locals {
  # Whether a Transit Gateway can be looked up with the data source below.
  # This deliberately repeats the logic of local.transit_gateway_id instead of
  # referencing it: it depends only on variables, so it can drive `count`
  # without the "count value depends on resource attributes" error.
  lookup_transit_gateway = module.this.enabled && (
    (var.existing_transit_gateway_id != null && var.existing_transit_gateway_id != "") ||
    var.create_transit_gateway
  )

  # Transit Gateway that all attachments and routes in this module target.
  # A non-empty existing ID takes precedence over the gateway created here;
  # null when neither is configured.
  transit_gateway_id = (
    var.existing_transit_gateway_id != null && var.existing_transit_gateway_id != ""
    ? var.existing_transit_gateway_id
    : (module.this.enabled && var.create_transit_gateway ? aws_ec2_transit_gateway.default[0].id : null)
  )

  # Inspection route table that associations, propagations and static routes
  # are written to; same precedence rule as transit_gateway_id.
  transit_gateway_route_table_id = (
    var.existing_transit_gateway_inspection_route_table_id != null && var.existing_transit_gateway_inspection_route_table_id != ""
    ? var.existing_transit_gateway_inspection_route_table_id
    : (module.this.enabled && var.create_transit_gateway_route_table ? aws_ec2_transit_gateway_route_table.default[0].id : null)
  )
}
# The Transit Gateway itself; only created when the caller did not pass an
# existing one (see local.transit_gateway_id).
resource "aws_ec2_transit_gateway" "default" {
  count = module.this.enabled && var.create_transit_gateway ? 1 : 0

  amazon_side_asn             = var.amazon_side_asn
  transit_gateway_cidr_blocks = var.transit_gateway_cidr_blocks
  description                 = var.transit_gateway_description == "" ? format("%s Transit Gateway", module.this.id) : var.transit_gateway_description

  # Trust boundary settings, all caller-controlled:
  # - auto_accept_shared_attachments: when enabled, attachments requested from
  #   accounts this gateway is shared with are accepted without manual review.
  # - default_route_table_association / _propagation: when enabled, every new
  #   attachment is automatically placed in the default route table and can
  #   reach every other attachment there. An inspection topology normally
  #   disables both so that only the explicit associations/propagations in
  #   this module apply.
  auto_accept_shared_attachments  = var.auto_accept_shared_attachments
  default_route_table_association = var.default_route_table_association
  default_route_table_propagation = var.default_route_table_propagation

  dns_support      = var.dns_support
  vpn_ecmp_support = var.vpn_ecmp_support

  tags = module.this.tags
}
# Inspection route table. Only created when the caller did not pass an
# existing one (see local.transit_gateway_route_table_id).
resource "aws_ec2_transit_gateway_route_table" "default" {
  count = module.this.enabled && var.create_transit_gateway_route_table ? 1 : 0

  transit_gateway_id = local.transit_gateway_id

  # Optional explicit Name tag on top of the null-label tags.
  tags = (
    var.transit_gateway_inspection_route_table_name_override != null
    ? merge(module.this.tags, { "Name" = "${var.transit_gateway_inspection_route_table_name_override}" })
    : module.this.tags
  )
}
# Need to find out if VPC is in same account as Transit Gateway.
# See resource "aws_ec2_transit_gateway_vpc_attachment" below.
# Read back the Transit Gateway (created or existing) so that its owner_id can
# be compared with each VPC's owner_id in the attachment resource below.
data "aws_ec2_transit_gateway" "this" {
  count = local.lookup_transit_gateway ? 1 : 0

  id = local.transit_gateway_id
}
# Owner lookup for every VPC this module attaches itself (entries that bring
# their own transit_gateway_vpc_attachment_id are skipped; that attachment
# already exists and is not managed here).
data "aws_vpc" "default" {
  for_each = (
    module.this.enabled && var.create_transit_gateway_vpc_attachment && var.config != null
    ? { for key, cfg in var.config : key => cfg if cfg.transit_gateway_vpc_attachment_id == null }
    : {}
  )

  id = each.value["vpc_id"]
}
# One VPC attachment per `var.config` entry that does not supply its own
# attachment ID. Must use the same key set as data.aws_vpc.default, which is
# indexed by each.key below.
resource "aws_ec2_transit_gateway_vpc_attachment" "default" {
  for_each = (
    module.this.enabled && var.create_transit_gateway_vpc_attachment && var.config != null
    ? { for key, cfg in var.config : key => cfg if cfg.transit_gateway_vpc_attachment_id == null }
    : {}
  )

  transit_gateway_id = local.transit_gateway_id
  vpc_id             = each.value["vpc_id"]
  subnet_ids         = each.value["subnet_ids"]

