Merge pull request #378 from lorengordon/feat/sg-references

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.4.1
+current_version = 2.5.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [2.5.0](https://github.com/plus3it/terraform-aws-tardigrade-transit-gateway/releases/tag/2.5.0)
+
+**Released**: 2024.09.30
+
+**Summary**:
+
+*   Adds support to tgw and vpc attachments for security group referencing
+
 ### [2.4.1](https://github.com/plus3it/terraform-aws-tardigrade-transit-gateway/releases/tag/2.4.1)
 
 **Released**: 2024.08.26

README.md

@@ -34,13 +34,13 @@ This module includes several submodules for different workflows and use cases.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.57.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.69.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.57.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.69.0 |
 
 ## Resources
 
@@ -60,6 +60,7 @@ This module includes several submodules for different workflows and use cases.
 | <a name="input_prefix_list_references"></a> [prefix\_list\_references](#input\_prefix\_list\_references) | List of TGW prefix list references to add to TGW route tables | <pre>list(object({<br>    # `name` used as for_each key<br>    name           = string<br>    prefix_list_id = string<br>    # name from `route_tables` or id of a pre-existing route table<br>    transit_gateway_route_table = string<br><br>    blackhole           = optional(bool, false)<br>    default_route_table = optional(bool, false)<br>    # name from `vpc_attachments` or id of a pre-existing tgw attachment<br>    transit_gateway_attachment = optional(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_route_tables"></a> [route\_tables](#input\_route\_tables) | List of TGW route tables to create with the transit gateway | <pre>list(object({<br>    # `name` used as for_each key<br>    name = string<br>    tags = map(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_routes"></a> [routes](#input\_routes) | List of TGW routes to add to TGW route tables | <pre>list(object({<br>    # `name` used as for_each key<br>    name                   = string<br>    blackhole              = bool<br>    default_route_table    = bool<br>    destination_cidr_block = string<br>    # name from `vpc_attachments` or id of a pre-existing tgw attachment<br>    transit_gateway_attachment = string<br>    # name from `route_tables` or id of a pre-existing route table<br>    transit_gateway_route_table = string<br>  }))</pre> | `[]` | no |
+| <a name="input_security_group_referencing_support"></a> [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Whether Security Group Referencing Support is enabled. Valid values: disable, enable | `string` | `"enable"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to the TGW and associated resources | `map(string)` | `{}` | no |
 | <a name="input_vpc_attachments"></a> [vpc\_attachments](#input\_vpc\_attachments) | List of VPC attachments to create with the transit gateway | <pre>list(object({<br>    # `name` used as for_each key<br>    name                   = string<br>    subnet_ids             = list(string)<br>    appliance_mode_support = string<br>    dns_support            = string<br>    ipv6_support           = string<br>    tags                   = map(string)<br>    vpc_routes = list(object({<br>      # `name` is used as for_each key<br>      name                        = string<br>      route_table_id              = string<br>      destination_cidr_block      = string<br>      destination_ipv6_cidr_block = string<br>    }))<br>    transit_gateway_default_route_table_association = bool<br>    transit_gateway_default_route_table_propagation = bool<br>    # name from `route_tables` or id of a pre-existing route table<br>    transit_gateway_route_table_association = string<br>    # list of route table names from `route_tables` or ids of pre-existing route tables<br>    transit_gateway_route_table_propagations = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_vpn_ecmp_support"></a> [vpn\_ecmp\_support](#input\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled (valid values: disable, enable) | `string` | `"disable"` | no |

main.tf

@@ -1,12 +1,13 @@
 resource "aws_ec2_transit_gateway" "this" {
-  amazon_side_asn                 = var.amazon_side_asn
-  auto_accept_shared_attachments  = var.auto_accept_shared_attachments
-  default_route_table_association = var.default_route_table_association
-  default_route_table_propagation = var.default_route_table_propagation
-  description                     = var.description
-  dns_support                     = var.dns_support
-  tags                            = var.tags
-  vpn_ecmp_support                = var.vpn_ecmp_support
+  amazon_side_asn                    = var.amazon_side_asn
+  auto_accept_shared_attachments     = var.auto_accept_shared_attachments
+  default_route_table_association    = var.default_route_table_association
+  default_route_table_propagation    = var.default_route_table_propagation
+  description                        = var.description
+  dns_support                        = var.dns_support
+  security_group_referencing_support = var.security_group_referencing_support
+  tags                               = var.tags
+  vpn_ecmp_support                   = var.vpn_ecmp_support
 }
 
