feat: adding a complete setup to the examples and testing it (#3)

* feat: adding a complete setup to the examples and testing it * chore: adding the permissions
appvia · Apr 12, 2024 · 470b5cd · 470b5cd
1 parent 98bc436
commit 470b5cd
Show file tree

Hide file tree

Showing 29 changed files with 360 additions and 399 deletions.
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -8,6 +8,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   module-validation:
     uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main

diff --git a/Makefile b/Makefile
@@ -16,7 +16,7 @@
 #
 AUTHOR_EMAIL[email protected]
 
-.PHONY: all security lint format documentation documentation-examples
+.PHONY: all security lint format documentation documentation-examples validate-all validate validate-examples init
 
 default: all
 
@@ -45,10 +45,24 @@ init:
 	@echo "--> Running terraform init"
 	@terraform init -backend=false
 
+validate-all:
+	@echo "--> Running all validation checks"
+	$(MAKE) validate
+	$(MAKE) validate-examples
+
 validate:
 	@echo "--> Running terraform validate"
+	@terraform init -backend=false
 	@terraform validate
 
+validate-examples:
+	@echo "--> Running terraform validate on examples"
+	@find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
+		echo "--> Validating $$dir"; \
+		terraform -chdir=$$dir init; \
+		terraform -chdir=$$dir validate; \
+	done
+
 lint:
 	@echo "--> Running tflint"
 	@tflint --init 
@@ -57,3 +71,10 @@ lint:
 format: 
 	@echo "--> Running terraform fmt"
 	@terraform fmt -recursive -write=true
+
+clean:
+	@echo "--> Cleaning up"
+	@find . -type d -name ".terraform" | while read -r dir; do \
+		echo "--> Removing $$dir"; \
+		rm -rf $$dir; \
+	done
diff --git a/README.md b/README.md
diff --git a/endpoints.tf b/endpoints.tf
@@ -0,0 +1,43 @@
+
+## Provision a network for the endpoints vpc 
+module "endpoints_vpc" {
+  count   = local.enable_endpoints ? 1 : 0
+  source  = "appvia/network/aws"
+  version = "0.1.6"
+
+  availability_zones                    = var.connectivity_config.endpoints.network.availability_zones
+  enable_transit_gateway                = true
+  enable_transit_gateway_appliance_mode = true
+  name                                  = var.connectivity_config.endpoints.network.name
+  private_subnet_netmask                = var.connectivity_config.endpoints.network.private_netmask
+  tags                                  = var.tags
+  transit_gateway_id                    = module.tgw.ec2_transit_gateway_id
+  vpc_cidr                              = var.connectivity_config.endpoints.network.vpc_cidr
+}
+
+## Provision if required the shared private endpoints
+module "endpoints" {
+  count   = local.enable_endpoints ? 1 : 0
+  source  = "appvia/private-endpoints/aws"
+  version = "0.1.2"
+
+  name      = var.connectivity_config.endpoints.network.name
+  endpoints = var.connectivity_config.endpoints.services
+  tags      = var.tags
+
+  network = {
+    private_subnet_cidrs = module.endpoints_vpc[0].private_subnet_cidrs
+    vpc_id               = module.endpoints_vpc[0].vpc_id
+  }
+
+  resolvers = {
+    inbound = {
+      create            = true
+      ip_address_offset = 10
+    }
+    outbound = {
+      create            = true
+      ip_address_offset = 12
+    }
+  }
+}
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -27,7 +27,7 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resources. | `map(string)` | n/a | yes |
 | <a name="input_asn"></a> [asn](#input\_asn) | The ASN of the gateway. | `number` | `64512` | no |
-| <a name="input_name"></a> [name](#input\_name) | The name of the transit gateway to provision. | `string` | `"main-hub"` | no |
+| <a name="input_name"></a> [name](#input\_name) | The name of the transit gateway to provision. | `string` | `"tgw"` | no |
 | <a name="input_ram_principals"></a> [ram\_principals](#input\_ram\_principals) | The AWS RAM principal to share the transit gateway with. | `map(string)` | `{}` | no |
 
 ## Outputs

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -38,15 +38,18 @@ module "hub" {
       }
     }
 
-    trusted = {
-      trusted_attachments = []
+    inspection = {
+      network = {
+        availability_zones     = 3
+        vpc_cidr               = "100.64.0.0/21"
+        name                   = "inspection"
+        private_subnet_netmask = 24
+        public_subnet_netmask  = 24
+      }
     }
 
     endpoints = {
       services = {
-        ec2 = {
-          service = "ec2"
-        },
         ec2messages = {
           service = "ec2messages"
         },

diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -2,7 +2,7 @@
 variable "name" {
   description = "The name of the transit gateway to provision."
   type        = string
-  default     = "main-hub"
+  default     = "tgw"
 }
 
