Merge pull request #335 from binbashar/feature/tgw-cross-region

Feature/tgw cross region
binbashar · Dec 22, 2021 · c9f1563 · c9f1563
2 parents ca075ee + f0aea7d
commit c9f1563
Show file tree

Hide file tree

Showing 94 changed files with 3,923 additions and 156 deletions.
diff --git a/apps-devstg/us-east-1/base-network/config.tf b/apps-devstg/us-east-1/base-network/config.tf
@@ -26,6 +26,20 @@ terraform {
 # Data sources                #
 #=============================#
 
+# TGW
+data "terraform_remote_state" "tgw" {
+  count = var.enable_tgw ? 1 : 0
+
+  backend = "s3"
+
+  config = {
+    region  = var.region
+    profile = "${var.project}-network-devops"
+    bucket  = "${var.project}-network-terraform-backend"
+    key     = "network/transit-gateway/terraform.tfstate"
+  }
+}
+
 #
 # data type from output for notifications
 #
@@ -88,7 +102,7 @@ data "terraform_remote_state" "apps-devstg-vpcs" {
 
   for_each = {
     for k, v in local.apps-devstg-vpcs :
-    k => v if !v["tgw"]
+    k => v if var.enable_tgw
   }
 
   backend = "s3"

diff --git a/apps-devstg/us-east-1/base-network/locals.tf b/apps-devstg/us-east-1/base-network/locals.tf
@@ -173,21 +173,18 @@ locals {
       profile = "${var.project}-apps-devstg-devops"
       bucket  = "${var.project}-apps-devstg-terraform-backend"
       key     = "apps-devstg/network/terraform.tfstate"
-      tgw     = false
     }
     apps-devstg-k8s-eks = {
       region  = var.region
       profile = "${var.project}-apps-devstg-devops"
       bucket  = "${var.project}-apps-devstg-terraform-backend"
       key     = "apps-devstg/k8s-eks/network/terraform.tfstate"
-      tgw     = false
     }
     apps-devstg-k8s-eks-demoapps = {
       region  = var.region
       profile = "${var.project}-apps-devstg-devops"
       bucket  = "${var.project}-apps-devstg-terraform-backend"
       key     = "apps-devstg/k8s-eks-demoapps/network/terraform.tfstate"
-      tgw     = false
     }
   }
 

diff --git a/apps-devstg/us-east-1/base-network/network.tf b/apps-devstg/us-east-1/base-network/network.tf
@@ -52,7 +52,35 @@ locals {
         security_group_ids  = aws_security_group.kms_vpce[0].id
         private_dns_enabled = var.enable_kms_endpoint_private_dns
       } if var.enable_kms_endpoint
-    }
+    },
+    # SSM
+    { for k, v in { ssm = "Interface" } :
+      k => {
+        service             = k
+        service_type        = v
+        subnet_ids          = module.vpc.private_subnets
+        security_group_ids  = [aws_security_group.ssm_vpce[0].id]
+        private_dns_enabled = true
+      } if var.enable_ssm_endpoints
+    },
+    { for k, v in { ec2messages = "Interface" } :
+      k => {
+        service             = k
+        service_type        = v
+        subnet_ids          = module.vpc.private_subnets
+        security_group_ids  = [aws_security_group.ssm_vpce[0].id]
+        private_dns_enabled = true
+      } if var.enable_ssm_endpoints
+    },
+    { for k, v in { ssmmessages = "Interface" } :
+      k => {
+        service             = k
+        service_type        = v
+        subnet_ids          = module.vpc.private_subnets
+        security_group_ids  = [aws_security_group.ssm_vpce[0].id]
+        private_dns_enabled = true
+      } if var.enable_ssm_endpoints
+    },
   )
 }
 
