feat: Remove obsolete internet gateway if networking provided (#105)

* chore(deps): bump terraform-linters/setup-tflint from 2 to 3

Bumps [terraform-linters/setup-tflint](https://github.com/terraform-linters/setup-tflint) from 2 to 3.
- [Release notes](https://github.com/terraform-linters/setup-tflint/releases)
- [Commits](terraform-linters/setup-tflint@v2...v3)

---
updated-dependencies:
- dependency-name: terraform-linters/setup-tflint
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore(deps): bump hashicorp/aws from 4.39.0 to 4.40.0

Bumps [hashicorp/aws](https://github.com/hashicorp/terraform-provider-aws) from 4.39.0 to 4.40.0.
- [Release notes](https://github.com/hashicorp/terraform-provider-aws/releases)
- [Changelog](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md)
- [Commits](hashicorp/terraform-provider-aws@v4.39.0...v4.40.0)

---
updated-dependencies:
- dependency-name: hashicorp/aws
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* terraform-docs: automated action

* feat: make internet_gateway_id optional and create internet_gateway_id if not set

* adapt for review comments

* terraform-docs: automated action

* adapt var description

* terraform-docs: automated action

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Martin Gerlach <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/pullrequest.yml

@@ -18,7 +18,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v2
+        uses: terraform-linters/setup-tflint@v3
 
       - name: Init TFLint
         run: tflint --init

README.md

@@ -103,7 +103,7 @@ resource "aws_s3_bucket_public_access_block" "mwaa" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.39.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.40.0 |
 
 ## Modules
 
@@ -116,6 +116,7 @@ No modules.
 | [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_mwaa_environment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mwaa_environment) | resource |
 | [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
 | [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
@@ -144,7 +145,7 @@ No modules.
 | <a name="input_dag_s3_path"></a> [dag\_s3\_path](#input\_dag\_s3\_path) | Relative path of the dags folder within the source bucket | `string` | `"dags/"` | no |
 | <a name="input_environment_class"></a> [environment\_class](#input\_environment\_class) | n/a | `string` | `"mw1.small"` | no |
 | <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | Name of the MWAA environment | `string` | n/a | yes |
-| <a name="input_internet_gateway_id"></a> [internet\_gateway\_id](#input\_internet\_gateway\_id) | ID of the internet gateway to the VPC | `string` | n/a | yes |
+| <a name="input_internet_gateway_id"></a> [internet\_gateway\_id](#input\_internet\_gateway\_id) | ID of the internet gateway to the VPC, if not set and create\_networking\_config = true an internet gateway will be created | `string` | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS CMK ARN to use by MWAA for data encryption. MUST reference the same KMS key as used by S3 bucket specified by source\_bucket\_arn, if the bucket uses KMS. If not specified, the default AWS owned key for MWAA will be used for backward compatibility with version 1.0.1 of this module. | `string` | `null` | no |
 | <a name="input_max_workers"></a> [max\_workers](#input\_max\_workers) | numeric string, min 1 | `string` | `"10"` | no |
 | <a name="input_min_workers"></a> [min\_workers](#input\_min\_workers) | numeric string, min 1 | `string` | `"1"` | no |

variables.tf

@@ -59,8 +59,9 @@ variable "vpc_id" {
   type        = string
 }
 variable "internet_gateway_id" {
-  description = "ID of the internet gateway to the VPC"
+  description = "ID of the internet gateway to the VPC, if not set and create_networking_config = true an internet gateway will be created"
   type        = string
+  default     = null
 }
 variable "create_networking_config" {
   description = "true if networking resources (subnets, eip, NAT gateway and route table) should be created."

vpc.tf

@@ -1,72 +1,73 @@
-/*
-This module deploys a VPC, with a pair of public and private subnets spread
-across two Availability Zones. It deploys an internet gateway, with a default
-route on the public subnets. It deploys a pair of NAT gateways (one in each
-AZ), and default routes for them in the private subnets.
-*/
-
 resource "aws_subnet" "public" {
-  count = var.create_networking_config ? length(var.public_subnet_cidrs): 0
-  cidr_block = var.public_subnet_cidrs[count.index]
-  vpc_id = var.vpc_id
+  count                   = var.create_networking_config ? length(var.public_subnet_cidrs) : 0
+  cidr_block              = var.public_subnet_cidrs[count.index]
+  vpc_id                  = var.vpc_id
   map_public_ip_on_launch = true
-  availability_zone = count.index % 2 == 0 ? "${var.region}a" : "${var.region}b"
-  tags = merge({
+  availability_zone       = count.index % 2 == 0 ? "${var.region}a" : "${var.region}b"
+  tags                    = merge({
     Name = "mwaa-${var.environment_name}-public-subnet-${count.index}"
   }, var.tags)
 }
 