 variable "asn" {

diff --git a/examples/inspection/main.tf b/examples/inspection/main.tf
@@ -26,11 +26,6 @@ module "hub" {
         public_netmask     = 24
         vpc_cidr           = "100.64.0.0/21"
       }
-      #
-      ## If you want to create the inspection vpc independently, create post the transit gateway creation
-      ## and provide the attachment id afterwards
-      # 
-      # attachment_id = "tgw-attach-1234567890"
     }
   }
 }
diff --git a/examples/trusted/.terraform.lock.hcl b/examples/trusted/.terraform.lock.hcl
diff --git a/examples/trusted/README.md b/examples/trusted/README.md
@@ -28,6 +28,7 @@ No resources.
 | <a name="input_asn"></a> [asn](#input\_asn) | The ASN of the gateway. | `number` | `64512` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the transit gateway to provision. | `string` | `"main-hub"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resources. | `map(string)` | `{}` | no |
+| <a name="input_trusted_attachments"></a> [trusted\_attachments](#input\_trusted\_attachments) | The list of trusted account IDs. | `list(string)` | `[]` | no |
 
 ## Outputs
 

diff --git a/examples/trusted/main.tf b/examples/trusted/main.tf
@@ -9,18 +9,16 @@ module "hub_trusted" {
 
   name                       = var.name
   description                = "The transit gateway fot all accounts within this region"
-  asn                        = var.asn
+  amazon_side_asn            = var.asn
   enable_dns_support         = true
   enable_external_principals = true
-  enable_ram_share           = true
   enable_multicast_support   = true
   enable_vpn_ecmp_support    = true
-  region                     = var.region
   tags                       = var.tags
 
   connectivity_config = {
     trusted = {
-      trusted_attachments = [var.trusted_attachments]
+      trusted_attachments = var.trusted_attachments
     }
   }
 }

diff --git a/examples/trusted/variables.tf b/examples/trusted/variables.tf
@@ -16,6 +16,12 @@ variable "asn" {
   }
 }
 
+variable "trusted_attachments" {
+  description = "The list of trusted account IDs."
+  type        = list(string)
+  default     = []
+}
+
 variable "tags" {
   description = "A map of tags to assign to the resources."
   type        = map(string)

diff --git a/inspection.tf b/inspection.tf
@@ -1,43 +1,107 @@
 
-locals {
-  ## If inspection is enabled we need get the attachment id for the inspection vpc
-  inspection_attachment_id = local.enable_inspection ? coalesce(var.connectivity_config.inspection.attachment_id, module.inspection_vpc[0].transit_gateway_attachment_id) : null
-}
-
 ## Provision the inspection vpcs if required 
 module "inspection_vpc" {
-  count   = local.enable_inspection_vpc_creation ? 1 : 0
+  count   = local.enable_inspection ? 1 : 0
   source  = "appvia/network/aws"
-  version = "0.1.3"
+  version = "0.1.6"
+
+  availability_zones                     = var.connectivity_config.inspection.network.availability_zones
+  enable_default_route_table_association = false
+  enable_default_route_table_propagation = false
+  enable_transit_gateway                 = true
+  enable_transit_gateway_appliance_mode  = true
+  name                                   = var.connectivity_config.inspection.network.name
+  private_subnet_netmask                 = var.connectivity_config.inspection.network.private_netmask
+  tags                                   = var.tags
+  transit_gateway_id                     = module.tgw.ec2_transit_gateway_id
+  vpc_cidr                               = var.connectivity_config.inspection.network.vpc_cidr
+}
 
-  availability_zones                    = var.connectivity_config.inspection.network.availability_zones
-  enable_transit_gateway                = true
-  enable_transit_gateway_appliance_mode = true
-  name                                  = var.connectivity_config.inspection.network.name
-  private_subnet_netmask                = var.connectivity_config.inspection.network.private_netmask
-  public_subnet_netmask                 = var.connectivity_config.inspection.network.public_netmask
-  tags                                  = var.tags
-  transit_gateway_id                    = module.tgw.ec2_transit_gateway_id
-  vpc_cidr                              = var.connectivity_config.inspection.network.vpc_cidr
+## We create a route table for all the spokes to propagatio into. This route table is associated with 
+## the inspection vpc attachment, and is used to return traffic to the spoke vpcs.
+resource "aws_ec2_transit_gateway_route_table" "inspection_return" {
+  count = local.enable_inspection ? 1 : 0
+
+  tags               = merge(var.tags, { Name = var.connectivity_config.inspection.spokes_route_table_name })
+  transit_gateway_id = module.tgw.ec2_transit_gateway_id
 }
 
-## Provision the inspection layout when required 
-module "inspection" {
-  count  = local.enable_inspection ? 1 : 0
-  source = "./modules/tgw_inspection"
+## We need to associated the inspection vpc attachment with the return route table.
+resource "aws_ec2_transit_gateway_route_table_association" "inspection_inbound" {
+  count = local.enable_inspection ? 1 : 0
 