  # Provider quirk: these two arguments must be `false` when the VPC lives in
  # the same account as the Transit Gateway and `null` otherwise (a cross-account
  # attachment cannot set them).
  # https://github.com/terraform-providers/terraform-provider-aws/issues/13512
  # https://github.com/terraform-providers/terraform-provider-aws/issues/8383
  # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment
  # Keeping them `false` also prevents the attachment from silently joining the
  # gateway's default route table; membership is granted only through the
  # explicit association/propagation resources below.
  transit_gateway_default_route_table_association = data.aws_ec2_transit_gateway.this[0].owner_id == data.aws_vpc.default[each.key].owner_id ? false : null
  transit_gateway_default_route_table_propagation = data.aws_ec2_transit_gateway.this[0].owner_id == data.aws_vpc.default[each.key].owner_id ? false : null

  # Appliance mode keeps both directions of a flow on the same AZ, which
  # stateful inspection appliances behind this attachment need.
  appliance_mode_support = var.vpc_attachment_appliance_mode_support
  dns_support            = var.vpc_attachment_dns_support
  ipv6_support           = var.vpc_attachment_ipv6_support

  tags = merge(module.this.tags, { "Name" = "${module.this.id}-${each.key}-vpc-attachment" })
}
# Allow traffic from the VPC attachments to the Transit Gateway
# Associate each attachment with the inspection route table so that traffic
# leaving that VPC is routed by this table. Only entries with
# attach_to_transit_route_table == false are selected; a null value is treated
# as "not selected", same as true.
resource "aws_ec2_transit_gateway_route_table_association" "default" {
  for_each = (
    module.this.enabled && var.create_transit_gateway_inspection_route_table_association && var.config != null
    ? { for key, cfg in var.config : key => cfg if cfg.attach_to_transit_route_table == false }
    : {}
  )

  # Prefer a caller-supplied attachment ID; otherwise the one created above.
  transit_gateway_attachment_id  = each.value["transit_gateway_vpc_attachment_id"] != null ? each.value["transit_gateway_vpc_attachment_id"] : aws_ec2_transit_gateway_vpc_attachment.default[each.key]["id"]
  transit_gateway_route_table_id = local.transit_gateway_route_table_id
}
# Allow traffic from the Transit Gateway to the VPC attachments
# Propagations will create propagated routes
# Propagate each attachment's VPC CIDR into the inspection route table so the
# gateway can route return traffic back to that VPC. Propagated routes rank
# below the static routes added by module.transit_gateway_route.
resource "aws_ec2_transit_gateway_route_table_propagation" "default" {
  for_each = (
    module.this.enabled && var.create_transit_gateway_inspection_route_table_propagation && var.config != null
    ? { for key, cfg in var.config : key => cfg if cfg.attach_to_transit_route_table == false }
    : {}
  )

  # Prefer a caller-supplied attachment ID; otherwise the one created above.
  transit_gateway_attachment_id  = each.value["transit_gateway_vpc_attachment_id"] != null ? each.value["transit_gateway_vpc_attachment_id"] : aws_ec2_transit_gateway_vpc_attachment.default[each.key]["id"]
  transit_gateway_route_table_id = local.transit_gateway_route_table_id
}
# Static Transit Gateway routes
# Static routes have a higher precedence than propagated routes
# https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
# https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html
# Static routes in the inspection route table, one submodule instance per
# `var.config` entry (including entries without inspection_static_routes,
# which get an empty list). Because static routes win over propagated ones,
# an entry here overrides the propagated path for that destination — review
# additions with that in mind.
module "transit_gateway_route" {
  source = "./modules/transit_gateway_route"

  for_each = module.this.enabled && var.create_transit_gateway_inspection_route_table_static_route && var.config != null ? var.config : {}

  transit_gateway_route_table_id = local.transit_gateway_route_table_id
  transit_gateway_attachment_id  = each.value["transit_gateway_vpc_attachment_id"] != null ? each.value["transit_gateway_vpc_attachment_id"] : aws_ec2_transit_gateway_vpc_attachment.default[each.key]["id"]
  route_config                   = each.value["inspection_static_routes"] != null ? each.value["inspection_static_routes"] : []