 resource "aws_subnet" "private" {
-  count = var.create_networking_config ? length(var.private_subnet_cidrs): 0
-  cidr_block = var.private_subnet_cidrs[count.index]
-  vpc_id = var.vpc_id
+  count                   = var.create_networking_config ? length(var.private_subnet_cidrs) : 0
+  cidr_block              = var.private_subnet_cidrs[count.index]
+  vpc_id                  = var.vpc_id
   map_public_ip_on_launch = false
-  availability_zone = count.index % 2 == 0 ? "${var.region}a" : "${var.region}b"
-  tags = merge({
+  availability_zone       = count.index % 2 == 0 ? "${var.region}a" : "${var.region}b"
+  tags                    = merge({
     Name = "mwaa-${var.environment_name}-private-subnet-${count.index}"
   }, var.tags)
 }
 
 resource "aws_eip" "this" {
-  count = var.create_networking_config ? length(var.public_subnet_cidrs): 0
-  vpc = true
-  tags = merge({
+  count = var.create_networking_config ? length(var.public_subnet_cidrs) : 0
+  vpc   = true
+  tags  = merge({
     Name = "mwaa-${var.environment_name}-eip-${count.index}"
   }, var.tags)
 }
 
 resource "aws_nat_gateway" "this" {
-  count = var.create_networking_config ? length(var.public_subnet_cidrs): 0
+  count         = var.create_networking_config ? length(var.public_subnet_cidrs) : 0
   allocation_id = aws_eip.this[count.index].id
-  subnet_id = aws_subnet.public[count.index].id
-  tags = merge({
+  subnet_id     = aws_subnet.public[count.index].id
+  tags          = merge({
     Name = "mwaa-${var.environment_name}-nat-gateway-${count.index}"
   }, var.tags)
 }
 
+resource "aws_internet_gateway" "this" {
+  count  = var.create_networking_config && var.internet_gateway_id==null ? 1 : 0
+  vpc_id = var.vpc_id
+  tags   = merge({
+    Name = "mwaa-${var.environment_name}-internet-gateway"
+  }, var.tags)
+}
+
 resource "aws_route_table" "public" {
-  count = var.create_networking_config ? 1: 0
+  count  = var.create_networking_config ? 1 : 0
   vpc_id = var.vpc_id
   route {
     cidr_block = "0.0.0.0/0"
-    gateway_id = var.internet_gateway_id
+    gateway_id = var.internet_gateway_id!=null ? var.internet_gateway_id : aws_internet_gateway.this[0].id
   }
   tags = merge({
     Name = "mwaa-${var.environment_name}-public-routes"
   }, var.tags)
 }
 
 resource "aws_route_table_association" "public" {
-  count = var.create_networking_config ? length(aws_subnet.public): 0
+  count          = var.create_networking_config ? length(aws_subnet.public) : 0
   route_table_id = aws_route_table.public[0].id
-  subnet_id = aws_subnet.public[count.index].id
+  subnet_id      = aws_subnet.public[count.index].id
 }
 
 resource "aws_route_table" "private" {
-  count = length(aws_nat_gateway.this)
+  count  = length(aws_nat_gateway.this)
   vpc_id = var.vpc_id
   route {
-    cidr_block = "0.0.0.0/0"
+    cidr_block     = "0.0.0.0/0"
     nat_gateway_id = aws_nat_gateway.this[count.index].id
   }
   tags = merge({
@@ -75,27 +76,27 @@ resource "aws_route_table" "private" {
 }
 
 resource "aws_route_table_association" "private" {
-  count = var.create_networking_config ?  length(aws_subnet.private): 0
+  count          = var.create_networking_config ?  length(aws_subnet.private) : 0
   route_table_id = aws_route_table.private[count.index].id
-  subnet_id = aws_subnet.private[count.index].id
+  subnet_id      = aws_subnet.private[count.index].id
 }
 
 resource "aws_security_group" "this" {
   vpc_id = var.vpc_id
-  name = "mwaa-${var.environment_name}-no-ingress-sg"
-  tags = merge({
+  name   = "mwaa-${var.environment_name}-no-ingress-sg"
+  tags   = merge({
     Name = "mwaa-${var.environment_name}-no-ingress-sg"
   }, var.tags  )
   ingress {
     from_port = 0
-    to_port = 0
-    protocol = "-1"
-    self = true
+    to_port   = 0
+    protocol  = "-1"
+    self      = true
   }
   egress {
-    from_port = 0
-    to_port = 0
-    protocol = "-1"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
     cidr_blocks = [
       "0.0.0.0/0"
     ]