From b2c47ac4b6cbf0228e79556af93221a82b11070a Mon Sep 17 00:00:00 2001
From: wiseelf
Date: Tue, 22 Apr 2025 12:53:44 +0200
Subject: [PATCH 1/3] feat: New CloudWAN and Transit Gateway subnets

---
 README.md | 94 +++++++++++++
 main.tf | 373 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 outputs.tf | 150 +++++++++++++++++++++
 variables.tf | 316 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 932 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ffe631e3..70f9fcfc 100644
--- a/README.md
+++ b/README.md
@@ -275,7 +275,9 @@ No modules.
 |------|------|
 | [aws_cloudwatch_log_group.flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_customer_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource |
+| [aws_db_subnet_group.cwan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_db_subnet_group.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
+| [aws_db_subnet_group.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_default_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource |
 | [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
 | [aws_default_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
@@ -289,6 +291,7 @@ No modules.
 | [aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
+| [aws_network_acl.cwan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
@@ -296,6 +299,9 @@ No modules.
 | [aws_network_acl.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl_rule.cwan_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.cwan_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.database_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.database_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.elasticache_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
@@ -310,7 +316,13 @@ No modules.
 | [aws_network_acl_rule.public_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.redshift_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.redshift_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.tgw_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.tgw_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_redshift_subnet_group.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_subnet_group) | resource |
+| [aws_route.cwan_dns64_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.cwan_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.cwan_ipv6_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.cwan_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.database_dns64_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.database_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.database_ipv6_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
@@ -320,12 +332,19 @@ No modules.
 | [aws_route.private_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.public_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.public_internet_gateway_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.tgw_dns64_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.tgw_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.tgw_ipv6_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.tgw_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route_table.cwan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| 
[aws_route_table_association.cwan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
@@ -334,6 +353,8 @@ No modules.
 | [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.redshift_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_subnet.cwan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
@@ -341,6 +362,7 @@ No modules.
 | [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
 | [aws_vpc_block_public_access_exclusion.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_block_public_access_exclusion) | resource |
 | [aws_vpc_block_public_access_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_block_public_access_options) | resource |
@@ -365,6 +387,10 @@ No modules.
 | [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN | `string` | `"64512"` | no |
 | [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
 | [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `"10.0.0.0/16"` | no |
+| [create\_cwan\_internet\_gateway\_route](#input\_create\_cwan\_internet\_gateway\_route) | Controls if an internet gateway route for public CloudWAN access should be created | `bool` | `false` | no |
+| [create\_cwan\_nat\_gateway\_route](#input\_create\_cwan\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the CloudWAN subnets | `bool` | `false` | no |
+| [create\_cwan\_subnet\_group](#input\_create\_cwan\_subnet\_group) | Controls if CloudWAN subnet group should be created (n.b. cwan\_subnets must also be set) | `bool` | `true` | no |
+| [create\_cwan\_subnet\_route\_table](#input\_create\_cwan\_subnet\_route\_table) | Controls if separate route table for CloudWAN should be created | `bool` | `false` | no |
 | [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
 | [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
 | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Controls if database subnet group should be created (n.b. database\_subnets must also be set) | `bool` | `true` | no |
@@ -380,10 +406,32 @@ No modules.
 | [create\_private\_nat\_gateway\_route](#input\_create\_private\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the private subnets | `bool` | `true` | no |
 | [create\_redshift\_subnet\_group](#input\_create\_redshift\_subnet\_group) | Controls if redshift subnet group should be created | `bool` | `true` | no |
 | [create\_redshift\_subnet\_route\_table](#input\_create\_redshift\_subnet\_route\_table) | Controls if separate route table for redshift should be created | `bool` | `false` | no |
+| [create\_tgw\_internet\_gateway\_route](#input\_create\_tgw\_internet\_gateway\_route) | Controls if an internet gateway route for public transit gateway access should be created | `bool` | `false` | no |
+| [create\_tgw\_nat\_gateway\_route](#input\_create\_tgw\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the transit gateway subnets | `bool` | `false` | no |
+| [create\_tgw\_subnet\_group](#input\_create\_tgw\_subnet\_group) | Controls if transit gateway subnet group should be created (n.b. tgw\_subnets must also be set) | `bool` | `true` | no |
+| [create\_tgw\_subnet\_route\_table](#input\_create\_tgw\_subnet\_route\_table) | Controls if separate route table for transit gateway should be created | `bool` | `false` | no |
 | [create\_vpc](#input\_create\_vpc) | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no |
 | [customer\_gateway\_tags](#input\_customer\_gateway\_tags) | Additional tags for the Customer Gateway | `map(string)` | `{}` | no |
 | [customer\_gateways](#input\_customer\_gateways) | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | `map(map(any))` | `{}` | no |
 | [customer\_owned\_ipv4\_pool](#input\_customer\_owned\_ipv4\_pool) | The customer owned IPv4 address pool. 
Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured | `string` | `null` | no |
+| [cwan\_acl\_tags](#input\_cwan\_acl\_tags) | Additional tags for the CloudWAN subnets network ACL | `map(string)` | `{}` | no |
+| [cwan\_dedicated\_network\_acl](#input\_cwan\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for CloudWAN subnets | `bool` | `false` | no |
+| [cwan\_inbound\_acl\_rules](#input\_cwan\_inbound\_acl\_rules) | Transti Gateway subnets inbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [cwan\_outbound\_acl\_rules](#input\_cwan\_outbound\_acl\_rules) | CloudWAN subnets outbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [cwan\_route\_table\_tags](#input\_cwan\_route\_table\_tags) | Additional tags for the CloudWAN route tables | `map(string)` | `{}` | no |
+| [cwan\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_cwan\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
+| [cwan\_subnet\_enable\_dns64](#input\_cwan\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
+| [cwan\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_cwan\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
+| [cwan\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_cwan\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
+| [cwan\_subnet\_group\_name](#input\_cwan\_subnet\_group\_name) | Name of CloudWAN subnet group | `string` | `null` | no |
+| [cwan\_subnet\_group\_tags](#input\_cwan\_subnet\_group\_tags) | Additional tags for the CloudWAN subnet group | `map(string)` | `{}` | no |
+| [cwan\_subnet\_ipv6\_native](#input\_cwan\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
+| [cwan\_subnet\_ipv6\_prefixes](#input\_cwan\_subnet\_ipv6\_prefixes) | Assigns IPv6 CloudWAN subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). 
Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [cwan\_subnet\_names](#input\_cwan\_subnet\_names) | Explicit values to use in the Name tag on CloudWAN subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
+| [cwan\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_cwan\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
+| [cwan\_subnet\_suffix](#input\_cwan\_subnet\_suffix) | Suffix to append to CloudWAN subnets name | `string` | `"db"` | no |
+| [cwan\_subnet\_tags](#input\_cwan\_subnet\_tags) | Additional tags for the CloudWAN subnets | `map(string)` | `{}` | no |
+| [cwan\_subnets](#input\_cwan\_subnets) | A list of CloudWAN subnets inside the VPC | `list(string)` | `[]` | no |
 | [database\_acl\_tags](#input\_database\_acl\_tags) | Additional tags for the database subnets network ACL | `map(string)` | `{}` | no |
 | [database\_dedicated\_network\_acl](#input\_database\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for database subnets | `bool` | `false` | no |
 | [database\_inbound\_acl\_rules](#input\_database\_inbound\_acl\_rules) | Database subnets inbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
@@ -583,6 +631,24 @@ No modules.
 | [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
 | [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
 | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| [tgw\_acl\_tags](#input\_tgw\_acl\_tags) | Additional tags for the transit gateway subnets network ACL | `map(string)` | `{}` | no |
+| [tgw\_dedicated\_network\_acl](#input\_tgw\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for transit gateway subnets | `bool` | `false` | no |
+| [tgw\_inbound\_acl\_rules](#input\_tgw\_inbound\_acl\_rules) | Transti Gateway subnets inbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [tgw\_outbound\_acl\_rules](#input\_tgw\_outbound\_acl\_rules) | Transit Gateway subnets outbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [tgw\_route\_table\_tags](#input\_tgw\_route\_table\_tags) | Additional tags for the transit gateway route tables | `map(string)` | `{}` | no |
+| [tgw\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_tgw\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
+| [tgw\_subnet\_enable\_dns64](#input\_tgw\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
+| [tgw\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_tgw\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
+| [tgw\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_tgw\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
+| [tgw\_subnet\_group\_name](#input\_tgw\_subnet\_group\_name) | Name of transit gateway subnet group | `string` | `null` | no |
+| [tgw\_subnet\_group\_tags](#input\_tgw\_subnet\_group\_tags) | Additional tags for the transit gateway subnet group | `map(string)` | `{}` | no |
+| [tgw\_subnet\_ipv6\_native](#input\_tgw\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
+| [tgw\_subnet\_ipv6\_prefixes](#input\_tgw\_subnet\_ipv6\_prefixes) | Assigns IPv6 transit gateway subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). 
Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [tgw\_subnet\_names](#input\_tgw\_subnet\_names) | Explicit values to use in the Name tag on transit gateway subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
+| [tgw\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_tgw\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
+| [tgw\_subnet\_suffix](#input\_tgw\_subnet\_suffix) | Suffix to append to transit gateway subnets name | `string` | `"db"` | no |
+| [tgw\_subnet\_tags](#input\_tgw\_subnet\_tags) | Additional tags for the transit gateway subnets | `map(string)` | `{}` | no |
+| [tgw\_subnets](#input\_tgw\_subnets) | A list of transit gateway subnets inside the VPC | `list(string)` | `[]` | no |
 | [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no |
 | [vpc\_block\_public\_access\_exclusions](#input\_vpc\_block\_public\_access\_exclusions) | A map of VPC block public access exclusions | `map(any)` | `{}` | no |
 | [vpc\_block\_public\_access\_options](#input\_vpc\_block\_public\_access\_options) | A map of VPC block public access options | `map(string)` | `{}` | no |
@@ -604,6 +670,20 @@ No modules.
 | [azs](#output\_azs) | A list of availability zones specified as argument to this module |
 | [cgw\_arns](#output\_cgw\_arns) | List of ARNs of Customer Gateway |
 | [cgw\_ids](#output\_cgw\_ids) | List of IDs of Customer Gateway |
+| [cwan\_internet\_gateway\_route\_id](#output\_cwan\_internet\_gateway\_route\_id) | ID of the CloudWAN internet gateway route |
+| [cwan\_ipv6\_egress\_route\_id](#output\_cwan\_ipv6\_egress\_route\_id) | ID of the CloudWAN IPv6 egress route |
+| [cwan\_nat\_gateway\_route\_ids](#output\_cwan\_nat\_gateway\_route\_ids) | List of IDs of the CloudWAN nat gateway route |
+| [cwan\_network\_acl\_arn](#output\_cwan\_network\_acl\_arn) | ARN of the CloudWAN network ACL |
+| [cwan\_network\_acl\_id](#output\_cwan\_network\_acl\_id) | ID of the CloudWAN network ACL |
+| [cwan\_route\_table\_association\_ids](#output\_cwan\_route\_table\_association\_ids) | List of IDs of the CloudWAN route table association |
+| [cwan\_route\_table\_ids](#output\_cwan\_route\_table\_ids) | List of IDs of CloudWAN route tables |
+| [cwan\_subnet\_arns](#output\_cwan\_subnet\_arns) | List of ARNs of CloudWAN subnets |
+| [cwan\_subnet\_group](#output\_cwan\_subnet\_group) | ID of CloudWAN subnet group |
+| [cwan\_subnet\_group\_name](#output\_cwan\_subnet\_group\_name) | Name of CloudWAN subnet group |
+| [cwan\_subnet\_objects](#output\_cwan\_subnet\_objects) | A list of all CloudWAN subnets, containing the full objects. 
|
+| [cwan\_subnets](#output\_cwan\_subnets) | List of IDs of CloudWAN subnets |
+| [cwan\_subnets\_cidr\_blocks](#output\_cwan\_subnets\_cidr\_blocks) | List of cidr\_blocks of CloudWAN subnets |
+| [cwan\_subnets\_ipv6\_cidr\_blocks](#output\_cwan\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of CloudWAN subnets in an IPv6 enabled VPC |
 | [database\_internet\_gateway\_route\_id](#output\_database\_internet\_gateway\_route\_id) | ID of the database internet gateway route |
 | [database\_ipv6\_egress\_route\_id](#output\_database\_ipv6\_egress\_route\_id) | ID of the database IPv6 egress route |
 | [database\_nat\_gateway\_route\_ids](#output\_database\_nat\_gateway\_route\_ids) | List of IDs of the database nat gateway route |
@@ -700,6 +780,20 @@ No modules.
 | [redshift\_subnets](#output\_redshift\_subnets) | List of IDs of redshift subnets |
 | [redshift\_subnets\_cidr\_blocks](#output\_redshift\_subnets\_cidr\_blocks) | List of cidr\_blocks of redshift subnets |
 | [redshift\_subnets\_ipv6\_cidr\_blocks](#output\_redshift\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of redshift subnets in an IPv6 enabled VPC |
+| [tgw\_internet\_gateway\_route\_id](#output\_tgw\_internet\_gateway\_route\_id) | ID of the transit gateway internet gateway route |
+| [tgw\_ipv6\_egress\_route\_id](#output\_tgw\_ipv6\_egress\_route\_id) | ID of the transit gateway IPv6 egress route |
+| [tgw\_nat\_gateway\_route\_ids](#output\_tgw\_nat\_gateway\_route\_ids) | List of IDs of the transit gateway nat gateway route |
+| [tgw\_network\_acl\_arn](#output\_tgw\_network\_acl\_arn) | ARN of the transit gateway network ACL |
+| [tgw\_network\_acl\_id](#output\_tgw\_network\_acl\_id) | ID of the transit gateway network ACL |
+| [tgw\_route\_table\_association\_ids](#output\_tgw\_route\_table\_association\_ids) | List of IDs of the transit gateway route table association |
+| [tgw\_route\_table\_ids](#output\_tgw\_route\_table\_ids) | List of IDs of transit gateway route tables |
+| [tgw\_subnet\_arns](#output\_tgw\_subnet\_arns) | List of ARNs of transit gateway subnets |
+| [tgw\_subnet\_group](#output\_tgw\_subnet\_group) | ID of transit gateway subnet group |
+| [tgw\_subnet\_group\_name](#output\_tgw\_subnet\_group\_name) | Name of transit gateway subnet group |
+| [tgw\_subnet\_objects](#output\_tgw\_subnet\_objects) | A list of all transit gateway subnets, containing the full objects. 
|
+| [tgw\_subnets](#output\_tgw\_subnets) | List of IDs of transit gateway subnets |
+| [tgw\_subnets\_cidr\_blocks](#output\_tgw\_subnets\_cidr\_blocks) | List of cidr\_blocks of transit gateway subnets |
+| [tgw\_subnets\_ipv6\_cidr\_blocks](#output\_tgw\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of transit gateway subnets in an IPv6 enabled VPC |
 | [this\_customer\_gateway](#output\_this\_customer\_gateway) | Map of Customer Gateway attributes |
 | [vgw\_arn](#output\_vgw\_arn) | The ARN of the VPN Gateway |
 | [vgw\_id](#output\_vgw\_id) | The ID of the VPN Gateway |
diff --git a/main.tf b/main.tf
index 618aa2c1..d12f63a8 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,8 @@ locals {
 len_redshift_subnets = max(length(var.redshift_subnets), length(var.redshift_subnet_ipv6_prefixes))
 len_intra_subnets = max(length(var.intra_subnets), length(var.intra_subnet_ipv6_prefixes))
 len_outpost_subnets = max(length(var.outpost_subnets), length(var.outpost_subnet_ipv6_prefixes))
+ len_tgw_subnets = max(length(var.tgw_subnets), length(var.tgw_subnet_ipv6_prefixes))
+ len_cwan_subnets = max(length(var.cwan_subnets), length(var.cwan_subnet_ipv6_prefixes))
 
 max_subnet_length = max(
 local.len_private_subnets,
@@ -13,6 +15,8 @@ locals {
 local.len_elasticache_subnets,
 local.len_database_subnets,
 local.len_redshift_subnets,
+ local.len_tgw_subnets,
+ local.len_cwan_subnets,
 )
 
 # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free!
@@ -78,7 +82,9 @@ resource "aws_vpc_block_public_access_exclusion" "this" {
 redshift = aws_subnet.redshift[*].id,
 elasticache = aws_subnet.elasticache[*].id,
 intra = aws_subnet.intra[*].id,
- outpost = aws_subnet.outpost[*].id
+ outpost = aws_subnet.outpost[*].id,
+ tgw = aws_subnet.tgw[*].id,
+ cwan = aws_subnet.cwan[*].id
 },
 each.value.subnet_type,
 null
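Review bot: Adding `local.len_tgw_subnets` and `local.len_cwan_subnets` to `max_subnet_length` in the second main.tf hunk changes a value that presumably sizes the NAT gateway count when `single_nat_gateway` is off (its consumer is outside the hunk), so a caller that declares more transit gateway or CloudWAN subnets than private subnets would get additional NAT gateways by default even though the README rows above give `create_tgw_nat_gateway_route` and `create_cwan_nat_gateway_route` a default of `false`. Intra and outpost subnets are not part of the same `max(...)`, and they look like the closer precedent for attachment subnets that rarely need their own NAT egress. Either leave the two new entries out, or keep them and record the intent next to them with a comment such as `# tgw/cwan lengths feed max_subnet_length so NAT gateways cover them when *_nat_gateway_route is enabled`. The `locals` block that holds this expression begins before the hunk and the place `max_subnet_length` is read is outside it.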
@@ -1044,6 +1050,371 @@ resource "aws_network_acl_rule" "outpost_outbound" { ipv6_cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } +################################################################################ +# Transit Gateway Subnets +################################################################################ + +locals { + create_tgw_subnets = local.create_vpc && local.len_tgw_subnets > 0 + create_tgw_route_table = local.create_tgw_subnets && var.create_tgw_subnet_route_table +} + +resource "aws_subnet" "tgw" { + count = local.create_tgw_subnets ? local.len_tgw_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.tgw_subnet_ipv6_native ? true : var.tgw_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.tgw_subnet_ipv6_native ? null : element(concat(var.tgw_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.tgw_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.tgw_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.tgw_subnet_ipv6_native && var.tgw_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.tgw_subnet_ipv6_prefixes) > 0 ? 
cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.tgw_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.tgw_subnet_ipv6_native + private_dns_hostname_type_on_launch = var.tgw_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id + + tags = merge( + { + Name = try( + var.tgw_subnet_names[count.index], + format("${var.name}-${var.tgw_subnet_suffix}-%s", element(var.azs, count.index), ) + ) + }, + var.tags, + var.tgw_subnet_tags, + ) +} + +resource "aws_db_subnet_group" "tgw" { + count = local.create_tgw_subnets && var.create_tgw_subnet_group ? 1 : 0 + + name = lower(coalesce(var.tgw_subnet_group_name, var.name)) + description = "tgw subnet group for ${var.name}" + subnet_ids = aws_subnet.tgw[*].id + + tags = merge( + { + "Name" = lower(coalesce(var.tgw_subnet_group_name, var.name)) + }, + var.tags, + var.tgw_subnet_group_tags, + ) +} + +resource "aws_route_table" "tgw" { + count = local.create_tgw_route_table ? var.single_nat_gateway || var.create_tgw_internet_gateway_route ? 1 : local.len_tgw_subnets : 0 + + vpc_id = local.vpc_id + + tags = merge( + { + "Name" = var.single_nat_gateway || var.create_tgw_internet_gateway_route ? "${var.name}-${var.tgw_subnet_suffix}" : format( + "${var.name}-${var.tgw_subnet_suffix}-%s", + element(var.azs, count.index), + ) + }, + var.tags, + var.tgw_route_table_tags, + ) +} + +resource "aws_route_table_association" "tgw" { + count = local.create_tgw_subnets ? local.len_tgw_subnets : 0 + + subnet_id = element(aws_subnet.tgw[*].id, count.index) + route_table_id = element( + coalescelist(aws_route_table.tgw[*].id, aws_route_table.private[*].id), + var.create_tgw_subnet_route_table ? var.single_nat_gateway || var.create_tgw_internet_gateway_route ? 0 : count.index : count.index, + ) +} + +resource "aws_route" "tgw_internet_gateway" { + count = local.create_tgw_route_table && var.create_igw && var.create_tgw_internet_gateway_route && !var.create_tgw_nat_gateway_route ? 
1 : 0 + + route_table_id = aws_route_table.tgw[0].id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.this[0].id + + timeouts { + create = "5m" + } +} + +resource "aws_route" "tgw_nat_gateway" { + count = local.create_tgw_route_table && !var.create_tgw_internet_gateway_route && var.create_tgw_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : local.len_tgw_subnets : 0 + + route_table_id = element(aws_route_table.tgw[*].id, count.index) + destination_cidr_block = "0.0.0.0/0" + nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index) + + timeouts { + create = "5m" + } +} + +resource "aws_route" "tgw_dns64_nat_gateway" { + count = local.create_tgw_route_table && !var.create_tgw_internet_gateway_route && var.create_tgw_nat_gateway_route && var.enable_nat_gateway && var.enable_ipv6 && var.private_subnet_enable_dns64 ? var.single_nat_gateway ? 1 : local.len_tgw_subnets : 0 + + route_table_id = element(aws_route_table.tgw[*].id, count.index) + destination_ipv6_cidr_block = "64:ff9b::/96" + nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index) + + timeouts { + create = "5m" + } +} + +resource "aws_route" "tgw_ipv6_egress" { + count = local.create_tgw_route_table && var.create_egress_only_igw && var.enable_ipv6 && var.create_tgw_internet_gateway_route ? 1 : 0 + + route_table_id = aws_route_table.tgw[0].id + destination_ipv6_cidr_block = "::/0" + egress_only_gateway_id = aws_egress_only_internet_gateway.this[0].id + + timeouts { + create = "5m" + } +} + +################################################################################ +# Transit Gateway Network ACLs +################################################################################ + +locals { + create_tgw_network_acl = local.create_tgw_subnets && var.tgw_dedicated_network_acl +} + +resource "aws_network_acl" "tgw" { + count = local.create_tgw_network_acl ? 
1 : 0 + + vpc_id = local.vpc_id + subnet_ids = aws_subnet.tgw[*].id + + tags = merge( + { "Name" = "${var.name}-${var.tgw_subnet_suffix}" }, + var.tags, + var.tgw_acl_tags, + ) +} + +resource "aws_network_acl_rule" "tgw_inbound" { + count = local.create_tgw_network_acl ? length(var.tgw_inbound_acl_rules) : 0 + + network_acl_id = aws_network_acl.tgw[0].id + + egress = false + rule_number = var.tgw_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.tgw_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.tgw_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.tgw_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.tgw_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.tgw_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.tgw_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.tgw_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.tgw_inbound_acl_rules[count.index], "ipv6_cidr_block", null) +} + +resource "aws_network_acl_rule" "tgw_outbound" { + count = local.create_tgw_network_acl ? 
length(var.tgw_outbound_acl_rules) : 0 + + network_acl_id = aws_network_acl.tgw[0].id + + egress = true + rule_number = var.tgw_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.tgw_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.tgw_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.tgw_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.tgw_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.tgw_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.tgw_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.tgw_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.tgw_outbound_acl_rules[count.index], "ipv6_cidr_block", null) +} + +################################################################################ +# CloudWAN Subnets +################################################################################ + +locals { + create_cwan_subnets = local.create_vpc && local.len_cwan_subnets > 0 + create_cwan_route_table = local.create_cwan_subnets && var.create_cwan_subnet_route_table +} + +resource "aws_subnet" "cwan" { + count = local.create_cwan_subnets ? local.len_cwan_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.cwan_subnet_ipv6_native ? true : var.cwan_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.cwan_subnet_ipv6_native ? 
null : element(concat(var.cwan_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.cwan_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.cwan_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.cwan_subnet_ipv6_native && var.cwan_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.cwan_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.cwan_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.cwan_subnet_ipv6_native + private_dns_hostname_type_on_launch = var.cwan_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id + + tags = merge( + { + Name = try( + var.cwan_subnet_names[count.index], + format("${var.name}-${var.cwan_subnet_suffix}-%s", element(var.azs, count.index), ) + ) + }, + var.tags, + var.cwan_subnet_tags, + ) +} + +resource "aws_db_subnet_group" "cwan" { + count = local.create_cwan_subnets && var.create_cwan_subnet_group ? 1 : 0 + + name = lower(coalesce(var.cwan_subnet_group_name, var.name)) + description = "CloudWAN subnet group for ${var.name}" + subnet_ids = aws_subnet.cwan[*].id + + tags = merge( + { + "Name" = lower(coalesce(var.cwan_subnet_group_name, var.name)) + }, + var.tags, + var.cwan_subnet_group_tags, + ) +} + +resource "aws_route_table" "cwan" { + count = local.create_cwan_route_table ? var.single_nat_gateway || var.create_cwan_internet_gateway_route ? 1 : local.len_cwan_subnets : 0 + + vpc_id = local.vpc_id + + tags = merge( + { + "Name" = var.single_nat_gateway || var.create_cwan_internet_gateway_route ? "${var.name}-${var.cwan_subnet_suffix}" : format( + "${var.name}-${var.cwan_subnet_suffix}-%s", + element(var.azs, count.index), + ) + }, + var.tags, + var.cwan_route_table_tags, + ) +} + +resource "aws_route_table_association" "cwan" { + count = local.create_cwan_subnets ? 
local.len_cwan_subnets : 0 + + subnet_id = element(aws_subnet.cwan[*].id, count.index) + route_table_id = element( + coalescelist(aws_route_table.cwan[*].id, aws_route_table.private[*].id), + var.create_cwan_subnet_route_table ? var.single_nat_gateway || var.create_cwan_internet_gateway_route ? 0 : count.index : count.index, + ) +} + +resource "aws_route" "cwan_internet_gateway" { + count = local.create_cwan_route_table && var.create_igw && var.create_cwan_internet_gateway_route && !var.create_cwan_nat_gateway_route ? 1 : 0 + + route_table_id = aws_route_table.cwan[0].id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.this[0].id + + timeouts { + create = "5m" + } +} + +resource "aws_route" "cwan_nat_gateway" { + count = local.create_cwan_route_table && !var.create_cwan_internet_gateway_route && var.create_cwan_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : local.len_cwan_subnets : 0 + + route_table_id = element(aws_route_table.cwan[*].id, count.index) + destination_cidr_block = "0.0.0.0/0" + nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index) + + timeouts { + create = "5m" + } +} + +resource "aws_route" "cwan_dns64_nat_gateway" { + count = local.create_cwan_route_table && !var.create_cwan_internet_gateway_route && var.create_cwan_nat_gateway_route && var.enable_nat_gateway && var.enable_ipv6 && var.private_subnet_enable_dns64 ? var.single_nat_gateway ? 1 : local.len_cwan_subnets : 0 + + route_table_id = element(aws_route_table.cwan[*].id, count.index) + destination_ipv6_cidr_block = "64:ff9b::/96" + nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index) + + timeouts { + create = "5m" + } +} + +resource "aws_route" "cwan_ipv6_egress" { + count = local.create_cwan_route_table && var.create_egress_only_igw && var.enable_ipv6 && var.create_cwan_internet_gateway_route ? 
1 : 0 + + route_table_id = aws_route_table.cwan[0].id + destination_ipv6_cidr_block = "::/0" + egress_only_gateway_id = aws_egress_only_internet_gateway.this[0].id + + timeouts { + create = "5m" + } +} + +################################################################################ +# cwan Network ACLs +################################################################################ + +locals { + create_cwan_network_acl = local.create_cwan_subnets && var.cwan_dedicated_network_acl +} + +resource "aws_network_acl" "cwan" { + count = local.create_cwan_network_acl ? 1 : 0 + + vpc_id = local.vpc_id + subnet_ids = aws_subnet.cwan[*].id + + tags = merge( + { "Name" = "${var.name}-${var.cwan_subnet_suffix}" }, + var.tags, + var.cwan_acl_tags, + ) +} + +resource "aws_network_acl_rule" "cwan_inbound" { + count = local.create_cwan_network_acl ? length(var.cwan_inbound_acl_rules) : 0 + + network_acl_id = aws_network_acl.cwan[0].id + + egress = false + rule_number = var.cwan_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.cwan_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.cwan_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.cwan_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.cwan_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.cwan_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.cwan_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.cwan_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.cwan_inbound_acl_rules[count.index], "ipv6_cidr_block", null) +} + +resource "aws_network_acl_rule" "cwan_outbound" { + count = local.create_cwan_network_acl ? 
length(var.cwan_outbound_acl_rules) : 0 + + network_acl_id = aws_network_acl.cwan[0].id + + egress = true + rule_number = var.cwan_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.cwan_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.cwan_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.cwan_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.cwan_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.cwan_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.cwan_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.cwan_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.cwan_outbound_acl_rules[count.index], "ipv6_cidr_block", null) +} + + ################################################################################ # Internet Gateway ################################################################################ diff --git a/outputs.tf b/outputs.tf index 1d1d2783..3bbe102a 100644 --- a/outputs.tf +++ b/outputs.tf 
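Review bot: In aws_route.tgw_dns64_nat_gateway (and the matching aws_route.cwan_dns64_nat_gateway) the `64:ff9b::/96` route is gated on `var.private_subnet_enable_dns64`, while the subnets themselves set `enable_dns64 = var.enable_ipv6 && var.tgw_subnet_enable_dns64`; with the tgw flag true and the private flag false the subnet answers DNS64 queries but has no route for the synthesized prefix. Unless this deliberately mirrors an existing pattern elsewhere in the file, gate the route on the subnet's own flag: `... && var.enable_ipv6 && var.tgw_subnet_enable_dns64 ? var.single_nat_gateway ? 1 : local.len_tgw_subnets : 0` (and `var.cwan_subnet_enable_dns64` for the cwan route). Two points of style: the banner `# cwan Network ACLs` should read `# CloudWAN Network ACLs` to match `# Transit Gateway Network ACLs`, and the hunk leaves two blank lines before the Internet Gateway banner where the file otherwise uses one.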
@@ -505,6 +505,156 @@ output "intra_network_acl_arn" { value = try(aws_network_acl.intra[0].arn, null) } +################################################################################ +# Transit Gateway Subnets +################################################################################ + +output "tgw_subnet_objects" { + description = "A list of all transit gateway subnets, containing the full objects." + value = aws_subnet.tgw +} + +output "tgw_subnets" { + description = "List of IDs of transit gateway subnets" + value = aws_subnet.tgw[*].id +} + +output "tgw_subnet_arns" { + description = "List of ARNs of transit gateway subnets" + value = aws_subnet.tgw[*].arn +} + +output "tgw_subnets_cidr_blocks" { + description = "List of cidr_blocks of transit gateway subnets" + value = compact(aws_subnet.tgw[*].cidr_block) +} + +output "tgw_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of transit gateway subnets in an IPv6 enabled VPC" + value = compact(aws_subnet.tgw[*].ipv6_cidr_block) +} + +output "tgw_subnet_group" { + description = "ID of transit gateway subnet group" + value = try(aws_db_subnet_group.tgw[0].id, null) +} + +output "tgw_subnet_group_name" { + description = "Name of transit gateway subnet group" + value = try(aws_db_subnet_group.tgw[0].name, null) +} + +output "tgw_route_table_ids" { + description = "List of IDs of transit gateway route tables" + # Refer to https://github.com/terraform-aws-modules/terraform-aws-vpc/pull/926 before changing logic + value = length(aws_route_table.tgw[*].id) > 0 ? 
aws_route_table.tgw[*].id : aws_route_table.private[*].id +} + +output "tgw_internet_gateway_route_id" { + description = "ID of the transit gateway internet gateway route" + value = try(aws_route.tgw_internet_gateway[0].id, null) +} + +output "tgw_nat_gateway_route_ids" { + description = "List of IDs of the transit gateway nat gateway route" + value = aws_route.tgw_nat_gateway[*].id +} + +output "tgw_ipv6_egress_route_id" { + description = "ID of the transit gateway IPv6 egress route" + value = try(aws_route.tgw_ipv6_egress[0].id, null) +} + +output "tgw_route_table_association_ids" { + description = "List of IDs of the transit gateway route table association" + value = aws_route_table_association.tgw[*].id +} + +output "tgw_network_acl_id" { + description = "ID of the transit gateway network ACL" + value = try(aws_network_acl.tgw[0].id, null) +} + +output "tgw_network_acl_arn" { + description = "ARN of the transit gateway network ACL" + value = try(aws_network_acl.tgw[0].arn, null) +} + +################################################################################ +# CloudWAN Subnets +################################################################################ + +output "cwan_subnet_objects" { + description = "A list of all CloudWAN subnets, containing the full objects." 
+ value = aws_subnet.cwan +} + +output "cwan_subnets" { + description = "List of IDs of CloudWAN subnets" + value = aws_subnet.cwan[*].id +} + +output "cwan_subnet_arns" { + description = "List of ARNs of CloudWAN subnets" + value = aws_subnet.cwan[*].arn +} + +output "cwan_subnets_cidr_blocks" { + description = "List of cidr_blocks of CloudWAN subnets" + value = compact(aws_subnet.cwan[*].cidr_block) +} + +output "cwan_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of CloudWAN subnets in an IPv6 enabled VPC" + value = compact(aws_subnet.cwan[*].ipv6_cidr_block) +} + +output "cwan_subnet_group" { + description = "ID of CloudWAN subnet group" + value = try(aws_db_subnet_group.cwan[0].id, null) +} + +output "cwan_subnet_group_name" { + description = "Name of CloudWAN subnet group" + value = try(aws_db_subnet_group.cwan[0].name, null) +} + +output "cwan_route_table_ids" { + description = "List of IDs of CloudWAN route tables" + # Refer to https://github.com/terraform-aws-modules/terraform-aws-vpc/pull/926 before changing logic + value = length(aws_route_table.cwan[*].id) > 0 ? 
aws_route_table.cwan[*].id : aws_route_table.private[*].id +} + +output "cwan_internet_gateway_route_id" { + description = "ID of the CloudWAN internet gateway route" + value = try(aws_route.cwan_internet_gateway[0].id, null) +} + +output "cwan_nat_gateway_route_ids" { + description = "List of IDs of the CloudWAN nat gateway route" + value = aws_route.cwan_nat_gateway[*].id +} + +output "cwan_ipv6_egress_route_id" { + description = "ID of the CloudWAN IPv6 egress route" + value = try(aws_route.cwan_ipv6_egress[0].id, null) +} + +output "cwan_route_table_association_ids" { + description = "List of IDs of the CloudWAN route table association" + value = aws_route_table_association.cwan[*].id +} + +output "cwan_network_acl_id" { + description = "ID of the CloudWAN network ACL" + value = try(aws_network_acl.cwan[0].id, null) +} + +output "cwan_network_acl_arn" { + description = "ARN of the CloudWAN network ACL" + value = try(aws_network_acl.cwan[0].arn, null) +} + ################################################################################ # NAT Gateway ################################################################################ diff --git a/variables.tf b/variables.tf index d8338267..b0b95199 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1178,6 +1178,322 @@ variable "outpost_acl_tags" { default = {} } +################################################################################ +# Transit Gateway Subnets +################################################################################ + +variable "tgw_subnets" { + description = "A list of transit gateway subnets inside the VPC" + type = list(string) + default = [] +} + +variable "tgw_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "tgw_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "tgw_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "tgw_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "tgw_subnet_ipv6_prefixes" { + description = "Assigns IPv6 transit gateway subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "tgw_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "tgw_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. 
For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "tgw_subnet_names" { + description = "Explicit values to use in the Name tag on transit gateway subnets. If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "tgw_subnet_suffix" { + description = "Suffix to append to transit gateway subnets name" + type = string + default = "db" +} + +variable "create_tgw_subnet_route_table" { + description = "Controls if separate route table for transit gateway should be created" + type = bool + default = false +} + +variable "create_tgw_internet_gateway_route" { + description = "Controls if an internet gateway route for public transit gateway access should be created" + type = bool + default = false +} + +variable "create_tgw_nat_gateway_route" { + description = "Controls if a nat gateway route should be created to give internet access to the transit gateway subnets" + type = bool + default = false +} + +variable "tgw_route_table_tags" { + description = "Additional tags for the transit gateway route tables" + type = map(string) + default = {} +} + +variable "tgw_subnet_tags" { + description = "Additional tags for the transit gateway subnets" + type = map(string) + default = {} +} + +variable "create_tgw_subnet_group" { + description = "Controls if transit gateway subnet group should be created (n.b. 
tgw_subnets must also be set)" + type = bool + default = true +} + +variable "tgw_subnet_group_name" { + description = "Name of transit gateway subnet group" + type = string + default = null +} + +variable "tgw_subnet_group_tags" { + description = "Additional tags for the transit gateway subnet group" + type = map(string) + default = {} +} + +################################################################################ +# Transit Gateway Network ACLs +################################################################################ + +variable "tgw_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for transit gateway subnets" + type = bool + default = false +} + +variable "tgw_inbound_acl_rules" { + description = "Transti Gateway subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "tgw_outbound_acl_rules" { + description = "Transit Gateway subnets outbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "tgw_acl_tags" { + description = "Additional tags for the transit gateway subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# CloudWAN Subnets +################################################################################ + +variable "cwan_subnets" { + description = "A list of CloudWAN subnets inside the VPC" + type = list(string) + default = [] +} + +variable "cwan_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. 
Default is `false`" + type = bool + default = false +} + +variable "cwan_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "cwan_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "cwan_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "cwan_subnet_ipv6_prefixes" { + description = "Assigns IPv6 CloudWAN subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "cwan_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "cwan_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "cwan_subnet_names" { + description = "Explicit values to use in the Name tag on CloudWAN subnets. 
If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "cwan_subnet_suffix" { + description = "Suffix to append to CloudWAN subnets name" + type = string + default = "db" +} + +variable "create_cwan_subnet_route_table" { + description = "Controls if separate route table for CloudWAN should be created" + type = bool + default = false +} + +variable "create_cwan_internet_gateway_route" { + description = "Controls if an internet gateway route for public CloudWAN access should be created" + type = bool + default = false +} + +variable "create_cwan_nat_gateway_route" { + description = "Controls if a nat gateway route should be created to give internet access to the CloudWAN subnets" + type = bool + default = false +} + +variable "cwan_route_table_tags" { + description = "Additional tags for the CloudWAN route tables" + type = map(string) + default = {} +} + +variable "cwan_subnet_tags" { + description = "Additional tags for the CloudWAN subnets" + type = map(string) + default = {} +} + +variable "create_cwan_subnet_group" { + description = "Controls if CloudWAN subnet group should be created (n.b. 
cwan_subnets must also be set)" + type = bool + default = true +} + +variable "cwan_subnet_group_name" { + description = "Name of CloudWAN subnet group" + type = string + default = null +} + +variable "cwan_subnet_group_tags" { + description = "Additional tags for the CloudWAN subnet group" + type = map(string) + default = {} +} + +################################################################################ +# CloudWAN Network ACLs +################################################################################ + +variable "cwan_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for CloudWAN subnets" + type = bool + default = false +} + +variable "cwan_inbound_acl_rules" { + description = "Transti Gateway subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "cwan_outbound_acl_rules" { + description = "CloudWAN subnets outbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "cwan_acl_tags" { + description = "Additional tags for the CloudWAN subnets network ACL" + type = map(string) + default = {} +} + ################################################################################ # Internet Gateway ################################################################################ From f7d6fa2b20304d1c688b7cbd1065d71ed5276a7a Mon Sep 17 00:00:00 2001 From: wiseelf Date: Tue, 22 Apr 2025 13:04:32 +0200 Subject: [PATCH 2/3] remove db subnet groups from tgw and cwan --- README.md | 12 ------------ main.tf | 32 -------------------------------- outputs.tf | 20 -------------------- variables.tf | 36 ------------------------------------ 4 files changed, 100 deletions(-) 
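Review bot: `tgw_subnet_suffix` and `cwan_subnet_suffix` both default to `"db"`, which looks copied from the database variables; since the subnet, route table and network ACL Name tags are built from `${var.name}-${var.tgw_subnet_suffix}`, the new resources would be tagged identically to the database ones and be indistinguishable in the console and in tag-based inventories. Change the defaults to `default = "tgw"` and `default = "cwan"`. `cwan_inbound_acl_rules` is described as `Transti Gateway subnets inbound network ACL rules`; it should read `CloudWAN subnets inbound network ACL rules`, and the same typo (`Transti`) in `tgw_inbound_acl_rules` should be `Transit`. The default rule lists for all four `*_acl_rules` variables allow all protocols from and to `0.0.0.0/0`, so enabling `tgw_dedicated_network_acl` or `cwan_dedicated_network_acl` without supplying rules changes nothing about what traffic is admitted; it would help operators to say so in those two descriptions.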
diff --git a/README.md b/README.md
index 70f9fcfc..4bf48c92 100644
--- a/README.md
+++ b/README.md
@@ -275,9 +275,7 @@ No modules.
 |------|------|
 | [aws_cloudwatch_log_group.flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_customer_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource |
-| [aws_db_subnet_group.cwan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_db_subnet_group.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
-| [aws_db_subnet_group.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_default_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource |
 | [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
 | [aws_default_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
@@ -389,7 +387,6 @@ No modules.
 | [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `"10.0.0.0/16"` | no |
 | [create\_cwan\_internet\_gateway\_route](#input\_create\_cwan\_internet\_gateway\_route) | Controls if an internet gateway route for public CloudWAN access should be created | `bool` | `false` | no |
 | [create\_cwan\_nat\_gateway\_route](#input\_create\_cwan\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the CloudWAN subnets | `bool` | `false` | no |
-| [create\_cwan\_subnet\_group](#input\_create\_cwan\_subnet\_group) | Controls if CloudWAN subnet group should be created (n.b. cwan\_subnets must also be set) | `bool` | `true` | no |
 | [create\_cwan\_subnet\_route\_table](#input\_create\_cwan\_subnet\_route\_table) | Controls if separate route table for CloudWAN should be created | `bool` | `false` | no |
 | [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
 | [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
@@ -408,7 +405,6 @@ No modules.
 | [create\_redshift\_subnet\_route\_table](#input\_create\_redshift\_subnet\_route\_table) | Controls if separate route table for redshift should be created | `bool` | `false` | no |
 | [create\_tgw\_internet\_gateway\_route](#input\_create\_tgw\_internet\_gateway\_route) | Controls if an internet gateway route for public transit gateway access should be created | `bool` | `false` | no |
 | [create\_tgw\_nat\_gateway\_route](#input\_create\_tgw\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the transit gateway subnets | `bool` | `false` | no |
-| [create\_tgw\_subnet\_group](#input\_create\_tgw\_subnet\_group) | Controls if transit gateway subnet group should be created (n.b. tgw\_subnets must also be set) | `bool` | `true` | no |
 | [create\_tgw\_subnet\_route\_table](#input\_create\_tgw\_subnet\_route\_table) | Controls if separate route table for transit gateway should be created | `bool` | `false` | no |
 | [create\_vpc](#input\_create\_vpc) | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no |
 | [customer\_gateway\_tags](#input\_customer\_gateway\_tags) | Additional tags for the Customer Gateway | `map(string)` | `{}` | no |
@@ -423,8 +419,6 @@ No modules.
 | [cwan\_subnet\_enable\_dns64](#input\_cwan\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
 | [cwan\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_cwan\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
 | [cwan\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_cwan\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
-| [cwan\_subnet\_group\_name](#input\_cwan\_subnet\_group\_name) | Name of CloudWAN subnet group | `string` | `null` | no |
-| [cwan\_subnet\_group\_tags](#input\_cwan\_subnet\_group\_tags) | Additional tags for the CloudWAN subnet group | `map(string)` | `{}` | no |
 | [cwan\_subnet\_ipv6\_native](#input\_cwan\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
 | [cwan\_subnet\_ipv6\_prefixes](#input\_cwan\_subnet\_ipv6\_prefixes) | Assigns IPv6 CloudWAN subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
 | [cwan\_subnet\_names](#input\_cwan\_subnet\_names) | Explicit values to use in the Name tag on CloudWAN subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
@@ -640,8 +634,6 @@ No modules.
 | [tgw\_subnet\_enable\_dns64](#input\_tgw\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
 | [tgw\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_tgw\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
 | [tgw\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_tgw\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
-| [tgw\_subnet\_group\_name](#input\_tgw\_subnet\_group\_name) | Name of transit gateway subnet group | `string` | `null` | no |
-| [tgw\_subnet\_group\_tags](#input\_tgw\_subnet\_group\_tags) | Additional tags for the transit gateway subnet group | `map(string)` | `{}` | no |
 | [tgw\_subnet\_ipv6\_native](#input\_tgw\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
 | [tgw\_subnet\_ipv6\_prefixes](#input\_tgw\_subnet\_ipv6\_prefixes) | Assigns IPv6 transit gateway subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
 | [tgw\_subnet\_names](#input\_tgw\_subnet\_names) | Explicit values to use in the Name tag on transit gateway subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
@@ -678,8 +670,6 @@ No modules.
 | [cwan\_route\_table\_association\_ids](#output\_cwan\_route\_table\_association\_ids) | List of IDs of the CloudWAN route table association |
 | [cwan\_route\_table\_ids](#output\_cwan\_route\_table\_ids) | List of IDs of CloudWAN route tables |
 | [cwan\_subnet\_arns](#output\_cwan\_subnet\_arns) | List of ARNs of CloudWAN subnets |
-| [cwan\_subnet\_group](#output\_cwan\_subnet\_group) | ID of CloudWAN subnet group |
-| [cwan\_subnet\_group\_name](#output\_cwan\_subnet\_group\_name) | Name of CloudWAN subnet group |
 | [cwan\_subnet\_objects](#output\_cwan\_subnet\_objects) | A list of all CloudWAN subnets, containing the full objects. |
 | [cwan\_subnets](#output\_cwan\_subnets) | List of IDs of CloudWAN subnets |
 | [cwan\_subnets\_cidr\_blocks](#output\_cwan\_subnets\_cidr\_blocks) | List of cidr\_blocks of CloudWAN subnets |
@@ -788,8 +778,6 @@ No modules.
 | [tgw\_route\_table\_association\_ids](#output\_tgw\_route\_table\_association\_ids) | List of IDs of the transit gateway route table association |
 | [tgw\_route\_table\_ids](#output\_tgw\_route\_table\_ids) | List of IDs of transit gateway route tables |
 | [tgw\_subnet\_arns](#output\_tgw\_subnet\_arns) | List of ARNs of transit gateway subnets |
-| [tgw\_subnet\_group](#output\_tgw\_subnet\_group) | ID of transit gateway subnet group |
-| [tgw\_subnet\_group\_name](#output\_tgw\_subnet\_group\_name) | Name of transit gateway subnet group |
 | [tgw\_subnet\_objects](#output\_tgw\_subnet\_objects) | A list of all transit gateway subnets, containing the full objects. |
 | [tgw\_subnets](#output\_tgw\_subnets) | List of IDs of transit gateway subnets |
 | [tgw\_subnets\_cidr\_blocks](#output\_tgw\_subnets\_cidr\_blocks) | List of cidr\_blocks of transit gateway subnets |
diff --git a/main.tf b/main.tf
index d12f63a8..fca8eab9 100644
--- a/main.tf
+++ b/main.tf
@@ -1086,22 +1086,6 @@ resource "aws_subnet" "tgw" {
 )
 }
 
-resource "aws_db_subnet_group" "tgw" {
- count = local.create_tgw_subnets && var.create_tgw_subnet_group ? 1 : 0
-
- name = lower(coalesce(var.tgw_subnet_group_name, var.name))
- description = "tgw subnet group for ${var.name}"
- subnet_ids = aws_subnet.tgw[*].id
-
- tags = merge(
- {
- "Name" = lower(coalesce(var.tgw_subnet_group_name, var.name))
- },
- var.tags,
- var.tgw_subnet_group_tags,
- )
-}
-
 resource "aws_route_table" "tgw" {
 count = local.create_tgw_route_table ? var.single_nat_gateway || var.create_tgw_internet_gateway_route ? 1 : local.len_tgw_subnets : 0
 
@@ -1268,22 +1252,6 @@ resource "aws_subnet" "cwan" {
 )
 }
 
-resource "aws_db_subnet_group" "cwan" {
- count = local.create_cwan_subnets && var.create_cwan_subnet_group ? 1 : 0
-
- name = lower(coalesce(var.cwan_subnet_group_name, var.name))
- description = "CloudWAN subnet group for ${var.name}"
- subnet_ids = aws_subnet.cwan[*].id
-
- tags = merge(
- {
- "Name" = lower(coalesce(var.cwan_subnet_group_name, var.name))
- },
- var.tags,
- var.cwan_subnet_group_tags,
- )
-}
-
 resource "aws_route_table" "cwan" {
 count = local.create_cwan_route_table ? var.single_nat_gateway || var.create_cwan_internet_gateway_route ? 1 : local.len_cwan_subnets : 0
 
diff --git a/outputs.tf b/outputs.tf
index 3bbe102a..91ba79e0 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -534,16 +534,6 @@ output "tgw_subnets_ipv6_cidr_blocks" {
 value = compact(aws_subnet.tgw[*].ipv6_cidr_block)
 }
 
-output "tgw_subnet_group" {
- description = "ID of transit gateway subnet group"
- value = try(aws_db_subnet_group.tgw[0].id, null)
-}
-
-output "tgw_subnet_group_name" {
- description = "Name of transit gateway subnet group"
- value = try(aws_db_subnet_group.tgw[0].name, null)
-}
-
 output "tgw_route_table_ids" {
 description = "List of IDs of transit gateway route tables"
 # Refer to https://github.com/terraform-aws-modules/terraform-aws-vpc/pull/926 before changing logic
@@ -609,16 +599,6 @@ output "cwan_subnets_ipv6_cidr_blocks" {
 value = compact(aws_subnet.cwan[*].ipv6_cidr_block)
 }
 
-output "cwan_subnet_group" {
- description = "ID of CloudWAN subnet group"
- value = try(aws_db_subnet_group.cwan[0].id, null)
-}
-
-output "cwan_subnet_group_name" {
- description = "Name of CloudWAN subnet group"
- value = try(aws_db_subnet_group.cwan[0].name, null)
-}
-
 output "cwan_route_table_ids" {
 description = "List of IDs of CloudWAN route tables"
 # Refer to https://github.com/terraform-aws-modules/terraform-aws-vpc/pull/926 before changing logic
diff --git a/variables.tf b/variables.tf
index b0b95199..1fa5bec8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1272,24 +1272,6 @@ variable "tgw_subnet_tags" {
 default = {}
 }
 
-variable "create_tgw_subnet_group" {
- description = "Controls if transit gateway subnet group should be created (n.b. tgw_subnets must also be set)"
- type = bool
- default = true
-}
-
-variable "tgw_subnet_group_name" {
- description = "Name of transit gateway subnet group"
- type = string
- default = null
-}
-
-variable "tgw_subnet_group_tags" {
- description = "Additional tags for the transit gateway subnet group"
- type = map(string)
- default = {}
-}
-
 ################################################################################
 # Transit Gateway Network ACLs
 ################################################################################
@@ -1430,24 +1412,6 @@ variable "cwan_subnet_tags" {
 default = {}
 }
 
-variable "create_cwan_subnet_group" {
- description = "Controls if CloudWAN subnet group should be created (n.b. cwan_subnets must also be set)"
- type = bool
- default = true
-}
-
-variable "cwan_subnet_group_name" {
- description = "Name of CloudWAN subnet group"
- type = string
- default = null
-}
-
-variable "cwan_subnet_group_tags" {
- description = "Additional tags for the CloudWAN subnet group"
- type = map(string)
- default = {}
-}
-
 ################################################################################
 # CloudWAN Network ACLs
 ################################################################################

From 013eae25079aa759a23770800bc9053964942c7a Mon Sep 17 00:00:00 2001
From: wiseelf
Date: Tue, 22 Apr 2025 13:08:16 +0200
Subject: [PATCH 3/3] default subnet suffix

---
 README.md | 4 ++--
 variables.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 4bf48c92..9c43a256 100644
--- a/README.md
+++ b/README.md
@@ -423,7 +423,7 @@ No modules.
 | [cwan\_subnet\_ipv6\_prefixes](#input\_cwan\_subnet\_ipv6\_prefixes) | Assigns IPv6 CloudWAN subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
 | [cwan\_subnet\_names](#input\_cwan\_subnet\_names) | Explicit values to use in the Name tag on CloudWAN subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
 | [cwan\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_cwan\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
-| [cwan\_subnet\_suffix](#input\_cwan\_subnet\_suffix) | Suffix to append to CloudWAN subnets name | `string` | `"db"` | no |
+| [cwan\_subnet\_suffix](#input\_cwan\_subnet\_suffix) | Suffix to append to CloudWAN subnets name | `string` | `"cwan"` | no |
 | [cwan\_subnet\_tags](#input\_cwan\_subnet\_tags) | Additional tags for the CloudWAN subnets | `map(string)` | `{}` | no |
 | [cwan\_subnets](#input\_cwan\_subnets) | A list of CloudWAN subnets inside the VPC | `list(string)` | `[]` | no |
 | [database\_acl\_tags](#input\_database\_acl\_tags) | Additional tags for the database subnets network ACL | `map(string)` | `{}` | no |
@@ -638,7 +638,7 @@ No modules.
 | [tgw\_subnet\_ipv6\_prefixes](#input\_tgw\_subnet\_ipv6\_prefixes) | Assigns IPv6 transit gateway subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
 | [tgw\_subnet\_names](#input\_tgw\_subnet\_names) | Explicit values to use in the Name tag on transit gateway subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
 | [tgw\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_tgw\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
-| [tgw\_subnet\_suffix](#input\_tgw\_subnet\_suffix) | Suffix to append to transit gateway subnets name | `string` | `"db"` | no |
+| [tgw\_subnet\_suffix](#input\_tgw\_subnet\_suffix) | Suffix to append to transit gateway subnets name | `string` | `"tgw"` | no |
 | [tgw\_subnet\_tags](#input\_tgw\_subnet\_tags) | Additional tags for the transit gateway subnets | `map(string)` | `{}` | no |
 | [tgw\_subnets](#input\_tgw\_subnets) | A list of transit gateway subnets inside the VPC | `list(string)` | `[]` | no |
 | [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no |
diff --git a/variables.tf b/variables.tf
index 1fa5bec8..4aa4931e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1239,7 +1239,7 @@ variable "tgw_subnet_names" {
 variable "tgw_subnet_suffix" {
 description = "Suffix to append to transit gateway subnets name"
 type = string
- default = "db"
+ default = "tgw"
 }
 
 variable "create_tgw_subnet_route_table" {
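Review bot: The `description` on the context line directly above the changed default still reads `Suffix to append to transit gateway subnets name`, which is ungrammatical and is what the README table in this same patch reproduces verbatim; `description = "Suffix to append to transit gateway subnet names"` reads correctly. The sibling `tgw_subnet_names` input says Name tags are generated only when it is empty, so it would also help to state here when the suffix actually applies. Whether the suffix is used anywhere beyond the generated subnet Name tag (route table or NACL names, for instance) is not visible in this hunk and should be confirmed against `aws_subnet.tgw` and `aws_route_table.tgw` in main.tf before the description asserts either way.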
@@ -1379,7 +1379,7 @@ variable "cwan_subnet_names" {
 variable "cwan_subnet_suffix" {
 description = "Suffix to append to CloudWAN subnets name"
 type = string
- default = "db"
+ default = "cwan"
 }
 
 variable "create_cwan_subnet_route_table" {
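Review bot: `description = "Suffix to append to CloudWAN subnets name"`, kept as context above the new `default = "cwan"`, is ungrammatical and flows straight into the generated README; `description = "Suffix to append to CloudWAN subnet names"` is the minimal fix. Because `cwan_subnet_names` is documented as taking precedence over generated Name tags, the description would be more useful if it also said when this suffix is consulted. Whether it feeds anything other than the subnet Name tag (route table or NACL names, for example) cannot be seen from this hunk and should be checked in main.tf before being written down as fact.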