Merge pull request #21 from pablo19sc/main
bug fix + updating VPC version to latest
tbulding authored Sep 11, 2023
2 parents 7800f95 + 9a00dde commit f982b43
Showing 25 changed files with 350 additions and 160 deletions.
8 changes: 4 additions & 4 deletions .header.md
Expand Up @@ -80,7 +80,7 @@ central_vpcs = {
netmask = 24
nat_gateway_configuration = "all_azs"
}
inspection = { netmask = 24 }
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
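Review bot: the removed `inspection = { netmask = 24 }` line reads as a copy-paste from the Inspection VPC example, and `endpoints` is the key this central VPC type needs, given that the `central_vpcs` description says the subnet format differs per central VPC type; the identical correction repeats in the next two hunks of this file and again in README.md, so a grep for any remaining `inspection = { netmask` outside the Inspection VPC block would confirm nothing was missed.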
Expand All @@ -100,7 +100,7 @@ central_vpcs = {
az_count = 2
subnets = {
inspection = { netmask = 24 }
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
Expand Down Expand Up @@ -132,7 +132,7 @@ central_vpcs = {
}
subnets = {
inspection = { netmask = 24 }
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
Expand All @@ -148,7 +148,6 @@ When defining a central Egress VPC, the following subnet configuration is expect

```hcl
central_vpcs = {
egress = {
name = "egress-vpc"
cidr_block = "10.10.0.0/24"
Expand All @@ -173,6 +172,7 @@ central_vpcs = {
cidrs = ["10.10.0.32/28", "10.10.0.48/28"]
}
}
}
}
```

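Review bot: the one-line removal at -148 paired with the one-line addition at -173 reads as a closing brace being relocated so the `egress` example closes in the right place (four `}` now follow `cidrs = [...]`, which is what the nesting `central_vpcs` > `egress` > subnets map > subnet needs); a brace-balance or `terraform fmt` check over the README's hcl fences in CI would catch this class of documentation error before it is published.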
14 changes: 8 additions & 6 deletions README.md
Expand Up @@ -81,7 +81,7 @@ central_vpcs = {
netmask = 24
nat_gateway_configuration = "all_azs"
}
inspection = { netmask = 24 }
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
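Review bot: this hunk and the two that follow duplicate the .header.md edits above line for line; if README.md is generated from .header.md by terraform-docs (the `<!-- END_TF_DOCS -->` markers in the example READMEs point that way), regenerating it in CI instead of editing both files by hand removes the risk of the two drifting apart.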
Expand All @@ -101,7 +101,7 @@ central_vpcs = {
az_count = 2
subnets = {
inspection = { netmask = 24 }
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
Expand Down Expand Up @@ -133,7 +133,7 @@ central_vpcs = {
}
subnets = {
inspection = { netmask = 24 }
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
Expand All @@ -149,7 +149,6 @@ When defining a central Egress VPC, the following subnet configuration is expect

```hcl
central_vpcs = {
egress = {
name = "egress-vpc"
cidr_block = "10.10.0.0/24"
Expand All @@ -174,6 +173,7 @@ central_vpcs = {
cidrs = ["10.10.0.32/28", "10.10.0.48/28"]
}
}
}
}
```

Expand Down Expand Up @@ -370,7 +370,8 @@ Each Spoke VPC segment created is independent between each other, meaning that i
| Name | Source | Version |
|------|--------|---------|
| <a name="module_aws_network_firewall"></a> [aws\_network\_firewall](#module\_aws\_network\_firewall) | aws-ia/networkfirewall/aws | = 0.0.2 |
| <a name="module_central_vpcs"></a> [central\_vpcs](#module\_central\_vpcs) | aws-ia/vpc/aws | = 4.0.0 |
| <a name="module_central_vpcs"></a> [central\_vpcs](#module\_central\_vpcs) | aws-ia/vpc/aws | = 4.3.0 |
| <a name="module_tags"></a> [tags](#module\_tags) | aws-ia/label/aws | 0.0.5 |

## Resources

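Review bot: the `central_vpcs` pin moves from `= 4.0.0` to `= 4.3.0` and stays an exact pin, which is the right shape for a module that lays out subnets and routes (a `~>` constraint would let a later minor change network layout silently); crossing three minor releases of the VPC module still deserves a `terraform plan` on the examples to confirm no subnet or route-table replacement, and note that the examples in this same commit pin the published `aws-ia/network-hubandspoke/aws` release rather than the local source, so they do not exercise this bump.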
Expand Down Expand Up @@ -406,10 +407,11 @@ Each Spoke VPC segment created is independent between each other, meaning that i

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_central_vpcs"></a> [central\_vpcs](#input\_central\_vpcs) | Configuration of the Central VPCs - used to centralized different services. You can create the following central VPCs: "inspection", "egress", "shared-services", "hybrid-dns", and "ingress".<br>In each Central VPC, You can specify the following attributes:<br>- `vpc_id` = (Optional\|string) **If you specify this value, no other attributes can be set** VPC ID, the VPC will be attached to the Transit Gateway, and its attachment associate/propagated to the corresponding TGW Route Tables.<br>- `cidr_block` = (Optional\|string) CIDR range to assign to the VPC if creating a new VPC.<br>- `az_count` = (Optional\|number) Searches the number of AZs in the region and takes a slice based on this number - the slice is sorted a-z.<br>- `vpc_enable_dns_hostnames` = (Optional\|bool) Indicates whether the instances launched in the VPC get DNS hostnames. Enabled by default.<br>- `vpc_enable_dns_support` = (Optional\|bool) Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range "plus two" succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default.<br>- `vpc_instance_tenancy` = (Optional\|string) The allowed tenancy of instances launched into the VPC.<br>- `vpc_flow_logs` = (Optional\|object(any)) Configuration of the VPC Flow Logs of the VPC configured. Options: "cloudwatch", "s3", "none".<br>- `subnet_configuration` = (Optional\|any) Configuration of the subnets to create in the VPC. Depending the type of central VPC to create, the format (subnets to configure) will be different.<br>To get more information of the format of the variables, check the section "Central VPCs" in the README.<pre></pre> | `any` | n/a | yes |
| <a name="input_identifier"></a> [identifier](#input\_identifier) | String to identify the whole Hub and Spoke environment. | `string` | n/a | yes |
| <a name="input_network_definition"></a> [network\_definition](#input\_network\_definition) | "Definition of the IPv4 CIDR configuration. The definition is done by using two variables:"<br> - `type` = (string) Defines the type of network definition provided. It has to be either `CIDR` (Supernet's CIDR Block) or `PREFIX_LIST` (prefix list ID containing all the CIDR blocks of the network)<br> - `value` = (string) Either a Supernet's CIDR Block or a prefix list ID. This value needs to be consistent with the `type` provided in this variable.<pre></pre> | <pre>object({<br> type = string<br> value = string<br> })</pre> | n/a | yes |
| <a name="input_central_vpcs"></a> [central\_vpcs](#input\_central\_vpcs) | Configuration of the Central VPCs - used to centralized different services. You can create the following central VPCs: "inspection", "egress", "shared-services", "hybrid-dns", and "ingress".<br>In each Central VPC, You can specify the following attributes:<br>- `vpc_id` = (Optional\|string) **If you specify this value, no other attributes can be set** VPC ID, the VPC will be attached to the Transit Gateway, and its attachment associate/propagated to the corresponding TGW Route Tables.<br>- `cidr_block` = (Optional\|string) CIDR range to assign to the VPC if creating a new VPC.<br>- `az_count` = (Optional\|number) Searches the number of AZs in the region and takes a slice based on this number - the slice is sorted a-z.<br>- `vpc_enable_dns_hostnames` = (Optional\|bool) Indicates whether the instances launched in the VPC get DNS hostnames. Enabled by default.<br>- `vpc_enable_dns_support` = (Optional\|bool) Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range "plus two" succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default.<br>- `vpc_instance_tenancy` = (Optional\|string) The allowed tenancy of instances launched into the VPC.<br>- `vpc_flow_logs` = (Optional\|object(any)) Configuration of the VPC Flow Logs of the VPC configured. Options: "cloudwatch", "s3", "none".<br>- `subnet_configuration` = (Optional\|any) Configuration of the subnets to create in the VPC. Depending the type of central VPC to create, the format (subnets to configure) will be different.<br>To get more information of the format of the variables, check the section "Central VPCs" in the README.<pre></pre> | `any` | `{}` | no |
| <a name="input_spoke_vpcs"></a> [spoke\_vpcs](#input\_spoke\_vpcs) | Variable used to provide the information about the Spoke VPCs to include in the hub and spoke architecture. Information to provide is the following one:<br> - `routing_domains` = (Optional\|list(string)) Definition of the different routing domains for the Spoke VPCs - for example *prod* or *dev*. If this variable is not provided, all the Spoke VPCs will be associated to a common routing domain (*spokes*).<br> - `number_vpcs` = (Optional\|number) Total number of Spoke VPCs that have been attached to the Transit Gateway, regardless of the routing domain.<br> - `vpc_information` = (Optional\|map(string)) Information about the VPCs to include in the architecture. Inside the variable, a map of the following keys is expected:<br> - `vpc_id` = (Optional\|string) VPC ID. *This value is not used in this version of the module, we keep it as placehoder when adding support for centralized VPC endpoints*.<br> - `transit_gateway_attachment_id` = (Optional\|string) Transit Gateway VPC attachment ID.<br> - `routing_domain` = (Optional\|string) Routing domain to include the VPC (Transit Gateway route table association). This value needs to be included in *var.spoke\_vpcs.routing\_domains*.<br>To get more information of the format of the variables, check the section "Spoke VPCs" in the README.<pre></pre> | `any` | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources. | `map(string)` | `{}` | no |
| <a name="input_transit_gateway_attributes"></a> [transit\_gateway\_attributes](#input\_transit\_gateway\_attributes) | Attributes about the new Transit Gateway to create. **If you specify this value, transit\_gateway\_id can't be set**:<br>- `name` = (Optional\|string) Name to apply to the new Transit Gateway.<br>- `description` = (Optional\|string) Description of the Transit Gateway<br>- `amazon_side_asn` = (Optional\|number) Private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is `64512` to `65534` for 16-bit ASNs and `4200000000` to `4294967294` for 32-bit ASNs. It is recommended to configure one to avoid ASN overlap. Default value: `64512`.<br>- `auto_accept_shared_attachments` = (Optional\|string) Wheter the attachment requests are automatically accepted. Valid values: `disable` (default) or `enable`.<br>- `dns_support` = (Optional\|string) Wheter DNS support is enabled. Valid values: `disable` or `enable` (default).<br>- `multicast_support` = (Optional\|string) Wheter Multicas support is enabled. Valid values: `disable` (default) or `enable`.<br>- `transit_gateway_cidr_blocks` = (Optional\|list(string)) One or more IPv4/IPv6 CIDR blocks for the Transit Gateway. Must be a size /24 for IPv4 CIDRs, and /64 for IPv6 CIDRs.<br>- `vpn_ecmp_support` = (Optional\|string) Whever VPN ECMP support is enabled. Valid values: `disable` or `enable` (default).<br>- `tags` = (Optional\|map(string)) Key-value tags to apply to the Transit Gateway.<pre></pre> | `any` | `{}` | no |
| <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | Transit Gateway ID. **If you specify this value, transit\_gateway\_attributes can't be set**. | `string` | `null` | no |

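Review bot: `central_vpcs` changes from required (`n/a` / yes) to optional with default `{}`, but its description is unchanged and does not say what the module deploys when no central VPC is supplied; since this table is generated from variables.tf, the description there should state that. The same pass could fix the typos carried into these rows: 'used to centralized', 'Depending the type', and in `transit_gateway_attributes` 'Wheter' (three times), 'Multicas' and 'Whever'.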
3 changes: 1 addition & 2 deletions examples/central_egress_ingress/.header.md
Expand Up @@ -3,11 +3,10 @@
This example builds a central Ingress and Egress VPCs. The following resources are built:

- Built by the **Hub and Spoke module**:
- AWS Transit Gateway Route Tables: 1 Ingress, 1 Egress, 1 Spokes.
- AWS Transit Gateway Route Tables: 1 Ingress, 1 Egress.
- Transit Gateway routes.
- Ingress and Egress VPC.
- Built outside the module:
- AWS Transit Gateway.
- Managed Prefix List

## Deployment instructions
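Review bot: dropping '1 Spokes' and the 'Managed Prefix List' bullet matches the removal of `module.spoke_vpcs` and `aws_ec2_managed_prefix_list.network_prefix_list` from main.tf, but `network_definition` is a required module input (`type` must be `CIDR` or `PREFIX_LIST`), so the module call must now pass a CIDR supernet instead of the prefix list ID; that part of main.tf is outside the visible hunks and is worth confirming. Minor: 'builds a central Ingress and Egress VPCs' should read 'builds central Ingress and Egress VPCs'.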
8 changes: 2 additions & 6 deletions examples/central_egress_ingress/README.md
Expand Up @@ -4,11 +4,10 @@
This example builds a central Ingress and Egress VPCs. The following resources are built:

- Built by the **Hub and Spoke module**:
- AWS Transit Gateway Route Tables: 1 Ingress, 1 Egress, 1 Spokes.
- AWS Transit Gateway Route Tables: 1 Ingress, 1 Egress.
- Transit Gateway routes.
- Ingress and Egress VPC.
- Built outside the module:
- AWS Transit Gateway.
- Managed Prefix List

## Deployment instructions
Expand All @@ -33,8 +32,7 @@ This example builds a central Ingress and Egress VPCs. The following resources a

| Name | Source | Version |
|------|--------|---------|
| <a name="module_hub-and-spoke"></a> [hub-and-spoke](#module\_hub-and-spoke) | aws-ia/network-hubandspoke/aws | 3.0.0 |
| <a name="module_spoke_vpcs"></a> [spoke\_vpcs](#module\_spoke\_vpcs) | aws-ia/vpc/aws | 4.0.0 |
| <a name="module_hub-and-spoke"></a> [hub-and-spoke](#module\_hub-and-spoke) | aws-ia/network-hubandspoke/aws | 3.1.0 |

## Resources

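Review bot: pinning this example to the published `3.1.0` of aws-ia/network-hubandspoke/aws means it does not exercise the root-module changes in this same commit (the `central_vpcs` default and the subnet-key fixes); if the examples double as tests, `source = "../.."` would run against the working tree, with the release pin kept in the prose. The other example touched here (examples/central_inspection/README.md) pins `3.0.1`, so the two examples now disagree on which release they demonstrate.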
Expand All @@ -49,13 +47,11 @@ This example builds a central Ingress and Egress VPCs. The following resources a
|------|-------------|------|---------|:--------:|
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region - to build the Hub and Spoke. | `string` | `"eu-west-1"` | no |
| <a name="input_identifier"></a> [identifier](#input\_identifier) | Project identifier. | `string` | `"central-egress-ingress"` | no |
| <a name="input_spoke_vpcs"></a> [spoke\_vpcs](#input\_spoke\_vpcs) | Spoke VPCs. | `map(any)` | <pre>{<br> "vpc1": {<br> "cidr_block": "10.0.0.0/24",<br> "number_azs": 2,<br> "routing_domain": "prod"<br> },<br> "vpc2": {<br> "cidr_block": "10.0.1.0/24",<br> "number_azs": 2,<br> "routing_domain": "prod"<br> }<br>}</pre> | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_central_vpcs"></a> [central\_vpcs](#output\_central\_vpcs) | Central VPCs created. |
| <a name="output_spoke_vpcs"></a> [spoke\_vpcs](#output\_spoke\_vpcs) | Spoke VPCs created. |
| <a name="output_transit_gateway_id"></a> [transit\_gateway\_id](#output\_transit\_gateway\_id) | ID of the AWS Transit Gateway resource. |
<!-- END_TF_DOCS -->
37 changes: 1 addition & 36 deletions examples/central_egress_ingress/main.tf
Expand Up @@ -19,7 +19,7 @@ resource "aws_ec2_transit_gateway" "tgw" {
# Hub and Spoke module - we only centralize the Egress and Ingress traffic
module "hub-and-spoke" {
source = "aws-ia/network-hubandspoke/aws"
version = "3.0.0"
version = "3.1.0"

identifier = var.identifier
transit_gateway_id = aws_ec2_transit_gateway.tgw.id
Expand Down Expand Up @@ -52,46 +52,11 @@ module "hub-and-spoke" {
}
}
}

spoke_vpcs = {
number_vpcs = length(var.spoke_vpcs)
routing_domains = ["prod"]
vpc_information = { for k, v in module.spoke_vpcs : k => {
vpc_id = v.vpc_attributes.id
transit_gateway_attachment_id = v.transit_gateway_attachment_id
routing_domain = var.spoke_vpcs[k].routing_domain
} }
}
}

# Managed prefix list (to pass to the Hub and Spoke module)
resource "aws_ec2_managed_prefix_list" "network_prefix_list" {
name = "Network's Prefix List"
address_family = "IPv4"
max_entries = 2
}

# Spoke VPCs
module "spoke_vpcs" {
for_each = var.spoke_vpcs
source = "aws-ia/vpc/aws"
version = "4.0.0"

name = each.key
cidr_block = each.value.cidr_block
az_count = each.value.number_azs

transit_gateway_id = aws_ec2_transit_gateway.tgw.id
transit_gateway_routes = {
workloads = "0.0.0.0/0"
}

subnets = {
workload = { netmask = 28 }
transit_gateway = {
netmask = 28
transit_gateway_default_route_table_association = false
transit_gateway_default_route_table_propagation = false
}
}
}
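Review bot: with `module.spoke_vpcs` and `var.spoke_vpcs` gone, the `spoke_vpcs` argument to the hub-and-spoke module is dropped entirely rather than set to `{}`, which relies on the root module's `spoke_vpcs` default of `{}` from the inputs table; the example therefore builds only the hub side and no longer demonstrates spoke routing-domain association. The removed spoke module set `transit_gateway_default_route_table_association = false` and `transit_gateway_default_route_table_propagation = false`, the pattern that keeps spoke attachments out of the TGW default route table; if a spoke is reintroduced later, those two settings should come back with it.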
5 changes: 0 additions & 5 deletions examples/central_egress_ingress/outputs.tf
Expand Up @@ -11,9 +11,4 @@ output "transit_gateway_id" {
output "central_vpcs" {
description = "Central VPCs created."
value = { for k, v in module.hub-and-spoke.central_vpcs : k => v.vpc_attributes.id }
}

output "spoke_vpcs" {
description = "Spoke VPCs created."
value = { for k, v in module.spoke_vpcs : k => v.vpc_attributes.id }
}
17 changes: 0 additions & 17 deletions examples/central_egress_ingress/variables.tf
Expand Up @@ -13,21 +13,4 @@ variable "identifier" {
type = string
description = "Project identifier."
default = "central-egress-ingress"
}

variable "spoke_vpcs" {
type = map(any)
description = "Spoke VPCs."
default = {
"vpc1" = {
cidr_block = "10.0.0.0/24"
number_azs = 2
routing_domain = "prod"
}
"vpc2" = {
cidr_block = "10.0.1.0/24"
number_azs = 2
routing_domain = "prod"
}
}
}
2 changes: 1 addition & 1 deletion examples/central_inspection/.header.md
Expand Up @@ -4,7 +4,7 @@ This example centralizes the traffic inspection and egress traffic within the sa

- Built by the **Hub and Spoke module**:
- AWS Transit Gateway.
- AWS Transit Gateway Route Tables: 1 Inspection, 2 Spokes (production and non-production).
- AWS Transit Gateway Inspection Route Tables.
- Transit Gateway routes.
- Inspection VPC - with public subnets for Internet access.
- AWS Network Firewall (and routes in the Inspection VPC to the firewall endpoints).
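Review bot: 'AWS Transit Gateway Inspection Route Tables.' is ambiguous (plural where the old line counted one Inspection table) and loses the information that the two Spokes route tables are no longer built; 'AWS Transit Gateway Route Tables: 1 Inspection.' keeps the old line's format and says exactly what is created. The same wording appears in examples/central_inspection/README.md.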
7 changes: 2 additions & 5 deletions examples/central_inspection/README.md
Expand Up @@ -5,7 +5,7 @@ This example centralizes the traffic inspection and egress traffic within the sa

- Built by the **Hub and Spoke module**:
- AWS Transit Gateway.
- AWS Transit Gateway Route Tables: 1 Inspection, 2 Spokes (production and non-production).
- AWS Transit Gateway Inspection Route Tables.
- Transit Gateway routes.
- Inspection VPC - with public subnets for Internet access.
- AWS Network Firewall (and routes in the Inspection VPC to the firewall endpoints).
Expand Down Expand Up @@ -34,8 +34,7 @@ This example centralizes the traffic inspection and egress traffic within the sa

| Name | Source | Version |
|------|--------|---------|
| <a name="module_hub-and-spoke"></a> [hub-and-spoke](#module\_hub-and-spoke) | aws-ia/network-hubandspoke/aws | 3.0.0 |
| <a name="module_spoke_vpcs"></a> [spoke\_vpcs](#module\_spoke\_vpcs) | aws-ia/vpc/aws | 4.0.0 |
| <a name="module_hub-and-spoke"></a> [hub-and-spoke](#module\_hub-and-spoke) | aws-ia/network-hubandspoke/aws | 3.0.1 |

## Resources

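Review bot: this example pins aws-ia/network-hubandspoke/aws to `3.0.1` while examples/central_egress_ingress moves to `3.1.0` in the same commit; if both are meant to track the release carrying these fixes they should agree, and the mismatch is easy to miss because the tables are generated. Removing the `spoke_vpcs` module row mirrors the egress/ingress example and is consistent with the inputs and outputs dropped below.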
Expand All @@ -51,14 +50,12 @@ This example centralizes the traffic inspection and egress traffic within the sa
|------|-------------|------|---------|:--------:|
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region - to build the Hub and Spoke. | `string` | `"eu-west-1"` | no |
| <a name="input_identifier"></a> [identifier](#input\_identifier) | Project identifier. | `string` | `"central-inspection"` | no |
| <a name="input_spoke_vpcs"></a> [spoke\_vpcs](#input\_spoke\_vpcs) | Spoke VPCs. | `map(any)` | <pre>{<br> "nonprod-vpc": {<br> "cidr_block": "10.0.1.0/24",<br> "number_azs": 2,<br> "routing_domain": "nonprod"<br> },<br> "prod-vpc": {<br> "cidr_block": "10.0.0.0/24",<br> "number_azs": 2,<br> "routing_domain": "prod"<br> }<br>}</pre> | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_central_vpcs"></a> [central\_vpcs](#output\_central\_vpcs) | Central VPCs created. |
| <a name="output_network_firewall"></a> [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
| <a name="output_spoke_vpcs"></a> [spoke\_vpcs](#output\_spoke\_vpcs) | Spoke VPCs created. |
| <a name="output_transit_gateway_id"></a> [transit\_gateway\_id](#output\_transit\_gateway\_id) | ID of the AWS Transit Gateway resource. |
<!-- END_TF_DOCS -->