Support transit gateway vpc attachments for subnet-group module

tedilabs · Feb 7, 2024 · 5ea987b · 5ea987b
1 parent 03f8a7d
commit 5ea987b
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 1 deletion.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.31.1
+0.32.0
diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md
@@ -41,6 +41,7 @@ This module creates following resources.
 | [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_dms_replication_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_subnet_group) | resource |
 | [aws_docdb_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_subnet_group) | resource |
+| [aws_ec2_transit_gateway_vpc_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment) | resource |
 | [aws_elasticache_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
 | [aws_memorydb_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/memorydb_subnet_group) | resource |
 | [aws_neptune_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_subnet_group) | resource |
@@ -75,6 +76,7 @@ This module creates following resources.
 | <a name="input_shares"></a> [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). | <pre>list(object({<br>    name = optional(string)<br><br>    permissions = optional(set(string), ["AWSRAMDefaultPermissionSubnet"])<br><br>    external_principals_allowed = optional(bool, false)<br>    principals                  = optional(set(string), [])<br><br>    tags = optional(map(string), {})<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | (Optional) How long to wait for the subnet group to be created/deleted. | <pre>object({<br>    create = optional(string, "10m")<br>    delete = optional(string, "20m")<br>  })</pre> | `{}` | no |
+| <a name="input_transit_gateway_attachments"></a> [transit\_gateway\_attachments](#input\_transit\_gateway\_attachments) | (Optional) A list of configurations for Transit Gateway VPC attachments. Each block of `transit_gateway_attachments` as defined below.<br>    (Required) `name` - The name of the Transit Gateway VPC attachment.<br>    (Required) `transit_gateway` - The ID of the Transit Gateway.<br>    (Optional) `appliance_mode_enabled` - Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Defaults to `false`.<br>    (Optional) `dns_support_enabled` - Whether to enable Domain Name System resolution for VPCs attached to this transit gateway. Defaults to `true`.<br>    (Optional) `ipv6_enabled` - Whether to enable IPv6 support. Defaults to `false`.<br>    (Optional) `default_association_route_table_enabled` - Whether to automatically associate transit gateway attachments with this transit gateway's default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Defaults to `false`.<br>    (Optional) `default_propagation_route_table_enabled` - Whether to automatically propagate transit gateway attachments with this transit gateway's default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Defaults to `false`.<br>    (Optional) `tags` - A map of tags to add to the vpc association. | <pre>list(object({<br>    name                                    = string<br>    transit_gateway                         = string<br>    appliance_mode_enabled                  = optional(bool, false)<br>    dns_support_enabled                     = optional(bool, true)<br>    ipv6_enabled                            = optional(bool, false)<br>    default_association_route_table_enabled = optional(bool, false)<br>    default_propagation_route_table_enabled = optional(bool, false)<br><br>    tags = optional(map(string), {})<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 
@@ -104,5 +106,6 @@ This module creates following resources.
 | <a name="output_sharing"></a> [sharing](#output\_sharing) | The configuration for sharing of subnets in the subnet group.<br>    `status` - An indication of whether subnets are shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.<br>    `shares` - The list of resource shares via RAM (Resource Access Manager). |
 | <a name="output_subnets"></a> [subnets](#output\_subnets) | A list of subnets of the subnet group. |
 | <a name="output_subnets_by_az"></a> [subnets\_by\_az](#output\_subnets\_by\_az) | A map of subnets of the subnet group which are grouped by availability zone id. |
+| <a name="output_transit_gateway_attachments"></a> [transit\_gateway\_attachments](#output\_transit\_gateway\_attachments) | The configuration of Transit Gateway VPC attachments. |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC which the subnet group belongs to. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/subnet-group/integrations.tf b/modules/subnet-group/integrations.tf
@@ -1,3 +1,35 @@
+###################################################
+# VPC Attachments for Transit Gateway
+###################################################
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
+  for_each = {
+    for attachment in var.transit_gateway_attachments :
+    attachment.name => attachment
+  }
+
+  vpc_id     = var.vpc_id
+  subnet_ids = values(aws_subnet.this)[*].id
+
+  transit_gateway_id = each.value.transit_gateway
+
+  appliance_mode_support                          = each.value.appliance_mode_enabled ? "enable" : "disable"
+  dns_support                                     = each.value.dns_support_enabled ? "enable" : "disable"
+  ipv6_support                                    = each.value.ipv6_enabled ? "enable" : "disable"
+  transit_gateway_default_route_table_association = each.value.default_association_route_table_enabled
+  transit_gateway_default_route_table_propagation = each.value.default_propagation_route_table_enabled
+
+  tags = merge(
+    {
+      "Name" = each.key
+    },
+    local.module_tags,
+    var.tags,
+    each.value.tags,
+  )
+}
+
+
 ###################################################
 # Subnet Group for DAX
 ###################################################

