Feature/release01 for AWS Multi Account VPC Peering

examples/complete-vpc-with-vpn/README.md

@@ -52,12 +52,11 @@ No inputs.
 | Name | Description |
 |------|-------------|
 | <a name="output_database_subnets"></a> [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets |
-| <a name="output_intra_subnets"></a> [intra\_subnets](#output\_intra\_subnets) | List of IDs of Intra subnets |
-| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
-| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
-| <a name="output_region"></a> [region](#output\_region) | AWS Region |
 | <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | AWS Region |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+| <a name="output_vpc_intra_subnets"></a> [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | List of IDs of Intra subnets |
+| <a name="output_vpc_private_subnets"></a> [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | List of IDs of private subnets |
+| <a name="output_vpc_public_subnets"></a> [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | List of IDs of public subnets |
 | <a name="output_vpn_host_public_ip"></a> [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Adress of VPN Server |
 | <a name="output_vpn_security_group"></a> [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/complete-vpc-with-vpn/main.tf

@@ -1,42 +1,64 @@
 locals {
-  name        = "vpc"
-  region      = "ap-south-1"
-  environment = "prod"
+  vpc_name                                       = "vpc-test"
+  aws_region                                     = "ap-northeast-1"
+  aws_account_id                                 = "767398031518"
+  environment                                    = "prod"
+  kms_user                                       = null
+  vpc_cidr                                       = "10.10.0.0/16"
+  vpc_availability_zones                         = ["ap-northeast-1a", "ap-northeast-1c"]
+  kms_deletion_window_in_days                    = 7
+  enable_key_rotation                            = false
+  is_enabled                                     = true
+  vpc_flow_log_enabled                           = false
+  vpn_server_enabled                             = true
+  vpc_intra_subnet_enabled                       = true
+  vpc_public_subnet_enabled                      = true
+  auto_assign_public_ip                          = true
+  vpc_private_subnet_enabled                     = true
+  vpc_one_nat_gateway_per_az                     = true
+  vpc_database_subnet_enabled                    = true
+  vpc_s3_endpoint_enabled                        = true
+  vpc_ecr_endpoint_enabled                       = true
+  vpn_server_instance_type                       = "t3a.small"
+  vpc_flow_log_cloudwatch_log_group_skip_destroy = false
+  current_identity                               = data.aws_caller_identity.current.arn
+  multi_region                                   = false
+  vpc_public_subnets_counts                      = 2
+  vpc_private_subnets_counts                     = 2
+  vpc_database_subnets_counts                    = 2
+  vpc_intra_subnets_counts                       = 2
   additional_aws_tags = {
     Owner      = "Organization_Name"
     Expires    = "Never"
     Department = "Engineering"
   }
-  kms_user         = null
-  vpc_cidr         = "10.10.0.0/16"
-  current_identity = data.aws_caller_identity.current.arn
 }
 
 data "aws_caller_identity" "current" {}
 
 module "key_pair_vpn" {
   source             = "squareops/keypair/aws"
-  key_name           = format("%s-%s-vpn", local.environment, local.name)
+  key_name           = format("%s-%s-vpn", local.environment, local.vpc_name)
   environment        = local.environment
-  ssm_parameter_path = format("%s-%s-vpn", local.environment, local.name)
+  ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name)
 }
 
 module "kms" {
   source = "terraform-aws-modules/kms/aws"
 
-  deletion_window_in_days = 7
+  deletion_window_in_days = local.kms_deletion_window_in_days
   description             = "Symetric Key to Enable Encryption at rest using KMS services."
-  enable_key_rotation     = false
-  is_enabled              = true
+  enable_key_rotation     = local.enable_key_rotation
+  is_enabled              = local.is_enabled
   key_usage               = "ENCRYPT_DECRYPT"
-  multi_region            = false
+  multi_region            = local.multi_region
 
