feat: enabling the ability for the transit gateway subnets to be conn…

…ected to the nat devices (#2)

Makefile

@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2024  Appvia Ltd <[email protected]>
+#  
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+AUTHOR_EMAIL[email protected]
+
+.PHONY: all security lint format documentation documentation-examples
+
+default: all
+
+all: 
+	$(MAKE) init
+	$(MAKE) validate
+	$(MAKE) security
+	$(MAKE) lint
+	$(MAKE) format
+	$(MAKE) documentation
+	$(MAKE) documentation-examples
+
+security: 
+	@echo "--> Running Security checks"
+	@tfsec .
+
+documentation: 
+	@echo "--> Generating documentation"
+	@terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
+
+documentation-examples:
+	@echo "--> Generating documentation examples"
+	@find examples -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \;
+
+init: 
+	@echo "--> Running terraform init"
+	@terraform init -backend=false
+
+validate:
+	@echo "--> Running terraform validate"
+	@terraform validate
+
+lint:
+	@echo "--> Running tflint"
+	@tflint --init 
+	@tflint -f compact
+
+format: 
+	@echo "--> Running terraform fmt"
+	@terraform fmt -recursive -write=true

README.md

@@ -86,6 +86,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_enable_ssm"></a> [enable\_ssm](#input\_enable\_ssm) | Indicates we should provision SSM private endpoints | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway_appliance_mode"></a> [enable\_transit\_gateway\_appliance\_mode](#input\_enable\_transit\_gateway\_appliance\_mode) | Indicates the network should be connected to a transit gateway in appliance mode | `bool` | `false` | no |
+| <a name="input_enable_transit_gateway_subnet_natgw"></a> [enable\_transit\_gateway\_subnet\_natgw](#input\_enable\_transit\_gateway\_subnet\_natgw) | Indicates if the transit gateway subnets should be connected to a nat gateway | `bool` | `false` | no |
 | <a name="input_ipam_pool_id"></a> [ipam\_pool\_id](#input\_ipam\_pool\_id) | An optional pool id to use for IPAM pool to use | `string` | `""` | no |
 | <a name="input_ipam_pool_name"></a> [ipam\_pool\_name](#input\_ipam\_pool\_name) | An optional pool name to use for IPAM pool to use | `string` | `""` | no |
 | <a name="input_nat_gateway_mode"></a> [nat\_gateway\_mode](#input\_nat\_gateway\_mode) | The configuration mode of the NAT gateways | `string` | `"none"` | no |

locals.tf

@@ -31,7 +31,7 @@ locals {
   # Configuration for the transit subnets 
   transit_subnet = var.enable_transit_gateway ? {
     transit_gateway = {
-      connect_to_public_natgw                         = false
+      connect_to_public_natgw                         = var.enable_transit_gateway_subnet_natgw
       netmask                                         = 28
       tags                                            = var.tags
       transit_gateway_appliance_mode_support          = var.enable_transit_gateway_appliance_mode ? "enable" : "disable"

main.tf

@@ -5,78 +5,6 @@
 # Get the current region 
 data "aws_region" "current" {}
 
-locals {
-  # The id for the transit_gateway_id passed into the module
-  transit_gateway_id = var.enable_transit_gateway ? var.transit_gateway_id : null
-
-  # Is the routes to propagate down the transit gateway 
-  transit_routes = var.enable_transit_gateway && length(var.transit_gateway_routes) > 0 ? var.transit_gateway_routes : null
-
-  # The configuration for the private subnets
-  private_subnet = {
-    private = {
-      connect_to_public_natgw = var.enable_nat_gateway ? true : null
-      netmask                 = var.private_subnet_netmask
-      tags                    = var.tags
-    }
-  }
-
-  # Public subnets are optional
-  public_subnet = var.public_subnet_netmask > 0 ? {
-    public = {
-      connect_to_public_natgw   = var.enable_nat_gateway ? true : null
-      nat_gateway_configuration = var.nat_gateway_mode
-      netmask                   = var.public_subnet_netmask
-      tags                      = var.tags
-    }
-  } : null
-
-  # We use the discovered IPAM pool id if the user has not provided one
-  ipam_pool_id = var.enable_ipam ? data.aws_vpc_ipam_pool.current[0].id : null
-
-  # Configuration for the transit subnets 
-  transit_subnet = var.enable_transit_gateway ? {
-    transit_gateway = {
-      connect_to_public_natgw                         = false
-      netmask                                         = 28
-      tags                                            = var.tags
-      transit_gateway_appliance_mode_support          = var.enable_transit_gateway_appliance_mode ? "enable" : "disable"
-      transit_gateway_default_route_table_association = true
-      transit_gateway_default_route_table_propagation = true
-      transit_gateway_dns_support                     = "enable"
-    }
-  } : null
-
-  # private subnet ranges 
-  private_subnet_cidrs = [for k, x in module.vpc.private_subnet_attributes_by_az : x.cidr_block if startswith(k, "private/")]
-  # private subnet range map 
-  private_subnet_cidr_map = { for k, x in module.vpc.private_subnet_attributes_by_az : x.id => x.cidr_block if startswith(k, "private/") }
-  #
-
-  # public_subnet ranges 
-  public_subnet_cidrs = [for k, x in module.vpc.public_subnet_attributes_by_az : x.cidr_block]
-
-  # The subnet id for the private subnets
-  private_subnet_ids = [for k, x in module.vpc.private_subnet_attributes_by_az : x.id if startswith(k, "private/")]
-  # The subnet id for the public subnets
-  public_subnet_ids = [for k, x in module.vpc.public_subnet_attributes_by_az : x.id]
-  # The subnet id for the transit subnets
-  transit_subnet_ids = [for k, x in module.vpc.tgw_subnet_attributes_by_az : x.id]
-  # The routing tables for the private subnets
-  private_route_table_ids = [for k, x in module.vpc.rt_attributes_by_type_by_az.private : x.id]
-
-  subnets = merge(
-    local.private_subnet,
-    local.public_subnet,
-    local.transit_subnet,
-  )
-
-  # A list of the private endpoints to enable ssm
-  ssm_endpoints = var.enable_ssm ? ["ssmmessages", "ssm", "ec2messages"] : []
-  # enabled_endpotints is a list of all the private endpoints to enable 
-  enabled_endpoints = concat(var.enable_private_endpoints, local.ssm_endpoints)
-}
-
 #
 ## Lookup the IPAM by protocol
 #

variables.tf

@@ -28,6 +28,12 @@ variable "enable_transit_gateway" {
   default     = false
 }
 
+variable "enable_transit_gateway_subnet_natgw" {
+  description = "Indicates if the transit gateway subnets should be connected to a nat gateway"
+  type        = bool
+  default     = false
+}
+
 variable "enable_transit_gateway_appliance_mode" {
   description = "Indicates the network should be connected to a transit gateway in appliance mode"
   type        = bool