@@ -100,3 +128,63 @@ resource "aws_security_group" "kms_vpce" {
 
   tags = local.tags
 }
+
+#
+# SSM VPC Endpoint: Security Group
+#
+resource "aws_security_group" "ssm_vpce" {
+  #count       = var.enable_kms_endpoint ? 1 : 0
+  count       = 1
+  name        = "ssm_vpce"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [local.vpc_cidr_block]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = local.tags
+}
+
+####################
+# TGW Route tables #
+####################
+
+# Update public RT
+resource "aws_route" "public_rt_routes_to_tgw" {
+
+  # For TWG CDIR
+  for_each = {
+    for k, v in var.tgw_cidrs :
+    k => v if var.enable_tgw && length(var.tgw_cidrs) > 0
+  }
+
+  # ...add a route into the network public RT
+  route_table_id         = module.vpc.public_route_table_ids[0]
+  destination_cidr_block = each.value
+  transit_gateway_id     = data.terraform_remote_state.tgw[0].outputs.tgw_id
+
+}
+
+# Update private RT
+resource "aws_route" "private_rt_routes_to_tgw" {
+
+  # If TGW enable
+  count = var.enable_tgw ? 1 : 0
+
+  # ...add a route into the network private RT
+  route_table_id         = module.vpc.private_route_table_ids[0]
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = data.terraform_remote_state.tgw[0].outputs.tgw_id
+}
diff --git a/apps-devstg/us-east-1/base-network/variables.tf b/apps-devstg/us-east-1/base-network/variables.tf
@@ -146,8 +146,26 @@ variable "enable_kms_endpoint_private_dns" {
   default     = false
 }
 
+variable "enable_ssm_endpoints" {
+  description = "Enable SSM endpoints"
+  type        = bool
+  default     = false
+}
+
+variable "enable_ssm_endpoints_private_dns" {
+  description = "Enable SSM endpoints"
+  type        = bool
+  default     = false
+}
+
 variable "enable_tgw" {
   description = "Enable Transit Gateway Support"
   type        = bool
   default     = false
 }
+
+variable "tgw_cidrs" {
+  description = "CIDRs to be added as routes to public RT"
+  type        = list(string)
+  default     = []
+}
diff --git a/apps-devstg/us-east-1/base-network/vpc_peerings.tf b/apps-devstg/us-east-1/base-network/vpc_peerings.tf
@@ -5,7 +5,7 @@ module "vpc_peering_apps_devstg_to_eks_clusters" {
 
   for_each = {
     for k, v in local.apps-devstg-vpcs :
-    k => v if !v["tgw"] && k != "apps-devstg-base" # No peerings when TGW enabled or against the base network
+    k => v if !var.enable_tgw && k != "apps-devstg-base" # No peerings when TGW enabled or against the base network
   }
 
   providers = {

diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/network/config.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/network/config.tf
@@ -33,6 +33,21 @@ terraform {
 # Data sources                #
 #=============================#
 
+# TGW
+data "terraform_remote_state" "tgw" {
+  count = var.enable_tgw ? 1 : 0
+
+  backend = "s3"
+
+  config = {
+    region  = var.region
+    profile = "${var.project}-network-devops"
+    bucket  = "${var.project}-network-terraform-backend"
+    key     = "network/transit-gateway/terraform.tfstate"
+  }
+}
+
+
 #
 # data type from output for tools-ec2
 #

diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/network/network.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/network/network.tf
@@ -102,3 +102,35 @@ resource "aws_security_group" "kms_vpce" {
 
   tags = local.tags
 }
+
+####################
+# TGW Route tables #
+####################
+
+# Update public RT
+resource "aws_route" "public_rt_routes_to_tgw" {
+
+  # For TWG CDIR
+  for_each = {
+    for k, v in var.tgw_cidrs :
+    k => v if var.enable_tgw && length(var.tgw_cidrs) > 0
+  }
+
+  # ...add a route into the network public RT
+  route_table_id         = module.vpc-eks.public_route_table_ids[0]
+  destination_cidr_block = each.value
+  transit_gateway_id     = data.terraform_remote_state.tgw[0].outputs.tgw_id
+
+}
+
+# Update private RT
+resource "aws_route" "private_rt_routes_to_tgw" {
+
+  # If TGW enable
+  count = var.enable_tgw ? 1 : 0
+
+  # ...add a route into the network private RT
+  route_table_id         = module.vpc-eks.private_route_table_ids[0]
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = data.terraform_remote_state.tgw[0].outputs.tgw_id
+}
diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/network/variables.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/network/variables.tf
@@ -172,3 +172,9 @@ variable "enable_tgw" {
   type        = bool
   default     = false
 }
+
+variable "tgw_cidrs" {
+  description = "CIDRs to be added as routes to public RT"
+  type        = list(string)
+  default     = []
+}
diff --git a/apps-devstg/us-east-1/k8s-eks/network/config.tf b/apps-devstg/us-east-1/k8s-eks/network/config.tf
@@ -32,6 +32,21 @@ terraform {
 #
 # Data sources
 #
+
+# TGW
+data "terraform_remote_state" "tgw" {
+  count = var.enable_tgw ? 1 : 0
+
+  backend = "s3"
+
+  config = {
+    region  = var.region
+    profile = "${var.project}-network-devops"
+    bucket  = "${var.project}-network-terraform-backend"
+    key     = "network/transit-gateway/terraform.tfstate"
+  }
+}
+
 data "terraform_remote_state" "tools-vpn-server" {
   backend = "s3"
 

