From 0c76c6ac2b5e52867a7d4f13e588ea20145f7001 Mon Sep 17 00:00:00 2001 From: Loren Gordon Date: Mon, 30 Sep 2024 06:55:04 -0700 Subject: [PATCH 1/2] Adds support to tgw and vpc attachments for security group referencing --- README.md | 5 +++-- main.tf | 17 +++++++++-------- modules/cross-account-vpc-attachment/README.md | 5 +++-- modules/cross-account-vpc-attachment/main.tf | 17 +++++++++-------- .../cross-account-vpc-attachment/variables.tf | 10 ++++++++++ .../cross-account-vpc-attachment/versions.tf | 2 +- modules/vpc-attachment/README.md | 5 +++-- modules/vpc-attachment/main.tf | 15 ++++++++------- modules/vpc-attachment/variables.tf | 10 ++++++++++ modules/vpc-attachment/versions.tf | 2 +- variables.tf | 10 ++++++++++ versions.tf | 2 +- 12 files changed, 68 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index d1fb08a..bad56c9 100644 --- a/README.md +++ b/README.md @@ -34,13 +34,13 @@ This module includes several submodules for different workflows and use cases. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 5.57.0 | +| [aws](#requirement\_aws) | >= 5.69.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.57.0 | +| [aws](#provider\_aws) | >= 5.69.0 | ## Resources @@ -60,6 +60,7 @@ This module includes several submodules for different workflows and use cases. | [prefix\_list\_references](#input\_prefix\_list\_references) | List of TGW prefix list references to add to TGW route tables |
list(object({
# `name` used as for_each key
name = string
prefix_list_id = string
# name from `route_tables` or id of a pre-existing route table
transit_gateway_route_table = string

blackhole = optional(bool, false)
default_route_table = optional(bool, false)
# name from `vpc_attachments` or id of a pre-existing tgw attachment
transit_gateway_attachment = optional(string)
}))
| `[]` | no | | [route\_tables](#input\_route\_tables) | List of TGW route tables to create with the transit gateway |
list(object({
# `name` used as for_each key
name = string
tags = map(string)
}))
| `[]` | no | | [routes](#input\_routes) | List of TGW routes to add to TGW route tables |
list(object({
# `name` used as for_each key
name = string
blackhole = bool
default_route_table = bool
destination_cidr_block = string
# name from `vpc_attachments` or id of a pre-existing tgw attachment
transit_gateway_attachment = string
# name from `route_tables` or id of a pre-existing route table
transit_gateway_route_table = string
}))
| `[]` | no | +| [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Whether Security Group Referencing Support is enabled. Valid values: disable, enable | `string` | `"enable"` | no | | [tags](#input\_tags) | Map of tags to apply to the TGW and associated resources | `map(string)` | `{}` | no | | [vpc\_attachments](#input\_vpc\_attachments) | List of VPC attachments to create with the transit gateway |
list(object({
# `name` used as for_each key
name = string
subnet_ids = list(string)
appliance_mode_support = string
dns_support = string
ipv6_support = string
tags = map(string)
vpc_routes = list(object({
# `name` is used as for_each key
name = string
route_table_id = string
destination_cidr_block = string
destination_ipv6_cidr_block = string
}))
transit_gateway_default_route_table_association = bool
transit_gateway_default_route_table_propagation = bool
# name from `route_tables` or id of a pre-existing route table
transit_gateway_route_table_association = string
# list of route table names from `route_tables` or ids of pre-existing route tables
transit_gateway_route_table_propagations = list(string)
}))
| `[]` | no | | [vpn\_ecmp\_support](#input\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled (valid values: disable, enable) | `string` | `"disable"` | no | diff --git a/main.tf b/main.tf index 010d470..4731828 100644 --- a/main.tf +++ b/main.tf @@ -1,12 +1,13 @@ resource "aws_ec2_transit_gateway" "this" { - amazon_side_asn = var.amazon_side_asn - auto_accept_shared_attachments = var.auto_accept_shared_attachments - default_route_table_association = var.default_route_table_association - default_route_table_propagation = var.default_route_table_propagation - description = var.description - dns_support = var.dns_support - tags = var.tags - vpn_ecmp_support = var.vpn_ecmp_support + amazon_side_asn = var.amazon_side_asn + auto_accept_shared_attachments = var.auto_accept_shared_attachments + default_route_table_association = var.default_route_table_association + default_route_table_propagation = var.default_route_table_propagation + description = var.description + dns_support = var.dns_support + security_group_referencing_support = var.security_group_referencing_support + tags = var.tags + vpn_ecmp_support = var.vpn_ecmp_support } module "route_tables" { diff --git a/modules/cross-account-vpc-attachment/README.md b/modules/cross-account-vpc-attachment/README.md index e2f42ce..c0e6517 100644 --- a/modules/cross-account-vpc-attachment/README.md +++ b/modules/cross-account-vpc-attachment/README.md @@ -8,13 +8,13 @@ Terraform module for managing a cross-account Transit Gateway VPC Attachment. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.15 | -| [aws](#requirement\_aws) | >= 3.15.0 | +| [aws](#requirement\_aws) | >= 5.69.0 | ## Providers | Name | Version | |------|---------| -| [aws.owner](#provider\_aws.owner) | >= 3.15.0 | +| [aws.owner](#provider\_aws.owner) | >= 5.69.0 | ## Resources 
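Review bot: `security_group_referencing_support = var.security_group_referencing_support` on `aws_ec2_transit_gateway` takes its value from a variable whose default is `"enable"` (root `variables.tf` hunk, and likewise in modules/vpc-attachment/variables.tf and modules/cross-account-vpc-attachment/variables.tf), so every consumer upgrading to this release gets cross-VPC security-group referencing turned on at the gateway and on every attachment at their next apply, without opting in. If I recall correctly the provider's own default for this attribute is `disable`, which makes this a network-posture change shipped as a minor bump with no mention in the CHANGELOG entry; the conservative choice is `default = "disable"` in all three variables, or at least a changelog line telling upgraders what the plan will show. The root `vpc_attachments` object type in the README hunk above also gains no `security_group_referencing_support` field, so if the root forwards those entries into modules/vpc-attachment as its field list suggests, each attachment takes the submodule default rather than a per-attachment value.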
@@ -33,6 +33,7 @@ Terraform module for managing a cross-account Transit Gateway VPC Attachment.
 | [dns\_support](#input\_dns\_support) | Whether DNS support is enabled. Valid values: disable, enable. | `string` | `"enable"` | no |
 | [ipv6\_support](#input\_ipv6\_support) | Whether IPv6 support is enabled. Valid values: disable, enable | `string` | `"disable"` | no |
 | [routes](#input\_routes) | List of TGW route objects with a target of the VPC attachment in the `aws.owner` account (TGW route tables are *only* in the `aws.owner` account) |
list(object({
# `name` is used as for_each key
name = string
destination_cidr_block = string
transit_gateway_route_table_id = string
}))
| `[]` | no | +| [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Whether Security Group Referencing Support is enabled. Valid values: disable, enable | `string` | `"enable"` | no | | [tags](#input\_tags) | Map of tags to apply to the TGW attachments | `map(string)` | `{}` | no | | [transit\_gateway\_default\_route\_table\_association](#input\_transit\_gateway\_default\_route\_table\_association) | Boolean whether the VPC Attachment should be associated to the Transit Gateway default route table | `bool` | `true` | no | | [transit\_gateway\_default\_route\_table\_propagation](#input\_transit\_gateway\_default\_route\_table\_propagation) | Boolean whether the VPC Attachment should propagate routes to the Transit Gateway propagation default route table | `bool` | `true` | no | diff --git a/modules/cross-account-vpc-attachment/main.tf b/modules/cross-account-vpc-attachment/main.tf index 0d38a82..9fc09ff 100644 --- a/modules/cross-account-vpc-attachment/main.tf +++ b/modules/cross-account-vpc-attachment/main.tf @@ -1,14 +1,15 @@ module "vpc_attachment" { source = "../vpc-attachment" - subnet_ids = var.subnet_ids - transit_gateway_id = var.transit_gateway_id - cross_account = true - appliance_mode_support = var.appliance_mode_support - dns_support = var.dns_support - ipv6_support = var.ipv6_support - tags = var.tags - vpc_routes = [for route in var.vpc_routes : route if route.provider == "aws"] + subnet_ids = var.subnet_ids + transit_gateway_id = var.transit_gateway_id + cross_account = true + appliance_mode_support = var.appliance_mode_support + dns_support = var.dns_support + ipv6_support = var.ipv6_support + security_group_referencing_support = var.security_group_referencing_support + tags = var.tags + vpc_routes = [for route in var.vpc_routes : route if route.provider == "aws"] } module "vpc_accepter" { 
diff --git a/modules/cross-account-vpc-attachment/variables.tf b/modules/cross-account-vpc-attachment/variables.tf
index f322c5f..40b1be4 100644
--- a/modules/cross-account-vpc-attachment/variables.tf
+++ b/modules/cross-account-vpc-attachment/variables.tf
@@ -59,6 +59,16 @@ variable "routes" {
 default = []
 }
+variable "security_group_referencing_support" {
+ description = "Whether Security Group Referencing Support is enabled. Valid values: disable, enable"
+ type = string
+ default = "enable"
+ validation {
+ condition = contains(["enable", "disable"], var.security_group_referencing_support)
+ error_message = "`security_group_referencing_support` must be one of: \"enable\", \"disable\"."
+ }
+}
+
 variable "tags" {
 description = "Map of tags to apply to the TGW attachments"
 type = map(string)
diff --git a/modules/cross-account-vpc-attachment/versions.tf b/modules/cross-account-vpc-attachment/versions.tf
index bb14280..90a5d19 100644
--- a/modules/cross-account-vpc-attachment/versions.tf
+++ b/modules/cross-account-vpc-attachment/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.15.0"
+ version = ">= 5.69.0"
 configuration_aliases = [
 aws.owner
diff --git a/modules/vpc-attachment/README.md b/modules/vpc-attachment/README.md
index 98c8f3b..45df243 100644
--- a/modules/vpc-attachment/README.md
+++ b/modules/vpc-attachment/README.md
@@ -9,13 +9,13 @@ as well as any Transit Gateway route table association or propagations, and VPC
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13 |
-| [aws](#requirement\_aws) | >= 3.15.0 |
+| [aws](#requirement\_aws) | >= 5.69.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.15.0 |
+| [aws](#provider\_aws) | >= 5.69.0 |
 ## Resources
@@ -34,6 +34,7 @@ as well as any Transit Gateway route table association or propagations, and VPC
 | [cross\_account](#input\_cross\_account) | Boolean whether this is a cross-account Transit Gateway shared via Resource Access Manager | `bool` | `false` | no |
 | [dns\_support](#input\_dns\_support) | Whether DNS support is enabled. Valid values: disable, enable | `string` | `"enable"` | no |
 | [ipv6\_support](#input\_ipv6\_support) | Whether IPv6 support is enabled. Valid values: disable, enable | `string` | `"disable"` | no |
+| [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Whether Security Group Referencing Support is enabled. Valid values: disable, enable | `string` | `"enable"` | no |
 | [tags](#input\_tags) | Map of tags to apply to the TGW VPC attachment | `map(string)` | `{}` | no |
 | [transit\_gateway\_default\_route\_table\_association](#input\_transit\_gateway\_default\_route\_table\_association) | Boolean whether the VPC Attachment should be associated to the Transit Gateway default route table | `bool` | `true` | no |
 | [transit\_gateway\_default\_route\_table\_propagation](#input\_transit\_gateway\_default\_route\_table\_propagation) | Boolean whether the VPC Attachment should propagate routes to the Transit Gateway propagation default route table | `bool` | `true` | no |
diff --git a/modules/vpc-attachment/main.tf b/modules/vpc-attachment/main.tf
index 91dc77e..73d9056 100644
--- a/modules/vpc-attachment/main.tf
+++ b/modules/vpc-attachment/main.tf
@@ -1,11 +1,12 @@
 resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
- subnet_ids = var.subnet_ids
- transit_gateway_id = var.transit_gateway_id
- vpc_id = data.aws_subnet.one.vpc_id
- appliance_mode_support = var.appliance_mode_support
- dns_support = var.dns_support
- ipv6_support = var.ipv6_support
- tags = var.tags
+ subnet_ids = var.subnet_ids
+ transit_gateway_id = var.transit_gateway_id
+ vpc_id = data.aws_subnet.one.vpc_id
+ appliance_mode_support = var.appliance_mode_support
+ dns_support = var.dns_support
+ ipv6_support = var.ipv6_support
+ security_group_referencing_support = var.security_group_referencing_support
+ tags = var.tags
 # default assocation and propagation values must be:
 # `true` if transit gateway is owned by another account (shared using RAM)
diff --git a/modules/vpc-attachment/variables.tf b/modules/vpc-attachment/variables.tf
index 7147ba1..71e0425 100644
--- a/modules/vpc-attachment/variables.tf
+++ b/modules/vpc-attachment/variables.tf
@@ -44,6 +44,16 @@ variable "ipv6_support" {
 }
 }
+variable "security_group_referencing_support" {
+ description = "Whether Security Group Referencing Support is enabled. Valid values: disable, enable"
+ type = string
+ default = "enable"
+ validation {
+ condition = contains(["enable", "disable"], var.security_group_referencing_support)
+ error_message = "`security_group_referencing_support` must be one of: \"enable\", \"disable\"."
+ }
+}
+
 variable "transit_gateway_default_route_table_association" {
 description = "Boolean whether the VPC Attachment should be associated to the Transit Gateway default route table"
 type = bool
diff --git a/modules/vpc-attachment/versions.tf b/modules/vpc-attachment/versions.tf
index 849d6a6..be01c2d 100644
--- a/modules/vpc-attachment/versions.tf
+++ b/modules/vpc-attachment/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.15.0"
+ version = ">= 5.69.0"
 }
 }
 }
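Review bot: The new `security_group_referencing_support` line on `aws_ec2_transit_gateway_vpc_attachment` is forwarded unconditionally, and the module's own `cross_account` input (listed in the README hunk above) means this same resource is used for gateways owned by another account; modules/cross-account-vpc-attachment/main.tf forwards the identical value with `cross_account = true` fixed. I believe the attachment-level flag only has an effect when the gateway itself has referencing enabled, which for a RAM-shared gateway is decided by the owning account, so a caller setting `"enable"` here may see no behavioural change — please confirm against the provider docs. A comment on the new line would save the next reader that investigation: `# only effective when the transit gateway itself has referencing enabled; for a shared TGW that is controlled by the owning account`. The resource block continues past the end of the hunk.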
diff --git a/variables.tf b/variables.tf
index f6365ab..c252517 100644
--- a/variables.tf
+++ b/variables.tf
@@ -50,6 +50,16 @@ variable "dns_support" {
 }
 }
+variable "security_group_referencing_support" {
+ description = "Whether Security Group Referencing Support is enabled. Valid values: disable, enable"
+ type = string
+ default = "enable"
+ validation {
+ condition = contains(["enable", "disable"], var.security_group_referencing_support)
+ error_message = "`security_group_referencing_support` must be one of: \"enable\", \"disable\"."
+ }
+}
+
 variable "tags" {
 description = "Map of tags to apply to the TGW and associated resources"
 type = map(string)
diff --git a/versions.tf b/versions.tf
index a60d232..be01c2d 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.57.0"
+ version = ">= 5.69.0"
 }
 }
 }
From 2096ccea2ec1e3aa6bab131c2f73e8cbac38efc9 Mon Sep 17 00:00:00 2001
From: Loren Gordon
Date: Mon, 30 Sep 2024 06:55:08 -0700
Subject: [PATCH 2/2] Bumps version to 2.5.0
---
 .bumpversion.cfg | 2 +-
 CHANGELOG.md | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 937726c..b2c4a21 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.4.1
+current_version = 2.5.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 59441d9..0ed35c2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+### [2.5.0](https://github.com/plus3it/terraform-aws-tardigrade-transit-gateway/releases/tag/2.5.0)
+
+**Released**: 2024.09.30
+
+**Summary**:
+
+* Adds support to tgw and vpc attachments for security group referencing
+
 ### [2.4.1](https://github.com/plus3it/terraform-aws-tardigrade-transit-gateway/releases/tag/2.4.1)
 **Released**: 2024.08.26