-  attachment_id                      = local.inspection_attachment_id
-  tags                               = var.tags
-  transit_gateway_return_table_name  = var.connectivity_config.inspection.spokes_route_table_name
-  transit_gateway_inbound_table_name = var.connectivity_config.inspection.inbound_route_table_name
-  transit_gateway_id                 = module.tgw.ec2_transit_gateway_id
+  replace_existing_association   = true
+  transit_gateway_attachment_id  = module.inspection_vpc[0].transit_gateway_attachment_id
+  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection_return[0].id
 }
 
-## We add to add a default route into the spokes (return) route table to egress via the egress vpc 
+## The default route table is setup as the default association for all attachments; we need to 
+## add an default route here to funnel all traffic to the inspection vpc.
+resource "aws_ec2_transit_gateway_route" "inspection_inbound" {
+  count = local.enable_inspection ? 1 : 0
+
+  destination_cidr_block         = "0.0.0.0/0"
+  transit_gateway_attachment_id  = module.inspection_vpc[0].transit_gateway_attachment_id
+  transit_gateway_route_table_id = module.tgw.ec2_transit_gateway_association_default_route_table_id
+}
+
+## If the egress vpc is enabled, we need to add a default route to the return traffic routing table, 
+## to allow traffic to egress via it.
 resource "aws_ec2_transit_gateway_route" "inspection_egress" {
   count = local.enable_inspection && local.enable_egress ? 1 : 0
 
   destination_cidr_block         = "0.0.0.0/0"
   transit_gateway_attachment_id  = module.egress_vpc[0].transit_gateway_attachment_id
-  transit_gateway_route_table_id = module.inspection[0].inbound_route_table_id
+  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection_return[0].id
+}
+
+## We need to associate the endpoints vpc   
+resource "aws_ec2_transit_gateway_route_table_association" "inspection_endpoints" {
+  count = local.enable_inspection == true && local.enable_endpoints == true ? 1 : 0
+
+  replace_existing_association   = true
+  transit_gateway_attachment_id  = module.endpoints_vpc[0].transit_gateway_attachment_id
+  transit_gateway_route_table_id = module.tgw.ec2_transit_gateway_association_default_route_table_id
+}
+
+## We need to associate the ingress vpc 
+resource "aws_ec2_transit_gateway_route_table_association" "inspection_ingress" {
+  count = local.enable_inspection == true && local.enable_ingress == true ? 1 : 0
+
+  replace_existing_association   = true
+  transit_gateway_attachment_id  = module.ingress_vpc[0].transit_gateway_attachment_id
+  transit_gateway_route_table_id = module.tgw.ec2_transit_gateway_association_default_route_table_id
+}
+
+## We need to associate the egress vpc 
+resource "aws_ec2_transit_gateway_route_table_association" "inspection_egress" {
+  count = local.enable_inspection == true && local.enable_egress == true ? 1 : 0
+
+  replace_existing_association   = true
+  transit_gateway_attachment_id  = module.egress_vpc[0].transit_gateway_attachment_id
+  transit_gateway_route_table_id = module.tgw.ec2_transit_gateway_association_default_route_table_id
+}
+
+## We need to propagate the endpoints_vpc into the return route table 
+resource "aws_ec2_transit_gateway_route_table_propagation" "inspection_endpoints" {
+  count = local.enable_inspection == true && local.enable_endpoints == true ? 1 : 0
+
+  transit_gateway_attachment_id  = module.endpoints_vpc[0].transit_gateway_attachment_id
+  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection_return[0].id
+}
+
+## We need to propagate the ingress_vpc into the return route table 
+resource "aws_ec2_transit_gateway_route_table_propagation" "inspection_ingress" {
+  count = local.enable_inspection == true && local.enable_ingress == true ? 1 : 0
+
+  transit_gateway_attachment_id  = module.ingress_vpc[0].transit_gateway_attachment_id
+  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection_return[0].id
+}
+
+## We need to propagate the egress_vpc into the return route spokes_route_table_name
+resource "aws_ec2_transit_gateway_route_table_propagation" "inspection_egress" {
+  count = local.enable_inspection == true && local.enable_egress == true ? 1 : 0
+
+  transit_gateway_attachment_id  = module.egress_vpc[0].transit_gateway_attachment_id
+  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection_return[0].id
 }
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,13 @@
+
+locals {
+  ## Indicates the inspection connectivity layout 
+  enable_inspection = var.connectivity_config.inspection != null
+  ## Indicates the trusted network connectivity layout 
+  enable_trusted = var.connectivity_config.trusted != null
+  ## Indicates if we have egress configuration 
+  enable_egress = var.connectivity_config.egress != null
+  ## Indicates if we have ingress configuration 
+  enable_ingress = var.connectivity_config.ingress != null
+  ## Indicates if we should provision a endpoints vpc 
+  enable_endpoints = var.connectivity_config.endpoints != null
+}