   # Policy
   enable_default_policy                  = true
   key_owners                             = [local.current_identity]
-  key_administrators                     = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
-  key_users                              = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
-  key_service_users                      = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+  key_administrators                     = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+  key_users                              = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+  key_service_users                      = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
   key_symmetric_encryption_users         = [local.current_identity]
   key_hmac_users                         = [local.current_identity]
   key_asymmetric_public_encryption_users = [local.current_identity]
@@ -57,38 +79,45 @@ module "kms" {
       principals = [
         {
           type        = "Service"
-          identifiers = ["logs.${local.region}.amazonaws.com"]
+          identifiers = ["logs.${local.aws_region}.amazonaws.com"]
         }
       ]
     }
   ]
   # Aliases
-  aliases                 = ["${local.name}-KMS"]
+  aliases                 = ["${local.vpc_name}-KMS"]
   aliases_use_name_prefix = true
 }
 
 
 module "vpc" {
-  source                                          = "squareops/vpc/aws"
-  name                                            = local.name
-  region                                          = local.region
-  vpc_cidr                                        = local.vpc_cidr
-  environment                                     = local.environment
-  flow_log_enabled                                = true
-  vpn_key_pair_name                               = module.key_pair_vpn.key_pair_name
-  availability_zones                              = ["ap-south-1a", "ap-south-1b"]
-  vpn_server_enabled                              = true
-  intra_subnet_enabled                            = true
-  public_subnet_enabled                           = true
-  auto_assign_public_ip                           = true
-  private_subnet_enabled                          = true
-  one_nat_gateway_per_az                          = true
-  database_subnet_enabled                         = true
-  vpn_server_instance_type                        = "t3a.small"
-  vpc_s3_endpoint_enabled                         = true
-  vpc_ecr_endpoint_enabled                        = true
-  flow_log_max_aggregation_interval               = 60 # In seconds
-  flow_log_cloudwatch_log_group_skip_destroy      = true
-  flow_log_cloudwatch_log_group_retention_in_days = 90
-  flow_log_cloudwatch_log_group_kms_key_arn       = module.kms.key_arn #Enter your kms key arn
-}
+  source                                              = "../../"
+  name                                                = local.vpc_name
+  aws_region                                          = local.aws_region
+  vpc_cidr                                            = local.vpc_cidr
+  environment                                         = local.environment
+  vpc_flow_log_enabled                                = local.vpc_flow_log_enabled
+  vpn_server_key_pair_name                            = module.key_pair_vpn.key_pair_name
+  vpc_availability_zones                              = local.vpc_availability_zones
+  vpn_server_enabled                                  = local.vpn_server_enabled
+  vpc_intra_subnet_enabled                            = local.vpc_intra_subnet_enabled
+  vpc_public_subnet_enabled                           = local.vpc_public_subnet_enabled
+  auto_assign_public_ip                               = local.auto_assign_public_ip
+  vpc_private_subnet_enabled                          = local.vpc_private_subnet_enabled
+  vpc_one_nat_gateway_per_az                          = local.vpc_one_nat_gateway_per_az
+  vpc_database_subnet_enabled                         = local.vpc_database_subnet_enabled
+  vpn_server_instance_type                            = local.vpn_server_instance_type
+  vpc_s3_endpoint_enabled                             = local.vpc_s3_endpoint_enabled
+  vpc_ecr_endpoint_enabled                            = local.vpc_ecr_endpoint_enabled
+  vpc_flow_log_max_aggregation_interval               = 60 # In seconds
+  vpc_flow_log_cloudwatch_log_group_skip_destroy      = local.vpc_flow_log_cloudwatch_log_group_skip_destroy
+  vpc_flow_log_cloudwatch_log_group_retention_in_days = 90
+  vpc_flow_log_cloudwatch_log_group_kms_key_arn       = module.kms.key_arn #Enter your kms key arn
+  vpc_public_subnets_counts                           = local.vpc_public_subnets_counts
+  vpc_private_subnets_counts                          = local.vpc_private_subnets_counts
+  vpc_database_subnets_counts                         = local.vpc_database_subnets_counts
+  vpc_intra_subnets_counts                            = local.vpc_intra_subnets_counts
+  vpc_endpoint_type_private_s3                        = "Gateway"
+  vpc_endpoint_type_ecr_dkr                           = "Interface"
+  vpc_endpoint_type_ecr_api                           = "Interface"
+}

examples/complete-vpc-with-vpn/outputs.tf

@@ -1,8 +1,3 @@
-output "region" {
-  description = "AWS Region"
-  value       = local.region
-}
-
 output "vpc_id" {
   description = "The ID of the VPC"
   value       = module.vpc.vpc_id
@@ -13,24 +8,24 @@ output "vpc_cidr_block" {
   value       = module.vpc.vpc_cidr_block
 }
 