  depends_on = [
    aws_ec2_transit_gateway_vpc_attachment.default,
    aws_ec2_transit_gateway_route_table.default,
  ]
}
# Create routes in the subnets' route tables to route traffic from subnets to the Transit Gateway VPC attachments
# Only route to VPCs of the environments defined in `route_to` attribute
# VPC-side routes pointing at the Transit Gateway, for every entry attached to
# the inspection route table. Destinations default to the vpc_cidr of the
# `route_to` peers that also exist in var.config; a caller-supplied
# route_to_cidr_blocks list replaces that derivation entirely, so a broad
# block there sends correspondingly more traffic through the gateway.
module "subnet_route" {
  source = "./modules/subnet_route"

  for_each = (
    module.this.enabled && var.create_transit_gateway_vpc_attachment && var.config != null
    ? { for key, cfg in var.config : key => cfg if cfg.attach_to_transit_route_table == false }
    : {}
  )

  transit_gateway_id = local.transit_gateway_id
  route_table_ids    = each.value["subnet_route_table_ids"] != null ? each.value["subnet_route_table_ids"] : []
  route_keys_enabled = var.route_keys_enabled

  destination_cidr_blocks = (
    each.value["route_to_cidr_blocks"] != null
    ? each.value["route_to_cidr_blocks"]
    : [
      for peer in setintersection(keys(var.config), (each.value["route_to"] != null ? each.value["route_to"] : []))
      : var.config[peer]["vpc_cidr"]
    ]
  )

  depends_on = [
    aws_ec2_transit_gateway.default,
    data.aws_ec2_transit_gateway.this,
    aws_ec2_transit_gateway_vpc_attachment.default,
  ]
}
# Create routes in the subnets' route tables to route traffic from subnets to the Transit Gateway VPC attachments
# These routes are defined directly via `var.subnet_route_to_transit_gateway` (route table IDs and destination CIDR blocks)
# Additional VPC-side routes to the Transit Gateway that are not derived from
# var.config: the caller names route tables and destination CIDR blocks
# explicitly in var.subnet_route_to_transit_gateway.
module "extra_subnet_route" {
  source = "./modules/subnet_route"

  for_each = module.this.enabled && var.subnet_route_to_transit_gateway != null ? var.subnet_route_to_transit_gateway : {}

  transit_gateway_id      = local.transit_gateway_id
  route_keys_enabled      = var.route_keys_enabled
  route_table_ids         = each.value["subnet_route_table_ids"] != null ? each.value["subnet_route_table_ids"] : []
  destination_cidr_blocks = each.value["cidr_blocks"] != null ? each.value["cidr_blocks"] : []

  depends_on = [
    aws_ec2_transit_gateway.default,
    data.aws_ec2_transit_gateway.this,
    aws_ec2_transit_gateway_vpc_attachment.default,
  ]
}
# Requester side of a Transit Gateway peering. Each entry names the peer
# account, region and gateway; the peer must still accept the request, so
# this alone does not open a path.
resource "aws_ec2_transit_gateway_peering_attachment" "default" {
  for_each = (
    module.this.enabled && var.create_transit_gateway_peering_attachment && var.transit_gateway_peering_attachment_config != null
    ? var.transit_gateway_peering_attachment_config
    : {}
  )

  transit_gateway_id      = local.transit_gateway_id
  peer_transit_gateway_id = each.value["peer_transit_gateway_id"]
  peer_account_id         = each.value["peer_account_id"]
  peer_region             = each.value["peer_region"]

  tags = merge(module.this.tags, { "Name" = "${module.this.id}-${each.key}-peering-attachment" })
}
# Accepter side of a Transit Gateway peering. Accepting an attachment ID here
# completes a (possibly cross-account) peering; nothing in this resource checks
# which account or gateway requested it, so the IDs placed in
# var.transit_gateway_peering_attachment_accepter_config should be confirmed
# against the expected peer before apply.
resource "aws_ec2_transit_gateway_peering_attachment_accepter" "default" {
  for_each = (
    module.this.enabled && var.create_transit_gateway_peering_attachment_accepter && var.transit_gateway_peering_attachment_accepter_config != null
    ? var.transit_gateway_peering_attachment_accepter_config
    : {}
  )

  transit_gateway_attachment_id = each.value["transit_gateway_attachment_id"]

  tags = merge(module.this.tags, { "Name" = "${module.this.id}-${each.key}-peering-attachment-accepter" })
}