diff --git a/README.md b/README.md
index 6e3319b..79a6078 100644
--- a/README.md
+++ b/README.md
@@ -24,9 +24,15 @@ Support for VPN tunnels will be added soon.
 ### Credentials
-The module starts from the assumption that the `aws_login_profile` allows the
+The module starts from the assumption that your default aws profile allows the
 user to assume the necessary IAM roles, as required, to make the necessary
 changes (and in the case of the `satellite` module, cross-account).
+You can use profile of your need if you set `AWS_PROFILE` or `AWS_DEFAULT_PROFILE`, e.g.:
+
+```shell
+export AWS_DEFAULT_PROFILE=login
+```
+
 See [this example][4] to first make sure that the credentials you want to use
 allow for cross-account actions.
@@ -80,14 +86,14 @@ this fact.
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.15 |
-| [aws](#requirement\_aws) | >= 3 |
+| [aws](#requirement\_aws) | >= 4 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws.hub](#provider\_aws.hub) | >= 3 |
-| [aws.satellite](#provider\_aws.satellite) | >= 3 |
+| [aws.hub](#provider\_aws.hub) | >= 4 |
+| [aws.satellite](#provider\_aws.satellite) | >= 4 |
 ## Modules
@@ -112,8 +118,8 @@ No modules.
 | [aws_route_table.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_route_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_route_tables.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
-| [aws_subnet_ids.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
+| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_subnets.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
 | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 ## Inputs
diff --git a/data.tf b/data.tf
index 0660bed..a3be7f8 100644
--- a/data.tf
+++ b/data.tf
@@ -7,10 +7,14 @@ data "aws_vpc" "this" {
 }
 }
-data "aws_subnet_ids" "this" {
+data "aws_subnets" "this" {
 provider = aws.satellite
 count = local.create ? 1 : 0
- vpc_id = data.aws_vpc.this[0].id
+
+ filter { name = "vpc-id" values = [data.aws_vpc.this[0].id] }
 dynamic "filter" {
 for_each = var.attachment_subnet_filters
@@ -21,10 +25,14 @@ data "aws_subnet_ids" "this" {
 }
 }
-data "aws_subnet_ids" "private" {
+data "aws_subnets" "private" {
 provider = aws.satellite
 count = local.create ? 1 : 0
- vpc_id = data.aws_vpc.this[0].id
+
+ filter { name = "vpc-id" values = [data.aws_vpc.this[0].id] }
 dynamic "filter" {
 for_each = var.private_subnet_filters
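Review bot: Replacing `aws_subnet_ids` with `aws_subnets` quietly changes what happens when the `vpc-id` filter combined with `var.private_subnet_filters` matches nothing: as far as I recall `aws_subnet_ids` failed the plan with "no matching subnet found", whereas `aws_subnets` returns an empty `ids` list, so a mistyped tag filter now passes this block and everything consuming `data.aws_subnets.private[0].ids` (the strict NACL in main.tf among them) receives `[]`. For the `private` data source that is worth failing fast on, because an empty match means security controls keyed on it silently apply to no subnet. A `lifecycle` postcondition on the data block surfaces it at plan time; it needs Terraform >= 1.2, so the `>= 0.15` terraform requirement advertised in the README would have to move as well. The `dynamic "filter"` block continues past the end of the hunk.
```hcl
  # … unchanged: provider, count, vpc-id filter, dynamic "filter" …

  lifecycle {
    postcondition {
      condition     = length(self.ids) > 0
      error_message = "private_subnet_filters matched no subnet in the satellite VPC; refusing to continue with an empty subnet list."
    }
  }
```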
@@ -43,7 +51,7 @@ data "aws_route_tables" "all" {
 data "aws_route_table" "all" {
 provider = aws.satellite
- for_each = data.aws_route_tables.all[0].ids
+ for_each = toset(data.aws_route_tables.all[0].ids)
 vpc_id = data.aws_vpc.this[0].id
 filter {
diff --git a/examples/satellite-all/README.md b/examples/satellite-all/README.md
index 954fea3..ed4a047 100644
--- a/examples/satellite-all/README.md
+++ b/examples/satellite-all/README.md
@@ -25,7 +25,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
 | [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
-| [aws\_login\_profile](#input\_aws\_login\_profile) | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `string` | n/a | yes |
 | [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
 | [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached |
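Review bot: `for_each = toset(data.aws_route_tables.all[0].ids)` and `vpc_id = data.aws_vpc.this[0].id` both index `[0]` on data sources that, judging by the sibling blocks in this file, are gated with `count = local.create ? 1 : 0`; if `aws_route_tables.all` is gated the same way, this block presumably fails with an invalid-index error when `local.create` is false instead of producing zero instances, and the conversion to `toset()` keeps that shape. Guarding the key expression avoids it without touching the rest of the block: `for_each = local.create ? toset(data.aws_route_tables.all[0].ids) : toset([])`. The `filter` block continues past the end of the hunk.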
list(object({
name = string
values = list(string)
}))
|
[
{
"name": "tag:Name",
"values": [
"*private*"
]
}
]
| no |
diff --git a/examples/satellite-all/providers.tf b/examples/satellite-all/providers.tf
index 4d3606d..b647084 100644
--- a/examples/satellite-all/providers.tf
+++ b/examples/satellite-all/providers.tf
@@ -1,7 +1,6 @@
 provider "aws" {
- alias = "satellite"
- region = "eu-central-1"
- profile = var.aws_login_profile
+ alias = "satellite"
+ region = "eu-central-1"
 assume_role {
 role_arn = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
 session_name = "tf-tgw-module-satellite"
@@ -9,9 +8,8 @@ provider "aws" {
 }
 provider "aws" {
- alias = "hub"
- region = "eu-central-1"
- profile = var.aws_login_profile
+ alias = "hub"
+ region = "eu-central-1"
 assume_role {
 role_arn = "arn:aws:iam::${var.aws_account_id_hub}:role/${var.role_to_assume_hub}"
 session_name = "tf-tgw-module-satellite"
diff --git a/examples/satellite-all/variables.auto.tfvars b/examples/satellite-all/variables.auto.tfvars
index 05ed9a6..7baabf6 100644
--- a/examples/satellite-all/variables.auto.tfvars
+++ b/examples/satellite-all/variables.auto.tfvars
@@ -1,7 +1,5 @@
 satellite_create = true
-aws_login_profile = "login"
-
 role_to_assume_hub = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
diff --git a/examples/satellite-all/variables.tf b/examples/satellite-all/variables.tf
index 465e718..8f0d5c2 100644
--- a/examples/satellite-all/variables.tf
+++ b/examples/satellite-all/variables.tf
@@ -4,11 +4,6 @@ variable "satellite_create" {
 type = bool
 }
-variable "aws_login_profile" {
- description = "Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles"
- type = string
-}
-
 variable "aws_account_id_hub" {
 description = "AWS account number containing the TGW hub"
 type = string
diff --git a/examples/satellite-default-route-all/README.md b/examples/satellite-default-route-all/README.md
index da7a7a0..50205ae 100644
--- a/examples/satellite-default-route-all/README.md
+++ b/examples/satellite-default-route-all/README.md
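Review bot: Both `assume_role` blocks in providers.tf keep `session_name = "tf-tgw-module-satellite"`, including the hub provider in the second hunk, so every change this example makes in the hub account lands in that account's CloudTrail under a session name claiming to be the satellite, which hurts attribution when someone later has to reconstruct who touched the transit gateway; `session_name = "tf-tgw-module-hub"` on the hub block fixes that. With `profile = var.aws_login_profile` removed, both providers now take whatever the default credential chain yields (environment variables, then the `default` profile, then instance or container credentials) and use it to assume the cross-account roles, and the only place that is stated is the top-level README; a comment above the first provider, `# Source credentials come from the default AWS credential chain; set AWS_PROFILE to select a login profile.`, keeps that visible to anyone copying the example. Neither block passes an `external_id`; if the target roles' trust policies require one it would have to be added here.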
@@ -25,7 +25,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
 | [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
-| [aws\_login\_profile](#input\_aws\_login\_profile) | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `string` | n/a | yes |
 | [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
 | [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached |
list(object({
name = string
values = list(string)
}))
|
[
{
"name": "tag:Name",
"values": [
"*private*"
]
}
]
| no |
diff --git a/examples/satellite-default-route-all/providers.tf b/examples/satellite-default-route-all/providers.tf
index 4d3606d..b647084 100644
--- a/examples/satellite-default-route-all/providers.tf
+++ b/examples/satellite-default-route-all/providers.tf
@@ -1,7 +1,6 @@
 provider "aws" {
- alias = "satellite"
- region = "eu-central-1"
- profile = var.aws_login_profile
+ alias = "satellite"
+ region = "eu-central-1"
 assume_role {
 role_arn = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
 session_name = "tf-tgw-module-satellite"
@@ -9,9 +8,8 @@ provider "aws" {
 }
 provider "aws" {
- alias = "hub"
- region = "eu-central-1"
- profile = var.aws_login_profile
+ alias = "hub"
+ region = "eu-central-1"
 assume_role {
 role_arn = "arn:aws:iam::${var.aws_account_id_hub}:role/${var.role_to_assume_hub}"
 session_name = "tf-tgw-module-satellite"
diff --git a/examples/satellite-default-route-all/variables.auto.tfvars b/examples/satellite-default-route-all/variables.auto.tfvars
index 82609af..4c04fb8 100644
--- a/examples/satellite-default-route-all/variables.auto.tfvars
+++ b/examples/satellite-default-route-all/variables.auto.tfvars
@@ -1,7 +1,5 @@
 satellite_create = true
-aws_login_profile = "login"
-
 role_to_assume_hub = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
diff --git a/examples/satellite-default-route-all/variables.tf b/examples/satellite-default-route-all/variables.tf
index 465e718..8f0d5c2 100644
--- a/examples/satellite-default-route-all/variables.tf
+++ b/examples/satellite-default-route-all/variables.tf
@@ -4,11 +4,6 @@ variable "satellite_create" {
 type = bool
 }
-variable "aws_login_profile" {
- description = "Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles"
- type = string
-}
-
 variable "aws_account_id_hub" {
 description = "AWS account number containing the TGW hub"
 type = string
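Review bot: The hub provider in the second hunk of this providers.tf still assumes its role with `session_name = "tf-tgw-module-satellite"`, the same name the satellite provider uses, so hub-account CloudTrail records for this example carry a misleading session identity; it should read `session_name = "tf-tgw-module-hub"`. Now that `profile = var.aws_login_profile` is gone, the source credentials for both role assumptions come from the default credential chain, which is worth stating in a comment on the first provider block rather than only in the top-level README, e.g. `# Source credentials come from the default AWS credential chain (AWS_PROFILE selects a login profile).` No `external_id` is set on either `assume_role`; whether that is acceptable depends on the trust policies of the target roles, which are not visible here.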
diff --git a/examples/satellite-default-route/README.md b/examples/satellite-default-route/README.md
index 2ab7b38..26d648e 100644
--- a/examples/satellite-default-route/README.md
+++ b/examples/satellite-default-route/README.md
@@ -25,7 +25,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
 | [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
-| [aws\_login\_profile](#input\_aws\_login\_profile) | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `string` | n/a | yes |
 | [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
 | [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached |
list(object({
name = string
values = list(string)
}))
|
[
{
"name": "tag:Name",
"values": [
"*private*"
]
}
]
| no |
diff --git a/examples/satellite-default-route/providers.tf b/examples/satellite-default-route/providers.tf
index 4d3606d..b647084 100644
--- a/examples/satellite-default-route/providers.tf
+++ b/examples/satellite-default-route/providers.tf
@@ -1,7 +1,6 @@
 provider "aws" {
- alias = "satellite"
- region = "eu-central-1"
- profile = var.aws_login_profile
+ alias = "satellite"
+ region = "eu-central-1"
 assume_role {
 role_arn = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
 session_name = "tf-tgw-module-satellite"
@@ -9,9 +8,8 @@ provider "aws" {
 }
 provider "aws" {
- alias = "hub"
- region = "eu-central-1"
- profile = var.aws_login_profile
+ alias = "hub"
+ region = "eu-central-1"
 assume_role {
 role_arn = "arn:aws:iam::${var.aws_account_id_hub}:role/${var.role_to_assume_hub}"
 session_name = "tf-tgw-module-satellite"
diff --git a/examples/satellite-default-route/variables.auto.tfvars b/examples/satellite-default-route/variables.auto.tfvars
index 360363f..cf39740 100644
--- a/examples/satellite-default-route/variables.auto.tfvars
+++ b/examples/satellite-default-route/variables.auto.tfvars
@@ -1,7 +1,5 @@
 satellite_create = true
-aws_login_profile = "login"
-
 role_to_assume_hub = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
diff --git a/examples/satellite-default-route/variables.tf b/examples/satellite-default-route/variables.tf
index 465e718..8f0d5c2 100644
--- a/examples/satellite-default-route/variables.tf
+++ b/examples/satellite-default-route/variables.tf
@@ -4,11 +4,6 @@ variable "satellite_create" {
 type = bool
 }
-variable "aws_login_profile" {
- description = "Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles"
- type = string
-}
-
 variable "aws_account_id_hub" {
 description = "AWS account number containing the TGW hub"
 type = string
diff --git a/examples/satellite/README.md b/examples/satellite/README.md
index 2957bb1..9bdb625 100644
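Review bot: In this providers.tf the hub provider (second hunk) assumes its role with `session_name = "tf-tgw-module-satellite"`, identical to the satellite provider, so the hub account's CloudTrail cannot tell the two apart and the name itself is wrong for that account; use `session_name = "tf-tgw-module-hub"` there. Removing `profile = var.aws_login_profile` means the credentials that perform both `sts:AssumeRole` calls now come from whatever the default chain resolves at run time, so a comment on the first provider, `# Source credentials: default AWS credential chain; export AWS_PROFILE to choose a login profile.`, would keep this example self-explanatory. Consider an `external_id` on the `assume_role` blocks if the target roles' trust policies call for one; nothing in the hunk shows whether they do.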
--- a/examples/satellite/README.md
+++ b/examples/satellite/README.md
@@ -25,7 +25,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
 | [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
-| [aws\_login\_profile](#input\_aws\_login\_profile) | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `string` | n/a | yes |
 | [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
 | [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached |
list(object({
name = string
values = list(string)
}))
|
[
{
"name": "tag:Name",
"values": [
"*private*"
]
}
]
| no |
diff --git a/examples/satellite/providers.tf b/examples/satellite/providers.tf
index 4d3606d..b647084 100644
--- a/examples/satellite/providers.tf
+++ b/examples/satellite/providers.tf
@@ -1,7 +1,6 @@
 provider "aws" {
- alias = "satellite"
- region = "eu-central-1"
- profile = var.aws_login_profile
+ alias = "satellite"
+ region = "eu-central-1"
 assume_role {
 role_arn = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
 session_name = "tf-tgw-module-satellite"
@@ -9,9 +8,8 @@ provider "aws" {
 }
 provider "aws" {
- alias = "hub"
- region = "eu-central-1"
- profile = var.aws_login_profile
+ alias = "hub"
+ region = "eu-central-1"
 assume_role {
 role_arn = "arn:aws:iam::${var.aws_account_id_hub}:role/${var.role_to_assume_hub}"
 session_name = "tf-tgw-module-satellite"
diff --git a/examples/satellite/variables.auto.tfvars b/examples/satellite/variables.auto.tfvars
index 0bf8fc3..d19f58f 100644
--- a/examples/satellite/variables.auto.tfvars
+++ b/examples/satellite/variables.auto.tfvars
@@ -1,7 +1,5 @@
 satellite_create = true
-aws_login_profile = "login"
-
 role_to_assume_hub = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
diff --git a/examples/satellite/variables.tf b/examples/satellite/variables.tf
index 13b62c1..07b9e9d 100644
--- a/examples/satellite/variables.tf
+++ b/examples/satellite/variables.tf
@@ -4,11 +4,6 @@ variable "satellite_create" {
 type = bool
 }
-variable "aws_login_profile" {
- description = "Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles"
- type = string
-}
-
 variable "aws_account_id_hub" {
 description = "AWS account number containing the TGW hub"
 type = string
diff --git a/locals.tf b/locals.tf
index ea89bc0..a0c8127 100644
--- a/locals.tf
+++ b/locals.tf
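Review bot: The hub `assume_role` block in the second hunk of this providers.tf keeps `session_name = "tf-tgw-module-satellite"`, so changes applied to the hub account by this example are logged there under a session name that belongs to the other side of the attachment; `session_name = "tf-tgw-module-hub"` would make the CloudTrail trail in each account name the right party. Since `profile = var.aws_login_profile` was removed from both blocks, the identity performing the role assumptions is now whatever the default credential chain resolves, which the example no longer says anywhere; a comment such as `# Source credentials come from the default AWS credential chain; set AWS_PROFILE to pick a login profile.` above the first provider would restore that. If the target roles' trust policies require an `external_id`, it has to be added to both blocks — the hunk does not show either way.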
@@ -29,6 +29,6 @@ locals {
 subnets_with_rt_associations = toset(flatten([for rt in data.aws_route_table.all : rt.associations[*].subnet_id]))
- private_subnets_with_rt = setintersection(data.aws_subnet_ids.private[0].ids, local.subnets_with_rt_associations)
+ private_subnets_with_rt = setintersection(data.aws_subnets.private[0].ids, local.subnets_with_rt_associations)
 }
diff --git a/main.tf b/main.tf
index 54d3190..afc79c8 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,7 @@
 resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
 provider = aws.satellite
 count = local.create ? 1 : 0
- subnet_ids = data.aws_subnet_ids.this[0].ids
+ subnet_ids = data.aws_subnets.this[0].ids
 transit_gateway_id = local.transit_gateway_id
 vpc_id = data.aws_vpc.this[0].id
@@ -56,7 +56,7 @@ resource "aws_network_acl" "private" {
 provider = aws.satellite
 count = local.create && var.private_subnets_strict_acl_rules ? 1 : 0
 vpc_id = data.aws_vpc.this[0].id
- subnet_ids = data.aws_subnet_ids.private[0].ids
+ subnet_ids = data.aws_subnets.private[0].ids
 }
 resource "aws_network_acl_rule" "private_default_egress" {
diff --git a/versions.tf b/versions.tf
index d12b45d..e4e70a3 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3"
+ version = ">= 4"
 configuration_aliases = [
 aws.hub,
 aws.satellite
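Review bot: `subnet_ids = data.aws_subnets.private[0].ids` on `aws_network_acl.private` can now be an empty list, because `aws_subnets` (unlike the `aws_subnet_ids` it replaces, as far as I recall) does not fail when its filters match nothing; with `private_subnets_strict_acl_rules = true` that produces a network ACL associated with no subnet, so the strict rules protect nothing while plan and apply both succeed. A plan-time guard on this resource makes the misconfiguration loud: a `lifecycle { precondition { ... } }` whose `condition = length(data.aws_subnets.private[0].ids) > 0` and whose `error_message` names `private_subnet_filters` (Terraform >= 1.2, above the `>= 0.15` the README advertises). The same consideration applies to the transit gateway attachment in the first main.tf hunk, though there AWS rejects an empty subnet list at apply time, so that failure is at least not silent.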