diff --git a/README.md b/README.md index 540838a..f0ed9c6 100644 --- a/README.md +++ b/README.md @@ -328,7 +328,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [amazon\_side\_asn](#input\_amazon\_side\_asn) | The ASN for the transit gateway. | `number` | n/a | yes | -| [connectivity\_config](#input\_connectivity\_config) | The type of connectivity options for the transit gateway. |
object({
inspection_with_all = optional(object({
# The name of the inbound route table. Defaults to 'inbound'.
network = optional(object({
# Defines the configuration for the inspection network.
availability_zones = number
# The number of availablity zones to use for the inspection network. Required. Must match the
# number of availability zones you use in the organization, due to symmetric routing requirements.
name = optional(string, "inspection")
# The name of the inspection network. Defaults to 'inspection'.
private_netmask = optional(number, 24)
# The netmask to use for the private network. Defaults to 24
vpc_cidr = optional(string, "100.64.0.0/21")
# The CIDR block to use for the VPC. Defaults to carrier-grade NAT space.
}), null)
return_route_table_name = optional(string, "inspection-return")
}), null)

trusted = optional(object({
# Defines the configuration for the trusted routing
trusted_attachments = optional(list(string), [])
# The list of transit gateway attachments to trust e.g can see all the other untrusted networks. Defaults to an empty list.
trusted_route_table_name = optional(string, "trusted")
# The name of the trusted route table. Defaults to 'trusted'.
trusted_core_route_table_name = optional(string, "trusted-core")
}), null)
})
| n/a | yes | +| [connectivity\_config](#input\_connectivity\_config) | The type of connectivity options for the transit gateway. |
object({
inspection_with_all = optional(object({
# The name of the inbound route table. Defaults to 'inbound'.
network = optional(object({
# Defines the configuration for the inspection network.
availability_zones = number
# The number of availablity zones to use for the inspection network. Required. Must match the
# number of availability zones you use in the organization, due to symmetric routing requirements.
name = optional(string, "inspection")
# The name of the inspection network. Defaults to 'inspection'.
private_netmask = optional(number, 24)
# The netmask to use for the private network. Defaults to 24
vpc_cidr = optional(string, "100.64.0.0/21")
# The CIDR block to use for the VPC. Defaults to carrier-grade NAT space.
}), null)
return_route_table_name = optional(string, "inspection-return")
}), null)

trusted = optional(object({
# Defines the configuration for the trusted routing
trusted_attachments = optional(map(string), {})
# The list of transit gateway attachments to trust e.g can see all the other untrusted networks. Defaults to an empty list.
trusted_route_table_name = optional(string, "trusted")
# The name of the trusted route table. Defaults to 'trusted'.
trusted_core_route_table_name = optional(string, "trusted-core")
}), null)
})
| n/a | yes | | [description](#input\_description) | The description of the transit gateway to provision. | `string` | n/a | yes | | [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | n/a | yes | | [enable\_dns\_support](#input\_enable\_dns\_support) | Whether DNS support is enabled. | `bool` | `true` | no | @@ -336,11 +336,11 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | [enable\_multicast\_support](#input\_enable\_multicast\_support) | Whether multicast support is enabled. | `bool` | `false` | no | | [enable\_vpn\_ecmp\_support](#input\_enable\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled. | `bool` | `false` | no | | [name](#input\_name) | The name of the transit gateway to provision. | `string` | `"tgw"` | no | -| [prefix\_lists](#input\_prefix\_lists) | Provides the ability to provision prefix lists, and share them with other accounts. |
list(object({
name = string
entry = list(object({
address_family = optional(string, "IPv4")
cidr = string
description = string
max_entries = number
}))
}))
| `[]` | no | +| [prefix\_lists](#input\_prefix\_lists) | Provides the ability to provision prefix lists, and share them with other accounts. |
list(object({
name = string
entry = list(object({
address_family = optional(string, "IPv4")
cidr = string
description = string
max_entries = number
}))
}))
| `[]` | no | | [prefix\_ram\_principals](#input\_prefix\_ram\_principals) | The list of organizational units or accounts to share the prefix lists with. | `list(string)` | `[]` | no | | [ram\_share\_name](#input\_ram\_share\_name) | The name of the RAM share to create for the transit gateway. | `string` | `"tgw-ram-share"` | no | | [ram\_share\_principals](#input\_ram\_share\_principals) | The list of organizational units or accounts to share the transit gateway with. | `list(string)` | `[]` | no | -| [services](#input\_services) | A collection of features and services associated with this connectivity domain. |
object({
egress = optional(object({
network = object({
# Defines the configuration for an egress network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the egress network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the egress network. Defaults to null.
name = optional(string, "egress")
# The name of the egress network. Defaults to 'egress'.
private_netmask = optional(number, 28)
# The netmask to use for the private network. Defaults to 28.
public_netmask = optional(number, 28)
# The netmask to use for the public network. Defaults to 28.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})
}), null)
dns = optional(object({
# The list of organizational units or accounts to share the domain rule with.
resolver_name = optional(string, "dns-resolver")

