cool-userservices-networking

This is a Terraform deployment for creating the VPC, public subnets, and private subnets for the COOL User Services account.

Until this project moves to Terraform 0.13, there is no depends_on support for modules, and we have no way to ensure that the ProvisionNetworking policy is attached to the ProvisionAccount role before Terraform attempts to instantiate the subnet modules. Therefore, in order to apply this Terraform code, one must run a targeted apply before running a full apply:

terraform apply -var-file=<workspace>.tfvars -target=aws_iam_role_policy_attachment.provisionnetworking_policy_attachment -target=aws_iam_policy.provisionnetworking_policy

At this point the ProvisionNetworking policy is attached to the ProvisionAccount role and you can run a full terraform apply.

Pre-requisites

• Terraform installed on your system.
• An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
• An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
• Access to all of the Terraform remote states specified in remote_states.tf.

Requirements

Name	Version
terraform	~> 1.1
aws	~> 4.9

Providers

Name	Version
aws	~> 4.9
aws.organizationsreadonly	~> 4.9
aws.sharedservicesprovisionaccount	~> 4.9
aws.userservicesprovisionaccount	~> 4.9
terraform	n/a

Modules

Name	Source	Version
private	github.com/cisagov/distributed-subnets-tf-module	n/a
public	github.com/cisagov/distributed-subnets-tf-module	n/a
read_terraform_state	github.com/cisagov/terraform-state-read-role-tf-module	n/a
vpc_flow_logs	trussworks/vpc-flow-logs/aws	>=2.0.0, <2.1.0

Resources

Name	Type
aws_default_route_table.public	resource
aws_ec2_transit_gateway_route.userservices_routes	resource
aws_ec2_transit_gateway_vpc_attachment.userservices	resource
aws_eip.nat_gw_eips	resource
aws_iam_policy.provisionnetworking_policy	resource
aws_iam_role_policy_attachment.provisionnetworking_policy_attachment	resource
aws_internet_gateway.userservices	resource
aws_nat_gateway.nat_gws	resource
aws_route.cool_route	resource
aws_route.cool_routes	resource
aws_route.external_route	resource
aws_route.external_routes	resource
aws_route_table.private_route_tables	resource
aws_route_table_association.private_route_table_associations	resource
aws_vpc.userservices	resource
aws_caller_identity.current	data source
aws_caller_identity.userservices	data source
aws_iam_policy_document.provisionnetworking_policy_doc	data source
aws_organizations_organization.cool	data source
terraform_remote_state.master	data source
terraform_remote_state.sharedservices	data source
terraform_remote_state.sharedservices_networking	data source
terraform_remote_state.terraform	data source
terraform_remote_state.users	data source
terraform_remote_state.userservices	data source

Inputs

Name	Description	Type	Default	Required
aws_region	The AWS region to deploy into (e.g. us-east-1).	string	"us-east-1"	no
cool_cidr_block	The overall CIDR block associated with the COOL (e.g. "10.128.0.0/9").	string	n/a	yes
private_subnet_cidr_blocks	The CIDR blocks corresponding to the private subnets to be associated with the VPC (e.g. ["10.10.0.0/24", "10.10.1.0/24"]). This list must be the same length as public_subnet_cidr_blocks, since each private subnet will be assigned a NAT gateway in a public subnet in the same Availability Zone.	list(string)	n/a	yes
provisionnetworking_policy_description	The description to associate with the IAM policy that allows provisioning of the networking layer in the User Services account.	string	"Allows provisioning of the networking layer in the User Services account."	no
provisionnetworking_policy_name	The name to assign the IAM policy that allows provisioning of the networking layer in the User Services account.	string	"ProvisionNetworking"	no
public_subnet_cidr_blocks	The CIDR blocks corresponding to the public subnets to be associated with the VPC (e.g. ["10.10.0.0/24", "10.10.1.0/24"]). This list must be the same length as private_subnet_cidr_blocks, since each private subnet will be assigned a NAT gateway in a public subnet in the same Availability Zone.	list(string)	n/a	yes
read_terraform_state_role_name	The name to assign the IAM role (as well as the corresponding policy) that allows read-only access to the cool-userservices-networking state in the S3 bucket where Terraform state is stored.	string	"ReadUserServicesNetworkingTerraformState"	no
tags	Tags to apply to all AWS resources created.	map(string)	{}	no
vpc_cidr_block	The overall CIDR block to be associated with the VPC (e.g. "10.10.0.0/16").	string	n/a	yes

Outputs

Name	Description
private_subnet_nat_gws	The NAT gateways used in the private subnets in the VPC.
private_subnets	The private subnets in the VPC.
public_subnets	The public subnets in the VPC.
read_terraform_state	The IAM policies and role that allow read-only access to the cool-userservices-networking state in the Terraform state bucket.
vpc	The User Services VPC.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is just the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.