Support ram sharing for subnet-group module (#56)

tedilabs · Oct 26, 2023 · 81fd1d0 · 81fd1d0
1 parent 7e6aa40
commit 81fd1d0
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 10 deletions.
diff --git a/examples/vpc-full/subnet-groups.tf b/examples/vpc-full/subnet-groups.tf
@@ -7,16 +7,16 @@ module "private_subnet_group" {
   # source  = "tedilabs/network/aws//modules/subnet-group"
   # version = "~> 0.2.0"
 
-  name = "test/private"
+  name = "test-private"
 
   vpc_id = module.vpc.id
 
   subnets = {
-    "test/private/az2" = {
+    "test-private/az2" = {
       availability_zone_id = "use1-az2"
       ipv4_cidr            = "10.0.200.0/24"
     }
-    "test/private/az4" = {
+    "test-private/az4" = {
       availability_zone_id = "use1-az4"
       ipv4_cidr            = "10.0.201.0/24"
     }
@@ -85,6 +85,15 @@ module "private_subnet_group" {
     description = "Test Redshift Subnet Group"
   }
 
+
+  ## Sharing
+  shares = [
+    # {
+    #   name = "team1"
+    #   principals = ["123456789012"]
+    # },
+  ]
+
   tags = {
     "project" = "terraform-aws-network-examples"
   }
@@ -95,16 +104,16 @@ module "public_subnet_group" {
   # source  = "tedilabs/network/aws//modules/subnet-group"
   # version = "~> 0.2.0"
 
-  name = "test/public"
+  name = "test-public"
 
   vpc_id = module.vpc.id
 
   subnets = {
-    "test/public/az2" = {
+    "test-public/az2" = {
       availability_zone_id = "use1-az2"
       ipv4_cidr            = "10.0.100.0/24"
     }
-    "test/public/az4" = {
+    "test-public/az4" = {
       availability_zone_id = "use1-az4"
       ipv4_cidr            = "10.0.101.0/24"
     }

diff --git a/modules/subnet-group/README.md b/modules/subnet-group/README.md
@@ -31,6 +31,7 @@ This module creates following resources.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+| <a name="module_share"></a> [share](#module\_share) | tedilabs/account/aws//modules/ram-share | ~> 0.27.0 |
 
 ## Resources
 
@@ -71,6 +72,7 @@ This module creates following resources.
 | <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_shares"></a> [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). | <pre>list(object({<br>    name = optional(string)<br><br>    permissions = optional(set(string), ["AWSRAMDefaultPermissionSubnet"])<br><br>    external_principals_allowed = optional(bool, false)<br>    principals                  = optional(set(string), [])<br><br>    tags = optional(map(string), {})<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | (Optional) How long to wait for the subnet group to be created/deleted. | <pre>object({<br>    create = optional(string, "10m")<br>    delete = optional(string, "20m")<br>  })</pre> | `{}` | no |
 
@@ -99,6 +101,7 @@ This module creates following resources.
 | <a name="output_public_ipv4_address_assignment"></a> [public\_ipv4\_address\_assignment](#output\_public\_ipv4\_address\_assignment) | The configuration of public IPv4 address assignment.<br>    `enabled` - Whether to automatically assign public IPv4 address to instances launched in the subnet group. |
 | <a name="output_rds_subnet_group"></a> [rds\_subnet\_group](#output\_rds\_subnet\_group) | The configuration of RDS Subnet Group.<br>    `id` - The ID of the RDS Subnet Group.<br>    `arn` - The ARN of the RDS Subnet Group.<br>    `name` - The name of the RDS Subnet Group.<br>    `description` - The description of the RDS Subnet Group. |
 | <a name="output_redshift_subnet_group"></a> [redshift\_subnet\_group](#output\_redshift\_subnet\_group) | The configuration of Redshift Subnet Group.<br>    `id` - The ID of the Redshift Subnet Group.<br>    `arn` - The ARN of the Redshift Subnet Group.<br>    `name` - The name of the Redshift Subnet Group.<br>    `description` - The description of the Redshift Subnet Group. |
+| <a name="output_sharing"></a> [sharing](#output\_sharing) | The configuration for sharing of subnets in the subnet group.<br>    `status` - An indication of whether subnets are shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.<br>    `shares` - The list of resource shares via RAM (Resource Access Manager). |
 | <a name="output_subnets"></a> [subnets](#output\_subnets) | A list of subnets of the subnet group. |
 | <a name="output_subnets_by_az"></a> [subnets\_by\_az](#output\_subnets\_by\_az) | A map of subnets of the subnet group which are grouped by availability zone id. |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC which the subnet group belongs to. |

diff --git a/modules/subnet-group/main.tf b/modules/subnet-group/main.tf
@@ -41,16 +41,16 @@ locals {
     values(aws_subnet.this)[*].availability_zone_id
   )
   subnets = [
-    for subnet in aws_subnet.this : {
+    for name, subnet in aws_subnet.this : {
       id   = subnet.id
       arn  = subnet.arn
-      name = subnet.tags["Name"]
+      name = name
 
       availability_zone    = subnet.availability_zone
       availability_zone_id = subnet.availability_zone_id
 
-      cidr_block      = subnet.cidr_block
-      ipv6_cidr_block = subnet.ipv6_cidr_block
+      ipv4_cidr = subnet.cidr_block
+      ipv6_cidr = subnet.ipv6_cidr_block
     }
   ]
 }

diff --git a/modules/subnet-group/outputs.tf b/modules/subnet-group/outputs.tf
@@ -262,3 +262,15 @@ output "redshift_subnet_group" {
     : null
   )
 }
+
+output "sharing" {
+  description = <<EOF
+  The configuration for sharing of subnets in the subnet group.
+    `status` - An indication of whether subnets are shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
+    `shares` - The list of resource shares via RAM (Resource Access Manager).
+  EOF
+  value = {
+    status = length(module.share) > 0 ? "SHARED_BY_ME" : "NOT_SHARED"
+    shares = module.share
+  }
+}
diff --git a/modules/subnet-group/ram-share.tf b/modules/subnet-group/ram-share.tf
@@ -0,0 +1,31 @@
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+module "share" {
+  source  = "tedilabs/account/aws//modules/ram-share"
+  version = "~> 0.27.0"
+
+  for_each = {
+    for share in var.shares :
+    share.name => share
+  }
+
+  name = "vpc.subnet-group.${var.name}.${each.key}"
+
+  resources = values(aws_subnet.this)[*].arn
+
+  permissions = each.value.permissions
+
+  external_principals_allowed = each.value.external_principals_allowed
+  principals                  = each.value.principals
+
+  resource_group_enabled = false
+  module_tags_enabled    = false
+
+  tags = merge(
+    local.module_tags,
+    var.tags,
+    each.value.tags,
+  )
+}
diff --git a/modules/subnet-group/variables.tf b/modules/subnet-group/variables.tf
@@ -306,3 +306,24 @@ variable "resource_group_description" {
   default     = "Managed by Terraform."
   nullable    = false
 }
+
+
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+variable "shares" {
+  description = "(Optional) A list of resource shares via RAM (Resource Access Manager)."
+  type = list(object({
+    name = optional(string)
+
+    permissions = optional(set(string), ["AWSRAMDefaultPermissionSubnet"])
+
+    external_principals_allowed = optional(bool, false)
+    principals                  = optional(set(string), [])
+
+    tags = optional(map(string), {})
+  }))
+  default  = []
+  nullable = false
+}