Adds support for separate, multiple routable CIDRs (#4)

* Adds support for separate, multiple routable CIDRs

* Fixes terraform destroy command

Makefile

@@ -144,13 +144,13 @@ test: _pull-tf
 			fi; \
 		else \
 			echo "Apply failed"; \
-			if docker run -$$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
+			if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
 				destroy \
 					-auto-approve \
 					$(ARGS) \
 					; then \
 				echo "Destroy OK"; \
-				docker run -$$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ terraform.tfstate terraform.tfstate.backup || true; \
+				docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ terraform.tfstate terraform.tfstate.backup || true; \
 			else \
 				echo "Destroy failed. You should check for dangling resources."; \
 				exit 1; \

README.md

@@ -58,10 +58,11 @@ Check the `subnet_name_keyword_selector` variable if you want to change this.
 | aws\_login\_profile | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `any` | n/a | yes |
 | role\_to\_assume\_hub | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | aws\_account\_id\_satellite | AWS account number containing the TGW satellite | `string` | `""` | no |
-| destination\_cidr\_block | CIDR to be routed | `string` | `""` | no |
+| hub\_destination\_cidr\_blocks | List of CIDRs to be routed for the hub | `list` | `[]` | no |
 | ram\_resource\_association\_id | Identifier of the Resource Access Manager Resource Association | `string` | `""` | no |
 | role\_to\_assume\_satellite | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | `""` | no |
 | satellite\_create | Boolean flag for toggling the handling of satellite resources | `bool` | `false` | no |
+| satellite\_destination\_cidr\_blocks | List of CIDRs to be routed for the satellite | `list` | `[]` | no |
 | subnet\_name\_keyword\_selector | Keyword matching the name of the subnet(s) for which the routing will be added (i.e. private) | `string` | `"private"` | no |
 | transit\_gateway\_hub\_name | Name of the Transit Gateway to attach to | `string` | `""` | no |
 | transit\_gateway\_id | Identifier of the Transit Gateway | `string` | `""` | no |

examples/satellite/README.md

@@ -14,8 +14,9 @@ No provider.
 | aws\_login\_profile | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `any` | n/a | yes |
 | role\_to\_assume\_hub | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | role\_to\_assume\_satellite | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
-| destination\_cidr\_block | CIDR to be routed | `string` | `""` | no |
+| hub\_destination\_cidr\_blocks | List of CIDRs to be routed for the hub | `list` | `[]` | no |
 | satellite\_create | Boolean flag for toggling the handling of satellite resources | `bool` | `false` | no |
+| satellite\_destination\_cidr\_blocks | List of CIDRs to be routed for the satellite | `list` | `[]` | no |
 | subnet\_name\_keyword\_selector | Keyword matching the name of the subnet(s) for which the routing will be added (i.e. private) | `string` | `"private"` | no |
 | transit\_gateway\_hub\_name | Name of the Transit Gateway to attach to | `string` | `""` | no |
 | transit\_gateway\_id | Identifier of the Transit Gateway | `string` | `""` | no |

examples/satellite/main.tf

@@ -17,8 +17,10 @@ module "tgw-satellite" {
   role_to_assume_hub       = var.role_to_assume_hub
   role_to_assume_satellite = var.role_to_assume_satellite
 
-  vpc_name_to_attach     = var.vpc_name_to_attach
-  destination_cidr_block = var.destination_cidr_block
+  vpc_name_to_attach = var.vpc_name_to_attach
+
+  satellite_destination_cidr_blocks = var.satellite_destination_cidr_blocks
+  hub_destination_cidr_blocks       = var.hub_destination_cidr_blocks
 
   subnet_name_keyword_selector = var.subnet_name_keyword_selector
 

examples/satellite/variables.auto.tfvars

@@ -5,8 +5,10 @@ aws_login_profile = "login"
 role_to_assume_hub       = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
 
-vpc_name_to_attach     = "default"
-destination_cidr_block = "1.1.1.1/32"
+vpc_name_to_attach = "default"
+
+satellite_destination_cidr_blocks = ["208.67.222.222/32", "208.67.220.220/32"]
+hub_destination_cidr_blocks       = ["8.8.4.4/32", "8.8.8.8/32"]
 
 subnet_name_keyword_selector = "private"
 transit_gateway_hub_name     = "test-tgw-fixture"

examples/satellite/variables.tf

@@ -34,9 +34,16 @@ variable "vpc_name_to_attach" {
   default     = ""
 }
 
-variable "destination_cidr_block" {
-  description = "CIDR to be routed"
-  default     = ""
+variable "satellite_destination_cidr_blocks" {
+  description = "List of CIDRs to be routed for the satellite"
+  type        = list
+  default     = []
+}
+
+variable "hub_destination_cidr_blocks" {
+  description = "List of CIDRs to be routed for the hub"
+  type        = list
+  default     = []
 }
 
 variable "subnet_name_keyword_selector" {

locals.tf

@@ -4,4 +4,11 @@ locals {
   transit_gateway_id = var.transit_gateway_id == "" ? data.aws_ec2_transit_gateway.this[0].id : var.transit_gateway_id
 
   transit_gateway_route_table_id = var.transit_gateway_route_table_id == "" ? data.aws_ec2_transit_gateway_route_table.this[0].id : var.transit_gateway_route_table_id
+
+  routes_in_tables = [
+    for pair in setproduct(data.aws_route_table.this[*].route_table_id, var.satellite_destination_cidr_blocks) : {
+      table_id        = pair[0]
+      dest_cidr_block = pair[1]
+    }
+  ]
 }

main.tf

@@ -15,8 +15,8 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
 
 resource "aws_ec2_transit_gateway_route" "this" {
   provider                       = aws.hub
-  count                          = local.create ? 1 : 0
-  destination_cidr_block         = var.destination_cidr_block
+  count                          = local.create ? length(var.hub_destination_cidr_blocks) : 0
+  destination_cidr_block         = element(var.hub_destination_cidr_blocks, count.index)
   transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.this[0].id
   transit_gateway_route_table_id = local.transit_gateway_route_table_id
   depends_on                     = [aws_ec2_transit_gateway_vpc_attachment.this]
@@ -39,12 +39,15 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "this" {
 }
 
 resource "aws_route" "this" {
+  for_each = {
+    for route in local.routes_in_tables : "${route.table_id}.${route.dest_cidr_block}" => route...
+  }
+
   provider = aws.satellite
-  count    = local.create ? length(data.aws_route_table.this[*].subnet_id) : 0
 
-  destination_cidr_block = var.destination_cidr_block
+  destination_cidr_block = each.value[0].dest_cidr_block
   transit_gateway_id     = local.transit_gateway_id
-  route_table_id         = sort(data.aws_route_table.this[*].route_table_id)[count.index]
+  route_table_id         = each.value[1].table_id
 
   depends_on = [aws_ec2_transit_gateway_vpc_attachment.this]
 }

variables.tf

@@ -4,9 +4,16 @@ variable "satellite_create" {
   type        = bool
 }
 
-variable "destination_cidr_block" {
-  description = "CIDR to be routed"
-  default     = ""
+variable "satellite_destination_cidr_blocks" {
+  description = "List of CIDRs to be routed for the satellite"
+  type        = list
+  default     = []
+}
+
+variable "hub_destination_cidr_blocks" {
+  description = "List of CIDRs to be routed for the hub"
+  type        = list
+  default     = []
 }
 
 variable "aws_account_id_satellite" {