diff --git a/modules/subnet-group/outputs.tf b/modules/subnet-group/outputs.tf
@@ -111,6 +111,25 @@ output "dns_config" {
   }
 }
 
+output "transit_gateway_attachments" {
+  description = <<EOF
+  The configuration of Transit Gateway VPC attachments.
+  EOF
+  value = {
+    for name, attachment in aws_ec2_transit_gateway_vpc_attachment.this :
+    name => {
+      name            = name
+      transit_gateway = attachment.transit_gateway_id
+
+      appliance_mode_enabled                  = attachment.appliance_mode_support == "enable"
+      dns_support_enabled                     = attachment.dns_support == "enable"
+      ipv6_enabled                            = attachment.ipv6_support == "enable"
+      default_association_route_table_enabled = attachment.transit_gateway_default_route_table_association
+      default_propagation_route_table_enabled = attachment.transit_gateway_default_route_table_propagation
+    }
+  }
+}
+
 output "dax_subnet_group" {
   description = <<EOF
   The configuration of DAX Subnet Group.

diff --git a/modules/subnet-group/variables.tf b/modules/subnet-group/variables.tf
@@ -131,6 +131,41 @@ variable "dns_config" {
   }
 }
 
+variable "transit_gateway_attachments" {
+  description = <<EOF
+  (Optional) A list of configurations for Transit Gateway VPC attachments. Each block of `transit_gateway_attachments` as defined below.
+    (Required) `name` - The name of the Transit Gateway VPC attachment.
+    (Required) `transit_gateway` - The ID of the Transit Gateway.
+    (Optional) `appliance_mode_enabled` - Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Defaults to `false`.
+    (Optional) `dns_support_enabled` - Whether to enable Domain Name System resolution for VPCs attached to this transit gateway. Defaults to `true`.
+    (Optional) `ipv6_enabled` - Whether to enable IPv6 support. Defaults to `false`.
+    (Optional) `default_association_route_table_enabled` - Whether to automatically associate transit gateway attachments with this transit gateway's default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Defaults to `false`.
+    (Optional) `default_propagation_route_table_enabled` - Whether to automatically propagate transit gateway attachments with this transit gateway's default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Defaults to `false`.
+    (Optional) `tags` - A map of tags to add to the vpc association.
+  EOF
+  type = list(object({
+    name                                    = string
+    transit_gateway                         = string
+    appliance_mode_enabled                  = optional(bool, false)
+    dns_support_enabled                     = optional(bool, true)
+    ipv6_enabled                            = optional(bool, false)
+    default_association_route_table_enabled = optional(bool, false)
+    default_propagation_route_table_enabled = optional(bool, false)
+
+    tags = optional(map(string), {})
+  }))
+  default  = []
+  nullable = false
+
+  validation {
+    condition = alltrue([
+      for attachment in var.transit_gateway_attachments :
+      startswith(attachment.transit_gateway, "tgw-")
+    ])
+    error_message = "Valid value for `transit_gateway` must be the ID of the Transit Gateway."
+  }
+}
+
 variable "dax_subnet_group" {
   description = <<EOF
   (Optional) A configuration of DAX Subnet Group. `dax_subnet_group` as defined below.