diff --git a/apps-devstg/us-east-1/k8s-eks/network/network.tf b/apps-devstg/us-east-1/k8s-eks/network/network.tf
@@ -99,3 +99,35 @@ resource "aws_security_group" "kms_vpce" {
 
   tags = local.tags
 }
+
+####################
+# TGW Route tables #
+####################
+
+# Update public RT
+resource "aws_route" "public_rt_routes_to_tgw" {
+
+  # For TWG CDIR
+  for_each = {
+    for k, v in var.tgw_cidrs :
+    k => v if var.enable_tgw && length(var.tgw_cidrs) > 0
+  }
+
+  # ...add a route into the network public RT
+  route_table_id         = module.vpc-eks.public_route_table_ids[0]
+  destination_cidr_block = each.value
+  transit_gateway_id     = data.terraform_remote_state.tgw[0].outputs.tgw_id
+
+}
+
+# Update private RT
+resource "aws_route" "private_rt_routes_to_tgw" {
+
+  # If TGW enable
+  count = var.enable_tgw ? 1 : 0
+
+  # ...add a route into the network private RT
+  route_table_id         = module.vpc-eks.private_route_table_ids[0]
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = data.terraform_remote_state.tgw[0].outputs.tgw_id
+}
diff --git a/apps-devstg/us-east-1/k8s-eks/network/variables.tf b/apps-devstg/us-east-1/k8s-eks/network/variables.tf
@@ -172,3 +172,9 @@ variable "enable_tgw" {
   type        = bool
   default     = false
 }
+
+variable "tgw_cidrs" {
+  description = "CIDRs to be added as routes to public RT"
+  type        = list(string)
+  default     = []
+}
diff --git a/apps-devstg/us-east-2/k8s-eks/network/config.tf b/apps-devstg/us-east-2/k8s-eks/network/config.tf
@@ -29,9 +29,24 @@ terraform {
   }
 }
 
-#
+#=============================#
 # Data sources
-#
+#=============================#
+
+# TGW
+data "terraform_remote_state" "tgw-dr" {
+  count = var.enable_tgw ? 1 : 0
+
+  backend = "s3"
+
+  config = {
+    region  = var.region
+    profile = "${var.project}-network-devops"
+    bucket  = "${var.project}-network-terraform-backend"
+    key     = "network/transit-gateway-dr/terraform.tfstate"
+  }
+}
+
 data "terraform_remote_state" "tools-vpn-server" {
   backend = "s3"
 
@@ -42,6 +57,7 @@ data "terraform_remote_state" "tools-vpn-server" {
     key     = "shared/vpn/terraform.tfstate"
   }
 }
+
 #
 # VPC remote states for network
 data "terraform_remote_state" "network-vpcs" {

diff --git a/apps-devstg/us-east-2/k8s-eks/network/network.tf b/apps-devstg/us-east-2/k8s-eks/network/network.tf
@@ -101,3 +101,35 @@ resource "aws_security_group" "kms_vpce" {
 
   tags = local.tags
 }
+
+####################
+# TGW Route tables #
+####################
+
+# Update public RT
+resource "aws_route" "public_rt_routes_to_tgw" {
+
+  # For TWG CDIR
+  for_each = {
+    for k, v in var.tgw_cidrs :
+    k => v if var.enable_tgw && length(var.tgw_cidrs) > 0
+  }
+
+  # ...add a route into the network public RT
+  route_table_id         = module.vpc-eks.public_route_table_ids[0]
+  destination_cidr_block = each.value
+  transit_gateway_id     = data.terraform_remote_state.tgw-dr[0].outputs.tgw_id
+
+}
+
+# Update private RT
+resource "aws_route" "private_rt_routes_to_tgw" {
+
+  # If TGW enable
+  count = var.enable_tgw ? 1 : 0
+
+  # ...add a route into the network private RT
+  route_table_id         = module.vpc-eks.private_route_table_ids[0]
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = data.terraform_remote_state.tgw-dr[0].outputs.tgw_id
+}