Merge pull request #16 from pablo19sc/main
New Spoke VPC format - removing previous --target dependencies
drewmullen authored Feb 7, 2023
2 parents 74ae8a0 + 8c1eaec commit 7d165ac
Showing 24 changed files with 328 additions and 218 deletions.
44 changes: 17 additions & 27 deletions .header.md
Expand Up @@ -294,31 +294,32 @@ central_vpcs = {

### Spoke VPCs

This variable is used to provide the Hub and Spoke module the neccessary information about the Spoke VPCs created. Note that the module does not create the VPCs, and the information you pass is the VPC IDs, and Transit Gateway VPC attachment IDs. It is recommended the use of the following [AWS VPC Module](https://github.com/aws-ia/terraform-aws-vpc) to simplify your infrastructure creation - also because the Hub and Spoke module makes use of the VPC module to create the Central VPCs.
This variable is used to provide the Hub and Spoke module the neccessary information about the Spoke VPCs created. Note that the module does not create the VPCs, and the information you pass is the routing domains you want to create, and the Spoke VPC information (VPC IDs and Transit Gateway VPC attachment IDs). It is recommended the use of the following [AWS VPC Module](https://github.com/aws-ia/terraform-aws-vpc) to simplify your infrastructure creation - also because the Hub and Spoke module makes use of the VPC module to create the Central VPCs.

Within this variable, a map of routing domains is expected. The *key* of each map will defined that specific routing domain (e.g. prod, nonprod, etc.) and a Transit Gateway Route Table for that routing domain will be created. Inside each routing domain definition, you can define a map of VPCs with the following attributes:
Within this variable, the following attributes are expected:

- `vpc_id` = (Optional|string) VPC ID. *This value is not used in this version of the module, we keep it as placehoder when adding support for centralized VPC endpoints*.
- `transit_gateway_attachment_id` = (Optional|string) Transit Gateway VPC attachment ID.
- `routing_domains` = (Optional|list(string)) Definition of the different routing domains for the Spoke VPCs - for example *prod* or *dev*. If this variable is not provided, all the Spoke VPCs will be associated to a common routing domain (*spokes*).
- `number_vpcs` = (Optional|number) Total number of Spoke VPCs that have been attached to the Transit Gateway, regardless of the routing domain.
- `vpc_information` = (Optional|map(string)) Information about the VPCs to include in the architecture. Inside the variable, a map of the following keys is expected:
- `vpc_id` = (Optional|string) VPC ID. *This value is not used in this version of the module, we keep it as placehoder when adding support for centralized VPC endpoints*.
- `transit_gateway_attachment_id` = (Optional|string) Transit Gateway VPC attachment ID.
- `routing_domain` = (Optional|string) Routing domain to include the VPC (Transit Gateway route table association). This value needs to be included in *var.spoke_vpcs.routing_domains*.

```hcl
spoke_vpcs = {
production = {
prod1 = {
vpc_id = vpc-ID1
routing_domains = ["prod", "nonprod"]
number_vpcs = 2
vpc_information = {
prod = {
vpc_id = vpc-ID1
transit_gateway_attachment_id = tgw-attach-ID1
routing_domain = "prod"
}
prod2 = {
vpc_id = vpc-ID2
transit_gateway_attachment_id = tgw-attach-ID2
}
}
nonproduction = {
nonprod = {
vpc_id = vpc-ID
transit_gateway_attachment_id = tgw-attach-ID
vpc_id = vpc-ID2
transit_gateway_attachment_id = tgw-attach-ID2
routing_domain = "nonprod"
}
}
}
}
```
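Review bot: `vpc_information` is documented as `(Optional|map(string))` on the line that introduces it, but the keys listed under it (`vpc_id`, `transit_gateway_attachment_id`, `routing_domain`) and the example block show a map of objects, so the type should read `map(object)` or `map(map(string))` to match what the module actually expects. Two smaller points in the same hunk: the example quotes `routing_domain = "prod"` but leaves `vpc_id = vpc-ID1` and `transit_gateway_attachment_id = tgw-attach-ID1` unquoted, which is not a valid HCL string literal, so quote the placeholders consistently; and since `routing_domain` "needs to be included in var.spoke_vpcs.routing_domains", say what happens when it is omitted or does not match (fall back to the default *spokes* domain, or reject it with a `validation` block), and likewise that `number_vpcs` must equal the number of entries in `vpc_information`. The typos `neccessary` and `placehoder` are carried over into the new lines as well.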
Expand Down Expand Up @@ -346,17 +347,6 @@ network_definition = {

### Deployment Considerations

#### Terraform Apply - Target

Due to some limitations with Terraform, some resources need to be created beforehand (using `-target`):

- Spoke VPCs' Transit Gateway VPC attachment IDs - needed to create the Transit Gateway Route Tables (for each segment), and the Transit Gateway Associations and Propagations. To deploy everything without problems, you can proceed in two ways:
- Do `-target` of the Transit Gateway attachments of your Spoke VPCs, and then proceed to deploy the Hub and Spoke architecture.
- Deploy your Spoke VPCs and Hub and Spoke module without the `spoke_vpcs` variable. Once all the resources are created, add this attribute to the definition and update the Hub and Spoke architecture (as now the TGW attachments are created).
- Managed Prefix List - if building an AWS Network Firewall resource in the Inspection VPC, as the module gets the list of CIDRs from the prefix list to create the routes to the Inspection endpoints. Terraform needs to know this value when created before creating the VPC routes.

In the *./examples* folder you can find different deployment examples where you can check how you can use `-target` to deploy all the resources without problems.

#### Cross-segment (Spoke VPCs) communication

Each Spoke VPC segment created is independent between each other, meaning that inter-segment communication is not allowed. However, if you add an Inspection VPC with the traffic inspection flow as `all` or `east-west`, potentially you can have communication between segments. **You need to block or allow inter-segment communication in the firewall solution deployed**.
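Review bot: the removed `Terraform Apply - Target` subsection covered two separate limitations, and only the first (Spoke VPC attachment IDs not being known at plan time) is addressed by the new `number_vpcs`/`vpc_information` format named in the commit message. The Managed Prefix List bullet (the module reads the CIDR list from the prefix list to build the routes to the Inspection endpoints, so it has to exist before the VPC routes are created) is unrelated to the Spoke VPC format; unless this PR also removes that dependency elsewhere, keep that bullet under `Deployment Considerations` instead of dropping the whole subsection. The deleted paragraph also pointed readers to `./examples` for `-target` usage, so confirm the examples no longer rely on `-target` and that nothing else in the document still describes them that way.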
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -6,6 +6,6 @@ repos:
repo: https://github.com/aws-ia/pre-commit-configs
# To update run:
# pre-commit autoupdate --freeze
rev: 80ed3f0a164f282afaac0b6aec70e20f7e541932 # frozen: v1.5.0
rev: c7091ec774495a41986bd9c5ea59152655ec4f3a # frozen: v1.6.2
hooks:
- id: aws-ia-meta-hook
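Review bot: pinning `rev` to a full commit SHA with a `# frozen: v1.6.2` comment is the right way to pin a pre-commit hook repository, but the comment is not validated by pre-commit, so confirm that `c7091ec774495a41986bd9c5ea59152655ec4f3a` is the commit tagged `v1.6.2` in aws-ia/pre-commit-configs (running `pre-commit autoupdate --freeze` as the comment above the line suggests keeps the two in sync). The hook upgrade from v1.5.0 is also unrelated to the Spoke VPC format change described in the commit message and would be easier to bisect as its own commit.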
2 changes: 1 addition & 1 deletion .tflint.hcl
Expand Up @@ -3,7 +3,7 @@

plugin "aws" {
enabled = true
version = "0.14.0"
version = "0.21.2"
source = "github.com/terraform-linters/tflint-ruleset-aws"
}

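Review bot: moving the tflint `aws` ruleset from `0.14.0` to `0.21.2` is a seven-minor-version jump that will bring new and changed rules, so the module and the examples should be re-linted under the new version before merge to make sure CI still passes; as with the pre-commit bump, this is unrelated to the Spoke VPC format change and would read more clearly as a separate commit. Keeping the plugin pinned to an exact `version` with `source` set is the right choice for reproducible lint runs.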