From fcc8418f4eac8822551635f67a4cedf98884a635 Mon Sep 17 00:00:00 2001
From: Lucas Leonardo Soto
Date: Thu, 9 Feb 2023 13:58:33 -0300
Subject: [PATCH 1/4] DEVOPS-5386: Add sys type subnets
---
 README.md | 32 ++++++++++++
 main.tf | 145 +++++++++++++++++++++++++++++++++++++++++++++++++++
 outputs.tf | 51 ++++++++++++++++++
 variables.tf | 98 ++++++++++++++++++++++++++++++++++
 4 files changed, 326 insertions(+)
diff --git a/README.md b/README.md
index 581c5b6f7..cd0af85e1 100644
--- a/README.md
+++ b/README.md
@@ -293,6 +293,7 @@ No modules.
 | [aws_network_acl.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.sys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl_rule.database_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.database_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.elasticache_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
@@ -307,6 +308,8 @@ No modules.
 | [aws_network_acl_rule.public_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.redshift_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_network_acl_rule.redshift_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.sys_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.sys_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_redshift_subnet_group.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_subnet_group) | resource |
 | [aws_route.database_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.database_ipv6_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
@@ -315,12 +318,15 @@ No modules.
 | [aws_route.private_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.public_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.public_internet_gateway_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.sys_ipv6_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.sys_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route_table.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.sys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table_association.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | 
[aws_route_table_association.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
@@ -329,6 +335,7 @@ No modules.
 | [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.redshift_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.sys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_subnet.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
@@ -336,6 +343,7 @@ No modules.
 | [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.sys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
 | [aws_vpc_dhcp_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) | resource |
 | [aws_vpc_dhcp_options_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) | resource |
@@ -345,6 +353,7 @@ No modules.
 | [aws_vpn_gateway_route_propagation.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource |
 | [aws_vpn_gateway_route_propagation.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource |
 | [aws_vpn_gateway_route_propagation.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource |
+| [aws_vpn_gateway_route_propagation.sys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource |
 | [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -500,6 +509,7 @@ No modules. | [propagate\_intra\_route\_tables\_vgw](#input\_propagate\_intra\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no | | [propagate\_private\_route\_tables\_vgw](#input\_propagate\_private\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no | | [propagate\_public\_route\_tables\_vgw](#input\_propagate\_public\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no | +| [propagate\_sys\_route\_tables\_vgw](#input\_propagate\_sys\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no | | [public\_acl\_tags](#input\_public\_acl\_tags) | Additional tags for the public subnets network ACL | `map(string)` | `{}` | no | | [public\_dedicated\_network\_acl](#input\_public\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for public subnets | `bool` | `false` | no | | [public\_inbound\_acl\_rules](#input\_public\_inbound\_acl\_rules) | Public subnets inbound network ACLs | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | @@ -529,6 +539,18 @@ No modules. | [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no | | [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no | | [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no | +| [sys\_acl\_tags](#input\_sys\_acl\_tags) | Additional tags for the sys subnets network ACL | `map(string)` | `{}` | no | +| [sys\_dedicated\_network\_acl](#input\_sys\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for sys subnets | `bool` | `false` | no | +| [sys\_inbound\_acl\_rules](#input\_sys\_inbound\_acl\_rules) | Sys subnets inbound network ACLs | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | +| [sys\_outbound\_acl\_rules](#input\_sys\_outbound\_acl\_rules) | Sys subnets outbound network ACLs | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | +| [sys\_route\_table\_tags](#input\_sys\_route\_table\_tags) | Additional tags for the sys route tables | `map(string)` | `{}` | no | +| [sys\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_sys\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on sys subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | +| [sys\_subnet\_ipv6\_prefixes](#input\_sys\_subnet\_ipv6\_prefixes) | Assigns IPv6 sys subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no | +| [sys\_subnet\_names](#input\_sys\_subnet\_names) | Explicit values to use in the Name tag on sys subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no | +| [sys\_subnet\_suffix](#input\_sys\_subnet\_suffix) | Suffix to append to sys subnets name | `string` | `"sys"` | no | +| [sys\_subnet\_tags](#input\_sys\_subnet\_tags) | Additional tags for the sys subnets | `map(string)` | `{}` | no | +| [sys\_subnet\_tags\_per\_az](#input\_sys\_subnet\_tags\_per\_az) | Additional tags for the sys subnets where the primary key is the AZ | `map(map(string))` | `{}` | no | +| [sys\_subnets](#input\_sys\_subnets) | A list of sys subnets inside the VPC | `list(string)` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | | [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no | | [vpc\_flow\_log\_permissions\_boundary](#input\_vpc\_flow\_log\_permissions\_boundary) | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no | 
@@ -633,6 +655,16 @@ No modules.
 | [redshift\_subnets](#output\_redshift\_subnets) | List of IDs of redshift subnets |
 | [redshift\_subnets\_cidr\_blocks](#output\_redshift\_subnets\_cidr\_blocks) | List of cidr\_blocks of redshift subnets |
 | [redshift\_subnets\_ipv6\_cidr\_blocks](#output\_redshift\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of redshift subnets in an IPv6 enabled VPC |
+| [sys\_ipv6\_egress\_route\_ids](#output\_sys\_ipv6\_egress\_route\_ids) | List of IDs of the ipv6 egress route |
+| [sys\_nat\_gateway\_route\_ids](#output\_sys\_nat\_gateway\_route\_ids) | List of IDs of the sys nat gateway route |
+| [sys\_network\_acl\_arn](#output\_sys\_network\_acl\_arn) | ARN of the sys network ACL |
+| [sys\_network\_acl\_id](#output\_sys\_network\_acl\_id) | ID of the sys network ACL |
+| [sys\_route\_table\_association\_ids](#output\_sys\_route\_table\_association\_ids) | List of IDs of the sys route table association |
+| [sys\_route\_table\_ids](#output\_sys\_route\_table\_ids) | List of IDs of sys route tables |
+| [sys\_subnet\_arns](#output\_sys\_subnet\_arns) | List of ARNs of sys subnets |
+| [sys\_subnets](#output\_sys\_subnets) | List of IDs of sys subnets |
+| [sys\_subnets\_cidr\_blocks](#output\_sys\_subnets\_cidr\_blocks) | List of cidr\_blocks of sys subnets |
+| [sys\_subnets\_ipv6\_cidr\_blocks](#output\_sys\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of sys subnets in an IPv6 enabled VPC |
 | [this\_customer\_gateway](#output\_this\_customer\_gateway) | Map of Customer Gateway attributes |
 | [vgw\_arn](#output\_vgw\_arn) | The ARN of the VPN Gateway |
 | [vgw\_id](#output\_vgw\_id) | The ID of the VPN Gateway |
diff --git a/main.tf b/main.tf
index 7da643e60..fa5aa0b65 100644
--- a/main.tf
+++ b/main.tf
@@ -4,6 +4,7 @@ locals {
 length(var.elasticache_subnets),
 length(var.database_subnets),
 length(var.redshift_subnets),
+ length(var.sys_subnets),
 )
 nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length
@@ -352,6 +353,28 @@ resource "aws_route_table" "intra" {
 )
 }
+################################################################################
+# Sys routes
+# There are as many routing tables as the number of NAT gateways
+################################################################################
+
+resource "aws_route_table" "sys" {
+ count = local.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0
+
+ vpc_id = local.vpc_id
+
+ tags = merge(
+ {
+ "Name" = var.single_nat_gateway ? "${var.name}-${var.sys_subnet_suffix}" : format(
+ "${var.name}-${var.sys_subnet_suffix}-%s",
+ element(var.azs, count.index),
+ )
+ },
+ var.tags,
+ var.sys_route_table_tags,
+ )
+}
+
 ################################################################################
 # Public subnet
 ################################################################################
@@ -589,6 +612,34 @@ resource "aws_subnet" "intra" {
 )
 }
+################################################################################
+# Sys subnet
+################################################################################
+
+resource "aws_subnet" "sys" {
+ count = local.create_vpc && length(var.sys_subnets) > 0 ? length(var.sys_subnets) : 0
+
+ vpc_id = local.vpc_id
+ cidr_block = var.sys_subnets[count.index]
+ availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
+ availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
+ assign_ipv6_address_on_creation = var.sys_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.sys_subnet_assign_ipv6_address_on_creation
+
+ ipv6_cidr_block = var.enable_ipv6 && length(var.sys_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.sys_subnet_ipv6_prefixes[count.index]) : null
+
+ tags = merge(
+ {
+ Name = try(
+ var.sys_subnet_names[count.index],
+ format("${var.name}-${var.sys_subnet_suffix}-%s", element(var.azs, count.index))
+ )
+ },
+ var.tags,
+ var.sys_subnet_tags,
+ lookup(var.sys_subnet_tags_per_az, element(var.azs, count.index), {})
+ )
+}
+
 ################################################################################
 # Default Network ACLs
 ################################################################################
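Review bot: The `# Sys subnet` banner says nothing about what a sys subnet is or how it differs from the private and intra tiers, and the resource body is a line-for-line copy of the other subnet types, so a reader cannot tell whether the duplication is intentional. Suggest extending the banner with what the code shows, e.g. `# Sys subnet: private-style subnets (no map_public_ip_on_launch); their default route is set by aws_route.sys_nat_gateway / aws_route.sys_ipv6_egress and they get their own route tables, NACL and outputs`. Note also that `var.sys_subnet_ipv6_prefixes[count.index]` is indexed without checking that the prefix list is at least as long as `var.sys_subnets`; the variable description states the lengths must match, but a shorter list fails with an index error at plan time rather than a clear message — this mirrors the existing subnet types, so flagged for awareness only.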
@@ -999,6 +1050,57 @@ resource "aws_network_acl_rule" "elasticache_outbound" {
 ipv6_cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
 }
+################################################################################
+# Sys Network ACLs
+################################################################################
+
+resource "aws_network_acl" "sys" {
+ count = local.create_vpc && var.sys_dedicated_network_acl && length(var.sys_subnets) > 0 ? 1 : 0
+
+ vpc_id = local.vpc_id
+ subnet_ids = aws_subnet.sys[*].id
+
+ tags = merge(
+ { "Name" = "${var.name}-${var.sys_subnet_suffix}" },
+ var.tags,
+ var.sys_acl_tags,
+ )
+}
+
+resource "aws_network_acl_rule" "sys_inbound" {
+ count = local.create_vpc && var.sys_dedicated_network_acl && length(var.sys_subnets) > 0 ? length(var.sys_inbound_acl_rules) : 0
+
+ network_acl_id = aws_network_acl.sys[0].id
+
+ egress = false
+ rule_number = var.sys_inbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.sys_inbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.sys_inbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.sys_inbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.sys_inbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.sys_inbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.sys_inbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.sys_inbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.sys_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+resource "aws_network_acl_rule" "sys_outbound" {
+ count = local.create_vpc && var.sys_dedicated_network_acl && length(var.sys_subnets) > 0 ? 
length(var.sys_outbound_acl_rules) : 0
+
+ network_acl_id = aws_network_acl.sys[0].id
+
+ egress = true
+ rule_number = var.sys_outbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.sys_outbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.sys_outbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.sys_outbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.sys_outbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.sys_outbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.sys_outbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.sys_outbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.sys_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
 ################################################################################
 # NAT Gateway
 ################################################################################
@@ -1070,6 +1172,26 @@ resource "aws_route" "private_ipv6_egress" {
 egress_only_gateway_id = element(aws_egress_only_internet_gateway.this[*].id, 0)
 }
+resource "aws_route" "sys_nat_gateway" {
+ count = local.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0
+
+ route_table_id = element(aws_route_table.sys[*].id, count.index)
+ destination_cidr_block = var.nat_gateway_destination_cidr_block
+ nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index)
+
+ timeouts {
+ create = "5m"
+ }
+}
+
+resource "aws_route" "sys_ipv6_egress" {
+ count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? length(var.sys_subnets) : 0
+
+ route_table_id = element(aws_route_table.sys[*].id, count.index)
+ destination_ipv6_cidr_block = "::/0"
+ egress_only_gateway_id = element(aws_egress_only_internet_gateway.this[*].id, 0)
+}
+
 ################################################################################
 # Route table association
 ################################################################################
@@ -1151,6 +1273,16 @@ resource "aws_route_table_association" "public" {
 route_table_id = aws_route_table.public[0].id
 }
+resource "aws_route_table_association" "sys" {
+ count = local.create_vpc && length(var.sys_subnets) > 0 ? length(var.sys_subnets) : 0
+
+ subnet_id = element(aws_subnet.sys[*].id, count.index)
+ route_table_id = element(
+ aws_route_table.sys[*].id,
+ var.single_nat_gateway ? 0 : count.index,
+ )
+}
+
 ################################################################################
 # Customer Gateways
 ################################################################################
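Review bot: The two sys routes are sized by different quantities than the tables they attach to: `aws_route.sys_nat_gateway` uses `local.nat_gateway_count`, `aws_route.sys_ipv6_egress` uses `length(var.sys_subnets)`, while `aws_route_table.sys` (earlier hunk) is sized by `local.nat_gateway_count`. With `single_nat_gateway = true` and two or more sys subnets, `element(aws_route_table.sys[*].id, count.index)` wraps and every IPv6 route lands on the same table with the same `::/0` destination, which I expect the provider to reject as a duplicate route. Neither count is gated on `length(var.sys_subnets) > 0`, so NAT routes are also written to sys tables that exist without any sys subnet. Suggest keeping both routes in step with the table count, e.g. `count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && length(var.sys_subnets) > 0 ? local.nat_gateway_count : 0` for the IPv6 route and the same `length(var.sys_subnets) > 0` guard on the NAT route.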
@@ -1234,6 +1366,19 @@ resource "aws_vpn_gateway_route_propagation" "intra" {
 )
 }
+resource "aws_vpn_gateway_route_propagation" "sys" {
+ count = local.create_vpc && var.propagate_sys_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.sys_subnets) : 0
+
+ route_table_id = element(aws_route_table.sys[*].id, count.index)
+ vpn_gateway_id = element(
+ concat(
+ aws_vpn_gateway.this[*].id,
+ aws_vpn_gateway_attachment.this[*].vpn_gateway_id,
+ ),
+ count.index,
+ )
+}
+
 ################################################################################
 # Defaults
 ################################################################################
diff --git a/outputs.tf b/outputs.tf
index 9d93dda4b..333000925 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -223,6 +223,27 @@ output "intra_subnets_ipv6_cidr_blocks" {
 value = compact(aws_subnet.intra[*].ipv6_cidr_block)
 }
+output "sys_subnets" {
+ description = "List of IDs of sys subnets"
+ value = aws_subnet.sys[*].id
+}
+
+output "sys_subnet_arns" {
+ description = "List of ARNs of sys subnets"
+ value = aws_subnet.sys[*].arn
+}
+
+output "sys_subnets_cidr_blocks" {
+ description = "List of cidr_blocks of sys subnets"
+ value = compact(aws_subnet.sys[*].cidr_block)
+}
+
+output "sys_subnets_ipv6_cidr_blocks" {
+ description = "List of IPv6 cidr_blocks of sys subnets in an IPv6 enabled VPC"
+ value = compact(aws_subnet.sys[*].ipv6_cidr_block)
+}
+
+
 output "elasticache_subnet_group" {
 description = "ID of elasticache subnet group"
 value = try(aws_elasticache_subnet_group.elasticache[0].id, "")
@@ -263,6 +284,11 @@ output "intra_route_table_ids" {
 value = aws_route_table.intra[*].id
 }
+output "sys_route_table_ids" {
+ description = "List of IDs of sys route tables"
+ value = aws_route_table.sys[*].id
+}
+
 output "public_internet_gateway_route_id" {
 description = "ID of the internet gateway route"
 value = try(aws_route.public_internet_gateway[0].id, "")
@@ -328,6 +354,21 @@ output "intra_route_table_association_ids" {
 value = aws_route_table_association.intra[*].id
 }
+output "sys_nat_gateway_route_ids" {
+ description = "List of IDs of the sys nat gateway route"
+ value = aws_route.sys_nat_gateway[*].id
+}
+
+output "sys_ipv6_egress_route_ids" {
+ description = "List of IDs of the ipv6 egress route"
+ value = aws_route.sys_ipv6_egress[*].id
+}
+
+output "sys_route_table_association_ids" {
+ description = "List of IDs of the sys route table association"
+ value = aws_route_table_association.sys[*].id
+}
+
 output "public_route_table_association_ids" {
 description = "List of IDs of the public route table association"
 value = aws_route_table_association.public[*].id
@@ -513,6 +554,16 @@ output "elasticache_network_acl_arn" {
 value = try(aws_network_acl.elasticache[0].arn, "")
 }
+output "sys_network_acl_id" {
+ description = "ID of the sys network ACL"
+ value = try(aws_network_acl.sys[0].id, "")
+}
+
+output "sys_network_acl_arn" {
+ description = "ARN of the sys network ACL"
+ value = try(aws_network_acl.sys[0].arn, "")
+}
+
 # VPC flow log
 output "vpc_flow_log_id" {
 description = "The ID of the Flow Log resource"
diff --git a/variables.tf b/variables.tf
index 4bd5da093..d8917addb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -64,6 +64,12 @@ variable "intra_subnet_ipv6_prefixes" {
 default = []
 }
+variable "sys_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 sys subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
+ type = list(string)
+ default = []
+}
+
 variable "assign_ipv6_address_on_creation" {
 description = "Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
 type = bool
@@ -112,6 +118,12 @@ variable "intra_subnet_assign_ipv6_address_on_creation" {
 default = null
 }
+variable "sys_subnet_assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on sys subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
+ type = bool
+ default = null
+}
+
 variable "secondary_cidr_blocks" {
 description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool"
 type = list(string)
@@ -136,6 +148,12 @@ variable "private_subnet_suffix" {
 default = "private"
 }
+variable "sys_subnet_suffix" {
+ description = "Suffix to append to sys subnets name"
+ type = string
+ default = "sys"
+}
+
 variable "public_subnet_names" {
 description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated."
 type = list(string)
@@ -178,6 +196,12 @@ variable "elasticache_subnet_names" {
 default = []
 }
+variable "sys_subnet_names" {
+ description = "Explicit values to use in the Name tag on sys subnets. If empty, Name tags are generated."
+ type = list(string)
+ default = []
+}
+
 variable "outpost_subnet_suffix" {
 description = "Suffix to append to outpost subnets name"
 type = string
@@ -250,6 +274,12 @@ variable "intra_subnets" {
 default = []
 }
+variable "sys_subnets" {
+ description = "A list of sys subnets inside the VPC"
+ type = list(string)
+ default = []
+}
+
 variable "create_database_subnet_route_table" {
 description = "Controls if separate route table for database should be created"
 type = bool
@@ -432,6 +462,12 @@ variable "propagate_public_route_tables_vgw" {
 default = false
 }
+variable "propagate_sys_route_tables_vgw" {
+ description = "Should be true if you want route table propagation"
+ type = bool
+ default = false
+}
+
 variable "manage_default_route_table" {
 description = "Should be true to manage default route table"
 type = bool
@@ -510,6 +546,18 @@ variable "outpost_subnet_tags" {
 default = {}
 }
+variable "sys_subnet_tags" {
+ description = "Additional tags for the sys subnets"
+ type = map(string)
+ default = {}
+}
+
+variable "sys_subnet_tags_per_az" {
+ description = "Additional tags for the sys subnets where the primary key is the AZ"
+ type = map(map(string))
+ default = {}
+}
+
 variable "public_route_table_tags" {
 description = "Additional tags for the public route tables"
 type = map(string)
@@ -546,6 +594,12 @@ variable "intra_route_table_tags" {
 default = {}
 }
+variable "sys_route_table_tags" {
+ description = "Additional tags for the sys route tables"
+ type = map(string)
+ default = {}
+}
+
 variable "database_subnet_group_name" {
 description = "Name of database subnet group"
 type = string
@@ -648,6 +702,12 @@ variable "elasticache_acl_tags" {
 default = {}
 }
+variable "sys_acl_tags" {
+ description = "Additional tags for the sys subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
 variable "dhcp_options_tags" {
 description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)"
 type = map(string)
@@ -823,6 +883,12 @@ variable "elasticache_dedicated_network_acl" {
 default = false
 }
+variable "sys_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for sys subnets"
+ type = bool
+ default = false
+}
+
 variable "default_network_acl_ingress" {
 description = "List of maps of ingress rules to set on the Default Network ACL"
 type = list(map(string))
@@ -1095,6 +1161,38 @@ variable "elasticache_outbound_acl_rules" {
 ]
 }
+variable "sys_inbound_acl_rules" {
+ description = "Sys subnets inbound network ACLs"
+ type = list(map(string))
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "sys_outbound_acl_rules" {
+ description = "Sys subnets outbound network ACLs"
+ type = list(map(string))
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
 variable "manage_default_security_group" {
 description = "Should be true to adopt and manage default security group"
 type = bool
From 92a7b7494d3c7c5d8714681a1032dfc0d1197b48 Mon Sep 17 00:00:00 2001
From: Sol Malisani
Date: Mon, 10 Apr 2023 12:55:29 -0300
Subject: [PATCH 2/4] NOTICKER: Fix condition in RT sys count
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index fa5aa0b65..e8c975bed 100644
--- a/main.tf
+++ b/main.tf
@@ -359,7 +359,7 @@ resource "aws_route_table" "intra" {
 ################################################################################
 resource "aws_route_table" "sys" {
- count = local.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0
+ count = local.create_vpc && length(var.sys_subnets) > 0 ? 1 : 0
 vpc_id = local.vpc_id
From 7ff885faa06652912904d657bae91a474880802c Mon Sep 17 00:00:00 2001
From: Sol Malisani
Date: Mon, 10 Apr 2023 15:01:47 -0300
Subject: [PATCH 3/4] NOTICKET: Update number of RT to number of sys subnets
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index e8c975bed..3ee6f92c2 100644
--- a/main.tf
+++ b/main.tf
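Review bot: The defaults of `sys_inbound_acl_rules` and `sys_outbound_acl_rules` are allow-all in both directions (`protocol = "-1"`, `cidr_block = "0.0.0.0/0"`), matching the other subnet types' defaults, but the descriptions `"Sys subnets inbound network ACLs"` / `"Sys subnets outbound network ACLs"` do not say so. These rules only take effect once `sys_dedicated_network_acl = true` (the `aws_network_acl.sys` count in an earlier hunk), so a user who enables the dedicated ACL expecting a tighter tier gets no restriction unless they also override both lists. Suggest `description = "Sys subnets inbound network ACL rules; the default allows all traffic and only applies when sys_dedicated_network_acl is true"` and the equivalent wording for the outbound variable.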
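Review bot: After this change `aws_route_table.sys` has zero instances whenever `sys_subnets` is empty (the default), but `aws_route.sys_nat_gateway` (outside this hunk) still has `count = local.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0` and reads `element(aws_route_table.sys[*].id, count.index)`, so any caller with NAT gateways and no sys subnets now calls `element` on an empty list, which Terraform rejects at plan time. With `one_nat_gateway_per_az` the same route creates `nat_gateway_count` routes against the single table and `element` wraps onto the same table and destination. The route's count needs the same guard and size as the table, e.g. `count = local.create_vpc && var.enable_nat_gateway && length(var.sys_subnets) > 0 ? 1 : 0`; `aws_route_table.sys` continues past the end of this hunk.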
@@ -355,11 +355,11 @@ resource "aws_route_table" "intra" {
 ################################################################################
 # Sys routes
-# There are as many routing tables as the number of NAT gateways
+# There are as many routing tables as the number of sys subnets
 ################################################################################
 resource "aws_route_table" "sys" {
- count = local.create_vpc && length(var.sys_subnets) > 0 ? 1 : 0
+ count = local.create_vpc && length(var.sys_subnets) > 0 ? length(var.sys_subnets) : 0
 vpc_id = local.vpc_id
From 6d4dbfddfe22c3dbe9520cdee93d9caf37c95905 Mon Sep 17 00:00:00 2001
From: Jorge Arribas
Date: Mon, 11 Nov 2024 10:48:42 -0300
Subject: [PATCH 4/4] DEVOPS-7638: DRP improve vpc
---
 main.tf | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index 3ee6f92c2..79ab65c91 100644
--- a/main.tf
+++ b/main.tf
@@ -33,8 +33,6 @@ resource "aws_vpc" "this" {
 instance_tenancy = var.instance_tenancy
 enable_dns_hostnames = var.enable_dns_hostnames
 enable_dns_support = var.enable_dns_support
- enable_classiclink = null # https://github.com/hashicorp/terraform/issues/31730
- enable_classiclink_dns_support = null # https://github.com/hashicorp/terraform/issues/31730
 tags = merge(
 { "Name" = var.name },
@@ -1112,7 +1110,7 @@ locals {
 resource "aws_eip" "nat" {
 count = local.create_vpc && var.enable_nat_gateway && false == var.reuse_nat_ips ? local.nat_gateway_count : 0
- vpc = true
+ domain = "vpc"
 tags = merge(
 {
@@ -1388,7 +1386,6 @@ resource "aws_default_vpc" "this" {
 enable_dns_support = var.default_vpc_enable_dns_support
 enable_dns_hostnames = var.default_vpc_enable_dns_hostnames
- enable_classiclink = null # https://github.com/hashicorp/terraform/issues/31730
 tags = merge(
 { "Name" = coalesce(var.default_vpc_name, "default") },
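Review bot: Sizing `aws_route_table.sys` by `length(var.sys_subnets)` is not matched by the resources that consume it: `aws_route.sys_nat_gateway` keeps `count = local.nat_gateway_count`, so with `single_nat_gateway = true` only table 0 gets a NAT route while `aws_route_table_association.sys` also sends every subnet to index 0, leaving tables 1..N-1 with no routes and no subnets — and all N carry the identical Name from the `var.single_nat_gateway ? "${var.name}-${var.sys_subnet_suffix}" : format(...)` branch lower in this resource (outside the hunk). With `one_nat_gateway_per_az` and more AZs than sys subnets, the NAT route's `element()` wraps onto the same table twice. If one table per subnet is the intent the banner now states, the NAT route should follow it, `count = local.create_vpc && var.enable_nat_gateway && length(var.sys_subnets) > 0 ? length(var.sys_subnets) : 0` with `nat_gateway_id = element(aws_nat_gateway.this[*].id, var.single_nat_gateway ? 0 : count.index)`, and the association's `? 0 :` special case becomes unnecessary.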
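Review bot: `domain = "vpc"` replaces the `vpc` argument of `aws_eip`, which to my knowledge exists only from the AWS provider's 5.x line onward (the same line that dropped the `enable_classiclink*` arguments removed in the other two hunks), yet the diffstat touches only main.tf, so the module's `required_providers` constraint is not updated in step. If that constraint still admits a 4.x provider, a consumer with an older lock file will fail on an unknown argument at `terraform validate`; the provider bump belongs in this change and deserves a mention in the commit message. `resource "aws_eip" "nat"` continues outside this hunk.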