

chore: breaking the main.tf up and allowing for a catch all rule
gambol99 committed Apr 8, 2024
1 parent 8c88793 commit 4a0ec2f
Showing 7 changed files with 193 additions and 159 deletions.
79 changes: 41 additions & 38 deletions README.md


38 changes: 23 additions & 15 deletions examples/basic/README.md
@@ -1,37 +1,45 @@
<!-- BEGIN_TF_DOCS -->

## Requirements

| Name | Version |
| ------------------------------------------------------------------------ | --------- |
| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement_aws) | >= 5.0.0 |
| <a name="requirement_awscc"></a> [awscc](#requirement_awscc) | >= 0.11.0 |
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 0.11.0 |

## Providers

No providers.

## Modules

| Name | Source | Version |
| -------------------------------------------------------------- | ------ | ------- |
| <a name="module_endpoints"></a> [endpoints](#module_endpoints) | ../.. | n/a |
| Name | Source | Version |
|------|--------|---------|
| <a name="module_endpoints"></a> [endpoints](#module\_endpoints) | ../.. | n/a |
| <a name="module_spoke"></a> [spoke](#module\_spoke) | github.com/appvia/terraform-aws-network | main |

## Resources

No resources.

## Inputs

| Name | Description | Type | Default | Required |
| --------------------------------------------------------------------------------------- | ------------------------------------- | ------------- | ------- | :------: |
| <a name="input_transit_gateway_id"></a> [transit_gateway_id](#input_transit_gateway_id) | The ID of the transit gateway | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_ipam_pool_id"></a> [ipam\_pool\_id](#input\_ipam\_pool\_id) | The ID of the IPAM pool to use for the VPC | `string` | n/a | yes |
| <a name="input_ram_principals"></a> [ram\_principals](#input\_ram\_principals) | A list of the ARNs of the principals to associate with the resource | `map(string)` | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | The ID of the transit gateway to connect the VPC to | `string` | `null` | no |

## Outputs

No outputs.

| Name | Description |
|------|-------------|
| <a name="output_endpoints"></a> [endpoints](#output\_endpoints) | The attributes of the endpoints we created |
| <a name="output_inbound_resolver_endpoint_id"></a> [inbound\_resolver\_endpoint\_id](#output\_inbound\_resolver\_endpoint\_id) | The id of the inbound resolver if we created one |
| <a name="output_inbound_resolver_ip_addresses"></a> [inbound\_resolver\_ip\_addresses](#output\_inbound\_resolver\_ip\_addresses) | The ip addresses of the inbound resolver if we created one |
| <a name="output_outbound_resolver_endpoint_id"></a> [outbound\_resolver\_endpoint\_id](#output\_outbound\_resolver\_endpoint\_id) | The id of the outbound resolver if we created one |
| <a name="output_outbound_resolver_ip_addresses"></a> [outbound\_resolver\_ip\_addresses](#output\_outbound\_resolver\_ip\_addresses) | The ip addresses of the outbound resolver if we created one |
| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The id of the vpc we used to provision the endpoints |
<!-- END_TF_DOCS -->

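--- a/main.tf
+++ b/main.tf
@@ -44,109 +44,3 @@ module "endpoints" {
 }
 }
 }
-
-## Provision the security group for the dns resolvers
-# tfsec:ignore:aws-ec2-no-public-egress-sgr
-module "dns_security_group" {
-count = local.enable_dns_security_group ? 1 : 0
-source = "terraform-aws-modules/security-group/aws"
-version = "5.1.2"
-
-name = "dns-resolvers-${var.name}"
-description = "Allow DNS traffic to the route53 resolvers"
-ingress_cidr_blocks = ["10.0.0.0/8"]
-ingress_rules = ["dns-tcp", "dns-udp"]
-egress_rules = ["dns-tcp", "dns-udp"]
-tags = merge(var.tags, { "Name" : "dns-resolvers-${var.name}" })
-vpc_id = module.vpc[0].vpc_id
-}
-
-## Provision an inbound resolver if required
-resource "aws_route53_resolver_endpoint" "inbound" {
-count = local.enable_inbound_resolver ? 1 : 0
-
-name = "inbound-${var.name}"
-direction = "INBOUND"
-protocols = var.resolvers.inbound.protocols
-security_group_ids = [module.dns_security_group[0].security_group_id]
-tags = var.tags
-
-dynamic "ip_address" {
-for_each = local.inbound_resolver_addresses
-
-content {
-subnet_id = ip_address.key
-ip = ip_address.value
-}
-}
-}
-
-## Provision an outbound resolver if required
-resource "aws_route53_resolver_endpoint" "outbound" {
-count = local.enable_outbound_resolver ? 1 : 0
-
-name = "outbound-${var.name}"
-direction = "OUTBOUND"
-protocols = var.resolvers.outbound.protocols
-security_group_ids = [module.dns_security_group[0].security_group_id]
-tags = var.tags
-
-dynamic "ip_address" {
-for_each = local.outbound_resolver_addresses
-
-content {
-subnet_id = ip_address.key
-ip = ip_address.value
-}
-}
-}
-
-## Provision the resolver rules per aws service
-resource "aws_route53_resolver_rule" "endpoints" {
-for_each = local.endpoints_rules
-
-domain_name = each.key
-name = format("%s-%s", var.name, each.value.service)
-rule_type = "FORWARD"
-resolver_endpoint_id = local.outbound_resolver_id
-tags = merge(var.tags, { "Name" : format("resolver-rule-%s", each.value.service) })
-
-dynamic "target_ip" {
-for_each = local.inbound_resolver_ip_addresses
-
-content {
-ip = target_ip.value
-}
-}
-
-depends_on = [
-module.endpoints
-]
-}
-
-## Provision the AWS RAM share - so we can share the rules with other accounts
-resource "aws_ram_resource_share" "endpoints" {
-for_each = local.endpoints_rules
-
-allow_external_principals = false
-name = format("%s-%s-endpoints", var.sharing.share_prefix, each.value.service)
-tags = merge(var.tags, { "Name" : format("%s-%s-endpoints", var.sharing.share_prefix, each.value.service) })
-}
-
-## Associate each of the resolver rules with the resource share
-resource "aws_ram_resource_association" "endpoints" {
-for_each = local.endpoints_rules
-
-resource_arn = aws_route53_resolver_rule.endpoints[each.key].arn
-resource_share_arn = aws_ram_resource_share.endpoints[each.key].arn
-}
-
-## Associate the ram shares with the principals
-module "ram_share" {
-for_each = local.endpoints_rules
-source = "./modules/ram_share"
-
-ram_principals = var.sharing.principals
-ram_resource_share_arn = aws_ram_resource_share.endpoints[each.key].arn
-tags = var.tags
-}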
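--- a/ram.tf
+++ b/ram.tf
@@ -0,0 +1,27 @@
+
+## Provision the AWS RAM share - so we can share the rules with other accounts
+resource "aws_ram_resource_share" "endpoints" {
+for_each = local.endpoints_rules
+
+allow_external_principals = false
+name = format("%s-%s-endpoints", var.sharing.share_prefix, each.value.service)
+tags = merge(var.tags, { "Name" : format("%s-%s-endpoints", var.sharing.share_prefix, each.value.service) })
+}
+
+## Associate each of the resolver rules with the resource share
+resource "aws_ram_resource_association" "endpoints" {
+for_each = local.endpoints_rules
+
+resource_arn = aws_route53_resolver_rule.endpoints[each.key].arn
+resource_share_arn = aws_ram_resource_share.endpoints[each.key].arn
+}
+
+## Associate the ram shares with the principals
+module "ram_share" {
+for_each = local.endpoints_rules
+source = "./modules/ram_share"
+
+ram_principals = var.sharing.principals
+ram_resource_share_arn = aws_ram_resource_share.endpoints[each.key].arn
+tags = var.tags
+}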
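Review bot: `aws_ram_resource_association.endpoints` still iterates `local.endpoints_rules` and indexes `aws_route53_resolver_rule.endpoints[each.key]`, but rules.tf now sets that resource's `for_each` to `{}` when `var.resolvers.create_single_resolver_rule` is true, so with the flag enabled the association should fail on a missing key and the new `endpoints_single` rule is never shared at all. The three `for_each` expressions in this file need the same gate as rules.tf, and the catch-all rule needs its own share, association and principal module so the sharing contract holds in both modes; the resource and module names below are constructed, adjust to the repository's naming. The same mismatch also affects the `module "ram_share"` block at the end of this file.

```hcl
resource "aws_ram_resource_share" "endpoints" {
  for_each = var.resolvers.create_single_resolver_rule ? {} : local.endpoints_rules
  # … unchanged: allow_external_principals, name, tags …
}

resource "aws_ram_resource_association" "endpoints" {
  for_each = var.resolvers.create_single_resolver_rule ? {} : local.endpoints_rules
  # … unchanged: resource_arn, resource_share_arn …
}

module "ram_share" {
  for_each = var.resolvers.create_single_resolver_rule ? {} : local.endpoints_rules
  # … unchanged: source, ram_principals, ram_resource_share_arn, tags …
}

## Share the single catch-all rule when it replaces the per-service rules
resource "aws_ram_resource_share" "endpoints_single" {
  count = var.resolvers.create_single_resolver_rule ? 1 : 0

  allow_external_principals = false
  name                      = format("%s-endpoints-all", var.sharing.share_prefix)
  tags                      = merge(var.tags, { "Name" : format("%s-endpoints-all", var.sharing.share_prefix) })
}

resource "aws_ram_resource_association" "endpoints_single" {
  count = var.resolvers.create_single_resolver_rule ? 1 : 0

  resource_arn       = aws_route53_resolver_rule.endpoints_single[0].arn
  resource_share_arn = aws_ram_resource_share.endpoints_single[0].arn
}

module "ram_share_single" {
  count  = var.resolvers.create_single_resolver_rule ? 1 : 0
  source = "./modules/ram_share"

  ram_principals         = var.sharing.principals
  ram_resource_share_arn = aws_ram_resource_share.endpoints_single[0].arn
  tags                   = var.tags
}
```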
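--- a/resolvers.tf
+++ b/resolvers.tf
@@ -0,0 +1,56 @@
+
+## Provision the security group for the dns resolvers
+# tfsec:ignore:aws-ec2-no-public-egress-sgr
+module "dns_security_group" {
+count = local.enable_dns_security_group ? 1 : 0
+source = "terraform-aws-modules/security-group/aws"
+version = "5.1.2"
+
+name = "dns-resolvers-${var.name}"
+description = "Allow DNS traffic to the route53 resolvers"
+ingress_cidr_blocks = ["10.0.0.0/8"]
+ingress_rules = ["dns-tcp", "dns-udp"]
+egress_rules = ["dns-tcp", "dns-udp"]
+tags = merge(var.tags, { "Name" : "dns-resolvers-${var.name}" })
+vpc_id = module.vpc[0].vpc_id
+}
+
+## Provision an inbound resolver if required
+resource "aws_route53_resolver_endpoint" "inbound" {
+count = local.enable_inbound_resolver ? 1 : 0
+
+name = "inbound-${var.name}"
+direction = "INBOUND"
+protocols = var.resolvers.inbound.protocols
+security_group_ids = [module.dns_security_group[0].security_group_id]
+tags = var.tags
+
+dynamic "ip_address" {
+for_each = local.inbound_resolver_addresses
+
+content {
+subnet_id = ip_address.key
+ip = ip_address.value
+}
+}
+}
+
+## Provision an outbound resolver if required
+resource "aws_route53_resolver_endpoint" "outbound" {
+count = local.enable_outbound_resolver ? 1 : 0
+
+name = "outbound-${var.name}"
+direction = "OUTBOUND"
+protocols = var.resolvers.outbound.protocols
+security_group_ids = [module.dns_security_group[0].security_group_id]
+tags = var.tags
+
+dynamic "ip_address" {
+for_each = local.outbound_resolver_addresses
+
+content {
+subnet_id = ip_address.key
+ip = ip_address.value
+}
+}
+}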
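Review bot: The resolver security group in `module "dns_security_group"` hard-codes `ingress_cidr_blocks = ["10.0.0.0/8"]`, admitting DNS from the entire private range rather than from the VPC or the peer networks that actually query the inbound resolver; this text was moved verbatim from main.tf, so the issue predates the commit, but a split into its own file is a natural point to expose it as an input, e.g. `ingress_cidr_blocks = var.resolvers.allowed_cidrs` with a default of the current value (placeholder input name) so the interface stays compatible. The `# tfsec:ignore:aws-ec2-no-public-egress-sgr` suppression suggests the module's egress defaults are world-open, yet nothing records why that is acceptable for the resolver ENIs; a one-line comment beside the suppression stating the reason would let the next reviewer judge it. Both resolver endpoints reference `module.dns_security_group[0]` while the security group itself is gated by `local.enable_dns_security_group`, a local not defined in this commit, so it is worth confirming that local is true whenever either `enable_inbound_resolver` or `enable_outbound_resolver` is.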
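--- a/rules.tf
+++ b/rules.tf
@@ -0,0 +1,42 @@
+
+## Provision the resolver rules per aws service, unless we are creating a single resolver rule
+resource "aws_route53_resolver_rule" "endpoints" {
+for_each = var.resolvers.create_single_resolver_rule ? {} : local.endpoints_rules
+
+domain_name = each.key
+name = format("%s-%s", var.name, each.value.service)
+rule_type = "FORWARD"
+resolver_endpoint_id = local.outbound_resolver_id
+tags = merge(var.tags, { "Name" : format("resolver-rule-%s", each.value.service) })
+
+dynamic "target_ip" {
+for_each = local.inbound_resolver_ip_addresses
+
+content {
+ip = target_ip.value
+}
+}
+
+depends_on = [module.endpoints]
+}
+
+## Provision a single resolver rule for all endpoints
+resource "aws_route53_resolver_rule" "endpoints_single" {
+count = var.resolvers.create_single_resolver_rule ? 1 : 0
+
+domain_name = "${local.region}.amazonaws.com"
+name = "${var.name}-resolver-rule-all"
+rule_type = "FORWARD"
+resolver_endpoint_id = local.outbound_resolver_id
+tags = merge(var.tags, { "Name" : "${var.name}-resolver-rule-all" })
+
+dynamic "target_ip" {
+for_each = local.inbound_resolver_ip_addresses
+
+content {
+ip = target_ip.value
+}
+}
+
+depends_on = [module.endpoints]
+}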
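Review bot: The catch-all rule `endpoints_single` forwards the whole `${local.region}.amazonaws.com` domain, so every regional AWS hostname, not only the services present in `local.endpoints_rules`, is sent to the inbound resolver addresses; the header comment says "for all endpoints", which understates the scope, and should read something like `## Forward the entire regional amazonaws.com domain to the inbound resolver; this covers every AWS service in the region, not only those with endpoints`. `local.region` is not defined in any hunk of this commit, so confirm it exists next to `local.outbound_resolver_id`. The two resources repeat the same `dynamic "target_ip"` block and `depends_on`; that is acceptable, but a comment on `endpoints` noting that its `for_each` collapses to `{}` under the flag would save a reader from assuming both sets of rules can coexist.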
4 changes: 4 additions & 0 deletions variables.tf
Expand Up @@ -2,6 +2,9 @@
variable "resolvers" {
description = "The resolvers to provision"
type = object({
# Indicates we create a single resolver rule, rather than one per service_type
create_single_resolver_rule = optional(bool, false)
# The configuration for the inbound resolver
inbound = object({
# Whether to create the resolver
create = optional(bool, true)
Expand All @@ -12,6 +15,7 @@ variable "resolvers" {
# When not creating the resolver, this is the name of the resolver to use
use_existing = optional(string, null)
})
# The configuration for the outbound resolver
outbound = object({
# Whether to create the resolver
create = optional(bool, true)
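Review bot: The comment above `create_single_resolver_rule` says a single rule is created but not what that rule covers or what it replaces, which is the detail a caller setting the flag needs. Suggest `# When true, one FORWARD rule for <region>.amazonaws.com replaces the per-service rules (see rules.tf); check how the RAM sharing in ram.tf behaves before enabling`. The `variable "resolvers"` block starts and ends outside the visible hunks.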

0 comments on commit 4a0ec2f