 module "route_tables" {

modules/cross-account-vpc-attachment/README.md

@@ -8,13 +8,13 @@ Terraform module for managing a cross-account Transit Gateway VPC Attachment.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.69.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws.owner"></a> [aws.owner](#provider\_aws.owner) | >= 3.15.0 |
+| <a name="provider_aws.owner"></a> [aws.owner](#provider\_aws.owner) | >= 5.69.0 |
 
 ## Resources
 
@@ -33,6 +33,7 @@ Terraform module for managing a cross-account Transit Gateway VPC Attachment.
 | <a name="input_dns_support"></a> [dns\_support](#input\_dns\_support) | Whether DNS support is enabled. Valid values: disable, enable. | `string` | `"enable"` | no |
 | <a name="input_ipv6_support"></a> [ipv6\_support](#input\_ipv6\_support) | Whether IPv6 support is enabled. Valid values: disable, enable | `string` | `"disable"` | no |
 | <a name="input_routes"></a> [routes](#input\_routes) | List of TGW route objects with a target of the VPC attachment in the `aws.owner` account (TGW route tables are *only* in the `aws.owner` account) | <pre>list(object({<br>    # `name` is used as for_each key<br>    name                           = string<br>    destination_cidr_block         = string<br>    transit_gateway_route_table_id = string<br>  }))</pre> | `[]` | no |
+| <a name="input_security_group_referencing_support"></a> [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Whether Security Group Referencing Support is enabled. Valid values: disable, enable | `string` | `"enable"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to the TGW attachments | `map(string)` | `{}` | no |
 | <a name="input_transit_gateway_default_route_table_association"></a> [transit\_gateway\_default\_route\_table\_association](#input\_transit\_gateway\_default\_route\_table\_association) | Boolean whether the VPC Attachment should be associated to the Transit Gateway default route table | `bool` | `true` | no |
 | <a name="input_transit_gateway_default_route_table_propagation"></a> [transit\_gateway\_default\_route\_table\_propagation](#input\_transit\_gateway\_default\_route\_table\_propagation) | Boolean whether the VPC Attachment should propagate routes to the Transit Gateway propagation default route table | `bool` | `true` | no |

modules/cross-account-vpc-attachment/main.tf

@@ -1,14 +1,15 @@
 module "vpc_attachment" {
   source = "../vpc-attachment"
 
-  subnet_ids             = var.subnet_ids
-  transit_gateway_id     = var.transit_gateway_id
-  cross_account          = true
-  appliance_mode_support = var.appliance_mode_support
-  dns_support            = var.dns_support
-  ipv6_support           = var.ipv6_support
-  tags                   = var.tags
-  vpc_routes             = [for route in var.vpc_routes : route if route.provider == "aws"]
+  subnet_ids                         = var.subnet_ids
+  transit_gateway_id                 = var.transit_gateway_id
+  cross_account                      = true
+  appliance_mode_support             = var.appliance_mode_support
+  dns_support                        = var.dns_support
+  ipv6_support                       = var.ipv6_support
+  security_group_referencing_support = var.security_group_referencing_support
+  tags                               = var.tags
+  vpc_routes                         = [for route in var.vpc_routes : route if route.provider == "aws"]
 }
 
 module "vpc_accepter" {

modules/cross-account-vpc-attachment/variables.tf

@@ -59,6 +59,16 @@ variable "routes" {
   default = []
 }
 
+variable "security_group_referencing_support" {
+  description = "Whether Security Group Referencing Support is enabled. Valid values: disable, enable"
+  type        = string
+  default     = "enable"
+  validation {
+    condition     = contains(["enable", "disable"], var.security_group_referencing_support)
+    error_message = "`security_group_referencing_support` must be one of: \"enable\", \"disable\"."
+  }
+}
+
 variable "tags" {
   description = "Map of tags to apply to the TGW attachments"
   type        = map(string)

modules/cross-account-vpc-attachment/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.15.0"
+      version = ">= 5.69.0"
 
       configuration_aliases = [
         aws.owner

modules/vpc-attachment/README.md

@@ -9,13 +9,13 @@ as well as any Transit Gateway route table association or propagations, and VPC
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.69.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.15.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.69.0 |
 
