id) | The Allocation ID of the Elastic IP address for the gateway. | -| [eni\_id](#output\_eni\_id) | The ENI ID of the network interface created by the NAT gateway. | +| [availability\_zone](#output\_availability\_zone) | The availability zone of the NAT Gateway.
`id` - The ID of the availability zone.
`name` - The name of the availability zone. | +| [elastic\_ip](#output\_elastic\_ip) | The Allocation ID of the Elastic IP address for the gateway. | | [id](#output\_id) | The ID of the NAT Gateway. | -| [private\_ip](#output\_private\_ip) | The private IP address of the NAT Gateway. | -| [public\_ip](#output\_public\_ip) | The public IP address of the NAT Gateway. | +| [is\_private](#output\_is\_private) | Whether the NAT Gateway supports public or private connectivity. | +| [name](#output\_name) | The name of the NAT Gateway. | +| [netework\_interface](#output\_netework\_interface) | The ENI ID of the network interface created by the NAT gateway. | +| [primary\_private\_ip](#output\_primary\_private\_ip) | The private IP address of the NAT Gateway. | +| [primary\_public\_ip](#output\_primary\_public\_ip) | The public IP address of the NAT Gateway. | +| [secondary\_private\_ips](#output\_secondary\_private\_ips) | The secondary private IP addresses of the NAT Gateway. | +| [subnet](#output\_subnet) | The subnet which the NAT Gateway belongs to.
`id` - The ID of the subnet.
`arn` - The ARN of the subnet. | +| [vpc\_id](#output\_vpc\_id) | The VPC ID of the NAT Gateway. | diff --git a/modules/nat-gateway/main.tf b/modules/nat-gateway/main.tf index 9e9756a..6c1b144 100644 --- a/modules/nat-gateway/main.tf +++ b/modules/nat-gateway/main.tf @@ -14,24 +14,47 @@ locals { } : {} } -resource "aws_eip" "this" { - count = !var.is_private && var.assign_eip_on_create ? 1 : 0 +data "aws_subnet" "this" { + id = var.subnet +} - vpc = true - tags = merge( - { - "Name" = local.metadata.name - }, - local.module_tags, - var.tags, - ) -} +################################################### +# NAT Gateway +################################################### resource "aws_nat_gateway" "this" { connectivity_type = var.is_private ? "private" : "public" - subnet_id = var.subnet_id - allocation_id = length(aws_eip.this) > 0 ? aws_eip.this[0].id : var.eip_id + subnet_id = var.subnet + + + ## Primary IP Addresse + allocation_id = var.primary_ip_assignment.elastic_ip + private_ip = var.primary_ip_assignment.private_ip + + + ## Secondary IP Addresses + secondary_allocation_ids = (!var.is_private + ? [ + for assignment in var.secondary_ip_assignments : + assignment.elastic_ip + ] + : null + ) + secondary_private_ip_addresses = (var.secondary_ip_count == null + ? [ + for assignment in var.secondary_ip_assignments : + assignment.private_ip + ] + : null + ) + secondary_private_ip_address_count = var.secondary_ip_count + + timeouts { + create = var.timeouts.create + update = var.timeouts.update + delete = var.timeouts.delete + } tags = merge( { @@ -40,4 +63,14 @@ resource "aws_nat_gateway" "this" { local.module_tags, var.tags, ) + + lifecycle { + precondition { + condition = anytrue([ + var.secondary_ip_count == null, + var.secondary_ip_count != null && var.is_private == true, + ]) + error_message = "`secondary_ip_count` variable is only supported with private NAT Gateway." + } + } } 
diff --git a/modules/nat-gateway/outputs.tf b/modules/nat-gateway/outputs.tf index 2891a6b..eb4cf21 100644 --- a/modules/nat-gateway/outputs.tf +++ b/modules/nat-gateway/outputs.tf @@ -3,27 +3,66 @@ output "id" { value = aws_nat_gateway.this.id } -output "connectivity_type" { - description = "Connectivity type for the gateway. Valid values are private and public." - value = aws_nat_gateway.this.connectivity_type +output "name" { + description = "The name of the NAT Gateway." + value = var.name } -output "eip_id" { +output "is_private" { + description = "Whether the NAT Gateway supports public or private connectivity." + value = aws_nat_gateway.this.connectivity_type == "private" +} + +output "availability_zone" { + description = < 0 && var.secondary_ip_count < 32 + : true + ) + error_message = "`secondary_ip_count` must be greater than 0 and less than 32." + } +} + +variable "timeouts" { + description = "(Optional) How long to wait for the NAT Gateway to be created/updated/deleted." + type = object({ + create = optional(string, "10m") + update = optional(string, "10m") + delete = optional(string, "30m") + }) + default = {} + nullable = false } variable "tags" { - description = "A map of tags to add to all resources." + description = "(Optional) A map of tags to add to all resources." type = map(string) default = {} + nullable = false } variable "module_tags_enabled" { - description = "Whether to create AWS Resource Tags for the module informations." + description = "(Optional) Whether to create AWS Resource Tags for the module informations." type = bool default = true + nullable = false } 
@@ -44,19 +102,22 @@ variable "module_tags_enabled" {
 ###################################################
 
 variable "resource_group_enabled" {
- description = "Whether to create Resource Group to find and group AWS resources which are created by this module."
+ description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
 type = bool
 default = true
+ nullable = false
 }
 
 variable "resource_group_name" {
- description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
+ description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
 type = string
 default = ""
+ nullable = false
 }
 
 variable "resource_group_description" {
- description = "The description of Resource Group."
+ description = "(Optional) The description of Resource Group."
 type = string
 default = "Managed by Terraform."
+ nullable = false
 }
diff --git a/modules/nat-gateway/versions.tf b/modules/nat-gateway/versions.tf
index 9ae3d78..c46e4aa 100644
--- a/modules/nat-gateway/versions.tf
+++ b/modules/nat-gateway/versions.tf
@@ -1,10 +1,10 @@
 terraform {
- required_version = ">= 1.5"
+ required_version = ">= 1.6"
 
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.45"
+ version = ">= 5.10"
 }
 }
 }
From 272ff6e45e449678f370a68f870c41410f4383b5 Mon Sep 17 00:00:00 2001
From: "Byungjin Park (Claud)" Date: Fri, 27 Oct 2023 01:54:27 +0900 Subject: [PATCH 50/73] Refine nacl module (#54) --- modules/nacl/README.md | 29 ++++++------ modules/nacl/main.tf | 62 +++++++++++++++++--------- modules/nacl/outputs.tf | 14 +++++- modules/nacl/variables.tf | 94 +++++++++++++++++++++++++++++++++------ modules/nacl/versions.tf | 2 +- 5 files changed, 151 insertions(+), 50 deletions(-) diff --git a/modules/nacl/README.md b/modules/nacl/README.md index 132e59c..46ed073 100644 --- a/modules/nacl/README.md +++ b/modules/nacl/README.md @@ -3,6 +3,7 @@ This module creates following resources. - `aws_network_acl` +- `aws_network_acl_association` (optional) - `aws_network_acl_rule` (optional) @@ -11,13 +12,13 @@ This module creates following resources. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 3.45 | +| [aws](#requirement\_aws) | >= 4.59 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.22.0 | ## Modules 
@@ -37,23 +38,25 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [name](#input\_name) | Desired name for the network ACL resources. | `string` | n/a | yes | -| [vpc\_id](#input\_vpc\_id) | The ID of the associated VPC. | `string` | n/a | yes | -| [egress\_rules](#input\_egress\_rules) | A map of egress rules in a network ACL. Use the key of map as the rule number. | `map(map(any))` | `{}` | no | -| [ingress\_rules](#input\_ingress\_rules) | A map of ingress rules in a network ACL. Use the key of map as the rule number. | `map(map(any))` | `{}` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [subnets](#input\_subnets) | A list of subnet IDs to apply the ACL to. | `list(string)` | `[]` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [name](#input\_name) | (Required) Desired name for the network ACL resources. | `string` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC to associate. | `string` | n/a | yes | +| [egress\_rules](#input\_egress\_rules) | (Optional) A set of egress rules in the default Network ACL. Use the key of map as the rule number (priority). 
If not explicitly defined, the AWS default rules are applied. Each block of `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
map(object({
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
}))
| `{}` | no | +| [ingress\_rules](#input\_ingress\_rules) | (Optional) A map of ingress rules in the default Network ACL. Use the key of map as the rule number (priority). If not explicitly defined, the AWS default rules are applied. Each block of `ingress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` `all` protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
map(object({
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
}))
| `{}` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [subnets](#input\_subnets) | (Optional) A list of subnet IDs to apply the ACL to. | `list(string)` | `[]` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | ## Outputs | Name | Description | |------|-------------| | [arn](#output\_arn) | The ARN of the network ACL. | -| [associated\_subnets](#output\_associated\_subnets) | A list of subnet IDs which is associated with the network ACL. | | [id](#output\_id) | The ID of the network ACL. | +| [name](#output\_name) | The name of the network ACL. | | [owner\_id](#output\_owner\_id) | The ID of the AWS account that owns the network ACL. | +| [subnets](#output\_subnets) | A list of subnet IDs which is associated with the network ACL. | +| [vpc\_id](#output\_vpc\_id) | The VPC ID of the network ACL. | diff --git a/modules/nacl/main.tf b/modules/nacl/main.tf index 98f3660..55381ae 100644 --- a/modules/nacl/main.tf +++ b/modules/nacl/main.tf 
@@ -14,6 +14,14 @@ locals { } : {} } + +################################################### +# Network ACL +################################################### + +# INFO: Not supported attributes +# - `ingress` +# - `egress` resource "aws_network_acl" "this" { vpc_id = var.vpc_id subnet_ids = var.subnets @@ -28,6 +36,18 @@ resource "aws_network_acl" "this" { } +################################################### +# Subnet Associations of Network ACL +################################################### + +# resource "aws_network_acl_association" "this" { +# for_each = toset(var.subnets) +# +# network_acl_id = aws_network_acl.this.id +# subnet_id = each.value +# } + + ################################################### # Network ACL Rules ################################################### @@ -37,16 +57,17 @@ resource "aws_network_acl_rule" "ingress" { network_acl_id = aws_network_acl.this.id - egress = false - rule_number = each.key - rule_action = lookup(each.value, "action", "") - protocol = lookup(each.value, "protocol", -1) - from_port = lookup(each.value, "from_port", null) - to_port = lookup(each.value, "to_port", null) - icmp_type = lookup(each.value, "icmp_type", null) - icmp_code = lookup(each.value, "icmp_code", null) - cidr_block = lookup(each.value, "cidr_block", null) - ipv6_cidr_block = lookup(each.value, "ipv6_cidr_block", null) + egress = false + rule_number = each.key + + rule_action = lower(each.value.action) + protocol = each.value.protocol + from_port = each.value.from_port + to_port = each.value.to_prot + icmp_type = each.value.icmp_type + icmp_code = each.value.icmp_code + cidr_block = each.value.ipv4_cidr + ipv6_cidr_block = each.value.ipv6_cidr } resource "aws_network_acl_rule" "egress" { 
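Review bot: `to_port = each.value.to_prot` in the rewritten `aws_network_acl_rule.ingress` body references an attribute the rules object type does not declare (the README in this commit documents `to_port`), so `terraform plan` fails with an unsupported-attribute error as soon as `ingress_rules` is non-empty; the empty default hides it. The line should read `to_port = each.value.to_port`, and the `egress` resource in the next hunk carries the identical typo. Separately, the README now lists `aws_network_acl_association` (optional) as a created resource while the block added in the second hunk here is commented out and `subnet_ids` is still set on `aws_network_acl.this`; one of the two should go, since the provider documentation warns against associating the same subnet through both the inline attribute and the standalone resource.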
@@ -54,14 +75,15 @@ resource "aws_network_acl_rule" "egress" { network_acl_id = aws_network_acl.this.id - egress = true - rule_number = each.key - rule_action = lookup(each.value, "action", "") - protocol = lookup(each.value, "protocol", -1) - from_port = lookup(each.value, "from_port", null) - to_port = lookup(each.value, "to_port", null) - icmp_type = lookup(each.value, "icmp_type", null) - icmp_code = lookup(each.value, "icmp_code", null) - cidr_block = lookup(each.value, "cidr_block", null) - ipv6_cidr_block = lookup(each.value, "ipv6_cidr_block", null) + egress = true + rule_number = each.key + + rule_action = lower(each.value.action) + protocol = each.value.protocol + from_port = each.value.from_port + to_port = each.value.to_prot + icmp_type = each.value.icmp_type + icmp_code = each.value.icmp_code + cidr_block = each.value.ipv4_cidr + ipv6_cidr_block = each.value.ipv6_cidr } diff --git a/modules/nacl/outputs.tf b/modules/nacl/outputs.tf index 70d3515..37cbaec 100644 --- a/modules/nacl/outputs.tf +++ b/modules/nacl/outputs.tf @@ -13,7 +13,17 @@ output "owner_id" { value = aws_network_acl.this.owner_id } -output "associated_subnets" { +output "name" { + description = "The name of the network ACL." + value = var.name +} + +output "vpc_id" { + description = "The VPC ID of the network ACL." + value = aws_network_acl.this.vpc_id +} + +output "subnets" { description = "A list of subnet IDs which is associated with the network ACL." - value = var.subnets + value = aws_network_acl.this.subnet_ids } diff --git a/modules/nacl/variables.tf b/modules/nacl/variables.tf index de858af..cd464a4 100644 --- a/modules/nacl/variables.tf +++ b/modules/nacl/variables.tf 
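Review bot: `output "subnets"` now returns `aws_network_acl.this.subnet_ids`, which the provider exposes as a set, whereas the replaced `associated_subnets` output returned `var.subnets`, a `list(string)`; callers that index the output (for example `module.nacl.subnets[0]`, a constructed sample) or pass it to list-only functions break, and the description "A list of subnet IDs" is no longer accurate. Either keep `value = var.subnets` or make the conversion explicit with `value = tolist(aws_network_acl.this.subnet_ids)` and state in the description that element order is not guaranteed. The rename from `associated_subnets` to `subnets` is itself a breaking change for consumers and deserves a line in the commit message or changelog.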
@@ -1,41 +1,104 @@ variable "name" { - description = "Desired name for the network ACL resources." + description = "(Required) Desired name for the network ACL resources." type = string + nullable = false } variable "vpc_id" { - description = "The ID of the associated VPC." + description = "(Required) The ID of the VPC to associate." type = string + nullable = false } variable "subnets" { - description = "A list of subnet IDs to apply the ACL to." + description = "(Optional) A list of subnet IDs to apply the ACL to." type = list(string) default = [] + nullable = false } variable "ingress_rules" { - description = "A map of ingress rules in a network ACL. Use the key of map as the rule number." - type = map(map(any)) - default = {} + description = < Date: Fri, 27 Oct 2023 01:59:08 +0900 Subject: [PATCH 51/73] Refine subnet-group module (#55) --- .github/labeler.yaml | 3 + examples/vpc-full/nat-gateways.tf | 67 ++++++ examples/vpc-full/outputs.tf | 18 ++ examples/vpc-full/subnet-groups.tf | 138 +++++++++++ modules/subnet-group/README.md | 94 ++++---- modules/subnet-group/integrations.tf | 169 +++++++++++++ modules/subnet-group/main.tf | 198 ++++++---------- modules/subnet-group/outputs.tf | 253 +++++++++++++++----- modules/subnet-group/variables.tf | 339 +++++++++++++++++++-------- 9 files changed, 942 insertions(+), 337 deletions(-) create mode 100644 examples/vpc-full/nat-gateways.tf create mode 100644 examples/vpc-full/subnet-groups.tf create mode 100644 modules/subnet-group/integrations.tf diff --git a/.github/labeler.yaml b/.github/labeler.yaml index bb352d2..bc6b780 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -11,5 +11,8 @@ ":floppy_disk: security-group": - modules/security-group/**/* +":floppy_disk: subnet-group": +- modules/subnet-group/**/* + ":floppy_disk: vpc": - modules/vpc/**/* diff --git a/examples/vpc-full/nat-gateways.tf b/examples/vpc-full/nat-gateways.tf new file mode 100644 index 0000000..3df103c --- /dev/null 
+++ b/examples/vpc-full/nat-gateways.tf
@@ -0,0 +1,67 @@
+###################################################
+# Elastic IP
+###################################################
+
+module "elastic_ip" {
+ source = "tedilabs/ipam/aws//modules/elastic-ip"
+ version = "~> 0.3.0"
+
+ name = "nat-gw-test-public/az2"
+ type = "AMAZON"
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
+
+
+###################################################
+# Public NAT Gateway
+###################################################
+
+module "public_nat_gateway" {
+ source = "../../modules/nat-gateway"
+ # source = "tedilabs/network/aws//modules/nat-gateway"
+ # version = "~> 0.2.0"
+
+ name = "test-public/az2"
+ is_private = false
+ subnet = module.public_subnet_group.subnets_by_az["use1-az2"][0].id
+
+
+ ## Primary IP Address
+ primary_ip_assignment = {
+ elastic_ip = module.elastic_ip.id
+ }
+
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
+
+
+###################################################
+# Private NAT Gateway
+###################################################
+
+module "private_nat_gateway" {
+ source = "../../modules/nat-gateway"
+ # source = "tedilabs/network/aws//modules/nat-gateway"
+ # version = "~> 0.2.0"
+
+ name = "test-private/az2"
+ is_private = true
+ subnet = module.private_subnet_group.subnets_by_az["use1-az2"][0].id
+
+
+ ## Primary IP Address
+ primary_ip_assignment = {
+ private_ip = "10.0.200.7"
+ }
+
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
diff --git a/examples/vpc-full/outputs.tf b/examples/vpc-full/outputs.tf
index cc46043..6bd50a8 100644
--- a/examples/vpc-full/outputs.tf
+++ b/examples/vpc-full/outputs.tf
@@ -2,3 +2,21 @@ output "vpc" {
 description = "The VPC."
 value = module.vpc
 }
+
+output "subnet_groups" {
+ description = "The Subnet Groups for the VPC."
+ value = {
+ private = module.private_subnet_group
+ public = module.public_subnet_group
+ }
+}
+
+output "public_nat_gateways" {
+ description = "The NAT Gateways in public."
+ value = module.public_nat_gateway
+}
+
+output "private_nat_gateways" {
+ description = "The NAT Gateways in private."
+ value = module.private_nat_gateway
+}
diff --git a/examples/vpc-full/subnet-groups.tf b/examples/vpc-full/subnet-groups.tf
new file mode 100644
index 0000000..868f46a
--- /dev/null
+++ b/examples/vpc-full/subnet-groups.tf
@@ -0,0 +1,138 @@ +################################################### +# Subnet Groups +################################################### + +module "private_subnet_group" { + source = "../../modules/subnet-group" + # source = "tedilabs/network/aws//modules/subnet-group" + # version = "~> 0.2.0" + + name = "test/private" + + vpc_id = module.vpc.id + + subnets = { + "test/private/az2" = { + availability_zone_id = "use1-az2" + ipv4_cidr = "10.0.200.0/24" + } + "test/private/az4" = { + availability_zone_id = "use1-az4" + ipv4_cidr = "10.0.201.0/24" + } + } + + + ## IP Assignments + public_ipv4_address_assignment = { + enabled = false + } + ipv6_address_assignment = { + enabled = false + } + customer_owned_ipv4_address_assignment = { + enabled = false + } + + + ## DNS Configurations + dns_config = { + hostname_type = "RESOURCE_NAME" + dns_resource_name_ipv4_enabled = true + dns_resource_name_ipv6_enabled = false + dns64_enabled = false + } + + ## Integrations + dax_subnet_group = { + enabled = true + name = "test-dax" + description = "Test DAX Subnet Group" + } + dms_replication_subnet_group = { + enabled = true + name = "test-dms-replication" + description = "Test DMS Replication Subnet Group" + } + docdb_subnet_group = { + enabled = true + name = "test-docdb" + description = "Test DocumentDB Subnet Group" + } + elasticache_subnet_group = { + enabled = true + name = "test-elasticache" + description = "Test ElastiCache Subnet Group" + } + memorydb_subnet_group = { + enabled = true + name = "test-memorydb" + description = "Test MemoryDB Subnet Group" + } + neptune_subnet_group = { + enabled = true + name = "test-neptune" + description = "Test Neptune Subnet Group" + } + rds_subnet_group = { + enabled = true + name = "test-rds" + description = "Test RDS Subnet Group" + } + redshift_subnet_group = { + enabled = true + name = "test-redshift" + description = "Test Redshift Subnet Group" + } + + tags = { + "project" = "terraform-aws-network-examples" + } +} + +module 
"public_subnet_group" { + source = "../../modules/subnet-group" + # source = "tedilabs/network/aws//modules/subnet-group" + # version = "~> 0.2.0" + + name = "test/public" + + vpc_id = module.vpc.id + + subnets = { + "test/public/az2" = { + availability_zone_id = "use1-az2" + ipv4_cidr = "10.0.100.0/24" + } + "test/public/az4" = { + availability_zone_id = "use1-az4" + ipv4_cidr = "10.0.101.0/24" + } + } + + + ## IP Assignments + public_ipv4_address_assignment = { + enabled = true + } + ipv6_address_assignment = { + enabled = false + } + customer_owned_ipv4_address_assignment = { + enabled = false + } + + + ## DNS Configurations + dns_config = { + hostname_type = "RESOURCE_NAME" + dns_resource_name_ipv4_enabled = true + dns_resource_name_ipv6_enabled = false + dns64_enabled = false + } + + + tags = { + "project" = "terraform-aws-network-examples" + } +} diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md index b7f4c59..662fd10 100644 --- a/modules/subnet-group/README.md +++ b/modules/subnet-group/README.md @@ -3,13 +3,14 @@ This module creates following resources. - `aws_subnet` +- `aws_dax_subnet_group` (optional) - `aws_db_subnet_group` (optional) +- `aws_dms_replication_subnet_group` (optional) +- `aws_docdb_subnet_group` (optional) - `aws_elasticache_subnet_group` (optional) -- `aws_redshift_subnet_group` (optional) +- `aws_memorydb_subnet_group` (optional) - `aws_neptune_subnet_group` (optional) -- `aws_docdb_subnet_group` (optional) -- `aws_dax_subnet_group` (optional) -- `aws_dms_replication_subnet_group` (optional) +- `aws_redshift_subnet_group` (optional) ## Requirements @@ -23,7 +24,7 @@ This module creates following resources. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.22.0 | ## Modules 
@@ -44,40 +45,34 @@ This module creates following resources. | [aws_neptune_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_subnet_group) | resource | | [aws_redshift_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_subnet_group) | resource | | [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [name](#input\_name) | The name of the subnet group. | `string` | n/a | yes | -| [subnets](#input\_subnets) | A map of subnet parameters to create subnets for the subnet group. | `map(map(any))` | n/a | yes | -| [vpc\_id](#input\_vpc\_id) | The ID of the VPC which the subnet group belongs to. | `string` | n/a | yes | -| [assign\_ipv6\_address\_on\_creation](#input\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch. | `bool` | `false` | no | -| [cache\_subnet\_group\_enabled](#input\_cache\_subnet\_group\_enabled) | Controls if Elasticache Subnet Group should be created. | `bool` | `false` | no | -| [cache\_subnet\_group\_name](#input\_cache\_subnet\_group\_name) | Desired name for the Elasticache Subnet Group. | `string` | `""` | no | -| [customer\_owned\_ipv4\_pool](#input\_customer\_owned\_ipv4\_pool) | The customer owned IPv4 address pool. `outpost_arn` argument must be specified when configured. | `string` | `""` | no | -| [dax\_subnet\_group\_enabled](#input\_dax\_subnet\_group\_enabled) | Controls if DAX Subnet Group should be created. 
| `bool` | `false` | no | -| [dax\_subnet\_group\_name](#input\_dax\_subnet\_group\_name) | Desired name for the DAX Subnet Group. | `string` | `""` | no | -| [db\_subnet\_group\_enabled](#input\_db\_subnet\_group\_enabled) | Controls if RDS Subnet Group should be created. | `bool` | `false` | no | -| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Desired name for the RDS Subnet Group. | `string` | `""` | no | -| [dms\_replication\_subnet\_group\_enabled](#input\_dms\_replication\_subnet\_group\_enabled) | Controls if DMS Replication Subnet Group should be created. | `bool` | `false` | no | -| [dms\_replication\_subnet\_group\_name](#input\_dms\_replication\_subnet\_group\_name) | Desired name for the DMS Replication Subnet Group. | `string` | `""` | no | -| [docdb\_subnet\_group\_enabled](#input\_docdb\_subnet\_group\_enabled) | Controls if DocumentDB Subnet Group should be created. | `bool` | `false` | no | -| [docdb\_subnet\_group\_name](#input\_docdb\_subnet\_group\_name) | Desired name for the DocumentDB Subnet Group. | `string` | `""` | no | -| [map\_customer\_owned\_ip\_on\_launch](#input\_map\_customer\_owned\_ip\_on\_launch) | Should be true if network interfaces created in the subnet should be assigned a customer owned IP address. | `bool` | `false` | no | -| [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Should be false if you do not want to auto-assign public IP on launch. | `bool` | `false` | no | -| [memorydb\_subnet\_group\_enabled](#input\_memorydb\_subnet\_group\_enabled) | Controls if MemoryDB Subnet Group should be created. | `bool` | `false` | no | -| [memorydb\_subnet\_group\_name](#input\_memorydb\_subnet\_group\_name) | Desired name for the MemoryDB Subnet Group. | `string` | `""` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. 
| `bool` | `true` | no | -| [neptune\_subnet\_group\_enabled](#input\_neptune\_subnet\_group\_enabled) | Controls if Neptune Subnet Group should be created. | `bool` | `false` | no | -| [neptune\_subnet\_group\_name](#input\_neptune\_subnet\_group\_name) | Desired name for the Neptune Subnet Group. | `string` | `""` | no | -| [outpost\_arn](#input\_outpost\_arn) | The ARN of the Outpost. | `string` | `""` | no | -| [redshift\_subnet\_group\_enabled](#input\_redshift\_subnet\_group\_enabled) | Controls if Redshift Subnet Group should be created. | `bool` | `false` | no | -| [redshift\_subnet\_group\_name](#input\_redshift\_subnet\_group\_name) | Desired name for the Redshift Subnet Group. | `string` | `""` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [name](#input\_name) | (Required) The name of the subnet group. | `string` | n/a | yes | +| [subnets](#input\_subnets) | (Required) A configuration of subnets to create in the subnet group. Each block of `subnets` as defined below.
(Required) `type` - The type of subnet. Valid values are `DUALSTACK` and `IPV6`.
(Optional) `availability_zone` - The availability zone of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone.
(Optional) `availability_zone_id` - The availability zone ID of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone. |
map(object({
type = optional(string, "DUALSTACK")

availability_zone = optional(string)
availability_zone_id = optional(string)

ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
}))
| n/a | yes | +| [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC which the subnet group belongs to. | `string` | n/a | yes | +| [customer\_owned\_ipv4\_address\_assignment](#input\_customer\_owned\_ipv4\_address\_assignment) | (Optional) A configuration for Customer-owned IPv4 address assignment. `customer_owned_ipv4_address_assignment` as defined below.
(Optional) `enabled` - Whether to automatically request a Customer-owned IPv4 address for a new network interface in this subnet. Defaults to `false`.
(Optional) `outpost` - The Amazon Resource Name (ARN) of the Outpost.
(Optional) `pool` - The customer owned IPv4 address pool. |
object({
enabled = optional(bool, false)
outpost = optional(string)
pool = optional(string)
})
| `{}` | no | +| [dax\_subnet\_group](#input\_dax\_subnet\_group) | (Optional) A configuration of DAX Subnet Group. `dax_subnet_group` as defined below.
(Optional) `enabled` - Whether to create DAX Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the DAX Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the DAX Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [dms\_replication\_subnet\_group](#input\_dms\_replication\_subnet\_group) | (Optional) A configuration of DMS Replication Subnet Group. `dms_replication_subnet_group` as defined below.
(Optional) `enabled` - Whether to create DMS Replication Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the DMS Replication Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the DMS Replication Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [dns\_config](#input\_dns\_config) | (Optional) A configuration for DNS queries for the subnet. `dns_config` as defined below.
(Optional) `hostname_type` - The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID (`RESOURCE_NAME`). For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address (`IP_NAME`) or the instance ID (`RESOURCE_NAME`). Valid values are `IP_NAME`, `RESOURCE_NAME`. Defaults to `RESOURCE_NAME`.
(Optional) `dns_resource_name_ipv4_enabled` - Whether to respond to DNS queries for instance hostnames with DNS A records. Always `false` for IPv6 only subnet. Defaults to `false`.
(Optional) `dns_resource_name_ipv6_enabled` - Whether to respond to DNS queries for instance hostnames with DNS AAAA records. Always `true` for IPv6 only subnet. Defaults to `false`.
(Optional) `dns64_enabled` - Whether to enable DNS64 to allow IPv6-only services in Amazon VPC to communicate with IPv4-only services and networks. Defaults to `false`. |
object({
hostname_type = optional(string, "RESOURCE_NAME")
dns_resource_name_ipv4_enabled = optional(bool, false)
dns_resource_name_ipv6_enabled = optional(bool, false)
dns64_enabled = optional(bool, false)
})
| `{}` | no | +| [docdb\_subnet\_group](#input\_docdb\_subnet\_group) | (Optional) A configuration of DocumentDB Subnet Group. `docdb_subnet_group` as defined below.
(Optional) `enabled` - Whether to create DocumentDB Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the DocumentDB Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the DocumentDB Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [elasticache\_subnet\_group](#input\_elasticache\_subnet\_group) | (Optional) A configuration of ElastiCache Subnet Group. `elasticache_subnet_group` as defined below.
(Optional) `enabled` - Whether to create ElastiCache Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the ElastiCache Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the ElastiCache Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [ipv6\_address\_assignment](#input\_ipv6\_address\_assignment) | (Optional) A configuration for IPv6 address assignment. `ipv6_address_assignment` as defined below.
(Optional) `enabled` - Whether to automatically request a IPv6 address for a new network interface in this subnet. Defaults to `false`. |
object({
enabled = optional(bool, false)
})
| `{}` | no | +| [local\_network\_interface\_device\_index](#input\_local\_network\_interface\_device\_index) | (Optional) The device position for local network interfaces in this subnet. For example, `1` indicates local network interfaces in this subnet are the secondary network interface (eth1). A local network interface cannot be the primary network interface (eth0). | `number` | `null` | no | +| [memorydb\_subnet\_group](#input\_memorydb\_subnet\_group) | (Optional) A configuration of MemoryDB Subnet Group. `memorydb_subnet_group` as defined below.
(Optional) `enabled` - Whether to create MemoryDB Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the MemoryDB Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the MemoryDB Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | +| [neptune\_subnet\_group](#input\_neptune\_subnet\_group) | (Optional) A configuration of Neptune Subnet Group. `neptune_subnet_group` as defined below.
(Optional) `enabled` - Whether to create Neptune Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the Neptune Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the Neptune Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [public\_ipv4\_address\_assignment](#input\_public\_ipv4\_address\_assignment) | (Optional) A configuration for public IPv4 address assignment. `public_ipv4_address_assignment` as defined below.
(Optional) `enabled` - Whether to automatically request a public IPv4 address for a new network interface in this subnet. Defaults to `false`. |
object({
enabled = optional(bool, false)
})
| `{}` | no | +| [rds\_subnet\_group](#input\_rds\_subnet\_group) | (Optional) A configuration of RDS Subnet Group. `rds_subnet_group` as defined below.
(Optional) `enabled` - Whether to create RDS Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the RDS Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the RDS Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [redshift\_subnet\_group](#input\_redshift\_subnet\_group) | (Optional) A configuration of Redshift Subnet Group. `redshift_subnet_group` as defined below.
(Optional) `enabled` - Whether to create Redshift Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the Redshift Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the Redshift Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | +| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [timeouts](#input\_timeouts) | (Optional) How long to wait for the subnet group to be created/deleted. |
object({
create = optional(string, "10m")
delete = optional(string, "20m")
})
| `{}` | no | ## Outputs @@ -86,23 +81,24 @@ This module creates following resources. | [arns](#output\_arns) | A list of ARNs of subnets | | [availability\_zone\_ids](#output\_availability\_zone\_ids) | A list of availability zone IDs which the subnet group uses. | | [availability\_zones](#output\_availability\_zones) | A list of availability zones which the subnet group uses. | -| [cache\_subnet\_group\_id](#output\_cache\_subnet\_group\_id) | The ID of the Elasticache Subnet Group. | -| [cidr\_blocks](#output\_cidr\_blocks) | The CIDR blocks of the subnet group. | -| [dax\_subnet\_group\_id](#output\_dax\_subnet\_group\_id) | The ID of the DAX Subnet Group. | -| [db\_subnet\_group\_arn](#output\_db\_subnet\_group\_arn) | The ARN of the RDS Subnet Group. | -| [db\_subnet\_group\_id](#output\_db\_subnet\_group\_id) | The ID of the RDS Subnet Group. | -| [dms\_replication\_subnet\_group\_id](#output\_dms\_replication\_subnet\_group\_id) | The ID of the DMS Replication Subnet Group. | -| [docdb\_subnet\_group\_arn](#output\_docdb\_subnet\_group\_arn) | The ARN of the DocumentDB Subnet Group. | -| [docdb\_subnet\_group\_id](#output\_docdb\_subnet\_group\_id) | The ID of the DocumentDB Subnet Group. | +| [customer\_owned\_ipv4\_address\_assignment](#output\_customer\_owned\_ipv4\_address\_assignment) | The configuration of Customer-owned IPv4 address assignment.
`enabled` - Whether to automatically assign Customer-owned IPv4 address to instances launched in the subnet group.
`outpost` - The ARN of the Outpost.
`pool` - The ID of the Customer-owned IPv4 address pool. | +| [dax\_subnet\_group](#output\_dax\_subnet\_group) | The configuration of DAX Subnet Group.
`id` - The ID of the DAX Subnet Group.
`name` - The name of the DAX Subnet Group.
`description` - The description of the DAX Subnet Group. | +| [dms\_replication\_subnet\_group](#output\_dms\_replication\_subnet\_group) | The configuration of DMS Replication Subnet Group.
`id` - The ID of the DMS Replication Subnet Group.
`arn` - The ARN of the DMS Replication Subnet Group.
`name` - The name of the DMS Replication Subnet Group.
`description` - The description of the DMS Replication Subnet Group. | +| [dns\_config](#output\_dns\_config) | The DNS configuration for the subnet group.
`id` - The ID of the DAX Subnet Group. | +| [docdb\_subnet\_group](#output\_docdb\_subnet\_group) | The configuration of DocumentDB Subnet Group.
`id` - The ID of the DocumentDB Subnet Group.
`arn` - The ARN of the DocumentDB Subnet Group.
`name` - The name of the DocumentDB Subnet Group.
`description` - The description of the DocumentDB Subnet Group. | +| [elasticache\_subnet\_group](#output\_elasticache\_subnet\_group) | The configuration of ElastiCache Subnet Group.
`id` - The ID of the ElastiCache Subnet Group.
`arn` - The ARN of the ElastiCache Subnet Group.
`name` - The name of the ElastiCache Subnet Group.
`description` - The description of the ElastiCache Subnet Group. | | [ids](#output\_ids) | A list of IDs of subnets | -| [ipv6\_cidr\_blocks](#output\_ipv6\_cidr\_blocks) | The IPv6 CIDR blocks of the subnet group. | -| [memorydb\_subnet\_group\_arn](#output\_memorydb\_subnet\_group\_arn) | The ARN of the MemoryDB Subnet Group. | -| [memorydb\_subnet\_group\_id](#output\_memorydb\_subnet\_group\_id) | The ID of the MemoryDB Subnet Group. | +| [ipv4\_cidrs](#output\_ipv4\_cidrs) | The IPv4 CIDR blocks of the subnet group. | +| [ipv6\_address\_assignment](#output\_ipv6\_address\_assignment) | The configuration of IPv6 address assignment.
`enabled` - Whether to automatically assign IPv6 address to instances launched in the subnet group. | +| [ipv6\_cidrs](#output\_ipv6\_cidrs) | The IPv6 CIDR blocks of the subnet group. | +| [local\_network\_interface\_device\_index](#output\_local\_network\_interface\_device\_index) | The device position for local network interfaces in this subnet. | +| [memorydb\_subnet\_group](#output\_memorydb\_subnet\_group) | The configuration of MemoryDB Subnet Group.
`id` - The ID of the MemoryDB Subnet Group.
`arn` - The ARN of the MemoryDB Subnet Group.
`name` - The name of the MemoryDB Subnet Group.
`description` - The description of the MemoryDB Subnet Group. | | [name](#output\_name) | The name of the subnet group. | -| [neptune\_subnet\_group\_arn](#output\_neptune\_subnet\_group\_arn) | The ARN of the Neptune Subnet Group. | -| [neptune\_subnet\_group\_id](#output\_neptune\_subnet\_group\_id) | The ID of the Neptune DB Subnet Group. | -| [redshift\_subnet\_group\_arn](#output\_redshift\_subnet\_group\_arn) | The ARN of the Redshift Subnet Group. | -| [redshift\_subnet\_group\_id](#output\_redshift\_subnet\_group\_id) | The ID of the Redshift Subnet Group. | +| [neptune\_subnet\_group](#output\_neptune\_subnet\_group) | The configuration of Neptune Subnet Group.
`id` - The ID of the Neptune Subnet Group.
`arn` - The ARN of the Neptune Subnet Group.
`name` - The name of the Neptune Subnet Group.
`description` - The description of the Neptune Subnet Group. | +| [owner](#output\_owner) | The ID of the AWS account that owns subnets in the subnet group. | +| [public\_ipv4\_address\_assignment](#output\_public\_ipv4\_address\_assignment) | The configuration of public IPv4 address assignment.
`enabled` - Whether to automatically assign public IPv4 address to instances launched in the subnet group. | +| [rds\_subnet\_group](#output\_rds\_subnet\_group) | The configuration of RDS Subnet Group.
`id` - The ID of the RDS Subnet Group.
`arn` - The ARN of the RDS Subnet Group.
`name` - The name of the RDS Subnet Group.
`description` - The description of the RDS Subnet Group. | +| [redshift\_subnet\_group](#output\_redshift\_subnet\_group) | The configuration of Redshift Subnet Group.
`id` - The ID of the Redshift Subnet Group.
`arn` - The ARN of the Redshift Subnet Group.
`name` - The name of the Redshift Subnet Group.
`description` - The description of the Redshift Subnet Group. | | [subnets](#output\_subnets) | A list of subnets of the subnet group. | | [subnets\_by\_az](#output\_subnets\_by\_az) | A map of subnets of the subnet group which are grouped by availability zone id. | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC which the subnet group belongs to. | diff --git a/modules/subnet-group/integrations.tf b/modules/subnet-group/integrations.tf new file mode 100644 index 0000000..f1eae91 --- /dev/null +++ b/modules/subnet-group/integrations.tf 
@@ -0,0 +1,169 @@ +################################################### +# Subnet Group for DAX +################################################### + +resource "aws_dax_subnet_group" "this" { + count = var.dax_subnet_group.enabled ? 1 : 0 + + name = coalesce(var.dax_subnet_group.name, var.name) + description = var.dax_subnet_group.description + + subnet_ids = values(aws_subnet.this)[*].id + + # INFO: Not support resource tags + # tags = {} +} + + +################################################### +# Subnet Group for DMS Replication +################################################### + +resource "aws_dms_replication_subnet_group" "this" { + count = var.dms_replication_subnet_group.enabled ? 1 : 0 + + replication_subnet_group_id = coalesce(var.dms_replication_subnet_group.name, var.name) + replication_subnet_group_description = var.dms_replication_subnet_group.description + + subnet_ids = values(aws_subnet.this)[*].id + + tags = merge( + { + "Name" = coalesce(var.dms_replication_subnet_group.name, var.name) + }, + local.module_tags, + var.tags, + ) +} + + +################################################### +# Subnet Group for DocumentDB +################################################### + +resource "aws_docdb_subnet_group" "this" { + count = var.docdb_subnet_group.enabled ? 1 : 0 + + name = coalesce(var.docdb_subnet_group.name, var.name) + description = var.docdb_subnet_group.description + + subnet_ids = values(aws_subnet.this)[*].id + + tags = merge( + { + "Name" = coalesce(var.docdb_subnet_group.name, var.name) + }, + local.module_tags, + var.tags, + ) +} + + +################################################### +# Subnet Group for ElastiCache +################################################### + +resource "aws_elasticache_subnet_group" "this" { + count = var.elasticache_subnet_group.enabled ? 
1 : 0 + + name = coalesce(var.elasticache_subnet_group.name, var.name) + description = var.elasticache_subnet_group.description + + subnet_ids = values(aws_subnet.this)[*].id + + tags = merge( + { + "Name" = coalesce(var.elasticache_subnet_group.name, var.name) + }, + local.module_tags, + var.tags, + ) +} + + +################################################### +# Subnet Group for MemoryDB +################################################### + +resource "aws_memorydb_subnet_group" "this" { + count = var.memorydb_subnet_group.enabled ? 1 : 0 + + name = coalesce(var.memorydb_subnet_group.name, var.name) + description = var.memorydb_subnet_group.description + + subnet_ids = values(aws_subnet.this)[*].id + + tags = merge( + { + "Name" = coalesce(var.memorydb_subnet_group.name, var.name) + }, + local.module_tags, + var.tags, + ) +} + + +################################################### +# Subnet Group for Neptune +################################################### + +resource "aws_neptune_subnet_group" "this" { + count = var.neptune_subnet_group.enabled ? 1 : 0 + + name = coalesce(var.neptune_subnet_group.name, var.name) + description = var.neptune_subnet_group.description + + subnet_ids = values(aws_subnet.this)[*].id + + tags = merge( + { + "Name" = coalesce(var.neptune_subnet_group.name, var.name) + }, + local.module_tags, + var.tags, + ) +} + + +################################################### +# Subnet Group for RDS +################################################### + +resource "aws_db_subnet_group" "this" { + count = var.rds_subnet_group.enabled ? 
1 : 0 + + name = coalesce(var.rds_subnet_group.name, var.name) + description = var.rds_subnet_group.description + + subnet_ids = values(aws_subnet.this)[*].id + + tags = merge( + { + "Name" = coalesce(var.rds_subnet_group.name, var.name) + }, + local.module_tags, + var.tags, + ) +} + + +################################################### +# Subnet Group for Redshift +################################################### + +resource "aws_redshift_subnet_group" "this" { + count = var.redshift_subnet_group.enabled ? 1 : 0 + + name = coalesce(var.redshift_subnet_group.name, var.name) + description = var.redshift_subnet_group.description + + subnet_ids = values(aws_subnet.this)[*].id + + tags = merge( + { + "Name" = coalesce(var.redshift_subnet_group.name, var.name) + }, + local.module_tags, + var.tags, + ) +} diff --git a/modules/subnet-group/main.tf b/modules/subnet-group/main.tf index 4d51a2a..4506fce 100644 --- a/modules/subnet-group/main.tf +++ b/modules/subnet-group/main.tf @@ -14,6 +14,25 @@ locals { } : {} } +data "aws_availability_zones" "available" { + state = "available" +} + +locals { + available_availablity_zones = data.aws_availability_zones.available.names + available_availablity_zone_ids = data.aws_availability_zones.available.zone_ids + + az = { + for idx, id in local.available_availablity_zone_ids : + id => local.available_availablity_zones[idx] + } + + hostname_types = { + "RESOURCE_NAME" = "resource-name" + "IP_NAME" = "ip-name" + } +} + locals { availability_zones = distinct( values(aws_subnet.this)[*].availability_zone @@ -21,9 +40,6 @@ locals { availability_zone_ids = distinct( values(aws_subnet.this)[*].availability_zone_id ) -} - -locals { subnets = [ for subnet in aws_subnet.this : { id = subnet.id 
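Review bot: `subnet_ids = values(aws_subnet.this)[*].id` in each subnet-group resource of the new integrations.tf hands the managed service every subnet of the group, including subnets declared with `type = "IPV6"` (which main.tf creates with `ipv6_native = true`), and most of these services presumably accept only IPv4 or dual-stack subnets, so such an input would fail at apply time rather than at plan time. A filter such as `subnet_ids = [for subnet in values(aws_subnet.this) : subnet.id if !subnet.ipv6_native]` in each resource, or a precondition that rejects IPv6-only subnets when any group is enabled, would surface the problem earlier; if the services are expected to cope, a comment saying so above the first resource would save the next reader the same question. The eight resources differ only in the variable they read, so a short header comment noting that each service needs its own provider resource type would also document why they are not collapsed into one.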
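Review bot: `available_availablity_zones` and `available_availablity_zone_ids` in the new `locals` block of main.tf misspell "availability"; both are private locals consumed only by `local.az` in the same block, so renaming them to `available_availability_zones` / `available_availability_zone_ids` now is cheap and avoids propagating the typo. The `az` map and the `hostname_types` table also deserve one-line comments, e.g. `# availability zone id -> zone name, used to place subnets declared by zone id` and `# module-facing hostname_type values -> provider argument values`, since their purpose is only clear from the resource that uses them.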
@@ -39,149 +55,85 @@ locals { ] } -resource "aws_subnet" "this" { - for_each = var.subnets - - vpc_id = var.vpc_id - availability_zone = lookup(each.value, "availability_zone", null) - availability_zone_id = lookup(each.value, "availability_zone_id", null) - - cidr_block = lookup(each.value, "cidr_block", "") - ipv6_cidr_block = lookup(each.value, "ipv6_cidr_block", null) - - map_public_ip_on_launch = var.map_public_ip_on_launch - assign_ipv6_address_on_creation = var.assign_ipv6_address_on_creation - - outpost_arn = var.outpost_arn - customer_owned_ipv4_pool = var.customer_owned_ipv4_pool - map_customer_owned_ip_on_launch = var.map_customer_owned_ip_on_launch - - tags = merge( - { - "Name" = each.key - }, - local.module_tags, - var.tags, - ) -} - ################################################### -# Subnet Groups for Managed Data Services +# Subnets of the Subnet Group ################################################### -resource "aws_db_subnet_group" "this" { - count = var.db_subnet_group_enabled ? 1 : 0 - - name = var.db_subnet_group_name - subnet_ids = values(aws_subnet.this)[*].id +# INFO: Not supported attributes +# - `availability_zone_id` +resource "aws_subnet" "this" { + for_each = var.subnets - tags = merge( - { - "Name" = var.db_subnet_group_name - }, - local.module_tags, - var.tags, + vpc_id = var.vpc_id + availability_zone = (each.value.availability_zone != null + ? each.value.availability_zone + : (each.value.availability_zone_id != null + ? local.az[each.value.availability_zone_id] + : null + ) ) -} -resource "aws_elasticache_subnet_group" "this" { - count = var.cache_subnet_group_enabled ? 
1 : 0 + enable_lni_at_device_index = var.local_network_interface_device_index - name = var.cache_subnet_group_name - subnet_ids = values(aws_subnet.this)[*].id - tags = merge( - { - "Name" = var.cache_subnet_group_name - }, - local.module_tags, - var.tags, - ) -} + ## IP CIDR Blocks + ipv6_native = each.value.type == "IPV6" -resource "aws_redshift_subnet_group" "this" { - count = var.redshift_subnet_group_enabled ? 1 : 0 + cidr_block = each.value.ipv4_cidr + ipv6_cidr_block = each.value.ipv6_cidr - name = var.redshift_subnet_group_name - subnet_ids = values(aws_subnet.this)[*].id - tags = merge( - { - "Name" = var.redshift_subnet_group_name - }, - local.module_tags, - var.tags, + ## IP Assignments + map_public_ip_on_launch = (each.value.type == "IPV6" + ? false + : var.public_ipv4_address_assignment.enabled ) -} - -resource "aws_neptune_subnet_group" "this" { - count = var.neptune_subnet_group_enabled ? 1 : 0 - - name = var.neptune_subnet_group_name - subnet_ids = values(aws_subnet.this)[*].id - - tags = merge( - { - "Name" = var.neptune_subnet_group_name - }, - local.module_tags, - var.tags, + assign_ipv6_address_on_creation = (each.value.type == "IPV6" + ? true + : var.ipv6_address_assignment.enabled ) -} - -resource "aws_docdb_subnet_group" "this" { - count = var.docdb_subnet_group_enabled ? 1 : 0 - - name = var.docdb_subnet_group_name - subnet_ids = values(aws_subnet.this)[*].id - - tags = merge( - { - "Name" = var.docdb_subnet_group_name - }, - local.module_tags, - var.tags, + map_customer_owned_ip_on_launch = (each.value.type == "IPV6" + ? null + : (var.customer_owned_ipv4_address_assignment.enabled + ? true + : null + ) + ) + outpost_arn = (var.customer_owned_ipv4_address_assignment.enabled + ? var.customer_owned_ipv4_address_assignment.outpost + : null + ) + customer_owned_ipv4_pool = (var.customer_owned_ipv4_address_assignment.enabled + ? 
var.customer_owned_ipv4_address_assignment.pool + : null ) -} - -resource "aws_dax_subnet_group" "this" { - count = var.dax_subnet_group_enabled ? 1 : 0 - - name = var.dax_subnet_group_name - subnet_ids = values(aws_subnet.this)[*].id - - # INFO: Not support resource tags - # tags = {} -} - -resource "aws_dms_replication_subnet_group" "this" { - count = var.dms_replication_subnet_group_enabled ? 1 : 0 - - replication_subnet_group_id = var.dms_replication_subnet_group_name - replication_subnet_group_description = "Managed by Terraform." - subnet_ids = values(aws_subnet.this)[*].id - tags = merge( - { - "Name" = var.dms_replication_subnet_group_name - }, - local.module_tags, - var.tags, + ## DNS Configurations + private_dns_hostname_type_on_launch = (each.value.type == "IPV6" + ? "resource-name" + : local.hostname_types[var.dns_config.hostname_type] ) -} + enable_resource_name_dns_a_record_on_launch = (each.value.type == "IPV6" + ? false + : var.dns_config.dns_resource_name_ipv4_enabled + ) + enable_resource_name_dns_aaaa_record_on_launch = (each.value.type == "IPV6" + ? true + : var.dns_config.dns_resource_name_ipv6_enabled + ) + enable_dns64 = var.dns_config.dns64_enabled -resource "aws_memorydb_subnet_group" "this" { - count = var.memorydb_subnet_group_enabled ? 1 : 0 - name = var.memorydb_subnet_group_name - description = "Managed by Terraform." - subnet_ids = values(aws_subnet.this)[*].id + timeouts { + create = var.timeouts.create + delete = var.timeouts.delete + } tags = merge( { - "Name" = var.memorydb_subnet_group_name + "Name" = each.key }, local.module_tags, var.tags, diff --git a/modules/subnet-group/outputs.tf b/modules/subnet-group/outputs.tf index 381c981..a9d00d0 100644 --- a/modules/subnet-group/outputs.tf +++ b/modules/subnet-group/outputs.tf @@ -5,7 +5,7 @@ output "name" { output "vpc_id" { description = "The ID of the VPC which the subnet group belongs to." - value = var.vpc_id + value = values(aws_subnet.this)[0].vpc_id } output "ids" { 
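Review bot: `local.az[each.value.availability_zone_id]` in the new `aws_subnet` resource indexes a map built from `data.aws_availability_zones.available` with `state = "available"`, so a zone id that is not currently available in the region (an opt-in or impaired zone, or a typo) fails with a generic invalid-index error instead of a message naming the cause; a `lifecycle` precondition on the resource would make the failure self-explanatory. The comment `# INFO: Not supported attributes # - availability_zone_id` is also terse; something like `# availability_zone_id is not passed to the provider; it is resolved to a zone name through local.az (data.aws_availability_zones)` states what the code actually does. The resource body continues past the end of the hunk (the `tags` merge is cut off).
```hcl
resource "aws_subnet" "this" {
  for_each = var.subnets

  # … unchanged: vpc_id, availability_zone, CIDR, IP-assignment and DNS arguments …

  lifecycle {
    precondition {
      # Conditional (not ||) so the lookup is skipped when no zone id was given.
      condition     = each.value.availability_zone_id == null ? true : contains(keys(local.az), each.value.availability_zone_id)
      error_message = "availability_zone_id must name an availability zone that is currently available in this region (see data.aws_availability_zones.available)."
    }
  }

  # … unchanged: timeouts and tags …
```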
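Review bot: `value = values(aws_subnet.this)[0].vpc_id` in the outputs.tf hunk makes the `vpc_id` output unknown until the subnets are created, whereas the replaced `var.vpc_id` was known at plan time; a caller that feeds this output into a `for_each` key or a provider argument will presumably start hitting "cannot be determined until apply" errors on a fresh plan. If the intent is only to read the value back from AWS, `var.vpc_id` remains the plan-safe choice; either way the trade-off is worth a one-line comment above the output, e.g. `# Read back from the created subnets so the output reflects the VPC they actually landed in; unknown until apply.`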
@@ -18,12 +18,17 @@ output "arns" { value = values(aws_subnet.this)[*].arn } -output "cidr_blocks" { - description = "The CIDR blocks of the subnet group." - value = values(aws_subnet.this)[*].cidr_block +output "owner" { + description = "The ID of the AWS account that owns subnets in the subnet group." + value = values(aws_subnet.this)[0].owner_id } -output "ipv6_cidr_blocks" { +output "ipv4_cidrs" { + description = "The IPv4 CIDR blocks of the subnet group." + value = compact(values(aws_subnet.this)[*].cidr_block) +} + +output "ipv6_cidrs" { description = "The IPv6 CIDR blocks of the subnet group." value = compact(values(aws_subnet.this)[*].ipv6_cidr_block) } 
@@ -51,85 +56,209 @@ output "subnets_by_az" { } } -output "db_subnet_group_id" { - description = "The ID of the RDS Subnet Group." - value = one(aws_db_subnet_group.this[*].id) +output "local_network_interface_device_index" { + description = "The device position for local network interfaces in this subnet." + value = var.local_network_interface_device_index } -output "db_subnet_group_arn" { - description = "The ARN of the RDS Subnet Group." - value = one(aws_db_subnet_group.this[*].arn) +output "public_ipv4_address_assignment" { + description = < k + }[values(aws_subnet.this)[0].private_dns_hostname_type_on_launch] + dns_resource_name_ipv4_enabled = values(aws_subnet.this)[0].enable_resource_name_dns_a_record_on_launch + dns_resource_name_ipv6_enabled = values(aws_subnet.this)[0].enable_resource_name_dns_aaaa_record_on_launch + dns64_enabled = values(aws_subnet.this)[0].enable_dns64 + } } -output "neptune_subnet_group_id" { - description = "The ID of the Neptune DB Subnet Group." - value = one(aws_neptune_subnet_group.this[*].id) +output "dax_subnet_group" { + description = < 0 + error_message = "At least one subnet must be provided." + } + validation { + condition = alltrue([ + for subnet in values(var.subnets) : + contains(["DUALSTACK", "IPV6"], subnet.type) + ]) + error_message = "Valid values for `type` of each subnet are `DUALSTACK` and `IPV6`." + } + validation { + condition = alltrue([ + for subnet in values(var.subnets) : + subnet.ipv4_cidr != null + if subnet.type == "DUALSTACK" + ]) + error_message = "IPv4 CIDR block must be provided for `DUALSTACK` subnet." + } + validation { + condition = alltrue([ + for subnet in values(var.subnets) : + subnet.ipv6_cidr != null && subnet.ipv4_cidr == null + if subnet.type == "IPV6" + ]) + error_message = "IPv6 CIDR block must be provided for `IPV6` subnet." + } } -variable "customer_owned_ipv4_pool" { - description = "The customer owned IPv4 address pool. `outpost_arn` argument must be specified when configured." 
- type = string - default = "" +variable "local_network_interface_device_index" { + description = < Date: Fri, 27 Oct 2023 02:31:05 +0900 Subject: [PATCH 52/73] Support ram sharing for subnet-group module (#56) --- examples/vpc-full/subnet-groups.tf | 21 ++++++++++++++------ modules/subnet-group/README.md | 3 +++ modules/subnet-group/main.tf | 8 ++++---- modules/subnet-group/outputs.tf | 12 ++++++++++++ modules/subnet-group/ram-share.tf | 31 ++++++++++++++++++++++++++++++ modules/subnet-group/variables.tf | 21 ++++++++++++++++++++ 6 files changed, 86 insertions(+), 10 deletions(-) create mode 100644 modules/subnet-group/ram-share.tf diff --git a/examples/vpc-full/subnet-groups.tf b/examples/vpc-full/subnet-groups.tf index 868f46a..d7d21d6 100644 --- a/examples/vpc-full/subnet-groups.tf +++ b/examples/vpc-full/subnet-groups.tf @@ -7,16 +7,16 @@ module "private_subnet_group" { # source = "tedilabs/network/aws//modules/subnet-group" # version = "~> 0.2.0" - name = "test/private" + name = "test-private" vpc_id = module.vpc.id subnets = { - "test/private/az2" = { + "test-private/az2" = { availability_zone_id = "use1-az2" ipv4_cidr = "10.0.200.0/24" } - "test/private/az4" = { + "test-private/az4" = { availability_zone_id = "use1-az4" ipv4_cidr = "10.0.201.0/24" } @@ -85,6 +85,15 @@ module "private_subnet_group" { description = "Test Redshift Subnet Group" } + + ## Sharing + shares = [ + # { + # name = "team1" + # principals = ["123456789012"] + # }, + ] + tags = { "project" = "terraform-aws-network-examples" } @@ -95,16 +104,16 @@ module "public_subnet_group" { # source = "tedilabs/network/aws//modules/subnet-group" # version = "~> 0.2.0" - name = "test/public" + name = "test-public" vpc_id = module.vpc.id subnets = { - "test/public/az2" = { + "test-public/az2" = { availability_zone_id = "use1-az2" ipv4_cidr = "10.0.100.0/24" } - "test/public/az4" = { + "test-public/az4" = { availability_zone_id = "use1-az4" ipv4_cidr = "10.0.101.0/24" } 
diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md index 662fd10..ecbc2a6 100644 --- a/modules/subnet-group/README.md +++ b/modules/subnet-group/README.md @@ -31,6 +31,7 @@ This module creates following resources. | Name | Source | Version | |------|--------|---------| | [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | +| [share](#module\_share) | tedilabs/account/aws//modules/ram-share | ~> 0.27.0 | ## Resources @@ -71,6 +72,7 @@ This module creates following resources. | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). |
list(object({
name = optional(string)

permissions = optional(set(string), ["AWSRAMDefaultPermissionSubnet"])

external_principals_allowed = optional(bool, false)
principals = optional(set(string), [])

tags = optional(map(string), {})
}))
| `[]` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | | [timeouts](#input\_timeouts) | (Optional) How long to wait for the subnet group to be created/deleted. |
object({
create = optional(string, "10m")
delete = optional(string, "20m")
})
| `{}` | no | @@ -99,6 +101,7 @@ This module creates following resources. | [public\_ipv4\_address\_assignment](#output\_public\_ipv4\_address\_assignment) | The configuration of public IPv4 address assignment.
`enabled` - Whether to automatically assign public IPv4 address to instances launched in the subnet group. | | [rds\_subnet\_group](#output\_rds\_subnet\_group) | The configuration of RDS Subnet Group.
`id` - The ID of the RDS Subnet Group.
`arn` - The ARN of the RDS Subnet Group.
`name` - The name of the RDS Subnet Group.
`description` - The description of the RDS Subnet Group. | | [redshift\_subnet\_group](#output\_redshift\_subnet\_group) | The configuration of Redshift Subnet Group.
`id` - The ID of the Redshift Subnet Group.
`arn` - The ARN of the Redshift Subnet Group.
`name` - The name of the Redshift Subnet Group.
`description` - The description of the Redshift Subnet Group. | +| [sharing](#output\_sharing) | The configuration for sharing of subnets in the subnet group.
`status` - An indication of whether subnets are shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
`shares` - The list of resource shares via RAM (Resource Access Manager). | | [subnets](#output\_subnets) | A list of subnets of the subnet group. | | [subnets\_by\_az](#output\_subnets\_by\_az) | A map of subnets of the subnet group which are grouped by availability zone id. | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC which the subnet group belongs to. | diff --git a/modules/subnet-group/main.tf b/modules/subnet-group/main.tf index 4506fce..dc6c85c 100644 --- a/modules/subnet-group/main.tf +++ b/modules/subnet-group/main.tf @@ -41,16 +41,16 @@ locals { values(aws_subnet.this)[*].availability_zone_id ) subnets = [ - for subnet in aws_subnet.this : { + for name, subnet in aws_subnet.this : { id = subnet.id arn = subnet.arn - name = subnet.tags["Name"] + name = name availability_zone = subnet.availability_zone availability_zone_id = subnet.availability_zone_id - cidr_block = subnet.cidr_block - ipv6_cidr_block = subnet.ipv6_cidr_block + ipv4_cidr = subnet.cidr_block + ipv6_cidr = subnet.ipv6_cidr_block } ] } diff --git a/modules/subnet-group/outputs.tf b/modules/subnet-group/outputs.tf index a9d00d0..be882b7 100644 --- a/modules/subnet-group/outputs.tf +++ b/modules/subnet-group/outputs.tf @@ -262,3 +262,15 @@ output "redshift_subnet_group" { : null ) } + +output "sharing" { + description = < 0 ? "SHARED_BY_ME" : "NOT_SHARED" + shares = module.share + } +} diff --git a/modules/subnet-group/ram-share.tf b/modules/subnet-group/ram-share.tf new file mode 100644 index 0000000..9f5d4a5 --- /dev/null +++ b/modules/subnet-group/ram-share.tf 
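Review bot: renaming `cidr_block`/`ipv6_cidr_block` to `ipv4_cidr`/`ipv6_cidr` and sourcing `name` from the map key instead of `tags["Name"]` in `local.subnets` (main.tf hunk `@@ -41,16 +41,16 @@`) changes the shape of what is presumably the `subnets` output documented in the README, yet the commit message only mentions RAM sharing and nothing in the hunk flags the break for callers. A comment above the `for` expression, e.g. `# Keys mirror the var.subnets input schema (ipv4_cidr / ipv6_cidr); renamed from cidr_block / ipv6_cidr_block`, plus a changelog or commit-message line, would let consumers find the rename. The surrounding `locals` block starts before the hunk.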
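Review bot: the new `sharing` output (outputs.tf hunk `@@ -262,3 +262,15 @@`) derives `status` from a `> 0 ? "SHARED_BY_ME" : "NOT_SHARED"` expression whose left operand is lost in this rendering of the heredoc (presumably `length(var.shares)`), so it can never yield `SHARED_WITH_ME`, although the README row added in the same commit lists that as a possible value. Since the module creates the subnets itself, `SHARED_WITH_ME` cannot apply to them, so the cleaner fix is to narrow the documented values in both the heredoc and the README row to `NOT_SHARED` and `SHARED_BY_ME`. The heredoc text itself is not visible here, so its wording could not be checked.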
@@ -0,0 +1,31 @@
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+module "share" {
+ source = "tedilabs/account/aws//modules/ram-share"
+ version = "~> 0.27.0"
+
+ for_each = {
+ for share in var.shares :
+ share.name => share
+ }
+
+ name = "vpc.subnet-group.${var.name}.${each.key}"
+
+ resources = values(aws_subnet.this)[*].arn
+
+ permissions = each.value.permissions
+
+ external_principals_allowed = each.value.external_principals_allowed
+ principals = each.value.principals
+
+ resource_group_enabled = false
+ module_tags_enabled = false
+
+ tags = merge(
+ local.module_tags,
+ var.tags,
+ each.value.tags,
+ )
+}
diff --git a/modules/subnet-group/variables.tf b/modules/subnet-group/variables.tf
index 0e80ef5..cf93ce0 100644
--- a/modules/subnet-group/variables.tf
+++ b/modules/subnet-group/variables.tf
@@ -306,3 +306,24 @@ variable "resource_group_description" {
 default = "Managed by Terraform."
 nullable = false
 }
+
+
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+variable "shares" {
+ description = "(Optional) A list of resource shares via RAM (Resource Access Manager)."
+ type = list(object({
+ name = optional(string)
+
+ permissions = optional(set(string), ["AWSRAMDefaultPermissionSubnet"])
+
+ external_principals_allowed = optional(bool, false)
+ principals = optional(set(string), [])
+
+ tags = optional(map(string), {})
+ }))
+ default = []
+ nullable = false
+}
From ed15271aea17fdfb1b966f8b73e419b4d5e906d1 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Tue, 31 Oct 2023 02:58:48 +0900 Subject: [PATCH 53/73] Fix typo in nacl module --- modules/nacl/README.md | 6 +++--- modules/nacl/main.tf | 4 ++-- modules/nacl/variables.tf | 16 ++++++++-------- modules/nacl/versions.tf | 2 +- 4 files changed, 14 insertions(+), 14 deletions(-)
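Review bot: `share.name` is the `for_each` key of `module "share"`, but the `shares` variable in the variables.tf hunk on the same line declares it `name = optional(string)` with no default, so a share that omits `name` yields a null key and fails at plan time with a generic `for`-expression error rather than a message naming the missing field; declare it `name = string`, or add a `validation` block on `var.shares` that requires it. Every share also receives `resources = values(aws_subnet.this)[*].arn`, i.e. all subnets of the group, so a share cannot be scoped to a subset — worth stating in the variable description, since the `external_principals_allowed = false` default is the only guard on where the subnets end up. Duplicate `name` values at least surface as an error, because Terraform rejects duplicate keys in a `for` object expression.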
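Review bot: The `shares` description is a single sentence that documents none of the nested attributes, unlike the other object-typed variables in this repo (compare the `ingress_rules` descriptions further down), so `permissions`, `external_principals_allowed` and `principals` — the fields that decide who gets access to the subnets — are undocumented at the point of use. Propose expanding the description into a heredoc with one line per field in the existing style, e.g. `(Optional) \`permissions\` - A set of RAM permission names to attach to the share. Defaults to \`["AWSRAMDefaultPermissionSubnet"]\`.`, and stating that `external_principals_allowed` defaults to `false` and, going by its name, gates principals outside the organization — confirm that against the ram-share module before writing it.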
diff --git a/modules/nacl/README.md b/modules/nacl/README.md index 46ed073..4afaf0f 100644 --- a/modules/nacl/README.md +++ b/modules/nacl/README.md @@ -11,7 +11,7 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | +| [terraform](#requirement\_terraform) | >= 1.6 | | [aws](#requirement\_aws) | >= 4.59 | ## Providers @@ -40,8 +40,8 @@ This module creates following resources. |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) Desired name for the network ACL resources. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC to associate. | `string` | n/a | yes | -| [egress\_rules](#input\_egress\_rules) | (Optional) A set of egress rules in the default Network ACL. Use the key of map as the rule number (priority). If not explicitly defined, the AWS default rules are applied. Each block of `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
map(object({
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
}))
| `{}` | no | -| [ingress\_rules](#input\_ingress\_rules) | (Optional) A map of ingress rules in the default Network ACL. Use the key of map as the rule number (priority). If not explicitly defined, the AWS default rules are applied. Each block of `ingress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` `all` protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
map(object({
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
}))
| `{}` | no | +| [egress\_rules](#input\_egress\_rules) | (Optional) A set of egress rules in the default Network ACL. Use the key of map as the rule number (priority). If not explicitly defined, the AWS default rules are applied. Each block of `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Optional) `from_port` - The from port to match.
(Optional) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
map(object({
action = string
protocol = string
from_port = optional(number)
to_port = optional(number)
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
}))
| `{}` | no | +| [ingress\_rules](#input\_ingress\_rules) | (Optional) A map of ingress rules in the default Network ACL. Use the key of map as the rule number (priority). If not explicitly defined, the AWS default rules are applied. Each block of `ingress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` `all` protocol, you must specify a from and to port of `0`.
(Optional) `from_port` - The from port to match.
(Optional) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
map(object({
action = string
protocol = string
from_port = optional(number)
to_port = optional(number)
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
}))
| `{}` | no |
 | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
 | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
diff --git a/modules/nacl/main.tf b/modules/nacl/main.tf
index 55381ae..aaa9084 100644
--- a/modules/nacl/main.tf
+++ b/modules/nacl/main.tf
@@ -63,7 +63,7 @@ resource "aws_network_acl_rule" "ingress" {
 rule_action = lower(each.value.action)
 protocol = each.value.protocol
 from_port = each.value.from_port
- to_port = each.value.to_prot
+ to_port = each.value.to_port
 icmp_type = each.value.icmp_type
 icmp_code = each.value.icmp_code
 cidr_block = each.value.ipv4_cidr
@@ -81,7 +81,7 @@ resource "aws_network_acl_rule" "egress" {
 rule_action = lower(each.value.action)
 protocol = each.value.protocol
 from_port = each.value.from_port
- to_port = each.value.to_prot
+ to_port = each.value.to_port
 icmp_type = each.value.icmp_type
 icmp_code = each.value.icmp_code
 cidr_block = each.value.ipv4_cidr
diff --git a/modules/nacl/variables.tf b/modules/nacl/variables.tf
index cd464a4..9b6dcaf 100644
--- a/modules/nacl/variables.tf
+++ b/modules/nacl/variables.tf
@@ -23,8 +23,8 @@ variable "ingress_rules" {
 (Required) `priority` - The rule priority. The rule number. Used for ordering.
 (Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
 (Required) `protocol` - The protocol to match. If using the `-1` `all` protocol, you must specify a from and to port of `0`.
- (Required) `from_port` - The from port to match.
- (Required) `to_port` - The to port to match.
+ (Optional) `from_port` - The from port to match.
+ (Optional) `to_port` - The to port to match.
 (Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
 (Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
 (Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
@@ -33,8 +33,8 @@ variable "ingress_rules" {
 type = map(object({
 action = string
 protocol = string
- from_port = number
- to_port = number
+ from_port = optional(number)
+ to_port = optional(number)
 ipv4_cidr = optional(string)
 ipv6_cidr = optional(string)
 icmp_type = optional(number, 0)
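Review bot: `from_port`/`to_port` become `optional(number)` with no default, yet the unchanged `protocol` line just above still says a `-1` rule "must specify a from and to port of `0`", and main.tf (hunks on the previous line) passes `each.value.from_port`/`to_port` straight into `aws_network_acl_rule`, so a rule that omits them now type-checks and hands `null` ports to the provider; the `egress_rules` hunks on the next line have the same gap. Either update the `protocol` description to say what an omitted port means, or add a `validation` block so the two ports are always set together, as sketched below. `variable "ingress_rules"` starts and ends outside both hunks.
```hcl
# … unchanged: description and type of variable "ingress_rules" …
validation {
  condition = alltrue([
    for rule in var.ingress_rules :
    (rule.from_port == null) == (rule.to_port == null)
  ])
  error_message = "`from_port` and `to_port` must be set together."
}
```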
@@ -58,8 +58,8 @@ variable "egress_rules" {
 (Required) `priority` - The rule priority. The rule number. Used for ordering.
 (Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
 (Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
- (Required) `from_port` - The from port to match.
- (Required) `to_port` - The to port to match.
+ (Optional) `from_port` - The from port to match.
+ (Optional) `to_port` - The to port to match.
 (Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
 (Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
 (Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
@@ -68,8 +68,8 @@ variable "egress_rules" {
 type = map(object({
 action = string
 protocol = string
- from_port = number
- to_port = number
+ from_port = optional(number)
+ to_port = optional(number)
 ipv4_cidr = optional(string)
 ipv6_cidr = optional(string)
 icmp_type = optional(number, 0)
diff --git a/modules/nacl/versions.tf b/modules/nacl/versions.tf
index 68beaae..25ac0f4 100644
--- a/modules/nacl/versions.tf
+++ b/modules/nacl/versions.tf
@@ -1,5 +1,5 @@ terraform {
- required_version = ">= 1.5"
+ required_version = ">= 1.6"
 required_providers {
 aws = {
From 4b8263a2a5921421b24784350f6f1eafc91b3792 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Tue, 31 Oct 2023 03:01:18 +0900 Subject: [PATCH 54/73] Fix typo in vpc module --- modules/vpc/README.md | 2 +- modules/vpc/variables.tf | 10 ++++------ 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/modules/vpc/README.md b/modules/vpc/README.md
index 8f1ad20..e798ce2 100644
--- a/modules/vpc/README.md
+++ b/modules/vpc/README.md
@@ -62,7 +62,7 @@ This module creates following resources. |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) Desired name for the VPC resources. | `string` | n/a | yes | | [default\_network\_acl](#input\_default\_network\_acl) | (Optional) The configuration for the default Network ACL of the VPC. `default_network_acl` as defined below.
(Optional) `name` - The name of the default Network ACL. Defaults to same name of the VPC.
(Optional) `ingress_rules` - A set of ingress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `ingress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`.
(Optional) `egress_rules` - A set of egress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
object({
name = optional(string)
ingress_rules = optional(set(object({
priority = number
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
})))
egress_rules = optional(set(object({
priority = number
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
})))
})
| `{}` | no | -| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration for the default Security Group of the VPC. `default_security_group` as defined below.
(Optional) `name` - The name of the default Security Group. Defaults to same name of the VPC.
(Optional) `ingress_rules` - A set of ingress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `ingress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`.
(Optional) `egress_rules` - A set of egress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
object({
name = optional(string)
ingress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
egress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
})
| `{}` | no | +| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration for the default Security Group of the VPC. `default_security_group` as defined below.
(Optional) `name` - The name of the default Security Group. Defaults to same name of the VPC.
(Optional) `ingress_rules` - A set of ingress rules in the default Security Group. If not explicitly defined, the AWS default rules are applied. `ingress_rules` as defined below.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation. Cannot be specified with `ipv6_cidrs`.
(Optional) `ipv6_cidr` - The IPv6 network ranges to allow, in CIDR notation. Cannot be specified with `ipv4_cidrs`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`.
(Optional) `egress_rules` - A set of egress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
object({
name = optional(string)
ingress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
egress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
})
| `{}` | no | | [dhcp\_options](#input\_dhcp\_options) | (Optional) The configuration for a DHCP option set of the VPC. Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. `dhcp_options` as defined below.
(Optional) `enabled` - Whether to create a DHCP option set for the VPC. Defaults to `false`.
(Optional) `name` - The name of the DHCP option set. Defaults to same name of the VPC.
(Optional) `domain_name` - The suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the `/etc/resolv.conf` file. If you're using `AmazonProvidedDNS` in `us-east-1`, specify `ec2.internal`. If you're using `AmazonProvidedDNS` in another Region, specify `{region}.compute.internal`.
(Optional) `domain_name_servers` - A list of name servers to configure in `/etc/resolv.conf`. The IP addresses of up to four domain name servers, or `AmazonProvidedDNS`. If you want to use the default AWS nameservers you should set this to `AmazonProvidedDNS`. Defaults to `["AmazonProvidedDNS"]`.
(Optional) `netbios_name_servers` - A list of NetBIOS name servers. The IP addresses of up to four NetBIOS name servers.
(Optional) `netbios_node_type` - The NetBIOS node type (1, 2, 4, or 8). AWS recommends to specify 2 since broadcast and multicast are not supported in their network. For more information about these node types, see RFC 2132. Defaults to `2`.
(Optional) `ntp_servers` - A list of NTP servers to configure. The IP addresses of up to four Network Time Protocol (NTP) servers. |
object({
enabled = optional(bool, false)
name = optional(string)
domain_name = optional(string)
domain_name_servers = optional(list(string), ["AmazonProvidedDNS"])
netbios_name_servers = optional(list(string), [])
netbios_node_type = optional(number, 2)
ntp_servers = optional(list(string), [])
})
| `{}` | no | | [dns\_dnssec\_validation\_enabled](#input\_dns\_dnssec\_validation\_enabled) | (Optional) Should be true to enable Route53 DNSSEC validation in the VPC. | `bool` | `false` | no | | [dns\_hostnames\_enabled](#input\_dns\_hostnames\_enabled) | (Optional) Whether instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses. Defaults to `true`. | `bool` | `true` | no | diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index edd39bf..7806fc3 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -201,15 +201,13 @@ variable "default_security_group" { description = < Date: Tue, 31 Oct 2023 03:01:56 +0900 Subject: [PATCH 55/73] Change `subnets[].type` to optional in subnet-group module --- modules/subnet-group/README.md | 6 +++--- modules/subnet-group/variables.tf | 2 +- modules/subnet-group/versions.tf | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md index ecbc2a6..f21ad1a 100644 --- a/modules/subnet-group/README.md +++ b/modules/subnet-group/README.md @@ -17,8 +17,8 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 3.71 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.22 | ## Providers @@ -53,7 +53,7 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) The name of the subnet group. | `string` | n/a | yes | -| [subnets](#input\_subnets) | (Required) A configuration of subnets to create in the subnet group. Each block of `subnets` as defined below.
(Required) `type` - The type of subnet. Valid values are `DUALSTACK` and `IPV6`.
(Optional) `availability_zone` - The availability zone of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone.
(Optional) `availability_zone_id` - The availability zone ID of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone. |
map(object({
type = optional(string, "DUALSTACK")

availability_zone = optional(string)
availability_zone_id = optional(string)

ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
}))
| n/a | yes | +| [subnets](#input\_subnets) | (Required) A configuration of subnets to create in the subnet group. Each block of `subnets` as defined below.
(Optional) `type` - The type of subnet. Valid values are `DUALSTACK` and `IPV6`. Defaults to `DUALSTACK`.
(Optional) `availability_zone` - The availability zone of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone.
(Optional) `availability_zone_id` - The availability zone ID of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone. |
map(object({
type = optional(string, "DUALSTACK")

availability_zone = optional(string)
availability_zone_id = optional(string)

ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
}))
| n/a | yes | | [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC which the subnet group belongs to. | `string` | n/a | yes | | [customer\_owned\_ipv4\_address\_assignment](#input\_customer\_owned\_ipv4\_address\_assignment) | (Optional) A configuration for Customer-owned IPv4 address assignment. `customer_owned_ipv4_address_assignment` as defined below.
(Optional) `enabled` - Whether to automatically request a Customer-owned IPv4 address for a new network interface in this subnet. Defaults to `false`.
(Optional) `outpost` - The Amazon Resource Name (ARN) of the Outpost.
(Optional) `pool` - The customer owned IPv4 address pool. |
object({
enabled = optional(bool, false)
outpost = optional(string)
pool = optional(string)
})
| `{}` | no | | [dax\_subnet\_group](#input\_dax\_subnet\_group) | (Optional) A configuration of DAX Subnet Group. `dax_subnet_group` as defined below.
(Optional) `enabled` - Whether to create DAX Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the DAX Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the DAX Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | diff --git a/modules/subnet-group/variables.tf b/modules/subnet-group/variables.tf index cf93ce0..3fe912a 100644 --- a/modules/subnet-group/variables.tf +++ b/modules/subnet-group/variables.tf @@ -13,7 +13,7 @@ variable "vpc_id" { variable "subnets" { description = < Date: Tue, 31 Oct 2023 03:03:05 +0900 Subject: [PATCH 56/73] Refine route-table module --- modules/route-table/README.md | 20 ++-- modules/route-table/main.tf | 87 ++++------------ modules/route-table/outputs.tf | 98 ++++++++++++++++- modules/route-table/routes.tf | 174 +++++++++++++++++++++++++++++++ modules/route-table/variables.tf | 109 +++++++++++++++---- modules/route-table/versions.tf | 4 +- 6 files changed, 392 insertions(+), 100 deletions(-) create mode 100644 modules/route-table/routes.tf diff --git a/modules/route-table/README.md b/modules/route-table/README.md index ae21618..a6b7eb4 100644 --- a/modules/route-table/README.md +++ b/modules/route-table/README.md @@ -14,14 +14,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.22 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.11 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.23.1 | ## Modules 
@@ -50,28 +50,34 @@ This module creates following resources. | [name](#input\_name) | (Required) Desired name for the route table resources. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC which the route table belongs to. | `string` | n/a | yes | | [gateways](#input\_gateways) | (Optional) A list of gateway IDs to associate with the route table. Only support Internet Gateway and Virtual Private Gateway. | `list(string)` | `[]` | no | -| [ipv4\_routes](#input\_ipv4\_routes) | (Optional) A list of route rules for IPv4 CIDRs. | `list(map(string))` | `[]` | no | -| [ipv6\_routes](#input\_ipv6\_routes) | (Optional) A list of route rules for IPv6 CIDRs. | `list(map(string))` | `[]` | no | -| [is\_main](#input\_is\_main) | (Optional) Whether to set this route table as the main route table. | `bool` | `false` | no | +| [ipv4\_routes](#input\_ipv4\_routes) | (Optional) A list of route rules for destinations to IPv4 CIDRs. Each block of `ipv4_routes` as defined below.
(Required) `destination` - The destination IPv4 CIDR block of the route rule.
(Required) `target` - A configuration of the target of the route rule. `target` as defined below.
(Required) `type` - The type of the target of the route rule. Valid values are `CARRIER_GATEWAY`, `CORE_GATEWAY`, `EGRESS_ONLY_INTERNET_GATEWAY`, `INTERNET_GATEWAY`, `VPN_GATEWAY`, `LOCAL_GATEWAY`, `NAT_GATEWAY`, `NETWORK_INTERFACE`, `TRANSIT_GATEWAY`, `VPC_ENDPOINT`, `VPC_PEERING_CONNECTION`.
(Required) `id` - The ID of the target of the route rule. |
list(object({
destination = string

target = object({
type = string
id = string
})
}))
| `[]` | no | +| [ipv6\_routes](#input\_ipv6\_routes) | (Optional) A list of route rules for destinations to IPv6 CIDRs. Each block of `ipv6_routes` as defined below.
(Required) `destination` - The destination IPv6 CIDR block of the route rule.
(Required) `target` - A configuration of the target of the route rule. `target` as defined below.
(Required) `type` - The type of the target of the route rule. Valid values are `CARRIER_GATEWAY`, `CORE_GATEWAY`, `EGRESS_ONLY_INTERNET_GATEWAY`, `INTERNET_GATEWAY`, `VPN_GATEWAY`, `LOCAL_GATEWAY`, `NAT_GATEWAY`, `NETWORK_INTERFACE`, `TRANSIT_GATEWAY`, `VPC_ENDPOINT`, `VPC_PEERING_CONNECTION`.
(Required) `id` - The ID of the target of the route rule. |
list(object({
destination = string

target = object({
type = string
id = string
})
}))
| `[]` | no | +| [is\_main](#input\_is\_main) | (Optional) Whether to set this route table as the main route table. Defaults to `false`. | `bool` | `false` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [prefix\_list\_routes](#input\_prefix\_list\_routes) | (Optional) A list of route rules for Managed Prefix List. | `list(map(string))` | `[]` | no | +| [prefix\_list\_routes](#input\_prefix\_list\_routes) | (Optional) A list of route rules for destinations to Prefix Lists. Each block of `prefix_list_routes` as defined below.
(Required) `name` - The name of the route rule.
(Required) `destination` - The destination Prefix List of the route rule.
(Required) `target` - A configuration of the target of the route rule. `target` as defined below.
(Required) `type` - The type of the target of the route rule. Valid values are `CARRIER_GATEWAY`, `CORE_GATEWAY`, `EGRESS_ONLY_INTERNET_GATEWAY`, `INTERNET_GATEWAY`, `VPN_GATEWAY`, `LOCAL_GATEWAY`, `NAT_GATEWAY`, `NETWORK_INTERFACE`, `TRANSIT_GATEWAY`, `VPC_ENDPOINT`, `VPC_PEERING_CONNECTION`.
(Required) `id` - The ID of the target of the route rule. |
list(object({
name = string
destination = string

target = object({
type = string
id = string
})
}))
| `[]` | no | | [propagating\_vpn\_gateways](#input\_propagating\_vpn\_gateways) | (Optional) A list of Virtual Private Gateway IDs to propagate routes from. | `list(string)` | `[]` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | | [subnets](#input\_subnets) | (Optional) A list of subnet IDs to associate with the route table. | `list(string)` | `[]` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [timeouts](#input\_timeouts) | (Optional) How long to wait for the route table to be created/updated/deleted. |
object({
create = optional(string, "5m")
update = optional(string, "2m")
delete = optional(string, "5m")
})
| `{}` | no | | [vpc\_gateway\_endpoints](#input\_vpc\_gateway\_endpoints) | (Optional) A list of the VPC Endpoint IDs with which the Route Table will be associated. | `list(string)` | `[]` | no | ## Outputs | Name | Description | |------|-------------| +| [arn](#output\_arn) | The ARN of the routing table. | | [associated\_gateways](#output\_associated\_gateways) | A list of gateway IDs which is associated with the route table. | | [associated\_subnets](#output\_associated\_subnets) | A list of subnet IDs which is associated with the route table. | | [associated\_vpc\_gateway\_endpoints](#output\_associated\_vpc\_gateway\_endpoints) | A list of the VPC Gateway Endpoint IDs which is associated with the route table. | | [id](#output\_id) | The ID of the routing table. | +| [ipv4\_routes](#output\_ipv4\_routes) | A list of route rules for destinations to IPv4 CIDRs. | +| [ipv6\_routes](#output\_ipv6\_routes) | A list of route rules for destinations to IPv6 CIDRs. | | [is\_main](#output\_is\_main) | Whether to set this route table as the main route table. | +| [owner](#output\_owner) | The ID of the AWS account that owns subnets in the routing table. | +| [prefix\_list\_routes](#output\_prefix\_list\_routes) | A list of route rules for destinations to Prefix Lists. | | [propagated\_vpn\_gateways](#output\_propagated\_vpn\_gateways) | A list of Virtual Private Gateway IDs which propagate routes from. | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC which the route table belongs to. | diff --git a/modules/route-table/main.tf b/modules/route-table/main.tf index bf45d07..c676e8e 100644 --- a/modules/route-table/main.tf +++ b/modules/route-table/main.tf 
@@ -14,9 +14,20 @@ locals { } : {} } + +################################################### +# Route Table +################################################### + resource "aws_route_table" "this" { vpc_id = var.vpc_id + timeouts { + create = var.timeouts.create + update = var.timeouts.update + delete = var.timeouts.delete + } + tags = merge( { "Name" = local.metadata.name @@ -24,6 +35,10 @@ resource "aws_route_table" "this" { local.module_tags, var.tags, ) + + lifecycle { + create_before_destroy = true + } } resource "aws_main_route_table_association" "this" { 
@@ -31,76 +46,12 @@ resource "aws_main_route_table_association" "this" { vpc_id = var.vpc_id route_table_id = aws_route_table.this.id -} - - -################################################### -# Routes -################################################### - -# INFO: Not supported attributes -# - `instance_id` (Deprecated) -resource "aws_route" "ipv4" { - for_each = { - for route in var.ipv4_routes : - route.cidr_block => route - } - - route_table_id = aws_route_table.this.id - destination_cidr_block = each.key - - carrier_gateway_id = try(each.value.carrier_gateway_id, null) - core_network_arn = try(each.value.core_network_arn, null) - egress_only_gateway_id = try(each.value.egress_only_gateway_id, null) - gateway_id = try(each.value.gateway_id, null) - local_gateway_id = try(each.value.local_gateway_id, null) - nat_gateway_id = try(each.value.nat_gateway_id, null) - network_interface_id = try(each.value.network_interface_id, null) - transit_gateway_id = try(each.value.transit_gateway_id, null) - vpc_endpoint_id = try(each.value.vpc_endpoint_id, null) - vpc_peering_connection_id = try(each.value.vpc_peering_connection_id, null) -} -resource "aws_route" "ipv6" { - for_each = { - for route in var.ipv6_routes : - route.cidr => route + timeouts { + create = var.timeouts.create + update = var.timeouts.update + delete = var.timeouts.delete } - - route_table_id = aws_route_table.this.id - destination_ipv6_cidr_block = each.key - - carrier_gateway_id = try(each.value.carrier_gateway_id, null) - core_network_arn = try(each.value.core_network_arn, null) - egress_only_gateway_id = try(each.value.egress_only_gateway_id, null) - gateway_id = try(each.value.gateway_id, null) - local_gateway_id = try(each.value.local_gateway_id, null) - nat_gateway_id = try(each.value.nat_gateway_id, null) - network_interface_id = try(each.value.network_interface_id, null) - transit_gateway_id = try(each.value.transit_gateway_id, null) - vpc_endpoint_id = try(each.value.vpc_endpoint_id, null) - 
vpc_peering_connection_id = try(each.value.vpc_peering_connection_id, null) -} - -resource "aws_route" "prefix_list" { - for_each = { - for route in var.prefix_list_routes : - route.id => route - } - - route_table_id = aws_route_table.this.id - destination_prefix_list_id = each.key - - carrier_gateway_id = try(each.value.carrier_gateway_id, null) - core_network_arn = try(each.value.core_network_arn, null) - egress_only_gateway_id = try(each.value.egress_only_gateway_id, null) - gateway_id = try(each.value.gateway_id, null) - local_gateway_id = try(each.value.local_gateway_id, null) - nat_gateway_id = try(each.value.nat_gateway_id, null) - network_interface_id = try(each.value.network_interface_id, null) - transit_gateway_id = try(each.value.transit_gateway_id, null) - vpc_endpoint_id = try(each.value.vpc_endpoint_id, null) - vpc_peering_connection_id = try(each.value.vpc_peering_connection_id, null) } diff --git a/modules/route-table/outputs.tf b/modules/route-table/outputs.tf index e18686e..7bfa23c 100644 --- a/modules/route-table/outputs.tf +++ b/modules/route-table/outputs.tf 
@@ -8,6 +8,100 @@ output "id" { value = aws_route_table.this.id } +output "arn" { + description = "The ARN of the routing table." + value = aws_route_table.this.arn +} + +output "owner" { + description = "The ID of the AWS account that owns subnets in the routing table." + value = aws_route_table.this.owner_id +} + +output "is_main" { + description = "Whether to set this route table as the main route table." + value = var.is_main +} + +output "ipv4_routes" { + description = "A list of route rules for destinations to IPv4 CIDRs." + value = [ + for route in var.ipv4_routes : { + destination = route.destination + target = { + id = aws_route.ipv4[route.destination].id, + state = aws_route.ipv4[route.destination].state, + type = route.target.type + id = coalesce( + aws_route.ipv4[route.destination].carrier_gateway_id, + aws_route.ipv4[route.destination].core_network_arn, + aws_route.ipv4[route.destination].egress_only_gateway_id, + aws_route.ipv4[route.destination].gateway_id, + aws_route.ipv4[route.destination].local_gateway_id, + aws_route.ipv4[route.destination].nat_gateway_id, + aws_route.ipv4[route.destination].network_interface_id, + aws_route.ipv4[route.destination].transit_gateway_id, + aws_route.ipv4[route.destination].vpc_endpoint_id, + aws_route.ipv4[route.destination].vpc_peering_connection_id, + ) + } + } + ] +} + +output "ipv6_routes" { + description = "A list of route rules for destinations to IPv6 CIDRs." 
+ value = [ + for route in var.ipv6_routes : { + destination = route.destination + target = { + id = aws_route.ipv6[route.destination].id, + state = aws_route.ipv6[route.destination].state, + type = route.target.type + id = coalesce( + aws_route.ipv6[route.destination].carrier_gateway_id, + aws_route.ipv6[route.destination].core_network_arn, + aws_route.ipv6[route.destination].egress_only_gateway_id, + aws_route.ipv6[route.destination].gateway_id, + aws_route.ipv6[route.destination].local_gateway_id, + aws_route.ipv6[route.destination].nat_gateway_id, + aws_route.ipv6[route.destination].network_interface_id, + aws_route.ipv6[route.destination].transit_gateway_id, + aws_route.ipv6[route.destination].vpc_endpoint_id, + aws_route.ipv6[route.destination].vpc_peering_connection_id, + ) + } + } + ] +} + +output "prefix_list_routes" { + description = "A list of route rules for destinations to Prefix Lists." + value = [ + for route in var.prefix_list_routes : { + destination = route.destination + target = { + id = aws_route.prefix_list[route.destination].id, + state = aws_route.prefix_list[route.destination].state, + type = route.target.type + id = coalesce( + aws_route.prefix_list[route.destination].carrier_gateway_id, + aws_route.prefix_list[route.destination].core_network_arn, + aws_route.prefix_list[route.destination].egress_only_gateway_id, + aws_route.prefix_list[route.destination].gateway_id, + aws_route.prefix_list[route.destination].local_gateway_id, + aws_route.prefix_list[route.destination].nat_gateway_id, + aws_route.prefix_list[route.destination].network_interface_id, + aws_route.prefix_list[route.destination].transit_gateway_id, + aws_route.prefix_list[route.destination].vpc_endpoint_id, + aws_route.prefix_list[route.destination].vpc_peering_connection_id, + ) + } + } + ] +} + + output "associated_subnets" { description = "A list of subnet IDs which is associated with the route table." value = aws_route_table_association.subnets[*].subnet_id 
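Review bot: `output "prefix_list_routes"` indexes `aws_route.prefix_list[route.destination]`, but routes.tf in this same patch keys that resource by the rule's name (`route.name => route`), so any non-empty `prefix_list_routes` fails with an invalid index at plan time; the lookups should read `aws_route.prefix_list[route.name]`. In all three route outputs the `target` object assigns `id` twice — first the `aws_route` resource id, then the `coalesce(...)` of the target attributes — so one of the two values is lost (or the expression is rejected as a duplicate key, depending on the HCL version); the route's own identifier needs its own key, e.g. `route_id = aws_route.ipv4[route.destination].id`. `coalesce()` also raises an error when every argument is null, which is exactly what a route with an unrecognised `target.type` produces, so the outputs will fail rather than report such a route.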
@@ -28,7 +122,3 @@ output "propagated_vpn_gateways" { value = values(aws_vpn_gateway_route_propagation.this)[*].vpn_gateway_id } -output "is_main" { - description = "Whether to set this route table as the main route table." - value = var.is_main -} diff --git a/modules/route-table/routes.tf b/modules/route-table/routes.tf new file mode 100644 index 0000000..8245014 --- /dev/null +++ b/modules/route-table/routes.tf 
@@ -0,0 +1,174 @@ +################################################### +# IPv4 Routes +################################################### + +# INFO: Not supported attributes +# - `instance_id` (Deprecated) +resource "aws_route" "ipv4" { + for_each = { + for route in var.ipv4_routes : + route.destination => route + } + + route_table_id = aws_route_table.this.id + destination_cidr_block = each.key + + + ## Targets + carrier_gateway_id = (each.value.target.type == "CARRIER_GATEWAY" + ? each.value.target.id + : null + ) + core_network_arn = (each.value.target.type == "CORE_NETWORK" + ? each.value.target.id + : null + ) + egress_only_gateway_id = (each.value.target.type == "EGRESS_ONLY_INTERNET_GATEWAY" + ? each.value.target.id + : null + ) + gateway_id = (contains(["INTERNET_GATEWAY", "VPN_GATEWAY"], each.value.target.type) + ? each.value.target.id + : null + ) + local_gateway_id = (each.value.target.type == "LOCAL_GATEWAY" + ? each.value.target.id + : null + ) + nat_gateway_id = (each.value.target.type == "NAT_GATEWAY" + ? each.value.target.id + : null + ) + network_interface_id = (each.value.target.type == "NETWORK_INTERFACE" + ? each.value.target.id + : null + ) + transit_gateway_id = (each.value.target.type == "TRANSIT_GATEWAY" + ? each.value.target.id + : null + ) + vpc_endpoint_id = (each.value.target.type == "VPC_ENDPOINT" + ? each.value.target.id + : null + ) + vpc_peering_connection_id = (each.value.target.type == "VPC_PEERING_CONNECTION" + ? each.value.target.id + : null + ) +} + + +################################################### +# IPv6 Routes +################################################### + +resource "aws_route" "ipv6" { + for_each = { + for route in var.ipv6_routes : + route.destination => route + } + + route_table_id = aws_route_table.this.id + destination_ipv6_cidr_block = each.key + + + ## Targets + carrier_gateway_id = (each.value.target.type == "CARRIER_GATEWAY" + ? 
each.value.target.id + : null + ) + core_network_arn = (each.value.target.type == "CORE_NETWORK" + ? each.value.target.id + : null + ) + egress_only_gateway_id = (each.value.target.type == "EGRESS_ONLY_INTERNET_GATEWAY" + ? each.value.target.id + : null + ) + gateway_id = (contains(["INTERNET_GATEWAY", "VPN_GATEWAY"], each.value.target.type) + ? each.value.target.id + : null + ) + local_gateway_id = (each.value.target.type == "LOCAL_GATEWAY" + ? each.value.target.id + : null + ) + nat_gateway_id = (each.value.target.type == "NAT_GATEWAY" + ? each.value.target.id + : null + ) + network_interface_id = (each.value.target.type == "NETWORK_INTERFACE" + ? each.value.target.id + : null + ) + transit_gateway_id = (each.value.target.type == "TRANSIT_GATEWAY" + ? each.value.target.id + : null + ) + vpc_endpoint_id = (each.value.target.type == "VPC_ENDPOINT" + ? each.value.target.id + : null + ) + vpc_peering_connection_id = (each.value.target.type == "VPC_PEERING_CONNECTION" + ? each.value.target.id + : null + ) +} + + +################################################### +# Prefix List Routes +################################################### + +resource "aws_route" "prefix_list" { + for_each = { + for route in var.prefix_list_routes : + route.name => route + } + + route_table_id = aws_route_table.this.id + destination_prefix_list_id = each.value.destination + + + ## Targets + carrier_gateway_id = (each.value.target.type == "CARRIER_GATEWAY" + ? each.value.target.id + : null + ) + core_network_arn = (each.value.target.type == "CORE_NETWORK" + ? each.value.target.id + : null + ) + egress_only_gateway_id = (each.value.target.type == "EGRESS_ONLY_INTERNET_GATEWAY" + ? each.value.target.id + : null + ) + gateway_id = (contains(["INTERNET_GATEWAY", "VPN_GATEWAY"], each.value.target.type) + ? each.value.target.id + : null + ) + local_gateway_id = (each.value.target.type == "LOCAL_GATEWAY" + ? 
each.value.target.id + : null + ) + nat_gateway_id = (each.value.target.type == "NAT_GATEWAY" + ? each.value.target.id + : null + ) + network_interface_id = (each.value.target.type == "NETWORK_INTERFACE" + ? each.value.target.id + : null + ) + transit_gateway_id = (each.value.target.type == "TRANSIT_GATEWAY" + ? each.value.target.id + : null + ) + vpc_endpoint_id = (each.value.target.type == "VPC_ENDPOINT" + ? each.value.target.id + : null + ) + vpc_peering_connection_id = (each.value.target.type == "VPC_PEERING_CONNECTION" + ? each.value.target.id + : null + ) +} diff --git a/modules/route-table/variables.tf b/modules/route-table/variables.tf index 4ae9bfd..b023837 100644 --- a/modules/route-table/variables.tf +++ b/modules/route-table/variables.tf @@ -10,6 +10,13 @@ variable "vpc_id" { nullable = false } +variable "is_main" { + description = "(Optional) Whether to set this route table as the main route table. Defaults to `false`." + type = bool + default = false + nullable = false +} + variable "subnets" { description = "(Optional) A list of subnet IDs to associate with the route table." type = list(string) @@ -38,32 +45,93 @@ variable "propagating_vpn_gateways" { nullable = false } -variable "is_main" { - description = "(Optional) Whether to set this route table as the main route table." - type = bool - default = false - nullable = false -} - variable "ipv4_routes" { - description = "(Optional) A list of route rules for IPv4 CIDRs." - type = list(map(string)) - default = [] - nullable = false + description = < Date: Tue, 31 Oct 2023 03:03:16 +0900 Subject: [PATCH 57/73] Update vpc-full example --- examples/vpc-full/nacls.tf | 103 ++++++++++++++++++++++++++++++ examples/vpc-full/outputs.tf | 27 ++++++-- examples/vpc-full/route-tables.tf | 69 ++++++++++++++++++++ 3 files changed, 193 insertions(+), 6 deletions(-) create mode 100644 examples/vpc-full/nacls.tf create mode 100644 examples/vpc-full/route-tables.tf 
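Review bot: The `type` value matched for `core_network_arn` is `"CORE_NETWORK"` in all three `aws_route` resources, while the README table earlier in this patch documents the valid value as `CORE_GATEWAY`, so a caller who follows the documentation gets a route with every target attribute null, which the provider only rejects at apply. Either the comparison or the documented list needs to change; the same applies to any other typo in `target.type`, which silently yields the same all-null route. A `validation` block on the variable checking `target.type` against the accepted set would surface this at plan time — the variables.tf hunk of this patch is cut off in this chunk, so I cannot tell whether one already exists.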
diff --git a/examples/vpc-full/nacls.tf b/examples/vpc-full/nacls.tf
new file mode 100644
index 0000000..4985be0
--- /dev/null
+++ b/examples/vpc-full/nacls.tf
@@ -0,0 +1,103 @@
+###################################################
+# Network ACLs
+###################################################
+
+module "private_network_acl" {
+ source = "../../modules/nacl"
+ # source = "tedilabs/network/aws//modules/nacl"
+ # version = "~> 0.2.0"
+
+ name = "test-private"
+ vpc_id = module.vpc.id
+ subnets = module.private_subnet_group.ids
+
+ ingress_rules = {
+ 900 = {
+ action = "ALLOW"
+ protocol = "-1"
+ ipv4_cidr = "10.0.0.0/16"
+ }
+ }
+ egress_rules = {
+ 900 = {
+ action = "ALLOW"
+ protocol = "-1"
+ ipv4_cidr = "10.0.0.0/16"
+ }
+ }
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
+
+module "public_network_acl" {
+ source = "../../modules/nacl"
+ # source = "tedilabs/network/aws//modules/nacl"
+ # version = "~> 0.2.0"
+
+ name = "test-public"
+ vpc_id = module.vpc.id
+ subnets = module.public_subnet_group.ids
+
+ ingress_rules = {
+ 100 = {
+ action = "ALLOW"
+ protocol = "icmp"
+ ipv4_cidr = "0.0.0.0/0"
+ icmp_type = -1
+ icmp_code = -1
+ }
+ 200 = {
+ action = "ALLOW"
+ protocol = "tcp"
+ ipv4_cidr = "0.0.0.0/0"
+ from_port = 22
+ to_port = 22
+ }
+ 300 = {
+ action = "ALLOW"
+ protocol = "tcp"
+ ipv4_cidr = "0.0.0.0/0"
+ from_port = 80
+ to_port = 80
+ }
+ 310 = {
+ action = "ALLOW"
+ protocol = "tcp"
+ ipv4_cidr = "0.0.0.0/0"
+ from_port = 443
+ to_port = 443
+ }
+ 800 = {
+ action = "ALLOW"
+ protocol = "tcp"
+ ipv4_cidr = "0.0.0.0/0"
+ from_port = 1024
+ to_port = 65535
+ }
+ 801 = {
+ action = "ALLOW"
+ protocol = "udp"
+ ipv4_cidr = "0.0.0.0/0"
+ from_port = 1024
+ to_port = 65535
+ }
+ 900 = {
+ action = "ALLOW"
+ protocol = "-1"
+ ipv4_cidr = "10.0.0.0/16"
+ }
+ }
+ egress_rules = {
+ 900 = {
+ action = "ALLOW"
+ protocol = "-1"
+ ipv4_cidr = "0.0.0.0/0"
+ }
+ }
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
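Review bot: Rule `200` of `public_network_acl` admits TCP/22 from `0.0.0.0/0`; since examples get copied verbatim, it should be scoped to an administrative range or dropped, with a comment such as `# SSH: restrict ipv4_cidr to your admin network before reuse`. The private ACL allows traffic only to and from `10.0.0.0/16` in both directions, which looks inconsistent with the `0.0.0.0/0` → NAT gateway route the same commit gives the private subnets in route-tables.tf: network ACLs are stateless and evaluate the external source address on return packets, so that NAT path will presumably be blocked unless the private ACL also gets an egress rule to `0.0.0.0/0` and an ephemeral-port ingress rule like `800`/`801`. A one-line comment above rules `800` and `801` saying they exist for return traffic of outbound connections would make the public ACL self-explanatory.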
diff --git a/examples/vpc-full/outputs.tf b/examples/vpc-full/outputs.tf index 6bd50a8..22756b4 100644 --- a/examples/vpc-full/outputs.tf +++ b/examples/vpc-full/outputs.tf @@ -11,12 +11,27 @@ output "subnet_groups" { } } -output "public_nat_gateways" { - description = "The NAT Gateways in public." - value = module.public_nat_gateway +output "nat_gateways" { + description = "The NAT Gateways." + value = { + public = module.public_nat_gateway + private = module.private_nat_gateway + } } -output "private_nat_gateways" { - description = "The NAT Gateways in private." - value = module.private_nat_gateway +output "nacls" { + description = "The Network ACLs." + value = { + public = module.public_network_acl + private = module.private_network_acl + } } + +output "route_tables" { + description = "The Route Tables." + value = { + public = module.public_route_table + private = module.private_route_table + } +} + diff --git a/examples/vpc-full/route-tables.tf b/examples/vpc-full/route-tables.tf new file mode 100644 index 0000000..625db76 --- /dev/null +++ b/examples/vpc-full/route-tables.tf 
@@ -0,0 +1,69 @@
+###################################################
+# Route Tables
+###################################################
+
+module "private_route_table" {
+ source = "../../modules/route-table"
+ # source = "tedilabs/network/aws//modules/route-table"
+ # version = "~> 0.2.0"
+
+ name = "test-private"
+ vpc_id = module.vpc.id
+ subnets = module.private_subnet_group.ids
+ gateways = []
+
+
+ ## Route Rules
+ ipv4_routes = [
+ {
+ destination = "0.0.0.0/0"
+ target = {
+ type = "NAT_GATEWAY"
+ id = module.public_nat_gateway.id
+ }
+ },
+ ]
+ ipv6_routes = []
+ prefix_list_routes = []
+
+ vpc_gateway_endpoints = []
+ propagating_vpn_gateways = []
+
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
+
+module "public_route_table" {
+ source = "../../modules/route-table"
+ # source = "tedilabs/network/aws//modules/route-table"
+ # version = "~> 0.2.0"
+
+ name = "test-public"
+ vpc_id = module.vpc.id
+ subnets = module.public_subnet_group.ids
+ gateways = []
+
+
+ ## Route Rules
+ ipv4_routes = [
+ {
+ destination = "0.0.0.0/0"
+ target = {
+ type = "INTERNET_GATEWAY"
+ id = module.vpc.internet_gateway.id
+ }
+ },
+ ]
+ ipv6_routes = []
+ prefix_list_routes = []
+
+ vpc_gateway_endpoints = []
+ propagating_vpn_gateways = []
+
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
From 7b301fe330c0f92e35a57c167ca20675f375692c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Nov 2023 02:05:38 +0900 Subject: [PATCH 58/73] Bump tj-actions/changed-files from 39 to 40 (#53) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39 to 40. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/v39...v40) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index ef58145..92b2077 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v39 + uses: tj-actions/changed-files@v40 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v39 + uses: tj-actions/changed-files@v40 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index c2233c0..884f3ee 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v39 + uses: tj-actions/changed-files@v40 with: files: | **/*.yaml From bbfb6a9e6050c28a851ebac82cbbf5a67e912166 Mon Sep 17 00:00:00 2001 
From: Byungjin Park Date: Tue, 7 Nov 2023 11:35:07 +0900 Subject: [PATCH 59/73] Update route-table --- modules/route-table/main.tf | 5 ++--- modules/route-table/outputs.tf | 3 +-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/modules/route-table/main.tf b/modules/route-table/main.tf index c676e8e..0b064c4 100644 --- a/modules/route-table/main.tf +++ b/modules/route-table/main.tf @@ -59,7 +59,6 @@ resource "aws_main_route_table_association" "this" { # Associations ################################################### -# INFO: Conflict on create with `for_each` resource "aws_route_table_association" "subnets" { count = length(var.subnets) @@ -68,10 +67,10 @@ resource "aws_route_table_association" "subnets" { } resource "aws_route_table_association" "gateways" { - for_each = toset(var.gateways) + count = length(var.gateways) route_table_id = aws_route_table.this.id - gateway_id = each.value + gateway_id = var.gateways[count.index] } diff --git a/modules/route-table/outputs.tf b/modules/route-table/outputs.tf index 7bfa23c..6502412 100644 --- a/modules/route-table/outputs.tf +++ b/modules/route-table/outputs.tf @@ -109,7 +109,7 @@ output "associated_subnets" { output "associated_gateways" { description = "A list of gateway IDs which is associated with the route table." - value = values(aws_route_table_association.gateways)[*].gateway_id + value = aws_route_table_association.gateways[*].gateway_id } output "associated_vpc_gateway_endpoints" { @@ -121,4 +121,3 @@ output "propagated_vpn_gateways" { description = "A list of Virtual Private Gateway IDs which propagate routes from." value = values(aws_vpn_gateway_route_propagation.this)[*].vpn_gateway_id } - From fc71d906ec4a01ec55d83ba5fe66ae7243d82ab3 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Tue, 7 Nov 2023 11:35:28 +0900 Subject: [PATCH 60/73] Bump to v0.30.0 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 20f0687..c25c8e5 100644 --- a/VERSION 
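Review bot: Switching `aws_route_table_association.gateways` from `for_each = toset(var.gateways)` to `count = length(var.gateways)` changes every existing instance address from `["<gateway-id>"]` to `[N]`, so current users of the module will see their gateway associations destroyed and recreated on upgrade, and reordering `var.gateways` later will do the same; a `moved` block cannot express this mapping dynamically, so the v0.30.0 release notes should at least call it out. The `# INFO: Conflict on create with for_each` comment above the subnets association is dropped in the same patch; if that conflict is the reason both associations now use `count`, keeping a one-line comment such as `# count (not for_each): associations conflict when created concurrently` above them would stop the next maintainer from reverting to `for_each` for the nicer addresses.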
+++ b/VERSION @@ -1 +1 @@ -0.29.2 +0.30.0 From bb619dd41306ef57d735978ed7ec5723ada4ffa4 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Tue, 7 Nov 2023 16:33:30 +0900 Subject: [PATCH 61/73] Update description for variables --- modules/subnet-group/README.md | 2 +- modules/subnet-group/variables.tf | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md index f21ad1a..44309eb 100644 --- a/modules/subnet-group/README.md +++ b/modules/subnet-group/README.md @@ -53,7 +53,7 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) The name of the subnet group. | `string` | n/a | yes | -| [subnets](#input\_subnets) | (Required) A configuration of subnets to create in the subnet group. Each block of `subnets` as defined below.
(Optional) `type` - The type of subnet. Valid values are `DUALSTACK` and `IPV6`. Defaults to `DUALSTACK`.
(Optional) `availability_zone` - The availability zone of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone.
(Optional) `availability_zone_id` - The availability zone ID of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone. |
map(object({
type = optional(string, "DUALSTACK")

availability_zone = optional(string)
availability_zone_id = optional(string)

ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
}))
| n/a | yes | +| [subnets](#input\_subnets) | (Required) A configuration of subnets to create in the subnet group. Each block of `subnets` as defined below.
(Optional) `type` - The type of subnet. Valid values are `DUALSTACK` and `IPV6`. Defaults to `DUALSTACK`.
(Optional) `availability_zone` - The availability zone of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone.
(Optional) `availability_zone_id` - The availability zone ID of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone.
(Optional) `ipv4_cidr` - The IPv4 CIDR block for the subnet.
(Optional) `ipv6_cidr` - The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix length. |
map(object({
type = optional(string, "DUALSTACK")

availability_zone = optional(string)
availability_zone_id = optional(string)

ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
}))
| n/a | yes | | [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC which the subnet group belongs to. | `string` | n/a | yes | | [customer\_owned\_ipv4\_address\_assignment](#input\_customer\_owned\_ipv4\_address\_assignment) | (Optional) A configuration for Customer-owned IPv4 address assignment. `customer_owned_ipv4_address_assignment` as defined below.
(Optional) `enabled` - Whether to automatically request a Customer-owned IPv4 address for a new network interface in this subnet. Defaults to `false`.
(Optional) `outpost` - The Amazon Resource Name (ARN) of the Outpost.
(Optional) `pool` - The customer owned IPv4 address pool. |
object({
enabled = optional(bool, false)
outpost = optional(string)
pool = optional(string)
})
| `{}` | no | | [dax\_subnet\_group](#input\_dax\_subnet\_group) | (Optional) A configuration of DAX Subnet Group. `dax_subnet_group` as defined below.
(Optional) `enabled` - Whether to create DAX Subnet Group. Defaults to `false`.
(Optional) `name` - The name of the DAX Subnet Group. If not provided, the value of `name` will be used.
(Optional) `description` - The description of the DAX Subnet Group. |
object({
enabled = optional(bool, false)
name = optional(string)
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | diff --git a/modules/subnet-group/variables.tf b/modules/subnet-group/variables.tf index 3fe912a..aa12dca 100644 --- a/modules/subnet-group/variables.tf +++ b/modules/subnet-group/variables.tf @@ -16,6 +16,8 @@ variable "subnets" { (Optional) `type` - The type of subnet. Valid values are `DUALSTACK` and `IPV6`. Defaults to `DUALSTACK`. (Optional) `availability_zone` - The availability zone of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone. (Optional) `availability_zone_id` - The availability zone ID of the subnet. If the value of `availability_zone` and `availability_zone_id` are both not provided, the subnet will be created in random availability zone. + (Optional) `ipv4_cidr` - The IPv4 CIDR block for the subnet. + (Optional) `ipv6_cidr` - The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix length. EOF type = map(object({ type = optional(string, "DUALSTACK") From 4aa87dcfea309a6be33d5aabcaaff0997be5eab0 Mon Sep 17 00:00:00 2001 
From: "Byungjin Park (Claud)" Date: Wed, 8 Nov 2023 00:10:00 +0900 Subject: [PATCH 62/73] Refactor security-group module (#57) --- README.md | 5 + examples/security-group-simple/main.tf | 26 ++ examples/security-group-simple/outputs.tf | 4 + examples/security-group-simple/versions.tf | 10 + .../security-group-with-ipv4-cidrs/main.tf | 50 ++++ .../security-group-with-ipv4-cidrs/outputs.tf | 4 + .../versions.tf | 10 + modules/security-group/README.md | 21 +- modules/security-group/main.tf | 96 +------ modules/security-group/outputs.tf | 41 +++ modules/security-group/rules.tf | 250 ++++++++++++++++++ modules/security-group/variables.tf | 107 +++++++- modules/security-group/versions.tf | 4 +- modules/vpc/README.md | 2 +- modules/vpc/variables.tf | 20 +- 15 files changed, 534 insertions(+), 116 deletions(-) create mode 100644 examples/security-group-simple/main.tf create mode 100644 examples/security-group-simple/outputs.tf create mode 100644 examples/security-group-simple/versions.tf create mode 100644 examples/security-group-with-ipv4-cidrs/main.tf create mode 100644 examples/security-group-with-ipv4-cidrs/outputs.tf create mode 100644 examples/security-group-with-ipv4-cidrs/versions.tf create mode 100644 modules/security-group/rules.tf diff --git a/README.md b/README.md index 43c4c91..30945e9 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,11 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - [vpc-simple](./examples/vpc-simple) - [vpc-with-ipam](./examples/vpc-with-ipam) +### Security Group + +- [security-group-simple](./examples/security-group-simple) +- [security-group-with-ipv4-cidrs](./examples/security-group-with-ipv4-cidrs) + ### NAT Gateway - [nat-gateway-public](./examples/nat-gateway-public/) diff --git a/examples/security-group-simple/main.tf b/examples/security-group-simple/main.tf new file mode 100644 index 0000000..b5fd32f --- /dev/null +++ b/examples/security-group-simple/main.tf 
@@ -0,0 +1,26 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+
+###################################################
+# Security Group
+###################################################
+
+module "security_group" {
+ source = "../../modules/security-group"
+ # source = "tedilabs/ipam/aws//modules/security-group"
+ # version = "~> 0.30.0"
+
+ vpc_id = data.aws_vpc.default.id
+
+ name = "hello-world"
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
diff --git a/examples/security-group-simple/outputs.tf b/examples/security-group-simple/outputs.tf
new file mode 100644
index 0000000..ee0168f
--- /dev/null
+++ b/examples/security-group-simple/outputs.tf
@@ -0,0 +1,4 @@
+output "security_group" {
+ description = "The Security Group."
+ value = module.security_group
+}
diff --git a/examples/security-group-simple/versions.tf b/examples/security-group-simple/versions.tf
new file mode 100644
index 0000000..59c42e8
--- /dev/null
+++ b/examples/security-group-simple/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/examples/security-group-with-ipv4-cidrs/main.tf b/examples/security-group-with-ipv4-cidrs/main.tf
new file mode 100644
index 0000000..9b71880
--- /dev/null
+++ b/examples/security-group-with-ipv4-cidrs/main.tf
@@ -0,0 +1,50 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+
+###################################################
+# Security Group
+###################################################
+
+module "security_group" {
+ source = "../../modules/security-group"
+ # source = "tedilabs/ipam/aws//modules/security-group"
+ # version = "~> 0.30.0"
+
+ vpc_id = data.aws_vpc.default.id
+
+ name = "hello-world-ipv4-cidrs"
+ description = "Sample Security Group with IPv4 CIDRs."
+
+ revoke_rules_on_delete = true
+
+ ingress_rules = [
+ {
+ id = "tcp/80"
+ description = "Allow HTTP from VPC"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ ipv4_cidrs = ["192.168.0.0/16", "10.0.0.0/8", "172.168.0.0/24"]
+ },
+ ]
+ egress_rules = [
+ {
+ id = "all/all"
+ description = "Allow all traffics to the internet"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv4_cidrs = ["0.0.0.0/0"]
+ },
+ ]
+
+ tags = {
+ "project" = "terraform-aws-network-examples"
+ }
+}
diff --git a/examples/security-group-with-ipv4-cidrs/outputs.tf b/examples/security-group-with-ipv4-cidrs/outputs.tf
new file mode 100644
index 0000000..ee0168f
--- /dev/null
+++ b/examples/security-group-with-ipv4-cidrs/outputs.tf
@@ -0,0 +1,4 @@
+output "security_group" {
+ description = "The Security Group."
+ value = module.security_group
+}
diff --git a/examples/security-group-with-ipv4-cidrs/versions.tf b/examples/security-group-with-ipv4-cidrs/versions.tf
new file mode 100644
index 0000000..59c42e8
--- /dev/null
+++ b/examples/security-group-with-ipv4-cidrs/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.5"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/modules/security-group/README.md b/modules/security-group/README.md
index 054d8a1..513082d 100644
--- a/modules/security-group/README.md
+++ b/modules/security-group/README.md
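Review bot: The example's `ingress_rules` entry is labelled `Allow HTTP from VPC`, but `172.168.0.0/24` in its `ipv4_cidrs` is a publicly routable range: the RFC 1918 block is `172.16.0.0/12`, and `172.168.0.0/24` lies outside it. As written the sample permits TCP/80 from addresses a VPC cannot own, so anyone who copies it inherits an unintended allow; it was presumably meant to be `172.16.0.0/12`. I'd change the line to `ipv4_cidrs = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]`. The commented-out registry `source` in both new examples points at `tedilabs/ipam/aws//modules/security-group`, which looks inconsistent with the `terraform-aws-network-examples` tag used in the same file — worth verifying before someone uncomments it.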
@@ -3,21 +3,22 @@ This module creates following resources. - `aws_security_group` -- `aws_security_group_rule` (optional) +- `aws_vpc_security_group_ingress_rule` (optional) +- `aws_vpc_security_group_egress_rule` (optional) ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 3.45 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.24.0 | ## Modules @@ -30,8 +31,8 @@ This module creates following resources. | Name | Type | |------|------| | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_vpc_security_group_egress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | ## Inputs 
@@ -40,10 +41,9 @@ This module creates following resources. | [name](#input\_name) | (Required) The name of the security group. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | (Required) The ID of the associated VPC. | `string` | n/a | yes | | [description](#input\_description) | (Optional) The security group description. This field maps to the AWS `GroupDescription` attribute, for which there is no Update API. | `string` | `"Managed by Terraform."` | no | -| [egress\_rules](#input\_egress\_rules) | (Optional) A list of egress rules in a security group. | `any` | `[]` | no | -| [ingress\_rules](#input\_ingress\_rules) | (Optional) A list of ingress rules in a security group. | `any` | `[]` | no | +| [egress\_rules](#input\_egress\_rules) | (Optional) The configuration for egress rules of the security group. Each block of `egress_rules` as defined below.
(Required) `id` - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type.
(Required) `to_port` - The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. |
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
}))
| `[]` | no | +| [ingress\_rules](#input\_ingress\_rules) | (Optional) The configuration for ingress rules of the security group. Each block of `ingress_rules` as defined below.
(Required) `id` - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type.
(Required) `to_port` - The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. |
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
}))
| `[]` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [name\_prefix](#input\_name\_prefix) | (Optional) Creates a unique name beginning with the specified prefix. Conflicts with `name`. | `string` | `null` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | @@ -55,7 +55,10 @@ This module creates following resources. | Name | Description | |------|-------------| | [arn](#output\_arn) | The ARN of the security group. | +| [description](#output\_description) | The description of the security group. | +| [egress\_rules](#output\_egress\_rules) | The configuration of the security group egress rules. | | [id](#output\_id) | The ID of the security group. | +| [ingress\_rules](#output\_ingress\_rules) | The configuration of the security group ingress rules. | | [name](#output\_name) | The name of the security group. | | [owner\_id](#output\_owner\_id) | The ID of the AWS account that owns the security group. | | [vpc\_id](#output\_vpc\_id) | The ID of the associated VPC. | diff --git a/modules/security-group/main.tf b/modules/security-group/main.tf index 1dd6c1c..d2b3e93 100644 --- a/modules/security-group/main.tf +++ b/modules/security-group/main.tf 
@@ -14,11 +14,21 @@ locals { } : {} } + +################################################### +# Security Group +################################################### + +# INFO: Not supported attributes +# - `name_prefix` +# INFO: Use a separate resource +# - `egress` +# - `ingress` resource "aws_security_group" "this" { vpc_id = var.vpc_id - name = var.name - name_prefix = var.name_prefix + name = var.name + # name_prefix = var.name_prefix description = var.description revoke_rules_on_delete = var.revoke_rules_on_delete 
@@ -31,85 +41,3 @@ resource "aws_security_group" "this" { var.tags, ) } - - -################################################### -# Security Group Rules -################################################### - -locals { - normalized_ingress_rules = [ - for rule in var.ingress_rules : { - id = rule.id - description = lookup(rule, "description", "Managed by Terraform") - - protocol = rule.protocol - from_port = rule.from_port - to_port = rule.to_port - - cidr_blocks = try(sort(compact(rule.cidr_blocks)), null) - ipv6_cidr_blocks = try(sort(compact(rule.ipv6_cidr_blocks)), null) - prefix_list_ids = try(sort(compact(rule.prefix_list_ids)), null) - source_security_group_id = try(rule.source_security_group_id, null) - self = try(rule.self, false) ? true : null - } - ] - normalized_egress_rules = [ - for rule in var.egress_rules : { - id = rule.id - description = lookup(rule, "description", "Managed by Terraform") - - protocol = rule.protocol - from_port = rule.from_port - to_port = rule.to_port - - cidr_blocks = try(sort(compact(rule.cidr_blocks)), null) - ipv6_cidr_blocks = try(sort(compact(rule.ipv6_cidr_blocks)), null) - prefix_list_ids = try(sort(compact(rule.prefix_list_ids)), null) - source_security_group_id = try(rule.source_security_group_id, null) - self = try(rule.self, false) ? 
true : null - } - ] -} - -resource "aws_security_group_rule" "ingress" { - for_each = { - for rule in local.normalized_ingress_rules : - rule.id => rule - } - - security_group_id = aws_security_group.this.id - type = "ingress" - description = each.value.description - - protocol = each.value.protocol - from_port = each.value.from_port - to_port = each.value.to_port - - cidr_blocks = each.value.cidr_blocks - ipv6_cidr_blocks = each.value.ipv6_cidr_blocks - prefix_list_ids = each.value.prefix_list_ids - source_security_group_id = each.value.source_security_group_id - self = each.value.self -} - -resource "aws_security_group_rule" "egress" { - for_each = { - for rule in local.normalized_egress_rules : - rule.id => rule - } - - security_group_id = aws_security_group.this.id - type = "egress" - description = each.value.description - - protocol = each.value.protocol - from_port = each.value.from_port - to_port = each.value.to_port - - cidr_blocks = each.value.cidr_blocks - ipv6_cidr_blocks = each.value.ipv6_cidr_blocks - prefix_list_ids = each.value.prefix_list_ids - source_security_group_id = each.value.source_security_group_id - self = each.value.self -} diff --git a/modules/security-group/outputs.tf b/modules/security-group/outputs.tf index 2260b4f..e1287bf 100644 --- a/modules/security-group/outputs.tf +++ b/modules/security-group/outputs.tf @@ -13,6 +13,11 @@ output "name" { value = aws_security_group.this.name } +output "description" { + description = "The description of the security group." + value = aws_security_group.this.description +} + output "owner_id" { description = "The ID of the AWS account that owns the security group." value = aws_security_group.this.owner_id 
@@ -22,3 +27,39 @@ output "vpc_id" { description = "The ID of the associated VPC." value = aws_security_group.this.vpc_id } + +output "ingress_rules" { + description = < { + id = rule.id + arn = rule.arn + description = rule.description + + protocol = rule.ip_protocol + from_port = rule.from_port + to_port = rule.to_port + } + } +} + +output "egress_rules" { + description = < { + id = rule.id + arn = rule.arn + description = rule.description + + protocol = rule.ip_protocol + from_port = rule.from_port + to_port = rule.to_port + } + } +} diff --git a/modules/security-group/rules.tf b/modules/security-group/rules.tf new file mode 100644 index 0000000..4a5fdc5 --- /dev/null +++ b/modules/security-group/rules.tf 
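Review bot: The new `ingress_rules` and `egress_rules` outputs expose `id`, `arn`, `description`, `protocol`, `from_port` and `to_port` but not what each rule actually permits — `cidr_ipv4`, `cidr_ipv6`, `prefix_list_id` and `referenced_security_group_id` are set on the rule resources in this same commit and are the attributes an auditor or a consuming module needs. Without them a caller cannot distinguish a rule open to `0.0.0.0/0` from one scoped to a peer security group without reading the raw resource. The `description` heredocs are not readable in this view, so I cannot check their wording. I'd add the four source attributes to each output's value object; shown below for ingress, the egress output mirrors it.
```hcl
      # … unchanged: id, arn, description, protocol, from_port, to_port …
      ipv4_cidr      = rule.cidr_ipv4
      ipv6_cidr      = rule.cidr_ipv6
      prefix_list    = rule.prefix_list_id
      security_group = rule.referenced_security_group_id
```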
@@ -0,0 +1,250 @@
+locals {
+ normalized_ingress_rules = concat([], [
+ for rule in var.ingress_rules :
+ concat(
+ [
+ for idx, cidr in rule.ipv4_cidrs :
+ {
+ id = "${rule.id}/ipv4/${idx}"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = cidr
+ ipv6_cidr = null
+ prefix_list = null
+ security_group = null
+ }
+ ],
+ [
+ for idx, cidr in rule.ipv6_cidrs :
+ {
+ id = "${rule.id}/ipv6/${idx}"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = null
+ ipv6_cidr = cidr
+ prefix_list = null
+ security_group = null
+ }
+ ],
+ [
+ for idx, prefix_list in rule.prefix_lists :
+ {
+ id = "${rule.id}/prefix-list/${idx}"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = null
+ ipv6_cidr = null
+ prefix_list = prefix_list
+ security_group = null
+ }
+ ],
+ [
+ for idx, security_group in rule.security_groups :
+ {
+ id = "${rule.id}/security-group/${idx}"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = null
+ ipv6_cidr = null
+ prefix_list = null
+ security_group = security_group
+ }
+ ],
+ [
+ for self in [rule.self] :
+ {
+ id = "${rule.id}/self"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = null
+ ipv6_cidr = null
+ prefix_list = null
+ security_group = aws_security_group.this.id
+ }
+ if self
+ ]
+ )
+ ]...)
+ normalized_egress_rules = concat([], [
+ for rule in var.egress_rules :
+ concat(
+ [
+ for idx, cidr in rule.ipv4_cidrs :
+ {
+ id = "${rule.id}/ipv4/${idx}"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = cidr
+ ipv6_cidr = null
+ prefix_list = null
+ security_group = null
+ }
+ ],
+ [
+ for idx, cidr in rule.ipv6_cidrs :
+ {
+ id = "${rule.id}/ipv6/${idx}"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = null
+ ipv6_cidr = cidr
+ prefix_list = null
+ security_group = null
+ }
+ ],
+ [
+ for idx, prefix_list in rule.prefix_lists :
+ {
+ id = "${rule.id}/prefix-list/${idx}"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = null
+ ipv6_cidr = null
+ prefix_list = prefix_list
+ security_group = null
+ }
+ ],
+ [
+ for idx, security_group in rule.security_groups :
+ {
+ id = "${rule.id}/security-group/${idx}"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = null
+ ipv6_cidr = null
+ prefix_list = null
+ security_group = security_group
+ }
+ ],
+ [
+ for self in [rule.self] :
+ {
+ id = "${rule.id}/self"
+ description = rule.description
+
+ protocol = rule.protocol
+ from_port = rule.from_port
+ to_port = rule.to_port
+
+ ipv4_cidr = null
+ ipv6_cidr = null
+ prefix_list = null
+ security_group = aws_security_group.this.id
+ }
+ if self
+ ]
+ )
+ ]...)
+}
+
+
+###################################################
+# Ingress Rules for Security Group
+###################################################
+
+resource "aws_vpc_security_group_ingress_rule" "this" {
+ for_each = {
+ for rule in local.normalized_ingress_rules :
+ rule.id => rule
+ }
+
+ security_group_id = aws_security_group.this.id
+ description = each.value.description
+
+ ip_protocol = each.value.protocol
+ from_port = (contains(["all", "-1"], each.value.protocol)
+ ? null
+ : each.value.from_port
+ )
+ to_port = (contains(["all", "-1"], each.value.protocol)
+ ? null
+ : each.value.to_port
+ )
+
+ cidr_ipv4 = each.value.ipv4_cidr
+ cidr_ipv6 = each.value.ipv6_cidr
+ prefix_list_id = each.value.prefix_list
+ referenced_security_group_id = each.value.security_group
+
+ tags = merge(
+ {
+ "Name" = each.key
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
+
+
+###################################################
+# Egress Rules for Security Group
+###################################################
+
+resource "aws_vpc_security_group_egress_rule" "this" {
+ for_each = {
+ for rule in local.normalized_egress_rules :
+ rule.id => rule
+ }
+
+ security_group_id = aws_security_group.this.id
+ description = each.value.description
+
+ ip_protocol = each.value.protocol
+ from_port = (contains(["all", "-1"], each.value.protocol)
+ ? null
+ : each.value.from_port
+ )
+ to_port = (contains(["all", "-1"], each.value.protocol)
+ ? null
+ : each.value.to_port
+ )
+
+ cidr_ipv4 = each.value.ipv4_cidr
+ cidr_ipv6 = each.value.ipv6_cidr
+ prefix_list_id = each.value.prefix_list
+ referenced_security_group_id = each.value.security_group
+
+ tags = merge(
+ {
+ "Name" = each.key
+ },
+ local.module_tags,
+ var.tags,
+ )
+}
diff --git a/modules/security-group/variables.tf b/modules/security-group/variables.tf
index be593d2..f28506d 100644
--- a/modules/security-group/variables.tf
+++ b/modules/security-group/variables.tf
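Review bot: Every per-source comprehension in `locals` keys the generated rule by list position (`id = "${rule.id}/ipv4/${idx}"` and the ipv6/prefix-list/security-group variants, in both `normalized_ingress_rules` and `normalized_egress_rules`), so removing or reordering one entry in `ipv4_cidrs` shifts every later entry onto a different `for_each` key and rewrites rules the user did not touch; a duplicated CIDR in the list also produces two identical AWS rules, which the API would likely reject as a duplicate. Keying by the value makes the plan show only the rule that really changed: `for cidr in distinct(rule.ipv4_cidrs) :` with `id = "${rule.id}/ipv4/${cidr}"`, and likewise for the other three lists (the `/` inside a CIDR is fine in a for_each key). Separately, the `contains(["all", "-1"], ...)` guard on `from_port`/`to_port` in both rule resources silently discards ports the caller set; a comment such as `# from_port/to_port have no meaning for protocol "-1"/"all" and are dropped here` would make that intent visible to the next reader.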
@@ -4,51 +4,133 @@ variable "name" { nullable = false } -variable "name_prefix" { - description = "(Optional) Creates a unique name beginning with the specified prefix. Conflicts with `name`." - type = string - default = null -} +# variable "name_prefix" { +# description = "(Optional) Creates a unique name beginning with the specified prefix. Conflicts with `name`." +# type = string +# default = null +# nullable = true +# } variable "description" { description = "(Optional) The security group description. This field maps to the AWS `GroupDescription` attribute, for which there is no Update API." type = string default = "Managed by Terraform." + nullable = false } variable "vpc_id" { description = "(Required) The ID of the associated VPC." type = string + nullable = false } variable "revoke_rules_on_delete" { description = "(Optional) Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. This is normally not needed." type = bool default = false + nullable = false } variable "ingress_rules" { - description = "(Optional) A list of ingress rules in a security group." - type = any - default = [] + description = < 0, + length(rule.ipv6_cidrs) > 0, + length(rule.prefix_lists) > 0, + length(rule.security_groups) > 0, + rule.self, + ]) + ]) + error_message = "At least one of `ipv4_cidrs`, `ipv6_cidrs`, `prefix_lists`, `security_groups` or `self` must be specified." + } } variable "egress_rules" { - description = "(Optional) A list of egress rules in a security group." - type = any - default = [] + description = < 0, + length(rule.ipv6_cidrs) > 0, + length(rule.prefix_lists) > 0, + length(rule.security_groups) > 0, + rule.self, + ]) + ]) + error_message = "At least one of `ipv4_cidrs`, `ipv6_cidrs`, `prefix_lists`, `security_groups` or `self` must be specified." + } } variable "tags" { description = "(Optional) A map of tags to add to all resources." 
type = map(string) default = {} + nullable = false } variable "module_tags_enabled" { description = "(Optional) Whether to create AWS Resource Tags for the module informations." type = bool default = true + nullable = false } @@ -60,16 +142,19 @@ variable "resource_group_enabled" { description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." type = bool default = true + nullable = false } variable "resource_group_name" { description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." type = string default = "" + nullable = false } variable "resource_group_description" { description = "(Optional) The description of Resource Group." type = string default = "Managed by Terraform." + nullable = false } diff --git a/modules/security-group/versions.tf b/modules/security-group/versions.tf index 9ae3d78..4cedc8b 100644 --- a/modules/security-group/versions.tf +++ b/modules/security-group/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.5" + required_version = ">= 1.6" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.45" + version = ">= 5.3" } } } diff --git a/modules/vpc/README.md b/modules/vpc/README.md index e798ce2..02cbf5d 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -62,7 +62,7 @@ This module creates following resources. |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) Desired name for the VPC resources. | `string` | n/a | yes | | [default\_network\_acl](#input\_default\_network\_acl) | (Optional) The configuration for the default Network ACL of the VPC. `default_network_acl` as defined below.
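Review bot: `from_port` and `to_port` are declared as required `number` attributes in the new `ingress_rules`/`egress_rules` object types, yet the README row generated from these same descriptions states that with `protocol` set to `-1` the two values "should not be defined"; as typed a caller cannot omit them, which is why the example has to pass `0`. Either relax them to `from_port = optional(number)` / `to_port = optional(number)` (the rule resources already null them for `-1`/`all`) or reword the description line to `... \`from_port\` and \`to_port\` are ignored when \`protocol\` is \`-1\`.` so that the documentation matches the type. The heredoc descriptions are not readable in this view, so I am going by the README text in this commit.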
(Optional) `name` - The name of the default Network ACL. Defaults to same name of the VPC.
(Optional) `ingress_rules` - A set of ingress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `ingress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`.
(Optional) `egress_rules` - A set of egress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
object({
name = optional(string)
ingress_rules = optional(set(object({
priority = number
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
})))
egress_rules = optional(set(object({
priority = number
action = string
protocol = string
from_port = number
to_port = number
ipv4_cidr = optional(string)
ipv6_cidr = optional(string)
icmp_type = optional(number, 0)
icmp_code = optional(number, 0)
})))
})
| `{}` | no | -| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration for the default Security Group of the VPC. `default_security_group` as defined below.
(Optional) `name` - The name of the default Security Group. Defaults to same name of the VPC.
(Optional) `ingress_rules` - A set of ingress rules in the default Security Group. If not explicitly defined, the AWS default rules are applied. `ingress_rules` as defined below.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation. Cannot be specified with `ipv6_cidrs`.
(Optional) `ipv6_cidr` - The IPv6 network ranges to allow, in CIDR notation. Cannot be specified with `ipv4_cidrs`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`.
(Optional) `egress_rules` - A set of egress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below.
(Required) `priority` - The rule priority. The rule number. Used for ordering.
(Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`.
(Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`.
(Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`.
(Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. |
object({
name = optional(string)
ingress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
egress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
})
| `{}` | no | +| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration for the default Security Group of the VPC. `default_security_group` as defined below.
(Optional) `name` - The name of the default Security Group. Defaults to same name of the VPC.
(Optional) `ingress_rules` - A set of ingress rules in the default Security Group. If not explicitly defined, the AWS default rules are applied. `ingress_rules` as defined below.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation. Cannot be specified with `ipv6_cidrs`.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation. Cannot be specified with `ipv4_cidrs`.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `egress_rules` - A set of egress rules in the default Security Group. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`.
(Required) `from_port` - The from port to match.
(Required) `to_port` - The to port to match.
(Optional) `ipv4_cidrs` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidrs`.
(Optional) `ipv6_cidrs` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidrs`.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. |
object({
name = optional(string)
ingress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
egress_rules = optional(set(object({
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(set(string))
ipv6_cidrs = optional(set(string))
prefix_lists = optional(set(string))
security_groups = optional(set(string))
self = optional(bool, false)
})))
})
| `{}` | no | | [dhcp\_options](#input\_dhcp\_options) | (Optional) The configuration for a DHCP option set of the VPC. Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. `dhcp_options` as defined below.
(Optional) `enabled` - Whether to create a DHCP option set for the VPC. Defaults to `false`.
(Optional) `name` - The name of the DHCP option set. Defaults to same name of the VPC.
(Optional) `domain_name` - The suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the `/etc/resolv.conf` file. If you're using `AmazonProvidedDNS` in `us-east-1`, specify `ec2.internal`. If you're using `AmazonProvidedDNS` in another Region, specify `{region}.compute.internal`.
(Optional) `domain_name_servers` - A list of name servers to configure in `/etc/resolv.conf`. The IP addresses of up to four domain name servers, or `AmazonProvidedDNS`. If you want to use the default AWS nameservers you should set this to `AmazonProvidedDNS`. Defaults to `["AmazonProvidedDNS"]`.
(Optional) `netbios_name_servers` - A list of NetBIOS name servers. The IP addresses of up to four NetBIOS name servers.
(Optional) `netbios_node_type` - The NetBIOS node type (1, 2, 4, or 8). AWS recommends to specify 2 since broadcast and multicast are not supported in their network. For more information about these node types, see RFC 2132. Defaults to `2`.
(Optional) `ntp_servers` - A list of NTP servers to configure. The IP addresses of up to four Network Time Protocol (NTP) servers. |
object({
enabled = optional(bool, false)
name = optional(string)
domain_name = optional(string)
domain_name_servers = optional(list(string), ["AmazonProvidedDNS"])
netbios_name_servers = optional(list(string), [])
netbios_node_type = optional(number, 2)
ntp_servers = optional(list(string), [])
})
| `{}` | no | | [dns\_dnssec\_validation\_enabled](#input\_dns\_dnssec\_validation\_enabled) | (Optional) Should be true to enable Route53 DNSSEC validation in the VPC. | `bool` | `false` | no | | [dns\_hostnames\_enabled](#input\_dns\_hostnames\_enabled) | (Optional) Whether instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses. Defaults to `true`. | `bool` | `true` | no | diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 7806fc3..531a97a 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf 
@@ -207,18 +207,20 @@ variable "default_security_group" { (Required) `from_port` - The from port to match. (Required) `to_port` - The to port to match. (Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation. Cannot be specified with `ipv6_cidrs`. - (Optional) `ipv6_cidr` - The IPv6 network ranges to allow, in CIDR notation. Cannot be specified with `ipv4_cidrs`. - (Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. - (Optional) `egress_rules` - A set of egress rules in the default Network ACL. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below. - (Required) `priority` - The rule priority. The rule number. Used for ordering. - (Required) `action` - The action to indicate whether to allow or deny the traffic that matches the rule. Valid values are `ALLOW` and `DENY`. + (Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation. Cannot be specified with `ipv4_cidrs`. + (Optional) `prefix_lists` - The prefix list IDs to allow. + (Optional) `security_groups` - The source security group IDs to allow. + (Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. + (Optional) `egress_rules` - A set of egress rules in the default Security Group. If not explicitly defined, the AWS default rules are applied. `egress_rules` as defined below. + (Optional) `description` - The description of the rule. (Required) `protocol` - The protocol to match. If using the `-1` 'all' protocol, you must specify a from and to port of `0`. (Required) `from_port` - The from port to match. (Required) `to_port` - The to port to match. - (Optional) `ipv4_cidr` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidr`. - (Optional) `ipv6_cidr` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidr`. - (Optional) `icmp_type` - The ICMP type to be used. Defaults to `0`. 
- (Optional) `icmp_code` - The ICMP code to be used. Defaults to `0`. + (Optional) `ipv4_cidrs` - The IPv4 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv6_cidrs`. + (Optional) `ipv6_cidrs` - The IPv6 network range to allow or deny, in CIDR notation. Cannot be specified with `ipv4_cidrs`. + (Optional) `prefix_lists` - The prefix list IDs to allow. + (Optional) `security_groups` - The source security group IDs to allow. + (Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. EOF type = object({ name = optional(string) From 93ec1b4d53ef073ab846e4ccaa3dc2860bfc743f Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Wed, 8 Nov 2023 11:19:43 +0900 Subject: [PATCH 63/73] Bump to v0.31.0 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index c25c8e5..26bea73 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.30.0 +0.31.0 From 175608f5b6c9cf216e2f07a45c19ddc7ea9031a9 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Thu, 14 Dec 2023 02:54:42 +0900 Subject: [PATCH 64/73] Fix recreation bug in availability_zone_id for subnet-group --- VERSION | 2 +- modules/subnet-group/main.tf | 13 +++---------- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/VERSION b/VERSION index 26bea73..f176c94 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.31.0 +0.31.1 diff --git a/modules/subnet-group/main.tf b/modules/subnet-group/main.tf index dc6c85c..4beec77 100644 --- a/modules/subnet-group/main.tf +++ b/modules/subnet-group/main.tf 
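Review bot: The new `egress_rules` entries still carry ingress wording: `security_groups` is described as "The source security group IDs to allow" and `self` as "...added as a source to this ingress rule", although under `egress_rules` the referenced security groups are destinations. Suggested text: `(Optional) \`security_groups\` - The destination security group IDs to allow.` and `(Optional) \`self\` - Whether the security group itself will be added as a destination to this egress rule.` The egress `ipv4_cidrs`/`ipv6_cidrs` lines also keep "to allow or deny" from the Network ACL text they replaced; a security group rule can only allow, so "to allow" matches the ingress wording above. The `default_security_group` variable block starts and ends outside the hunk.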
@@ -60,19 +60,12 @@ locals { # Subnets of the Subnet Group ################################################### -# INFO: Not supported attributes -# - `availability_zone_id` resource "aws_subnet" "this" { for_each = var.subnets - vpc_id = var.vpc_id - availability_zone = (each.value.availability_zone != null - ? each.value.availability_zone - : (each.value.availability_zone_id != null - ? local.az[each.value.availability_zone_id] - : null - ) - ) + vpc_id = var.vpc_id + availability_zone = each.value.availability_zone + availability_zone_id = each.value.availability_zone_id enable_lni_at_device_index = var.local_network_interface_device_index From 03f8a7d051b3ba230ef64741c3458b0d481c4d1e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Dec 2023 02:33:58 +0000 Subject: [PATCH 65/73] Bump tj-actions/changed-files from 40 to 41 (#59) --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index 92b2077..fd6ca9f 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v41 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v41 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index 884f3ee..52c19f9 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml 
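Review bot: Passing both `availability_zone` and `availability_zone_id` straight through from `each.value` means a subnet entry that specifies both now reaches the provider, which as far as I recall rejects the pair as conflicting, whereas the removed expression always collapsed them into a single `availability_zone`. If `var.subnets` (defined outside this hunk) does not already enforce "at most one of the two", a `validation` block naming the offending subnet key would turn that provider error into a plan-time message. It is also worth checking whether `local.az`, referenced only by the removed expression as far as this hunk shows, still has another consumer; if not, it and the availability-zone data source it was presumably built from are dead code. The `locals` block named in the hunk header and the rest of the `aws_subnet` resource are outside the hunk.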
@@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v41 with: files: | **/*.yaml From 5ea987bf48a3c404df7634122189537a292e1c54 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Wed, 7 Feb 2024 18:08:11 +0900 Subject: [PATCH 66/73] Support transit gateway vpc attachments for subnet-group module --- VERSION | 2 +- modules/subnet-group/README.md | 3 +++ modules/subnet-group/integrations.tf | 32 +++++++++++++++++++++++++ modules/subnet-group/outputs.tf | 19 +++++++++++++++ modules/subnet-group/variables.tf | 35 ++++++++++++++++++++++++++++ 5 files changed, 90 insertions(+), 1 deletion(-) diff --git a/VERSION b/VERSION index f176c94..9eb2aa3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.31.1 +0.32.0 diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md index 44309eb..f7a92d6 100644 --- a/modules/subnet-group/README.md +++ b/modules/subnet-group/README.md 
@@ -41,6 +41,7 @@ This module creates following resources. | [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | | [aws_dms_replication_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_subnet_group) | resource | | [aws_docdb_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_subnet_group) | resource | +| [aws_ec2_transit_gateway_vpc_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource | | [aws_elasticache_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource | | [aws_memorydb_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/memorydb_subnet_group) | resource | | [aws_neptune_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_subnet_group) | resource | @@ -75,6 +76,7 @@ This module creates following resources. | [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). |
list(object({
name = optional(string)

permissions = optional(set(string), ["AWSRAMDefaultPermissionSubnet"])

external_principals_allowed = optional(bool, false)
principals = optional(set(string), [])

tags = optional(map(string), {})
}))
| `[]` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | | [timeouts](#input\_timeouts) | (Optional) How long to wait for the subnet group to be created/deleted. |
object({
create = optional(string, "10m")
delete = optional(string, "20m")
})
| `{}` | no | +| [transit\_gateway\_attachments](#input\_transit\_gateway\_attachments) | (Optional) A list of configurations for Transit Gateway VPC attachments. Each block of `transit_gateway_attachments` as defined below.
(Required) `name` - The name of the Transit Gateway VPC attachment.
(Required) `transit_gateway` - The ID of the Transit Gateway.
(Optional) `appliance_mode_enabled` - Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Defaults to `false`.
(Optional) `dns_support_enabled` - Whether to enable Domain Name System resolution for VPCs attached to this transit gateway. Defaults to `true`.
(Optional) `ipv6_enabled` - Whether to enable IPv6 support. Defaults to `false`.
(Optional) `default_association_route_table_enabled` - Whether to automatically associate transit gateway attachments with this transit gateway's default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Defaults to `false`.
(Optional) `default_propagation_route_table_enabled` - Whether to automatically propagate transit gateway attachments with this transit gateway's default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Defaults to `false`.
(Optional) `tags` - A map of tags to add to the vpc association. |
list(object({
name = string
transit_gateway = string
appliance_mode_enabled = optional(bool, false)
dns_support_enabled = optional(bool, true)
ipv6_enabled = optional(bool, false)
default_association_route_table_enabled = optional(bool, false)
default_propagation_route_table_enabled = optional(bool, false)

tags = optional(map(string), {})
}))
| `[]` | no | ## Outputs @@ -104,5 +106,6 @@ This module creates following resources. | [sharing](#output\_sharing) | The configuration for sharing of subnets in the subnet group.
`status` - An indication of whether subnets are shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
`shares` - The list of resource shares via RAM (Resource Access Manager). | | [subnets](#output\_subnets) | A list of subnets of the subnet group. | | [subnets\_by\_az](#output\_subnets\_by\_az) | A map of subnets of the subnet group which are grouped by availability zone id. | +| [transit\_gateway\_attachments](#output\_transit\_gateway\_attachments) | The configuration of Transit Gateway VPC attachments. | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC which the subnet group belongs to. | diff --git a/modules/subnet-group/integrations.tf b/modules/subnet-group/integrations.tf index f1eae91..d042a5e 100644 --- a/modules/subnet-group/integrations.tf +++ b/modules/subnet-group/integrations.tf @@ -1,3 +1,35 @@ +################################################### +# VPC Attachments for Transit Gateway +################################################### + +resource "aws_ec2_transit_gateway_vpc_attachment" "this" { + for_each = { + for attachment in var.transit_gateway_attachments : + attachment.name => attachment + } + + vpc_id = var.vpc_id + subnet_ids = values(aws_subnet.this)[*].id + + transit_gateway_id = each.value.transit_gateway + + appliance_mode_support = each.value.appliance_mode_enabled ? "enable" : "disable" + dns_support = each.value.dns_support_enabled ? "enable" : "disable" + ipv6_support = each.value.ipv6_enabled ? "enable" : "disable" + transit_gateway_default_route_table_association = each.value.default_association_route_table_enabled + transit_gateway_default_route_table_propagation = each.value.default_propagation_route_table_enabled + + tags = merge( + { + "Name" = each.key + }, + local.module_tags, + var.tags, + each.value.tags, + ) +} + + ################################################### # Subnet Group for DAX ################################################### diff --git a/modules/subnet-group/outputs.tf b/modules/subnet-group/outputs.tf index be882b7..980f36d 100644 --- a/modules/subnet-group/outputs.tf 
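Review bot: `subnet_ids = values(aws_subnet.this)[*].id` attaches every subnet of the group, but a Transit Gateway VPC attachment accepts only one subnet per Availability Zone, so a subnet group holding two subnets in the same AZ fails at apply time rather than plan time. Whether such groups can be built depends on `var.subnets`, which is outside this hunk; if they can, a `lifecycle { precondition { ... } }` on the resource checking that the subnets' `availability_zone_id` values are distinct, or at minimum a comment `# NOTE: a TGW attachment accepts one subnet per AZ; groups with several subnets in one AZ cannot be attached` above `subnet_ids`, would make the constraint explicit. The surrounding file continues with the DAX subnet group below the hunk.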
+++ b/modules/subnet-group/outputs.tf @@ -111,6 +111,25 @@ output "dns_config" { } } +output "transit_gateway_attachments" { + description = < { + name = name + transit_gateway = attachment.transit_gateway_id + + appliance_mode_enabled = attachment.appliance_mode_support == "enable" + dns_support_enabled = attachment.dns_support == "enable" + ipv6_enabled = attachment.ipv6_support == "enable" + default_association_route_table_enabled = attachment.transit_gateway_default_route_table_association + default_propagation_route_table_enabled = attachment.transit_gateway_default_route_table_propagation + } + } +} + output "dax_subnet_group" { description = < Date: Fri, 23 Feb 2024 13:54:42 +0900 Subject: [PATCH 67/73] Fix bug in ram-shared transit gateway vpc attachment --- modules/subnet-group/README.md | 2 ++ modules/subnet-group/integrations.tf | 35 ++++++++++++++++++++++++---- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md index f7a92d6..337a251 100644 --- a/modules/subnet-group/README.md +++ b/modules/subnet-group/README.md @@ -48,6 +48,8 @@ This module creates following resources. | [aws_redshift_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_subnet_group) | resource | | [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_ec2_transit_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source | ## Inputs 
diff --git a/modules/subnet-group/integrations.tf b/modules/subnet-group/integrations.tf index d042a5e..28c8135 100644 --- a/modules/subnet-group/integrations.tf +++ b/modules/subnet-group/integrations.tf @@ -1,7 +1,26 @@ +data "aws_caller_identity" "this" {} + +locals { + account_id = data.aws_caller_identity.this.account_id +} + + ################################################### # VPC Attachments for Transit Gateway ################################################### +data "aws_ec2_transit_gateway" "this" { + for_each = { + for attachment in var.transit_gateway_attachments : + attachment.name => attachment.transit_gateway + } + + filter { + name = "transit-gateway-id" + values = [each.value] + } +} + resource "aws_ec2_transit_gateway_vpc_attachment" "this" { for_each = { for attachment in var.transit_gateway_attachments : 
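Review bot: The `aws_ec2_transit_gateway` data source is resolved through a `filter` block on `transit-gateway-id` although the data source accepts the ID directly, so `id = each.value` would replace the three-line filter and read more plainly. Nothing in the hunk says why the lookup exists, so a comment above it such as `# Resolves the gateway's owner account so RAM-shared gateways (owned elsewhere) can be told apart from our own; see the attachment resource below` would save the next reader a trip to the attachment resource. The `aws_caller_identity` data source and `local.account_id` are module-wide helpers placed in an integration-specific file; if the module has a general `main.tf`/`locals` file, that is where a reader would look for them. The attachment resource that consumes these values continues in the next hunk.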
@@ -13,11 +32,17 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "this" { transit_gateway_id = each.value.transit_gateway - appliance_mode_support = each.value.appliance_mode_enabled ? "enable" : "disable" - dns_support = each.value.dns_support_enabled ? "enable" : "disable" - ipv6_support = each.value.ipv6_enabled ? "enable" : "disable" - transit_gateway_default_route_table_association = each.value.default_association_route_table_enabled - transit_gateway_default_route_table_propagation = each.value.default_propagation_route_table_enabled + appliance_mode_support = each.value.appliance_mode_enabled ? "enable" : "disable" + dns_support = each.value.dns_support_enabled ? "enable" : "disable" + ipv6_support = each.value.ipv6_enabled ? "enable" : "disable" + transit_gateway_default_route_table_association = (local.account_id == data.aws_ec2_transit_gateway.this[each.key].owner_id + ? each.value.default_association_route_table_enabled + : null + ) + transit_gateway_default_route_table_propagation = (local.account_id == data.aws_ec2_transit_gateway.this[each.key].owner_id + ? each.value.default_propagation_route_table_enabled + : null + ) tags = merge( { From f49f4ded85d826e957d4eda417ee58afd29f0f7b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 13:12:30 +0000 Subject: [PATCH 68/73] Bump tj-actions/changed-files from 41 to 43 (#61) --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index fd6ca9f..20f5bd6 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@v43 with: files: | modules/** 
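Review bot: When the transit gateway is owned by another account, the caller's `default_association_route_table_enabled` / `default_propagation_route_table_enabled` values are replaced by `null` without any feedback, so a user who sets a non-default value for a RAM-shared gateway gets no indication it was ignored. Since the variable description already states these cannot be configured for shared gateways, a comment above the two conditionals, `# RAM-shared TGW (owner != caller): association/propagation is decided by the owner account, so the caller's values are intentionally not sent`, records why `null` is chosen; a `validation` rejecting explicit non-default values for shared gateways would be the stricter option. The owner comparison is repeated verbatim in both expressions; a `for`-built local map of attachment name to "owned by us" would keep the two in step. The resource's `tags` block continues past the hunk.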
@@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@v43 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index 52c19f9..b1f80a3 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@v43 with: files: | **/*.yaml From 9bf1bdaa1313d72fb44862b08698c4f21a6e21ba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 18:52:08 +0000 Subject: [PATCH 69/73] Bump tj-actions/changed-files from 43 to 44 (#62) --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index 20f5bd6..daca2fa 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v43 + uses: tj-actions/changed-files@v44 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v43 + uses: tj-actions/changed-files@v44 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index b1f80a3..fc933f2 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v43 + uses: tj-actions/changed-files@v44 with: files: | **/*.yaml 
From b08a321808f31048700589efb8b46bcc1f759cbf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Apr 2024 17:20:54 +0900 Subject: [PATCH 70/73] Bump actions/labeler from 4 to 5 (#58) Bumps [actions/labeler](https://github.com/actions/labeler) from 4 to 5. - [Release notes](https://github.com/actions/labeler/releases) - [Commits](https://github.com/actions/labeler/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/labeler dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pull-request-labeler.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-labeler.yaml b/.github/workflows/pull-request-labeler.yaml index 1784c72..d5ac851 100644 --- a/.github/workflows/pull-request-labeler.yaml +++ b/.github/workflows/pull-request-labeler.yaml @@ -9,7 +9,7 @@ jobs: steps: - name: Add Labels for PR - uses: actions/labeler@v4 + uses: actions/labeler@v5 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/labeler.yaml From e175c6c34e623ecca04e29879f3713b9e1cd1d0a Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Fri, 3 May 2024 02:19:08 +0900 Subject: [PATCH 71/73] Update dependabot --- .github/dependabot.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 759819d..31d7ee2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,6 +1,17 @@ version: 2 updates: -- package-ecosystem: "github-actions" - directory: "/" +- package-ecosystem: github-actions + directory: / schedule: - interval: "daily" + interval: daily + +- package-ecosystem: terraform + directories: + - /modules/nacl + - /modules/nat-gateway + - /modules/route-table + - /modules/security-group + - /modules/subnet-group + - /modules/vpc + schedule: + interval: weekly From 78557bb9777e62e943a721dc850f0e6ebe2cbd21 Mon Sep 17 00:00:00 2001 From: "Byungjin Park (Claud)" Date: Wed, 8 May 2024 01:18:47 +0900 Subject: [PATCH 72/73] Support ipv6_address_preferred_lease_time for vpc dhcp options set (#70) --- modules/vpc/dhcp-options.tf | 9 +++++---- modules/vpc/outputs.tf | 12 +++++++----- modules/vpc/variables.tf | 16 +++++++++------- modules/vpc/versions.tf | 2 +- 4 files changed, 22 insertions(+), 17 deletions(-) diff --git a/modules/vpc/dhcp-options.tf b/modules/vpc/dhcp-options.tf index 22e770e..74b5317 100644 --- a/modules/vpc/dhcp-options.tf +++ b/modules/vpc/dhcp-options.tf @@ -21,10 +21,11 @@ resource "aws_vpc_dhcp_options" "this" { ? var.dhcp_options.domain_name : local.default_dhcp_options_domain_name ) - domain_name_servers = var.dhcp_options.domain_name_servers - ntp_servers = var.dhcp_options.ntp_servers - netbios_name_servers = var.dhcp_options.netbios_name_servers - netbios_node_type = var.dhcp_options.netbios_node_type + domain_name_servers = var.dhcp_options.domain_name_servers + ipv6_address_preferred_lease_time = var.dhcp_options.ipv6_address_preferred_lease_time + ntp_servers = var.dhcp_options.ntp_servers + netbios_name_servers = var.dhcp_options.netbios_name_servers + netbios_node_type = var.dhcp_options.netbios_node_type tags = merge( { diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf index 042f237..bdc066b 100644 --- a/modules/vpc/outputs.tf +++ b/modules/vpc/outputs.tf 
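Review bot: The new `terraform` entry enumerates the module directories by hand, so a module added later under `modules/` silently gets no dependency updates unless someone extends this list; a comment such as `# keep in sync with the directories under modules/` above `directories:` makes that obligation visible. The `github-actions` entry keeps bumping third-party actions that the workflows reference by mutable major tags (`uses: tj-actions/changed-files@v44` elsewhere in this series); Dependabot also maintains full commit-SHA pins, updating the SHA together with its version comment, so pinning those actions by commit SHA would remove the moving-tag risk at no extra maintenance cost. Dropping the quotes on `github-actions`, `/` and `daily` is harmless here, as none of these values is boolean- or number-like.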
@@ -215,6 +215,7 @@ output "dhcp_options" { `domain_name` - The suffix domain name to use by default when resolving non Fully Qualified Domain Names. `domain_name_servers` - A list of name servers to configure in `/etc/resolv.conf`. + `ipv6_address_preferred_lease_time` - A value for how frequently a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal. `netbios_name_servers` - A list of NetBIOS name servers. `netbios_node_type` - The NetBIOS node type (1, 2, 4, or 8). `ntp_servers` - A list of NTP servers to configure. @@ -225,11 +226,12 @@ output "dhcp_options" { arn = one(aws_vpc_dhcp_options.this[*].arn) owner = one(aws_vpc_dhcp_options.this[*].owner_id) - domain_name = one(aws_vpc_dhcp_options.this[*].domain_name) - domain_name_servers = one(aws_vpc_dhcp_options.this[*].domain_name_servers) - netbios_name_servers = one(aws_vpc_dhcp_options.this[*].netbios_name_servers) - netbios_node_type = one(aws_vpc_dhcp_options.this[*].netbios_node_type) - ntp_servers = one(aws_vpc_dhcp_options.this[*].ntp_servers) + domain_name = one(aws_vpc_dhcp_options.this[*].domain_name) + domain_name_servers = one(aws_vpc_dhcp_options.this[*].domain_name_servers) + ipv6_address_preferred_lease_time = one(aws_vpc_dhcp_options.this[*].ipv6_address_preferred_lease_time) + netbios_name_servers = one(aws_vpc_dhcp_options.this[*].netbios_name_servers) + netbios_node_type = one(aws_vpc_dhcp_options.this[*].netbios_node_type) + ntp_servers = one(aws_vpc_dhcp_options.this[*].ntp_servers) } : null ) diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 531a97a..2d8b85f 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf 
@@ -258,18 +258,20 @@ variable "dhcp_options" { (Optional) `name` - The name of the DHCP option set. Defaults to same name of the VPC. (Optional) `domain_name` - The suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the `/etc/resolv.conf` file. If you're using `AmazonProvidedDNS` in `us-east-1`, specify `ec2.internal`. If you're using `AmazonProvidedDNS` in another Region, specify `{region}.compute.internal`. (Optional) `domain_name_servers` - A list of name servers to configure in `/etc/resolv.conf`. The IP addresses of up to four domain name servers, or `AmazonProvidedDNS`. If you want to use the default AWS nameservers you should set this to `AmazonProvidedDNS`. Defaults to `["AmazonProvidedDNS"]`. + (Optional) `ipv6_address_preferred_lease_time` - How frequently, in seconds, a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal. Acceptable values are between 140 and 2147483647 (approximately 68 years). Defaults to `140` seconds. If you use long-term addressing for EC2 instances, you can increase the lease time and avoid frequent lease renewal requests. Lease renewal typically occurs when half of the lease time has elapsed. (Optional) `netbios_name_servers` - A list of NetBIOS name servers. The IP addresses of up to four NetBIOS name servers. (Optional) `netbios_node_type` - The NetBIOS node type (1, 2, 4, or 8). AWS recommends to specify 2 since broadcast and multicast are not supported in their network. For more information about these node types, see RFC 2132. Defaults to `2`. (Optional) `ntp_servers` - A list of NTP servers to configure. The IP addresses of up to four Network Time Protocol (NTP) servers. 
EOF type = object({ - enabled = optional(bool, false) - name = optional(string) - domain_name = optional(string) - domain_name_servers = optional(list(string), ["AmazonProvidedDNS"]) - netbios_name_servers = optional(list(string), []) - netbios_node_type = optional(number, 2) - ntp_servers = optional(list(string), []) + enabled = optional(bool, false) + name = optional(string) + domain_name = optional(string) + domain_name_servers = optional(list(string), ["AmazonProvidedDNS"]) + ipv6_address_preferred_lease_time = optional(number, 140) + netbios_name_servers = optional(list(string), []) + netbios_node_type = optional(number, 2) + ntp_servers = optional(list(string), []) }) default = {} nullable = false diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf index 4cedc8b..0cf17ea 100644 --- a/modules/vpc/versions.tf +++ b/modules/vpc/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.3" + version = ">= 5.46" } } } From 4eb09a35240ea5af58cc5b304ca44b4467a7e4d7 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Wed, 8 May 2024 01:19:06 +0900 Subject: [PATCH 73/73] Bump to v0.32.1 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 9eb2aa3..fd9620c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.32.0 +0.32.1
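Review bot: The new description promises an accepted range of 140 to 2147483647 seconds for `ipv6_address_preferred_lease_time`, but the variable gains no `validation`, so an out-of-range value is only rejected by the provider or the API at apply time; a validation block placed after `nullable = false` (the variable's closing brace is outside the hunk) states the contract once and fails at plan time. The commit's diffstat lists only `dhcp-options.tf`, `outputs.tf`, `variables.tf` and `versions.tf`, so the generated inputs table in `modules/vpc/README.md` (its `dhcp_options` row appears earlier on this page) is now stale and should be regenerated in the same change.
```hcl
  default  = {}
  nullable = false

  # Mirrors the range stated in the description above, so bad values fail at plan time.
  validation {
    condition = (
      var.dhcp_options.ipv6_address_preferred_lease_time >= 140
      && var.dhcp_options.ipv6_address_preferred_lease_time <= 2147483647
    )
    error_message = "`ipv6_address_preferred_lease_time` must be between 140 and 2147483647 seconds."
  }
```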