# Defines the configuration for the endpoints network.
network = object({
# Defines the configuration for the endpoints network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the endpoints network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the endpoints network. Defaults to null.
name = optional(string, "central-dns")
# The name of the endpoints network. Defaults to 'endpoints'.
private_netmask = optional(number, 24)
# The netmask to use for the private network. Defaults to 24, ensure space for enough aws services.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
}),

domain_rules = optional(list(object({
ram_share_name = optional(string, "central-dns")
# The name of the domain rule - this is mapped to the resource share name
ram_principals = optional(map(string), {})
# The name of the resolver to use. Defaults to 'dns-resolver'.
rules = list(object({
name = string
# The name of the rule - the ram share name is domain.name + "-" + rule.name
# The list of domain rules to apply to the domain.
domain = string
# The domain to apply the rule to.
targets = optional(list(string), [])
# The list of targets to apply the rule to - defaults to local resolver.
}))
})), [])
}), null)

endpoints = optional(object({
# Defines the configuration for the endpoints network.
network = object({
# Defines the configuration for the endpoints network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the endpoints network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the endpoints network. Defaults to null.
name = optional(string, "endpoints")
# The name of the endpoints network. Defaults to 'endpoints'.
private_netmask = optional(number, 24)
# The netmask to use for the private network. Defaults to 24, ensure space for enough aws services.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})
sharing = optional(object({
# Defines the configuration for the sharing network via AWS RAM
principals = optional(list(string), [])
# The list of organizational units or accounts to share the endpoints resolvers rules with. Defaults to an empty list.
}), null)
services = optional(map(object({
# Defines the configuration for the private endpoints in the shared network.
private_dns_enabled = optional(bool, true)
# Whether private DNS is enabled. Defaults to true.
service_type = optional(string, "Interface")
# The type of service, i.e. Gateway or Interface. Defaults to 'Interface'
service = string
# The name of the service i.e. ec2, ec2messages, ssm, ssmmessages, logs, kms, secretsmanager, s3.awsamazon.com
policy = optional(string, null)
# An optional IAM policy to use for the endpoint. Defaults to null.
})), {
ec2messages = {
service = "ec2messages"
},
ssm = {
service = "ssm"
},
ssmmessages = {
service = "ssmmessages"
},
})
}), null)
ingress = optional(object({
# Defines the configuration for the ingress network.
network = object({
# Defines the configuration for the ingress network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the ingress network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the ingress network. Defaults to null.
name = optional(string, "ingress")
# The name of the ingress network. Defaults to 'ingress'.
private_netmask = number
# The netmask to use for the private network. Required, ensure space for enough aws services.
public_netmask = number
# The netmask to use for the public network. Required, ensure space for enough aws services.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})
}), null)
})
| `{}` | no | +| [services](#input\_services) | A collection of features and services associated with this connectivity domain. |
object({
egress = optional(object({
network = object({
# Defines the configuration for an egress network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the egress network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the egress network. Defaults to null.
name = optional(string, "egress")
# The name of the egress network. Defaults to 'egress'.
private_netmask = optional(number, 28)
# The netmask to use for the private network. Defaults to 28.
public_netmask = optional(number, 28)
# The netmask to use for the public network. Defaults to 28.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})
}), null)
dns = optional(object({
# The list of organizational units or accounts to share the domain rule with.
resolver_name = optional(string, "dns-resolver")

# Defines the configuration for the endpoints network.
network = object({
# Defines the configuration for the endpoints network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the endpoints network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the endpoints network. Defaults to null.
name = optional(string, "central-dns")
# The name of the endpoints network. Defaults to 'endpoints'.
private_netmask = optional(number, 24)
# The netmask to use for the private network. Defaults to 24, ensure space for enough aws services.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
}),

domain_rules = optional(list(object({
ram_share_name = optional(string, "central-dns")
# The name of the domain rule - this is mapped to the resource share name
ram_principals = optional(map(string), {})
# The name of the resolver to use. Defaults to 'dns-resolver'.
rules = list(object({
name = string
# The name of the rule - the ram share name is domain.name + "-" + rule.name
# The list of domain rules to apply to the domain.
domain = string
# The domain to apply the rule to.
targets = optional(list(string), [])
# The list of targets to apply the rule to - defaults to local resolver.
}))
})), [])
}), null)