 ## Resources
 
@@ -34,6 +34,7 @@ as well as any Transit Gateway route table association or propagations, and VPC
 | <a name="input_cross_account"></a> [cross\_account](#input\_cross\_account) | Boolean whether this is a cross-account Transit Gateway shared via Resource Access Manager | `bool` | `false` | no |
 | <a name="input_dns_support"></a> [dns\_support](#input\_dns\_support) | Whether DNS support is enabled. Valid values: disable, enable | `string` | `"enable"` | no |
 | <a name="input_ipv6_support"></a> [ipv6\_support](#input\_ipv6\_support) | Whether IPv6 support is enabled. Valid values: disable, enable | `string` | `"disable"` | no |
+| <a name="input_security_group_referencing_support"></a> [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Whether Security Group Referencing Support is enabled. Valid values: disable, enable | `string` | `"enable"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to the TGW VPC attachment | `map(string)` | `{}` | no |
 | <a name="input_transit_gateway_default_route_table_association"></a> [transit\_gateway\_default\_route\_table\_association](#input\_transit\_gateway\_default\_route\_table\_association) | Boolean whether the VPC Attachment should be associated to the Transit Gateway default route table | `bool` | `true` | no |
 | <a name="input_transit_gateway_default_route_table_propagation"></a> [transit\_gateway\_default\_route\_table\_propagation](#input\_transit\_gateway\_default\_route\_table\_propagation) | Boolean whether the VPC Attachment should propagate routes to the Transit Gateway propagation default route table | `bool` | `true` | no |

modules/vpc-attachment/main.tf

@@ -1,11 +1,12 @@
 resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
-  subnet_ids             = var.subnet_ids
-  transit_gateway_id     = var.transit_gateway_id
-  vpc_id                 = data.aws_subnet.one.vpc_id
-  appliance_mode_support = var.appliance_mode_support
-  dns_support            = var.dns_support
-  ipv6_support           = var.ipv6_support
-  tags                   = var.tags
+  subnet_ids                         = var.subnet_ids
+  transit_gateway_id                 = var.transit_gateway_id
+  vpc_id                             = data.aws_subnet.one.vpc_id
+  appliance_mode_support             = var.appliance_mode_support
+  dns_support                        = var.dns_support
+  ipv6_support                       = var.ipv6_support
+  security_group_referencing_support = var.security_group_referencing_support
+  tags                               = var.tags
 
   # default assocation and propagation values must be:
   #   `true` if transit gateway is owned by another account (shared using RAM)

modules/vpc-attachment/variables.tf

@@ -44,6 +44,16 @@ variable "ipv6_support" {
   }
 }
 
+variable "security_group_referencing_support" {
+  description = "Whether Security Group Referencing Support is enabled. Valid values: disable, enable"
+  type        = string
+  default     = "enable"
+  validation {
+    condition     = contains(["enable", "disable"], var.security_group_referencing_support)
+    error_message = "`security_group_referencing_support` must be one of: \"enable\", \"disable\"."
+  }
+}
+
 variable "transit_gateway_default_route_table_association" {
   description = "Boolean whether the VPC Attachment should be associated to the Transit Gateway default route table"
   type        = bool

modules/vpc-attachment/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.15.0"
+      version = ">= 5.69.0"
     }
   }
 }

variables.tf

@@ -50,6 +50,16 @@ variable "dns_support" {
   }
 }
 
+variable "security_group_referencing_support" {
+  description = "Whether Security Group Referencing Support is enabled. Valid values: disable, enable"
+  type        = string
+  default     = "enable"
+  validation {
+    condition     = contains(["enable", "disable"], var.security_group_referencing_support)
+    error_message = "`security_group_referencing_support` must be one of: \"enable\", \"disable\"."
+  }
+}
+
 variable "tags" {
   description = "Map of tags to apply to the TGW and associated resources"
   type        = map(string)

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.57.0"
+      version = ">= 5.69.0"
     }
   }
 }