-output "public_subnets" {
+output "vpc_public_subnets" {
   description = "List of IDs of public subnets"
-  value       = module.vpc.public_subnets
+  value       = module.vpc.vpc_public_subnets
 }
 
-output "private_subnets" {
+output "vpc_private_subnets" {
   description = "List of IDs of private subnets"
-  value       = module.vpc.private_subnets
+  value       = module.vpc.vpc_private_subnets
 }
 
 output "database_subnets" {
   description = "List of IDs of database subnets"
   value       = module.vpc.database_subnets
 }
 
-output "intra_subnets" {
+output "vpc_intra_subnets" {
   description = "List of IDs of Intra subnets"
-  value       = module.vpc.intra_subnets
+  value       = module.vpc.vpc_intra_subnets
 }
 
 output "vpn_host_public_ip" {
@@ -41,4 +36,4 @@ output "vpn_host_public_ip" {
 output "vpn_security_group" {
   description = "Security Group ID of VPN Server"
   value       = module.vpc.vpn_security_group
-}
+}

examples/complete-vpc-with-vpn/providers.tf

@@ -1,5 +1,5 @@
 provider "aws" {
-  region = local.region
+  region = local.aws_region
   default_tags {
     tags = local.additional_aws_tags
   }

examples/multi-account-vpc-peering/main.tf

@@ -0,0 +1,25 @@
+locals {
+  accepter_name    = "tenent-peering"
+  accepter_region  = "us-east-1"
+  accepter_vpc_id  = "vpc-07a2c1d0328341493"
+  requester_name   = "management-peering"
+  requester_region = "ap-northeast-1"
+  requester_vpc_id = "vpc-0ce36808b9b133608"
+  additional_tags = {
+    Owner   = "tenent"
+    Tenancy = "dedicated"
+  }
+}
+
+module "vpc_peering" {
+  source                            = "../../modules/vpc_peering"
+  accepter_name                     = local.accepter_name
+  vpc_peering_accepter_vpc_id       = local.accepter_vpc_id
+  vpc_peering_accepter_vpc_region   = local.accepter_region
+  requester_name                    = local.requester_name
+  vpc_peering_requester_vpc_id      = local.requester_vpc_id
+  vpc_peering_requester_vpc_region  = local.requester_region
+  vpc_peering_multi_account_enabled = true
+  vpc_peering_requester_aws_profile = "peer"
+  vpc_peering_accepter_aws_profile  = "accepter"
+}

examples/multi-account-vpc-peering/output.tf

@@ -0,0 +1,9 @@
+output "vpc_peering_connection_id" {
+  description = "Peering connection ID"
+  value       = module.vpc_peering.vpc_peering_connection_id
+}
+
+output "vpc_peering_accept_status" {
+  description = "Accept status for the connection"
+  value       = module.vpc_peering.vpc_peering_accept_status
+}

examples/multi-account-vpc-peering/provider.tf

@@ -0,0 +1,17 @@
+provider "aws" {
+  alias          = "peer"
+  region         = "ap-northeast-1"
+  aws_account_id = ""
+  default_tags {
+    tags = local.additional_tags
+  }
+}
+
+provider "aws" {
+  alias          = "accepter"
+  region         = "ap-northeast-1"
+  aws_account_id = ""
+  default_tags {
+    tags = local.additional_tags
+  }
+}

examples/vpc-with-peering/provider.tf

@@ -1,5 +1,5 @@
 provider "aws" {
-  region = local.region
+  region = local.accepter_region
   default_tags {
     tags = local.additional_tags
   }