endpoints = optional(object({
# Defines the configuration for the endpoints network.
network = object({
# Defines the configuration for the endpoints network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the endpoints network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the endpoints network. Defaults to null.
name = optional(string, "endpoints")
# The name of the endpoints network. Defaults to 'endpoints'.
private_netmask = optional(number, 24)
# The netmask to use for the private network. Defaults to 24, ensure space for enough aws services.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})
sharing = optional(object({
# Defines the configuration for the sharing network via AWS RAM
principals = optional(list(string), [])
# The list of organizational units or accounts to share the endpoints resolvers rules with. Defaults to an empty list.
}), null)
services = optional(map(object({
# Defines the configuration for the private endpoints in the shared network.
private_dns_enabled = optional(bool, true)
# Whether private DNS is enabled. Defaults to true.
service_type = optional(string, "Interface")
# The type of service, i.e. Gateway or Interface. Defaults to 'Interface'
service = string
# The name of the service i.e. ec2, ec2messages, ssm, ssmmessages, logs, kms, secretsmanager, s3.awsamazon.com
policy = optional(string, null)
# An optional IAM policy to use for the endpoint. Defaults to null.
})), {
ec2messages = {
service = "ec2messages"
},
ssm = {
service = "ssm"
},
ssmmessages = {
service = "ssmmessages"
},
})
}), null)
ingress = optional(object({
# Defines the configuration for the ingress network.
network = object({
# Defines the configuration for the ingress network.
availability_zones = optional(number, 2)
# The number of availablity zones to use for the ingress network. Defaults to 2.
ipam_pool_id = optional(string, null)
# The ID of the IPAM pool to use for the ingress network. Defaults to null.
name = optional(string, "ingress")
# The name of the ingress network. Defaults to 'ingress'.
private_netmask = number
# The netmask to use for the private network. Required, ensure space for enough aws services.
public_netmask = number
# The netmask to use for the public network. Required, ensure space for enough aws services.
vpc_cidr = optional(string, null)
# The CIDR block to use for the VPC. Defaults to null, required when not using IPAM
vpc_netmask = optional(string, null)
# The netmask to use for the VPC. Defaults to null, required when using IPAM
})
}), null)
})
| `{}` | no | ## Outputs diff --git a/examples/inspection/README.md b/examples/inspection/README.md index 0ae4ab9..6f4a543 100644 --- a/examples/inspection/README.md +++ b/examples/inspection/README.md @@ -27,7 +27,7 @@ No resources. |------|-------------|------|---------|:--------:| | [asn](#input\_asn) | The ASN of the gateway. | `number` | `64512` | no | | [name](#input\_name) | The name of the transit gateway to provision. | `string` | `"main-hub"` | no | -| [tags](#input\_tags) | A map of tags to assign to the resources. | `map(string)` |
{
"Environment": "test",
"GitRepo": "https://github.com/appvia/terraform-aws-connectivity"
}
| no | +| [tags](#input\_tags) | A map of tags to assign to the resources. | `map(string)` |
{
"Environment": "test",
"GitRepo": "https://github.com/appvia/terraform-aws-connectivity"
}
| no | ## Outputs diff --git a/examples/trusted/README.md b/examples/trusted/README.md index 0d54cc5..7af0529 100644 --- a/examples/trusted/README.md +++ b/examples/trusted/README.md @@ -29,7 +29,7 @@ No resources. | [name](#input\_name) | The name of the transit gateway to provision. | `string` | `"main-hub"` | no | | [ram\_principals](#input\_ram\_principals) | The AWS RAM principal to share the transit gateway with. | `map(string)` | `{}` | no | | [tags](#input\_tags) | A map of tags to assign to the resources. | `map(string)` | `{}` | no | -| [trusted\_attachments](#input\_trusted\_attachments) | The list of trusted account IDs. | `list(string)` | `[]` | no | +| [trusted\_attachments](#input\_trusted\_attachments) | The list of trusted account IDs. | `map(string)` | `{}` | no | ## Outputs diff --git a/examples/trusted/variables.tf b/examples/trusted/variables.tf index 48d49a3..5413b41 100644 --- a/examples/trusted/variables.tf +++ b/examples/trusted/variables.tf @@ -18,8 +18,8 @@ variable "asn" { variable "trusted_attachments" { description = "The list of trusted account IDs." - type = list(string) - default = [] + type = map(string) + default = {} } variable "tags" { diff --git a/trusted.tf b/trusted.tf index 0fed2fe..e970f47 100644 --- a/trusted.tf +++ b/trusted.tf @@ -30,7 +30,7 @@ resource "aws_ec2_transit_gateway_route_table_association" "trusted" { ## table. This will allow traffic to flow from the trusted routing table to the trusted ## routing table. resource "aws_ec2_transit_gateway_route_table_propagation" "trusted" { - for_each = local.enable_trusted == true ? toset(var.connectivity_config.trusted.trusted_attachments) : toset([]) + for_each = local.enable_trusted == true ? var.connectivity_config.trusted.trusted_attachments : {} transit_gateway_attachment_id = each.value transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.trusted[0].id diff --git a/variables.tf b/variables.tf index f8de864..6cf84fe 100644 --- a/variables.tf +++ b/variables.tf @@ -179,7 +179,7 @@ variable "connectivity_config" { trusted = optional(object({ # Defines the configuration for the trusted routing - trusted_attachments = optional(list(string), []) + trusted_attachments = optional(map(string), {}) # The list of transit gateway attachments to trust e.g can see all the other untrusted networks. Defaults to an empty list. trusted_route_table_name = optional(string, "trusted") # The name of the trusted route table. Defaults to 'trusted'.