From b9ffd0d23f41c9f78e0d90b96fbea4852852c475 Mon Sep 17 00:00:00 2001 From: Dan Vaida Date: Mon, 6 Apr 2020 18:45:38 +0200 Subject: [PATCH] Adds support for separate, multiple routable CIDRs (#4) * Adds support for separate, multiple routable CIDRs * Fixes terraform destroy command --- Makefile | 4 ++-- README.md | 3 ++- examples/satellite/README.md | 3 ++- examples/satellite/main.tf | 6 ++++-- examples/satellite/variables.auto.tfvars | 6 ++++-- examples/satellite/variables.tf | 13 ++++++++++--- locals.tf | 7 +++++++ main.tf | 13 ++++++++----- variables.tf | 13 ++++++++++--- 9 files changed, 49 insertions(+), 19 deletions(-) diff --git a/Makefile b/Makefile index 0adab54..608f77c 100644 --- a/Makefile +++ b/Makefile @@ -144,13 +144,13 @@ test: _pull-tf fi; \ else \ echo "Apply failed"; \ - if docker run -$$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \ + if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \ destroy \ -auto-approve \ $(ARGS) \ ; then \ echo "Destroy OK"; \ - docker run -$$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ terraform.tfstate terraform.tfstate.backup || true; \ + docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ terraform.tfstate terraform.tfstate.backup || true; \ else \ echo "Destroy failed. You should check for dangling resources."; \ exit 1; \ diff --git a/README.md b/README.md index ea992a2..d90eb79 100644 --- a/README.md +++ b/README.md 
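Review bot: The changed destroy `docker run` still forwards only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` into the container, so temporary credentials (an assumed role or STS session, which the module's `aws_login_profile`/`role_to_assume_*` inputs suggest is the normal way this is run) lose their `AWS_SESSION_TOKEN` and the destroy is likely to fail on an invalid token, landing in the "Destroy failed" branch with real resources left behind. Adding the token costs nothing when the variable is unset: `-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN`. The removal of the stray `-` before `$$(tty -s ...)` is correct, since without a tty the substitution now expands to nothing rather than a bare `-` that docker rejects. The `test` recipe begins before this hunk, so the apply invocation is not visible here and may carry the same pattern.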
@@ -58,10 +58,11 @@ Check the `subnet_name_keyword_selector` variable if you want to change this. | aws\_login\_profile | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `any` | n/a | yes | | role\_to\_assume\_hub | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes | | aws\_account\_id\_satellite | AWS account number containing the TGW satellite | `string` | `""` | no | -| destination\_cidr\_block | CIDR to be routed | `string` | `""` | no | +| hub\_destination\_cidr\_blocks | List of CIDRs to be routed for the hub | `list` | `[]` | no | | ram\_resource\_association\_id | Identifier of the Resource Access Manager Resource Association | `string` | `""` | no | | role\_to\_assume\_satellite | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | `""` | no | | satellite\_create | Boolean flag for toggling the handling of satellite resources | `bool` | `false` | no | +| satellite\_destination\_cidr\_blocks | List of CIDRs to be routed for the satellite | `list` | `[]` | no | | subnet\_name\_keyword\_selector | Keyword matching the name of the subnet(s) for which the routing will be added (i.e. private) | `string` | `"private"` | no | | transit\_gateway\_hub\_name | Name of the Transit Gateway to attach to | `string` | `""` | no | | transit\_gateway\_id | Identifier of the Transit Gateway | `string` | `""` | no | diff --git a/examples/satellite/README.md b/examples/satellite/README.md index 42a79ee..5ca7479 100644 --- a/examples/satellite/README.md +++ b/examples/satellite/README.md 
@@ -14,8 +14,9 @@ No provider. | aws\_login\_profile | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `any` | n/a | yes | | role\_to\_assume\_hub | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes | | role\_to\_assume\_satellite | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes | -| destination\_cidr\_block | CIDR to be routed | `string` | `""` | no | +| hub\_destination\_cidr\_blocks | List of CIDRs to be routed for the hub | `list` | `[]` | no | | satellite\_create | Boolean flag for toggling the handling of satellite resources | `bool` | `false` | no | +| satellite\_destination\_cidr\_blocks | List of CIDRs to be routed for the satellite | `list` | `[]` | no | | subnet\_name\_keyword\_selector | Keyword matching the name of the subnet(s) for which the routing will be added (i.e. private) | `string` | `"private"` | no | | transit\_gateway\_hub\_name | Name of the Transit Gateway to attach to | `string` | `""` | no | | transit\_gateway\_id | Identifier of the Transit Gateway | `string` | `""` | no | diff --git a/examples/satellite/main.tf b/examples/satellite/main.tf index 6bb095c..d98e2d6 100644 --- a/examples/satellite/main.tf +++ b/examples/satellite/main.tf @@ -17,8 +17,10 @@ module "tgw-satellite" { role_to_assume_hub = var.role_to_assume_hub role_to_assume_satellite = var.role_to_assume_satellite - vpc_name_to_attach = var.vpc_name_to_attach - destination_cidr_block = var.destination_cidr_block + vpc_name_to_attach = var.vpc_name_to_attach + + satellite_destination_cidr_blocks = var.satellite_destination_cidr_blocks + hub_destination_cidr_blocks = var.hub_destination_cidr_blocks subnet_name_keyword_selector = var.subnet_name_keyword_selector diff --git a/examples/satellite/variables.auto.tfvars b/examples/satellite/variables.auto.tfvars index 76c2009..babec4e 100644 
--- a/examples/satellite/variables.auto.tfvars +++ b/examples/satellite/variables.auto.tfvars @@ -5,8 +5,10 @@ aws_login_profile = "login" role_to_assume_hub = "ASSUME-ENG-CI" role_to_assume_satellite = "ASSUME-ENG-CI" -vpc_name_to_attach = "default" -destination_cidr_block = "1.1.1.1/32" +vpc_name_to_attach = "default" + +satellite_destination_cidr_blocks = ["208.67.222.222/32", "208.67.220.220/32"] +hub_destination_cidr_blocks = ["8.8.4.4/32", "8.8.8.8/32"] subnet_name_keyword_selector = "private" transit_gateway_hub_name = "test-tgw-fixture" diff --git a/examples/satellite/variables.tf b/examples/satellite/variables.tf index 6faab81..534402d 100644 --- a/examples/satellite/variables.tf +++ b/examples/satellite/variables.tf @@ -34,9 +34,16 @@ variable "vpc_name_to_attach" { default = "" } -variable "destination_cidr_block" { - description = "CIDR to be routed" - default = "" +variable "satellite_destination_cidr_blocks" { + description = "List of CIDRs to be routed for the satellite" + type = list + default = [] +} + +variable "hub_destination_cidr_blocks" { + description = "List of CIDRs to be routed for the hub" + type = list + default = [] } variable "subnet_name_keyword_selector" { diff --git a/locals.tf b/locals.tf index a35331b..c8cf9d2 100644 --- a/locals.tf +++ b/locals.tf @@ -4,4 +4,11 @@ locals { transit_gateway_id = var.transit_gateway_id == "" ? data.aws_ec2_transit_gateway.this[0].id : var.transit_gateway_id transit_gateway_route_table_id = var.transit_gateway_route_table_id == "" ? data.aws_ec2_transit_gateway_route_table.this[0].id : var.transit_gateway_route_table_id + + routes_in_tables = [ + for pair in setproduct(data.aws_route_table.this[*].route_table_id, var.satellite_destination_cidr_blocks) : { + table_id = pair[0] + dest_cidr_block = pair[1] + } + ] } diff --git a/main.tf b/main.tf index 8e452c3..0f7cb90 100644 --- a/main.tf +++ b/main.tf 
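Review bot: The fixture values on the two added lines are real public DNS resolver addresses (OpenDNS 208.67.222.222/220.220 and Google 8.8.8.8/8.8.4.4), so a `make test` run against a live account installs TGW routes for those resolvers that point at the satellite attachment and, in the satellite VPC's selected subnets, routes that steer the same addresses toward the transit gateway; anything in the test VPC that resolves through them is silently black-holed for the duration of the test. Fixtures should use the RFC 5737 ranges reserved for documentation, e.g. `satellite_destination_cidr_blocks = ["192.0.2.0/24", "198.51.100.0/24"]` and `hub_destination_cidr_blocks = ["203.0.113.0/24"]`. The previous `1.1.1.1/32` had the same problem, so this is a pre-existing choice rather than a regression, but the patch is the natural place to fix it.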
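Review bot: `setproduct()` on the added lines takes `data.aws_route_table.this[*].route_table_id` as-is, and that data source appears to be instantiated once per matching subnet (the removed count in main.tf used `[*].subnet_id`), so a route table shared by two or more selected subnets appears several times and each (table, CIDR) pair is emitted more than once, leaving the consumer in main.tf to collapse duplicates by key. Deduplicating at the source keeps `routes_in_tables` a true set of routes: `for pair in setproduct(distinct(data.aws_route_table.this[*].route_table_id), var.satellite_destination_cidr_blocks) : {`. With that, no grouping is needed downstream. The definition of `data.aws_route_table.this` is outside this hunk, so the per-subnet assumption should be confirmed.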
@@ -15,8 +15,8 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "this" { resource "aws_ec2_transit_gateway_route" "this" { provider = aws.hub - count = local.create ? 1 : 0 - destination_cidr_block = var.destination_cidr_block + count = local.create ? length(var.hub_destination_cidr_blocks) : 0 + destination_cidr_block = element(var.hub_destination_cidr_blocks, count.index) transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.this[0].id transit_gateway_route_table_id = local.transit_gateway_route_table_id depends_on = [aws_ec2_transit_gateway_vpc_attachment.this] @@ -39,12 +39,15 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "this" { } resource "aws_route" "this" { + for_each = { + for route in local.routes_in_tables : "${route.table_id}.${route.dest_cidr_block}" => route... + } + provider = aws.satellite - count = local.create ? length(data.aws_route_table.this[*].subnet_id) : 0 - destination_cidr_block = var.destination_cidr_block + destination_cidr_block = each.value[0].dest_cidr_block transit_gateway_id = local.transit_gateway_id - route_table_id = sort(data.aws_route_table.this[*].route_table_id)[count.index] + route_table_id = each.value[1].table_id depends_on = [aws_ec2_transit_gateway_vpc_attachment.this] } diff --git a/variables.tf b/variables.tf index 53dba31..72a8907 100644 --- a/variables.tf +++ b/variables.tf @@ -4,9 +4,16 @@ variable "satellite_create" { type = bool } -variable "destination_cidr_block" { - description = "CIDR to be routed" - default = "" +variable "satellite_destination_cidr_blocks" { + description = "List of CIDRs to be routed for the satellite" + type = list + default = [] +} + +variable "hub_destination_cidr_blocks" { + description = "List of CIDRs to be routed for the hub" + type = list + default = [] } variable "aws_account_id_satellite" {
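Review bot: Indexing the hub routes by `count.index` ties each aws_ec2_transit_gateway_route to its position in `var.hub_destination_cidr_blocks`, so removing or reordering one CIDR renumbers every route after it and Terraform destroys and recreates those routes in the hub TGW route table, dropping traffic for the unaffected CIDRs while the apply runs. Keying by the CIDR itself avoids that: `for_each = local.create ? toset(var.hub_destination_cidr_blocks) : toset([])` with `destination_cidr_block = each.value`. `element()` also wraps around on out-of-range indices, which the matching `count` hides today but would mask a mistake if the two expressions were ever changed independently. The resource's closing brace lies outside this hunk.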
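Review bot: `route_table_id = each.value[1].table_id` reads the second element of the group that the `...` grouping mode builds per key, but a group only has a second element when the same (route table, CIDR) pair occurs at least twice in `local.routes_in_tables`; for any route table tied to a single selected subnet the group has one element and `plan` fails with an invalid index. Both attributes belong to the same key, so both should come from the first element: `route_table_id = each.value[0].table_id`. The old `count` was also gated on `local.create` while the new `for_each` is not; if `data.aws_route_table.this` is not itself gated on that flag, satellite routes would now be created even when `satellite_create` is false, which should be confirmed since that data source is outside this hunk.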
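Review bot: Both new variables are declared with the bare `type = list`, which Terraform 0.12 treats as the legacy `list(any)` and so accepts numbers, nulls or nested lists that only fail later inside aws_route and aws_ec2_transit_gateway_route; `type = list(string)` makes the contract explicit and rejects malformed input at plan time. The descriptions also say only "to be routed for the hub/satellite" without saying which direction each list controls: going by the main.tf hunks in this patch, `hub_destination_cidr_blocks` are the CIDRs whose routes in the hub TGW route table point at this satellite's VPC attachment, and `satellite_destination_cidr_blocks` are the CIDRs whose routes in the selected satellite subnet route tables point at the transit gateway, and the descriptions should say so. The duplicate declarations in examples/satellite/variables.tf should be kept in step.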