From a172968975f5920b9a7db2e97a20af15fe8e2b3a Mon Sep 17 00:00:00 2001 
From: "Luis M. Gallardo D" Date: Wed, 17 Nov 2021 18:52:31 -0300 Subject: [PATCH 01/44] Add base-network layer for us-east-2 --- network/us-east-1/base-network/account.tf | 1 - network/us-east-1/base-network/config.tf | 2 + network/us-east-1/security-keys/config.tf | 23 ++ network/us-east-1/security-keys/kms.tf | 72 ++++++ network/us-east-1/security-keys/locals.tf | 6 + network/us-east-1/security-keys/outputs.tf | 22 ++ network/us-east-1/security-keys/ssh.tf | 4 + network/us-east-1/security-keys/variables.tf | 113 +++++++++ network/us-east-2/base-network/README.md | 26 ++ network/us-east-2/base-network/config.tf | 154 +++++++++++ .../base-network/customer_gateways.tf | 61 +++++ network/us-east-2/base-network/locals.tf | 183 ++++++++++++++ .../base-network/network.auto.tfvars | 6 + network/us-east-2/base-network/network.tf | 105 ++++++++ network/us-east-2/base-network/outputs.tf | 71 ++++++ network/us-east-2/base-network/variables.tf | 239 ++++++++++++++++++ .../us-east-2/base-network/vpn_gateways.tf | 86 +++++++ network/us-east-2/security-keys/config.tf | 23 ++ network/us-east-2/security-keys/kms.tf | 72 ++++++ network/us-east-2/security-keys/locals.tf | 6 + network/us-east-2/security-keys/outputs.tf | 22 ++ network/us-east-2/security-keys/ssh.tf | 4 + network/us-east-2/security-keys/variables.tf | 113 +++++++++ 23 files changed, 1413 insertions(+), 1 deletion(-) delete mode 100644 network/us-east-1/base-network/account.tf create mode 100644 network/us-east-1/security-keys/config.tf create mode 100644 network/us-east-1/security-keys/kms.tf create mode 100644 network/us-east-1/security-keys/locals.tf create mode 100644 network/us-east-1/security-keys/outputs.tf create mode 100644 network/us-east-1/security-keys/ssh.tf create mode 100644 network/us-east-1/security-keys/variables.tf create mode 100644 network/us-east-2/base-network/README.md create mode 100644 network/us-east-2/base-network/config.tf create mode 100644 
network/us-east-2/base-network/customer_gateways.tf create mode 100644 network/us-east-2/base-network/locals.tf create mode 100644 network/us-east-2/base-network/network.auto.tfvars create mode 100644 network/us-east-2/base-network/network.tf create mode 100644 network/us-east-2/base-network/outputs.tf create mode 100644 network/us-east-2/base-network/variables.tf create mode 100644 network/us-east-2/base-network/vpn_gateways.tf create mode 100644 network/us-east-2/security-keys/config.tf create mode 100644 network/us-east-2/security-keys/kms.tf create mode 100644 network/us-east-2/security-keys/locals.tf create mode 100644 network/us-east-2/security-keys/outputs.tf create mode 100644 network/us-east-2/security-keys/ssh.tf create mode 100644 network/us-east-2/security-keys/variables.tf diff --git a/network/us-east-1/base-network/account.tf b/network/us-east-1/base-network/account.tf deleted file mode 100644 index 8fc4b38cc..000000000 --- a/network/us-east-1/base-network/account.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_caller_identity" "current" {} diff --git a/network/us-east-1/base-network/config.tf b/network/us-east-1/base-network/config.tf index b7ad4af25..3de6d9f39 100644 --- a/network/us-east-1/base-network/config.tf +++ b/network/us-east-1/base-network/config.tf @@ -54,6 +54,8 @@ terraform { # Data sources # #=============================# +data "aws_caller_identity" "current" {} + # # data type from output for tools-ec2 # diff --git a/network/us-east-1/security-keys/config.tf b/network/us-east-1/security-keys/config.tf new file mode 100644 index 000000000..4ae47b50b --- /dev/null +++ b/network/us-east-1/security-keys/config.tf 
@@ -0,0 +1,23 @@
+#=============================#
+# AWS Provider Settings #
+#=============================#
+provider "aws" {
+ region = var.region_secondary
+ profile = var.profile
+ shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+#=============================#
+# Backend Config (partial) #
+#=============================#
+terraform {
+ required_version = ">= 0.14.11"
+
+ required_providers {
+ aws = "~> 3.2"
+ }
+
+ backend "s3" {
+ key = "network/security-keys-dr/terraform.tfstate"
+ }
+}
diff --git a/network/us-east-1/security-keys/kms.tf b/network/us-east-1/security-keys/kms.tf
new file mode 100644
index 000000000..0f921230e
--- /dev/null
+++ b/network/us-east-1/security-keys/kms.tf
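Review bot: The provider block sets `region = var.region_secondary`, so a layer that lives under `network/us-east-1/` is actually provisioned in the secondary region; together with the backend key `network/security-keys-dr/terraform.tfstate` and the byte-identical copy added under `network/us-east-2/security-keys/` in this same commit, the us-east-1 copy looks misplaced — please confirm it is intentional. If it is, a header comment such as `# NOTE: DR key layer, provisioned in var.region_secondary (not us-east-1)` would stop someone applying it against the wrong region. The constraint `aws = "~> 3.2"` also differs from the `~> 3.0` used by base-network/config.tf in this commit; using one constraint across the layers avoids resolving different provider versions per layer.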
@@ -0,0 +1,72 @@ +module "kms_key_dr" { + source = "github.com/binbashar/terraform-aws-kms-key.git?ref=0.10.0" + + enabled = true + namespace = var.project + stage = var.environment + name = var.kms_key_name + delimiter = "-" + description = "DR KMS key for Network Account (us-east-2)" + deletion_window_in_days = 7 + enable_key_rotation = true + alias = "alias/${var.project}_${var.environment}_${var.kms_key_name}_key" + policy = data.aws_iam_policy_document.kms.json + tags = local.tags +} + +data "aws_iam_policy_document" "kms" { + statement { + sid = "Enable IAM User Permissions" + effect = "Allow" + actions = ["kms:*"] + resources = ["*"] + + principals { + type = "AWS" + identifiers = [ + "arn:aws:iam::${var.network_account_id}:root" + ] + } + } + + statement { + sid = "Enable S3 Service" + effect = "Allow" + actions = [ + "kms:Encrypt*", + "kms:Decrypt*", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + resources = ["*"] + + principals { + type = "Service" + identifiers = ["s3.${var.region_secondary}.amazonaws.com"] + } + } + + statement { + sid = "Enable CloudWatch Logs Service" + effect = "Allow" + actions = [ + "kms:Encrypt*", + "kms:Decrypt*", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + resources = ["*"] + + principals { + type = "Service" + identifiers = ["logs.${var.region}.amazonaws.com"] + } + condition { + test = "ArnLike" + variable = "kms:EncryptionContext:aws:logs:arn" + values = ["arn:aws:logs:${var.region_secondary}:${var.appsdevstg_account_id}:*"] + } + } +} diff --git a/network/us-east-1/security-keys/locals.tf b/network/us-east-1/security-keys/locals.tf new file mode 100644 index 000000000..5879674a5 --- /dev/null +++ b/network/us-east-1/security-keys/locals.tf @@ -0,0 +1,6 @@ +locals { + tags = { + Terraform = "true" + Environment = var.environment + } +} 
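Review bot: In the `Enable CloudWatch Logs Service` statement the service principal is `logs.${var.region}.amazonaws.com` while the `kms:EncryptionContext:aws:logs:arn` condition only accepts `arn:aws:logs:${var.region_secondary}:...`, so unless both variables resolve to the same region the statement can never match and CloudWatch Logs in the DR region cannot use this key. Given the key description says it is the DR key, this should presumably read `identifiers = ["logs.${var.region_secondary}.amazonaws.com"]`. The `Enable S3 Service` statement grants the regional S3 service principal with no condition at all; the usual confused-deputy guidance is to scope such statements with `aws:SourceAccount` or `kms:ViaService`, though the intended buckets are not visible here. The identical kms.tf is added under `network/us-east-2/security-keys/` in this commit, so both copies need the same change.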
diff --git a/network/us-east-1/security-keys/outputs.tf b/network/us-east-1/security-keys/outputs.tf
new file mode 100644
index 000000000..c0c78761b
--- /dev/null
+++ b/network/us-east-1/security-keys/outputs.tf
@@ -0,0 +1,22 @@
+#
+# KMS aws_kms_key outputs
+#
+output "aws_kms_key_arn" {
+ description = "Key ARN"
+ value = module.kms_key_dr.key_arn
+}
+
+output "aws_kms_key_id" {
+ description = "KMS Key ID"
+ value = module.kms_key_dr.key_id
+}
+
+output "aws_kms_key_alias_arn" {
+ description = "KMS Alias ARN"
+ value = module.kms_key_dr.alias_arn
+}
+
+output "aws_kms_key_alias_name" {
+ description = "KMS Alias name"
+ value = module.kms_key_dr.alias_name
+}
diff --git a/network/us-east-1/security-keys/ssh.tf b/network/us-east-1/security-keys/ssh.tf
new file mode 100644
index 000000000..44d94c6ed
--- /dev/null
+++ b/network/us-east-1/security-keys/ssh.tf
@@ -0,0 +1,4 @@
+resource "aws_key_pair" "compute-ssh-key" {
+ key_name = var.compute_ssh_key_name
+ public_key = var.compute_ssh_public_key
+}
diff --git a/network/us-east-1/security-keys/variables.tf b/network/us-east-1/security-keys/variables.tf
new file mode 100644
index 000000000..d0daad46b
--- /dev/null
+++ b/network/us-east-1/security-keys/variables.tf
@@ -0,0 +1,113 @@ +# +# config/backend.config +# +#================================# +# Terraform AWS Backend Settings # +#================================# +variable "region" { + type = string + description = "AWS Region" +} + +variable "profile" { + type = string + description = "AWS Profile (required by the backend but also used for other resources)" +} + +variable "bucket" { + type = string + description = "AWS S3 TF State Backend Bucket" +} + +variable "dynamodb_table" { + type = string + description = "AWS DynamoDB TF Lock state table name" +} + +variable "encrypt" { + type = bool + description = "Enable AWS DynamoDB with server side encryption" +} + +# +# config/base.config +# +#=============================# +# Project Variables # +#=============================# +variable "project" { + type = string + description = "Project Name" +} + +variable "project_long" { + type = string + description = "Project Long Name" +} + +variable "environment" { + type = string + description = "Environment Name" +} + +# +# config/extra.config +# +#=============================# +# Accounts & Extra Vars # +#=============================# +variable "region_secondary" { + type = string + description = "AWS Scondary Region for HA" +} + +variable "root_account_id" { + type = string + description = "Account: Root" +} + +variable "security_account_id" { + type = string + description = "Account: Security & Users Management" +} + +variable "shared_account_id" { + type = string + description = "Account: Shared Resources" +} + +variable "network_account_id" { + type = string + description = "Account: Networking Resources" +} + +variable "appsdevstg_account_id" { + type = string + description = "Account: Dev Modules & Libs" +} + +variable "appsprd_account_id" { + type = string + description = "Account: Prod Modules & Libs" +} + +#===========================================# +# Security # +#===========================================# +variable "compute_ssh_key_name" { + type = string + 
description = "EC2 ssh public key name" + default = "apps-devstg-default" +} + +variable "compute_ssh_public_key" { + type = string + description = "EC2 ssh public key" + default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3OoNqa58Pu+rhpWX3rGhyziG3XQ2ApsBl2CTqJdK6AEQlrR0FHp95tyeplkkNtqD3ToShMrI1w00CodhLycNFwv8/vlJKrkTWlmv0QXB/erLNBsRjp0BTUraCGqq/sB2qb2zeG/K4zalxVg/KiTzgHZRKSvx5s4ft8I6CHro65UZtA25MC1hKrjOgiRWYG7iz9/Frxrh7yAZiaZjac70EofuT0GXq7S3znuhJ1V8LS2j8sb7JfnbL5Td8RZcgh72rkpNHscs09FUZqOllQV8ZeBBeEBhPOxZ06xVB780GeP1nQf4y7ZdLsIOUZt5g333G2VXtHx1bCo+tSgSxXlVjxwiZf/6kCerBrzanu5Qnd6GUkn0RsvsBITWsqf+wmejJYqS+sgdn0mQg4pvKu4ORigDetr9oE8Veba5LhpyZYjn5um+vQQxgY/P4Dj6uD0rozoH5VBt9QaSggeiJRE7OQKaXD2zJj1toQotSXy/WGhaMJRtY+jynBKvkvGx8y9gXhQd/2OJBu3+fgrse+TrWlMmo+baF4HxF0H+5ug3qmoiSxRgn1GQW2AKev6NcxeO5xGYiJmgUMwSG/BiDB/0cFKk/9F2tNMHBpZIHgTpAmYuOk/h6R3Kqm4nvlb/dULiwKa2a1LWFtRnrdIsgO00jGEOvf8iHxMQfJaLzc4auxQ== binbash-aws-dev@binbash.com.ar" +} + +variable "kms_key_name" { + type = string + description = "KMS key solution name, e.g. 'app' or 'jenkins'" + default = "kms_dr" +} diff --git a/network/us-east-2/base-network/README.md b/network/us-east-2/base-network/README.md new file mode 100644 index 000000000..a8abec49e --- /dev/null +++ b/network/us-east-2/base-network/README.md 
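Review bot: `compute_ssh_public_key` ships with a hard-coded default public key for `binbash-aws-dev@binbash.com.ar`, so any apply of this layer that does not override the variable silently registers that identity's key pair (named `apps-devstg-default` by the sibling default) in the network account; the us-east-2 copy of this file in the same commit carries the same defaults. Dropping the `default` on both variables so the key must be supplied per environment (or defaulting to `null` with a `validation` block) makes the trusted key an explicit decision. `region_secondary`'s description has a typo: `description = "AWS Secondary Region for HA"`. `root_account_id`, `security_account_id`, `shared_account_id` and `appsprd_account_id` are not referenced by any security-keys file in this commit; if they exist only because the shared config files set them, a comment saying so would explain the unused declarations.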
@@ -0,0 +1,26 @@ +# Transit Gateway (tgw) + +## Requisites +Make sure you have enabled RAM in the Organization account by: + +* Setting RAM to Access enabled in *AWS Organization > Services* + +* **Enable sharing with AWS Organizations** in the AWS console go to *Resource Access Manager > Settings* or via AWS CLI: + + `aws ram enable-sharing-with-aws-organization` + + +## Deployment + +In order to deploy the Transit Gateway follow these steps: + +1. First time deployment: Set to `false` all vpc attachments first in `var.enable_vpc_attach` (consider taking advange of the `network.auto.tfvars` file for this purpose). +2. After deploying the Transit Gateway select the vpc attachment to enable in the `var.enable_vpc_attach` by setting to `true` + + + +References: + +https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html + +https://docs.aws.amazon.com/cli/latest/reference/ram/enable-sharing-with-aws-organization.html diff --git a/network/us-east-2/base-network/config.tf b/network/us-east-2/base-network/config.tf new file mode 100644 index 000000000..7829d1074 --- /dev/null +++ b/network/us-east-2/base-network/config.tf 
@@ -0,0 +1,154 @@ +#=============================# +# AWS Provider Settings # +#=============================# +provider "aws" { + region = var.region + profile = var.profile + shared_credentials_file = "~/.aws/${var.project}/config" +} + +provider "aws" { + alias = "network" + region = var.region + profile = var.profile + shared_credentials_file = "~/.aws/${var.project}/config" +} + +provider "aws" { + alias = "shared" + region = var.region + profile = "${var.project}-shared-devops" + shared_credentials_file = "~/.aws/${var.project}/config" +} + +provider "aws" { + alias = "apps-devstg" + region = var.region + profile = "${var.project}-apps-devstg-devops" + shared_credentials_file = "~/.aws/${var.project}/config" +} + +provider "aws" { + alias = "apps-prd" + region = var.region + profile = "${var.project}-apps-prd-devops" + shared_credentials_file = "~/.aws/${var.project}/config" +} + +#=============================# +# Backend Config (partial) # +#=============================# +terraform { + required_version = ">= 0.14.11" + + required_providers { + aws = "~> 3.0" + } + + backend "s3" { + key = "network/network-dr/terraform.tfstate" + } +} + +#=============================# +# Data sources # +#=============================# + +data "aws_caller_identity" "current" {} + +# +# data type from output for tools-ec2 +# +data "terraform_remote_state" "tools-vpn-server" { + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-shared-devops" + bucket = "${var.project}-shared-terraform-backend" + key = "shared/vpn/terraform.tfstate" + } +} + +data "terraform_remote_state" "tgw" { + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway/terraform.tfstate" + } +} + + +data "terraform_remote_state" "network-firewall" { + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket 
= "${var.project}-network-terraform-backend" + key = "network/network-firewall/terraform.tfstate" + } +} + +# VPC remote states for network +data "terraform_remote_state" "network-vpcs" { + for_each = var.enable_network_firewall ? local.network-vpcs : {} + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } + +} + +# VPC remote states for shared +data "terraform_remote_state" "shared-vpcs" { + + for_each = local.shared-vpcs + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } +} + +# VPC remote states for apps-devstg +data "terraform_remote_state" "apps-devstg-vpcs" { + + for_each = local.apps-devstg-vpcs + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } +} + +# VPC remote states for apps-prd +data "terraform_remote_state" "apps-prd-vpcs" { + + for_each = local.apps-prd-vpcs + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } +} diff --git a/network/us-east-2/base-network/customer_gateways.tf b/network/us-east-2/base-network/customer_gateways.tf new file mode 100644 index 000000000..0b4a5cd0f --- /dev/null +++ b/network/us-east-2/base-network/customer_gateways.tf 
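Review bot: `data "terraform_remote_state" "network-firewall"` is declared unconditionally, while the same bucket and key (`network/network-firewall/terraform.tfstate`) inside `local.network-vpcs` is only read when `var.enable_network_firewall` is true; with the firewall disabled in the new region the unconditional read fails at plan time if that state object does not yet exist, and nothing in the files of this commit references the standalone data source. Either remove it or gate it the same way, e.g. `count = var.enable_network_firewall ? 1 : 0`. All five provider blocks use `region = var.region`, so the region this layer targets is decided entirely by the config files rather than by the `us-east-2` directory; a comment at the top such as `# var.region is expected to be us-east-2 for this layer` would make that explicit for whoever applies it.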
@@ -0,0 +1,61 @@ +locals { + customer_gateways = { + cgw1 = { + bgp_asn = 65220 + ip_address = "172.83.124.10" + tunnel1 = { + inside_cidr = "169.254.10.0/30" + preshared_key = "pr3shr3_k3y1" + } + tunnel2 = { + inside_cidr = "169.254.10.4/30" + preshared_key = "pr3shr3_k3y2" + } + vpn_connection_static_routes_only = true + static_routes = ["10.10.0.0/20", "10.30.0.0/20"] + local_ipv4_network_cidr = "10.0.0.0/16" + #remote_ipv4_network_cidr = "0.0.0.0/0" + }, + cgw2 = { + bgp_asn = 65220 + ip_address = "172.83.124.11" + tunnel1 = { + inside_cidr = "169.254.10.8/30" + preshared_key = "pr3shr3_k3y3" # Use a data source to retrieve secrets from a vault + # Other parameters (https://github.com/binbashar/terraform-aws-vpn-gateway#inputs) + #dpd_timeout_action = "" + #dpd_timeout_seconds = 30 + #ike_versions = ["ikev1", "ikev2"] + #phase1_dh_group_numbers = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] + #phase1_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"] + #phase1_lifetime_seconds = 28800 + #phase2_dh_group_numbers = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] + #phase2_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"] + #phase2_lifetime_seconds = 3600 + #rekey_fuzz_percentage = 100 + #rekey_margin_time_seconds = 540 + #replay_window_size = 1024 + #startup_action = "add" + } + tunnel2 = { + inside_cidr = "169.254.10.12/30" + preshared_key = "pr3shr3_k3y4" # Use a data source to retrieve secrets from a vault + # Other parameters (https://github.com/binbashar/terraform-aws-vpn-gateway#inputs) + #dpd_timeout_action = "" + #dpd_timeout_seconds = 30 + #ike_versions = ["ikev1", "ikev2"] + #phase1_dh_group_numbers = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] + #phase1_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"] + #phase1_lifetime_seconds = 28800 + #phase2_dh_group_numbers = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24] + #phase2_encryption_algorithms = ["AES128", 
"AES256", "AES128-GCM-16", "AES256-GCM-16"] + #phase2_lifetime_seconds = 3600 + #rekey_fuzz_percentage = 100 + #rekey_margin_time_seconds = 540 + #replay_window_size = 1024 + #startup_action = "add" + } + #static_routes = ["10.40.0.0/20", "10.50.0.0/20"] + } + } +} diff --git a/network/us-east-2/base-network/locals.tf b/network/us-east-2/base-network/locals.tf new file mode 100644 index 000000000..00311c2c2 --- /dev/null +++ b/network/us-east-2/base-network/locals.tf 
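Review bot: The four IPsec pre-shared keys (`pr3shr3_k3y1` … `pr3shr3_k3y4`) are literal strings in a `locals` block, so even as placeholders they are committed to git and, once applied, written to Terraform state; only the cgw2 tunnels carry the `# Use a data source to retrieve secrets from a vault` reminder, cgw1 has none. Since `vault_address` and `vault_token` variables are introduced by this same commit, sourcing the keys from a Vault data source (or at minimum a `sensitive = true` variable with no default) would keep them out of the repository. `local_ipv4_network_cidr = "10.0.0.0/16"` for cgw1 also does not overlap the VPC CIDR `172.20.32.0/20` defined in locals.tf — presumably a placeholder copied from elsewhere, but worth confirming before the first apply.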
@@ -0,0 +1,183 @@ +locals { + tags = { + Terraform = "true" + Environment = var.environment + } + + # Network Local Vars + # https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html + vpc_name = "${var.project}-${var.environment}-vpc" + vpc_cidr_block = "172.20.32.0/20" + azs = [ + "${var.region}a", + "${var.region}b", + ] + + private_subnets_cidr = ["172.20.32.0/21"] + private_subnets = [ + "172.20.32.0/23", + "172.20.34.0/23", + ] + + public_subnets_cidr = ["172.20.40.0/21"] + public_subnets = [ + "172.20.40.0/23", + "172.20.42.0/23", + ] +} + +locals { + # private inbounds + private_inbound = flatten([ + for index, state in local.datasources-vpcs : [ + for k, v in state.outputs.private_subnets_cidr : + { + rule_number = 10 * (index(keys(local.datasources-vpcs), index) + 1) + 100 * k + rule_action = "allow" + from_port = 0 + to_port = 65535 + protocol = "all" + cidr_block = state.outputs.private_subnets_cidr[k] + } + ] + ]) + + network_acls = { + # + # Allow / Deny VPC private subnets inbound default traffic + # + default_inbound = [ + { + rule_number = 900 # shared pritunl vpn server + rule_action = "allow" + from_port = 0 + to_port = 65535 + protocol = "all" + cidr_block = "${data.terraform_remote_state.tools-vpn-server.outputs.instance_private_ip}/32" + }, + { + rule_number = 910 # vault hvn vpc + rule_action = "allow" + from_port = 0 + to_port = 65535 + protocol = "all" + cidr_block = var.vpc_vault_hvn_cird + }, + { + rule_number = 920 # NTP traffic + rule_action = "allow" + from_port = 123 + to_port = 123 + protocol = "udp" + cidr_block = "0.0.0.0/0" + }, + { + rule_number = 930 # Fltering known TCP ports (0-1024) + rule_action = "allow" + from_port = 1024 + to_port = 65525 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + }, + { + rule_number = 940 # Fltering known UDP ports (0-1024) + rule_action = "allow" + from_port = 1024 + to_port = 65525 + protocol = "udp" + cidr_block = "0.0.0.0/0" + }, + ] + + # + # Allow VPC private subnets inbound traffic 
+ # + private_inbound = local.private_inbound + } + + # Data source definitions + # + + # shared + shared-vpcs = { + shared-base = { + region = var.region + profile = "${var.project}-shared-devops" + bucket = "${var.project}-shared-terraform-backend" + key = "shared/network/terraform.tfstate" + } + } + + # network + network-vpcs = { + network-firewall = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/network-firewall/terraform.tfstate" + } + } + + # apps-devstg + apps-devstg-vpcs = { + apps-devstg-base = { + region = var.region + profile = "${var.project}-apps-devstg-devops" + bucket = "${var.project}-apps-devstg-terraform-backend" + key = "apps-devstg/network/terraform.tfstate" + } + apps-devstg-k8s-eks = { + region = var.region + profile = "${var.project}-apps-devstg-devops" + bucket = "${var.project}-apps-devstg-terraform-backend" + key = "apps-devstg/k8s-eks/network/terraform.tfstate" + } + apps-devstg-eks-demoapps = { + region = var.region + profile = "${var.project}-apps-devstg-devops" + bucket = "${var.project}-apps-devstg-terraform-backend" + key = "apps-devstg/k8s-eks-demoapps/network/terraform.tfstate" + } + } + + # apps-prd + apps-prd-vpcs = { + apps-prd-base = { + region = var.region + profile = "${var.project}-apps-prd-devops" + bucket = "${var.project}-apps-prd-terraform-backend" + key = "apps-prd/network/terraform.tfstate" + } + #apps-prd-k8s-eks = { + # region = var.region + # profile = "${var.project}-apps-prd-devops" + # bucket = "${var.project}-apps-prd-terraform-backend" + # key = "apps-prd/k8s-eks/network/terraform.tfstate" + #} + } + + datasources-vpcs = merge( + data.terraform_remote_state.network-vpcs, # network + #data.terraform_remote_state.shared-vpcs, # shared + #data.terraform_remote_state.apps-devstg-vpcs, # apps-devstg-vpcs + data.terraform_remote_state.apps-prd-vpcs, # apps-prd-vpcs + ) +} + +locals { + cgws = { for k, v in 
local.customer_gateways :
+ k => {
+ bgp_asn = v["bgp_asn"]
+ ip_address = v["ip_address"]
+ }
+ }
+
+ vpn_static_routes = flatten([for k, v in local.customer_gateways :
+ [for r in lookup(v, "static_routes", []) :
+ {
+ cgw = k
+ route = r
+ }
+ ]
+ ])
+}
diff --git a/network/us-east-2/base-network/network.auto.tfvars b/network/us-east-2/base-network/network.auto.tfvars
new file mode 100644
index 000000000..0298bcd70
--- /dev/null
+++ b/network/us-east-2/base-network/network.auto.tfvars
@@ -0,0 +1,6 @@
+# NAT GW
+vpc_enable_nat_gateway = false
+vpc_single_nat_gateway = true
+
+# VPN Gateways
+vpc_enable_vpn_gateway = false
diff --git a/network/us-east-2/base-network/network.tf b/network/us-east-2/base-network/network.tf
new file mode 100644
index 000000000..a4bebbf3f
--- /dev/null
+++ b/network/us-east-2/base-network/network.tf
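Review bot: NACL rules 930 and 940 allow `from_port = 1024` to `to_port = 65525` while their comment says `Fltering known TCP ports (0-1024)`; the intent reads as "allow the ephemeral range above the well-known ports", and 65525 looks like a typo for 65535 that silently drops return traffic on ports 65526–65535 (port 1024 is also included although the comment excludes it). Suggested for both rules: `to_port = 65535` and the comment `# Allow ephemeral/unprivileged ports from anywhere (stateless NACL return traffic)`, with `from_port = 1025` if the exclusion is intended. `local.private_inbound` reads `state.outputs.private_subnets_cidr` for every entry of `datasources-vpcs`, which merges the `network-firewall` state; this assumes that layer exports an output of that name in us-east-2 — confirm, since a missing output fails at plan time. The `locals` block that starts this hunk's tail (`cgws`, `vpn_static_routes`) begins on the previous page line.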
@@ -0,0 +1,105 @@ +# +# Network Resources +# +module "vpc" { + source = "github.com/binbashar/terraform-aws-vpc.git?ref=v3.11.0" + + name = local.vpc_name + cidr = local.vpc_cidr_block + + azs = local.azs + private_subnets = local.private_subnets + public_subnets = local.public_subnets + + enable_nat_gateway = var.vpc_enable_nat_gateway + single_nat_gateway = var.vpc_single_nat_gateway + enable_dns_hostnames = var.vpc_enable_dns_hostnames + enable_vpn_gateway = var.vpc_enable_vpn_gateway + + # Use a custom network ACL rules for private and public subnets + manage_default_network_acl = var.manage_default_network_acl + public_dedicated_network_acl = var.public_dedicated_network_acl // use dedicated network ACL for the public subnets. + private_dedicated_network_acl = var.private_dedicated_network_acl // use dedicated network ACL for the private subnets. + private_inbound_acl_rules = concat( + local.network_acls["default_inbound"], + local.network_acls["private_inbound"], + ) + + # VPN Gateway + amazon_side_asn = var.vpn_gateway_amazon_side_asn + customer_gateways = var.vpc_enable_vpn_gateway ? 
local.cgws : {} + + # Tags + tags = local.tags +} + +# VPC Endpoints +locals { + vpc_endpoints = merge({ + # S3 + s3 = { + service = "s3" + service_type = "Gateway" + } + # DynamamoDB + dynamodb = { + service = "dynamodb" + service_type = "Gateway" + } + }, + # KMS + { for k, v in { kms = "Interface" } : + k => { + service = k + service_type = v + security_group_ids = aws_security_group.kms_vpce[0].id + private_dns_enabled = var.enable_kms_endpoint_private_dns + } if var.enable_kms_endpoint + } + ) +} + +module "vpc_endpoints" { + source = "github.com/binbashar/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v3.11.0" + + for_each = local.vpc_endpoints + + vpc_id = module.vpc.vpc_id + + endpoints = { + endpoint = merge(each.value, + { + route_table_ids = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids) + } + ) + } + + tags = local.tags +} + +# +# KMS VPC Endpoint: Security Group +# +resource "aws_security_group" "kms_vpce" { + count = var.enable_kms_endpoint ? 1 : 0 + name = "kms_vpce" + description = "Allow TLS inbound traffic" + vpc_id = module.vpc.vpc_id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [local.vpc_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = local.tags +} diff --git a/network/us-east-2/base-network/outputs.tf b/network/us-east-2/base-network/outputs.tf new file mode 100644 index 000000000..11fd5fbe8 --- /dev/null +++ b/network/us-east-2/base-network/outputs.tf 
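Review bot: `aws_security_group.kms_vpce` is attached to an interface endpoint yet its egress rule opens all protocols to `0.0.0.0/0`; endpoint ENIs only answer inbound TLS, so removing the egress block (or narrowing it to `[local.vpc_cidr_block]`) should not affect the endpoint and drops an unneeded allow-all rule. The `customer_gateways` argument is gated on `var.vpc_enable_vpn_gateway` alone, while `module "vpn_gateways"` in vpn_gateways.tf additionally requires `var.enable_tgw`; with `vpc_enable_vpn_gateway = true` and `enable_tgw = false` the customer gateways are created with no VPN connection attached. Aligning the two, e.g. `customer_gateways = var.vpc_enable_vpn_gateway && var.enable_tgw ? local.cgws : {}`, keeps the files consistent. Minor: the comment `# DynamamoDB` should read `# DynamoDB`.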
@@ -0,0 +1,71 @@ +# VPC ID +output "vpc_id" { + description = "VPC ID" + value = module.vpc.vpc_id +} + +output "vpc_name" { + description = "VPC Name" + value = local.vpc_name +} + +output "vpc_cidr_block" { + description = "VPC CIDR Block" + value = local.vpc_cidr_block +} + +output "availability_zones" { + description = "List of availability zones" + value = local.azs +} + +# Subnets +output "private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc.private_subnets +} + +output "public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc.public_subnets +} + +output "private_subnets_cidr" { + description = "CIDRS of private subnets" + value = local.private_subnets_cidr +} + +output "public_subnets_cidr" { + description = "CIDR of public subnets" + value = local.public_subnets_cidr +} + +output "nat_gateway_ids" { + description = "NAT Gateway IDs" + value = module.vpc.natgw_ids +} + +output "public_route_table_ids" { + description = "List of IDs of public route tables" + value = module.vpc.public_route_table_ids +} + +output "private_route_table_ids" { + description = "List of IDs of private route tables" + value = module.vpc.private_route_table_ids +} + +output "enable_tgw" { + description = "This is set to `true` if the Transit Gateway is enabled" + value = var.enable_tgw +} + +output "enable_vpc_attach" { + description = "VPC attachments per account" + value = var.enable_vpc_attach +} + +output "enable_network_firewall" { + description = "This is set to `true` if the AWS Network Firewall is enabled" + value = var.enable_network_firewall +} diff --git a/network/us-east-2/base-network/variables.tf b/network/us-east-2/base-network/variables.tf new file mode 100644 index 000000000..7f7a5dd61 --- /dev/null +++ b/network/us-east-2/base-network/variables.tf 
@@ -0,0 +1,239 @@ +# +# config/backend.config +# +#================================# +# Terraform AWS Backend Settings # +#================================# +variable "region" { + type = string + description = "AWS Region" +} + +variable "profile" { + type = string + description = "AWS Profile (required by the backend but also used for other resources)" +} + +variable "bucket" { + type = string + description = "AWS S3 TF State Backend Bucket" +} + +variable "dynamodb_table" { + type = string + description = "AWS DynamoDB TF Lock state table name" +} + +variable "encrypt" { + type = bool + description = "Enable AWS DynamoDB with server side encryption" +} + +# +# config/base.config +# +#=============================# +# Project Variables # +#=============================# +variable "project" { + type = string + description = "Project Name" +} + +variable "project_long" { + type = string + description = "Project Long Name" +} + +variable "environment" { + type = string + description = "Environment Name" +} + +# +# config/extra.config +# +#=============================# +# Accounts & Extra Vars # +#=============================# +variable "region_secondary" { + type = string + description = "AWS Scondary Region for HA" +} + +variable "root_account_id" { + type = string + description = "Account: Root" +} + +variable "security_account_id" { + type = string + description = "Account: Security & Users Management" +} + +variable "shared_account_id" { + type = string + description = "Account: Shared Resources" +} + +variable "appsdevstg_account_id" { + type = string + description = "Account: Dev Modules & Libs" +} + +variable "appsprd_account_id" { + type = string + description = "Account: Prod Modules & Libs" +} + +variable "network_account_id" { + type = string + description = "Account: Networking Resources" +} + +variable "vault_address" { + type = string + description = "Vault Address" +} + +variable "vault_token" { + type = string + description = "Vault Token" +} + 
+#===========================================# +# Networking # +#===========================================# +variable "vpc_apps_devstg_created" { + description = "true if Apps Dev account VPC is created for Peering purposes" + type = bool + default = true +} + +variable "vpc_apps_devstg_eks_created" { + description = "true if Apps Dev account EKS VPC is created for Peering purposes" + type = bool + default = true +} + +variable "vpc_apps_prd_created" { + description = "true if Apps Prd account VPC is created for Peering purposes" + type = bool + default = true +} + +variable "vpc_vault_hvn_created" { + description = "true if the Hahicorp Vault Cloud HVN account VPC is created for Peering purposes" + type = bool + default = true +} + +variable "vpc_vault_hvn_peering_connection_id" { + description = "Hahicorp Vault Cloud HVN VPC peering ID" + type = string + default = "pcx-0109e4ef7e784ee06" +} + +variable "vpc_vault_hvn_cird" { + description = "Hahicorp Vault Cloud HVN VPC CIDR segment" + type = string + default = "172.25.16.0/20" +} + +variable "vpc_enable_nat_gateway" { + description = "Enable NAT Gatewway" + type = bool + default = false +} + +variable "vpc_single_nat_gateway" { + description = "Single NAT Gatewway" + type = bool + default = true +} + +variable "vpc_enable_dns_hostnames" { + description = "Enable DNS HOSTNAME" + type = bool + default = true +} + +variable "vpc_enable_vpn_gateway" { + description = "Enable VPN Gateway" + type = bool + default = false +} + +variable "enable_kms_endpoint" { + description = "Enable KMS endpoint" + type = bool + default = false +} + +variable "enable_kms_endpoint_private_dns" { + description = "Enable KMS endpoint" + type = bool + default = false +} + +variable "manage_default_network_acl" { + description = "Manage default Network ACL" + type = bool + default = false +} + +variable "public_dedicated_network_acl" { + description = "Manage default Network ACL" + type = bool + default = true +} + +variable 
"private_dedicated_network_acl" { + description = "Manage default Network ACL" + type = bool + default = true +} + +variable "vpc_endpoints" { + description = "VPC endpoints" + type = any + default = { + s3 = { + service = "s3" + service_type = "Gateway" + } + dynamodb = { + service = "dynamodb" + service_type = "Gateway" + } + } +} + +variable "enable_tgw" { + description = "Enable Transit Gateway Support" + type = bool + default = false +} + +variable "enable_vpc_attach" { + description = "Enable VPC attachments per account" + type = any + default = { + network = false + shared = false + apps-devstg = false + apps-prd = false + } +} + +variable "enable_network_firewall" { + description = "Enable AWS Network Firewall support" + type = bool + default = false +} + +variable "vpn_gateway_amazon_side_asn" { + description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN." + type = number + default = 64512 +} diff --git a/network/us-east-2/base-network/vpn_gateways.tf b/network/us-east-2/base-network/vpn_gateways.tf new file mode 100644 index 000000000..81985ed75 --- /dev/null +++ b/network/us-east-2/base-network/vpn_gateways.tf 
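Review bot: `vault_token` is declared as a plain string without `sensitive = true`, so its value is printed in plan/apply output wherever it is referenced; config.tf in this commit pins `required_version = ">= 0.14.11"`, which already supports `sensitive = true`, so add it to that variable block. `vpc_vault_hvn_peering_connection_id` defaults to a concrete `pcx-0109e4ef7e784ee06`, an environment-specific id that is unlikely to be valid in us-east-2 — consider no default (or `default = null`) so it must be set explicitly. `public_dedicated_network_acl`, `private_dedicated_network_acl` and `enable_kms_endpoint_private_dns` reuse neighbouring descriptions (`"Manage default Network ACL"`, `"Enable KMS endpoint"`); e.g. `description = "Use a dedicated Network ACL for the public subnets"` and `description = "Enable private DNS for the KMS interface endpoint"` say what they control. `vpc_vault_hvn_cird` is misspelled (`cidr`) but is referenced from locals.tf, so renaming needs both files.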
@@ -0,0 +1,86 @@
+# Network Firewall VPC attachment - Inspection subnets (private)
+module "vpn_gateways" {
+
+ source = "github.com/binbashar/terraform-aws-vpn-gateway.git?ref=v2.10.1"
+
+ for_each = { for k, v in local.customer_gateways :
+ k => v if var.enable_tgw && var.vpc_enable_vpn_gateway
+ }
+
+ connect_to_transit_gateway = true
+ vpn_connection_static_routes_only = lookup(each.value, "vpn_connection_static_routes_only", false)
+ transit_gateway_id = data.terraform_remote_state.tgw.outputs.tgw_id
+ customer_gateway_id = module.vpc.this_customer_gateway[each.key].id
+
+ # local & remote IPv4 CDIRs
+ local_ipv4_network_cidr = lookup(each.value, "local_ipv4_network_cidr", "0.0.0.0/0")
+ remote_ipv4_network_cidr = lookup(each.value, "remote_ipv4_network_cidr", "0.0.0.0/0")
+
+ ###########
+ # Tunnels #
+ ###########
+ # Some values are optional and the default values are used if not specified
+
+ # Tunnel 1
+ tunnel1_inside_cidr = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "inside_cidr", null)
+ tunnel1_preshared_key = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "preshared_key", null)
+ tunnel1_dpd_timeout_action = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "dpd_timeout_action", null)
+ tunnel1_dpd_timeout_seconds = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "dpd_timeout_seconds", null)
+ tunnel1_ike_versions = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "ike_versions", null)
+ tunnel1_phase1_dh_group_numbers = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase1_dh_group_numbers", null)
+ tunnel1_phase1_encryption_algorithms = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase1_encryption_algorithms", null)
+ tunnel1_phase1_integrity_algorithms = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase1_integrity_algorithms", null)
+ tunnel1_phase1_lifetime_seconds = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase1_lifetime_seconds", null)
+ tunnel1_phase2_dh_group_numbers = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase2_dh_group_numbers", null)
+ tunnel1_phase2_encryption_algorithms = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase2_encryption_algorithms", null)
+ tunnel1_phase2_integrity_algorithms = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase2_integrity_algorithms", null)
+ tunnel1_phase2_lifetime_seconds = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase2_lifetime_seconds", null)
+ tunnel1_rekey_fuzz_percentage = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "rekey_fuzz_percentage", null)
+ tunnel1_rekey_margin_time_seconds = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "rekey_margin_time_seconds", null)
+ tunnel1_replay_window_size = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "replay_window_size", null)
+ tunnel1_startup_action = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "startup_action", null)
+
+ #
+ # Tunnel 2
+ #
+ tunnel2_inside_cidr = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "inside_cidr", null)
+ tunnel2_preshared_key = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "preshared_key", null)
+ tunnel2_dpd_timeout_action = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "dpd_timeout_action", null)
+ tunnel2_dpd_timeout_seconds = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "dpd_timeout_seconds", null)
+ tunnel2_ike_versions = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "ike_versions", null)
+ tunnel2_phase1_dh_group_numbers = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase1_dh_group_numbers", null)
+ tunnel2_phase1_encryption_algorithms = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase1_encryption_algorithms", null)
+ tunnel2_phase1_integrity_algorithms = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase1_integrity_algorithms", null)
+ tunnel2_phase1_lifetime_seconds = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase1_lifetime_seconds", null)
+ tunnel2_phase2_dh_group_numbers = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase2_dh_group_numbers", null)
+ tunnel2_phase2_encryption_algorithms = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase2_encryption_algorithms", null)
+ tunnel2_phase2_integrity_algorithms = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase2_integrity_algorithms", null)
+ tunnel2_phase2_lifetime_seconds = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase2_lifetime_seconds", null)
+ tunnel2_rekey_fuzz_percentage = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "rekey_fuzz_percentage", null)
+ tunnel2_rekey_margin_time_seconds = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "rekey_margin_time_seconds", null)
+ tunnel2_replay_window_size = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "replay_window_size", null)
+ tunnel2_startup_action = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "startup_action", null)
+}
+
+# vpn static routes
+resource "aws_ec2_transit_gateway_route" "vpn_static_routes" {
+
+ for_each = { for k, v in local.vpn_static_routes :
+ k => v if var.enable_tgw && var.vpc_enable_vpn_gateway
+ }
+
+ destination_cidr_block = lookup(each.value, "route")
+ transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? data.terraform_remote_state.tgw.outputs.tgw_inspection_route_table_id : data.terraform_remote_state.tgw.outputs.tgw_route_table_id
+ transit_gateway_attachment_id = module.vpn_gateways[lookup(each.value, "cgw")].vpn_connection_transit_gateway_attachment_id
+}
+
+# TGW VPN RT associations
+resource "aws_ec2_transit_gateway_route_table_association" "vpn-rt-associations" {
+
+ for_each = { for k, v in module.vpn_gateways :
+ k => v if var.enable_tgw && var.vpc_enable_vpn_gateway
+ }
+
+ transit_gateway_route_table_id = data.terraform_remote_state.tgw.outputs.tgw_route_table_id
+ transit_gateway_attachment_id = each.value.vpn_connection_transit_gateway_attachment_id
+}
diff --git a/network/us-east-2/security-keys/config.tf b/network/us-east-2/security-keys/config.tf
new file mode 100644
index 000000000..4ae47b50b
--- /dev/null
+++ b/network/us-east-2/security-keys/config.tf
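Review bot: `tunnel1_preshared_key` and `tunnel2_preshared_key` are read straight out of `local.customer_gateways`; if that local (not visible here) carries literal keys they are committed to the repository and written in clear to the state file, so they should come from a variable declared `sensitive = true` (available since 0.14, which the sibling config.tf pins with `>= 0.14.11`) or be left null so AWS generates them. The header comment `# Network Firewall VPC attachment - Inspection subnets (private)` is copied from another file and does not describe this module; `# Site-to-Site VPN connections to the Transit Gateway, one per customer gateway` fits. The 34 `lookup(each.value, "tunnelN", null) == null ? null : lookup(lookup(each.value, "tunnelN"), "x", null)` expressions can each be written `try(each.value.tunnelN.x, null)` with identical results. Finally, `vpn_static_routes` targets the inspection route table when `enable_network_firewall` is set while `vpn-rt-associations` always associates the attachment with `tgw_route_table_id`; confirm that asymmetry is intended, since the VPC attachments in the transit-gateway layer move their association to the inspection table in that case.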
@@ -0,0 +1,23 @@
+#=============================#
+# AWS Provider Settings #
+#=============================#
+provider "aws" {
+ region = var.region_secondary
+ profile = var.profile
+ shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+#=============================#
+# Backend Config (partial) #
+#=============================#
+terraform {
+ required_version = ">= 0.14.11"
+
+ required_providers {
+ aws = "~> 3.2"
+ }
+
+ backend "s3" {
+ key = "network/security-keys-dr/terraform.tfstate"
+ }
+}
diff --git a/network/us-east-2/security-keys/kms.tf b/network/us-east-2/security-keys/kms.tf
new file mode 100644
index 000000000..0f921230e
--- /dev/null
+++ b/network/us-east-2/security-keys/kms.tf
@@ -0,0 +1,72 @@
+module "kms_key_dr" {
+ source = "github.com/binbashar/terraform-aws-kms-key.git?ref=0.10.0"
+
+ enabled = true
+ namespace = var.project
+ stage = var.environment
+ name = var.kms_key_name
+ delimiter = "-"
+ description = "DR KMS key for Network Account (us-east-2)"
+ deletion_window_in_days = 7
+ enable_key_rotation = true
+ alias = "alias/${var.project}_${var.environment}_${var.kms_key_name}_key"
+ policy = data.aws_iam_policy_document.kms.json
+ tags = local.tags
+}
+
+data "aws_iam_policy_document" "kms" {
+ statement {
+ sid = "Enable IAM User Permissions"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${var.network_account_id}:root"
+ ]
+ }
+ }
+
+ statement {
+ sid = "Enable S3 Service"
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+ resources = ["*"]
+
+ principals {
+ type = "Service"
+ identifiers = ["s3.${var.region_secondary}.amazonaws.com"]
+ }
+ }
+
+ statement {
+ sid = "Enable CloudWatch Logs Service"
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt*",
+ "kms:Decrypt*",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Describe*"
+ ]
+ resources = ["*"]
+
+ principals {
+ type = "Service"
+ identifiers = ["logs.${var.region}.amazonaws.com"]
+ }
+ condition {
+ test = "ArnLike"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = ["arn:aws:logs:${var.region_secondary}:${var.appsdevstg_account_id}:*"]
+ }
+ }
+}
diff --git a/network/us-east-2/security-keys/locals.tf b/network/us-east-2/security-keys/locals.tf
new file mode 100644
index 000000000..5879674a5
--- /dev/null
+++ b/network/us-east-2/security-keys/locals.tf
@@ -0,0 +1,6 @@
+locals {
+ tags = {
+ Terraform = "true"
+ Environment = var.environment
+ }
+}
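Review bot: The `Enable CloudWatch Logs Service` statement names the principal `logs.${var.region}.amazonaws.com` but scopes its `kms:EncryptionContext:aws:logs:arn` condition to `arn:aws:logs:${var.region_secondary}:...`, so no single request can satisfy both and the statement is dead for a key this file places in the secondary region (the S3 principal and the `(us-east-2)` description both say so); the principal line should read `identifiers = ["logs.${var.region_secondary}.amazonaws.com"]`. The same condition restricts log groups to `var.appsdevstg_account_id` although the key is described as the Network account's DR key; if that is a leftover from the apps-devstg layer it should be `var.network_account_id`, otherwise a one-line comment stating why apps-devstg log groups are the intended consumer would save the next reader the same question. The description also hard-codes `(us-east-2)` while the region comes from `var.region_secondary`; interpolating the variable keeps the two from drifting.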
diff --git a/network/us-east-2/security-keys/outputs.tf b/network/us-east-2/security-keys/outputs.tf
new file mode 100644
index 000000000..c0c78761b
--- /dev/null
+++ b/network/us-east-2/security-keys/outputs.tf
@@ -0,0 +1,22 @@
+#
+# KMS aws_kms_key outputs
+#
+output "aws_kms_key_arn" {
+ description = "Key ARN"
+ value = module.kms_key_dr.key_arn
+}
+
+output "aws_kms_key_id" {
+ description = "KMS Key ID"
+ value = module.kms_key_dr.key_id
+}
+
+output "aws_kms_key_alias_arn" {
+ description = "KMS Alias ARN"
+ value = module.kms_key_dr.alias_arn
+}
+
+output "aws_kms_key_alias_name" {
+ description = "KMS Alias name"
+ value = module.kms_key_dr.alias_name
+}
diff --git a/network/us-east-2/security-keys/ssh.tf b/network/us-east-2/security-keys/ssh.tf
new file mode 100644
index 000000000..44d94c6ed
--- /dev/null
+++ b/network/us-east-2/security-keys/ssh.tf
@@ -0,0 +1,4 @@
+resource "aws_key_pair" "compute-ssh-key" {
+ key_name = var.compute_ssh_key_name
+ public_key = var.compute_ssh_public_key
+}
diff --git a/network/us-east-2/security-keys/variables.tf b/network/us-east-2/security-keys/variables.tf
new file mode 100644
index 000000000..d0daad46b
--- /dev/null
+++ b/network/us-east-2/security-keys/variables.tf
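Review bot: `aws_key_pair.compute-ssh-key` in the ssh.tf hunk is the only resource in this layer that is not tagged; `module.kms_key_dr` in kms.tf passes `tags = local.tags`, and the key pair should carry the same line so the DR resources stay identifiable by the `Environment` tag. The outputs.tf hunk on the same line needs nothing.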
@@ -0,0 +1,113 @@
+#
+# config/backend.config
+#
+#================================#
+# Terraform AWS Backend Settings #
+#================================#
+variable "region" {
+ type = string
+ description = "AWS Region"
+}
+
+variable "profile" {
+ type = string
+ description = "AWS Profile (required by the backend but also used for other resources)"
+}
+
+variable "bucket" {
+ type = string
+ description = "AWS S3 TF State Backend Bucket"
+}
+
+variable "dynamodb_table" {
+ type = string
+ description = "AWS DynamoDB TF Lock state table name"
+}
+
+variable "encrypt" {
+ type = bool
+ description = "Enable AWS DynamoDB with server side encryption"
+}
+
+#
+# config/base.config
+#
+#=============================#
+# Project Variables #
+#=============================#
+variable "project" {
+ type = string
+ description = "Project Name"
+}
+
+variable "project_long" {
+ type = string
+ description = "Project Long Name"
+}
+
+variable "environment" {
+ type = string
+ description = "Environment Name"
+}
+
+#
+# config/extra.config
+#
+#=============================#
+# Accounts & Extra Vars #
+#=============================#
+variable "region_secondary" {
+ type = string
+ description = "AWS Scondary Region for HA"
+}
+
+variable "root_account_id" {
+ type = string
+ description = "Account: Root"
+}
+
+variable "security_account_id" {
+ type = string
+ description = "Account: Security & Users Management"
+}
+
+variable "shared_account_id" {
+ type = string
+ description = "Account: Shared Resources"
+}
+
+variable "network_account_id" {
+ type = string
+ description = "Account: Networking Resources"
+}
+
+variable "appsdevstg_account_id" {
+ type = string
+ description = "Account: Dev Modules & Libs"
+}
+
+variable "appsprd_account_id" {
+ type = string
+ description = "Account: Prod Modules & Libs"
+}
+
+#===========================================#
+# Security #
+#===========================================#
+variable "compute_ssh_key_name" {
+ type = string
+ description = "EC2 ssh public key name"
+ default = "apps-devstg-default"
+}
+
+variable "compute_ssh_public_key" {
+ type = string
+ description = "EC2 ssh public key"
+ default = "ssh-rsa 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 binbash-aws-dev@binbash.com.ar"
+}
+
+variable "kms_key_name" {
+ type = string
+ description = "KMS key solution name, e.g. 'app' or 'jenkins'"
+ default = "kms_dr"
+}
From 8884a1d9eb47d82a62494dd49e103d421e9e50c1 Mon Sep 17 00:00:00 2001
From: "Luis M. Gallardo D"
Date: Thu, 18 Nov 2021 01:41:26 -0300
Subject: [PATCH 02/44] Update TGW datasoueces for us-east-2
---
 shared/us-east-2/base-network/locals.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/shared/us-east-2/base-network/locals.tf b/shared/us-east-2/base-network/locals.tf
index 1209d20a0..320021cfa 100644
--- a/shared/us-east-2/base-network/locals.tf
+++ b/shared/us-east-2/base-network/locals.tf
@@ -147,6 +147,7 @@ locals { tgw = false } } + # apps-prd-dr apps-prd-dr-vpcs = {}
From 5654cb5c0a728fc120c6eed71b7a77a88666ed96 Mon Sep 17 00:00:00 2001
From: "Luis M. Gallardo D"
Date: Thu, 18 Nov 2021 03:01:51 -0300
Subject: [PATCH 03/44] Add Transit Gateway DR peering
---
 network/us-east-1/transit-gateway/config.tf | 29 +++++++++++++++++++++
 network/us-east-1/transit-gateway/locals.tf | 10 +++++++
 network/us-east-1/transit-gateway/tgw-dr.tf | 10 +++++++
 3 files changed, 49 insertions(+)
 create mode 100644 network/us-east-1/transit-gateway/tgw-dr.tf
diff --git a/network/us-east-1/transit-gateway/config.tf b/network/us-east-1/transit-gateway/config.tf
index 6bf5fbb01..39e13cd28 100644
--- a/network/us-east-1/transit-gateway/config.tf
+++ b/network/us-east-1/transit-gateway/config.tf
@@ -68,6 +68,7 @@ data "terraform_remote_state" "tools-vpn-server" { } }
+# Network Firewall
 data "terraform_remote_state" "network-firewall" { backend = "s3"
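Review bot: `compute_ssh_key_name` defaults to `"apps-devstg-default"` although this variables.tf belongs to the Network account's DR layer; if the value was carried over from the apps-devstg layer, a default that names this account and region (constructed example: `"network-dr-default"`) avoids confusing it with the apps-devstg key pair, and the default `compute_ssh_public_key`, which by its comment is the apps-devstg developer key, deserves the same check. The `region_secondary` description has a typo: `"AWS Scondary Region for HA"` should be `"AWS Secondary Region for HA"`. The patch-02 and patch-03 hunks that share this line add only whitespace and a comment.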
@@ -81,6 +82,19 @@ data "terraform_remote_state" "network-firewall" { } }
+# Transit Gateway in the secondary region
+data "terraform_remote_state" "tgw-dr" {
+
+ backend = "s3"
+
+ config = {
+ region = var.region
+ profile = "${var.project}-network-devops"
+ bucket = "${var.project}-network-terraform-backend"
+ key = "network/transit-gateway-dr/terraform.tfstate"
+ }
+}
+
 # VPC remote states for network data "terraform_remote_state" "network-vpcs" {
@@ -141,3 +155,18 @@ data "terraform_remote_state" "apps-prd-vpcs" { key = lookup(each.value, "key") } }
+
+# VPC remote states for network-dr
+data "terraform_remote_state" "network-dr-vpcs" {
+
+ for_each = local.network-dr-vpcs
+
+ backend = "s3"
+
+ config = {
+ region = lookup(each.value, "region")
+ profile = lookup(each.value, "profile")
+ bucket = lookup(each.value, "bucket")
+ key = lookup(each.value, "key")
+ }
+}
diff --git a/network/us-east-1/transit-gateway/locals.tf b/network/us-east-1/transit-gateway/locals.tf
index 4a087ca2f..3850247e3 100644
--- a/network/us-east-1/transit-gateway/locals.tf
+++ b/network/us-east-1/transit-gateway/locals.tf
@@ -68,6 +68,16 @@ locals { #} }
+ # network-dr
+ network-dr-vpcs = {
+ network-base = {
+ region = var.region
+ profile = "${var.project}-network-devops"
+ bucket = "${var.project}-network-terraform-backend"
+ key = "network/network-dr/terraform.tfstate"
+ }
+ }
+
 datasources-vpcs = merge( data.terraform_remote_state.network-vpcs, # network #data.terraform_remote_state.shared-vpcs, # shared
diff --git a/network/us-east-1/transit-gateway/tgw-dr.tf b/network/us-east-1/transit-gateway/tgw-dr.tf
new file mode 100644
index 000000000..d6a8df51b
--- /dev/null
+++ b/network/us-east-1/transit-gateway/tgw-dr.tf
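Review bot: `data.terraform_remote_state.tgw-dr` reads `network/transit-gateway-dr/terraform.tfstate`, which matches the backend key the new us-east-2 transit-gateway layer declares, but the `network-dr-vpcs` local points at `network/network-dr/terraform.tfstate` and the us-east-2 base-network backend key is not visible in this chunk; if the two do not match, the data source fails at plan time rather than at apply, so it is worth confirming before merge. `data.terraform_remote_state.network-dr-vpcs` is declared in the third hunk yet not added to the `datasources-vpcs` merge that starts at the end of the locals.tf hunk (the merge continues outside the hunk); if it is meant to feed TGW attachments it needs an entry there, otherwise a comment such as `# network-dr VPCs are referenced by tgw-dr.tf only` would explain why it is kept separate.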
@@ -0,0 +1,10 @@
+resource "aws_ec2_transit_gateway_peering_attachment" "tgw-dr" {
+
+ count = var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) ? 1 : 0
+
+ transit_gateway_id = module.tgw[0].transit_gateway_id
+ peer_region = var.region_secondary
+ peer_transit_gateway_id = data.terraform_remote_state.tgw-dr.outputs.tgw_id
+
+ tags = local.tags
+}
From bfd194767ab22860ae416b69d08740753fc724ee Mon Sep 17 00:00:00 2001
From: "Luis M. Gallardo D"
Date: Thu, 18 Nov 2021 03:05:38 -0300
Subject: [PATCH 04/44] Add Transit Gateway DR peering
---
 network/us-east-2/transit-gateway/config.tf | 143 +++++++
 network/us-east-2/transit-gateway/locals.tf | 52 +++
 network/us-east-2/transit-gateway/outputs.tf | 24 ++
 .../us-east-2/transit-gateway/tgw.auto.tfvars | 13 +
 network/us-east-2/transit-gateway/tgw.tf | 357 ++++++++++++++++++
 .../us-east-2/transit-gateway/variables.tf | 127 +++++++
 .../transit-gateway/vpc_attachments.tf | 225 +++++++++++
 7 files changed, 941 insertions(+)
 create mode 100644 network/us-east-2/transit-gateway/config.tf
 create mode 100644 network/us-east-2/transit-gateway/locals.tf
 create mode 100644 network/us-east-2/transit-gateway/outputs.tf
 create mode 100644 network/us-east-2/transit-gateway/tgw.auto.tfvars
 create mode 100644 network/us-east-2/transit-gateway/tgw.tf
 create mode 100644 network/us-east-2/transit-gateway/variables.tf
 create mode 100644 network/us-east-2/transit-gateway/vpc_attachments.tf
diff --git a/network/us-east-2/transit-gateway/config.tf b/network/us-east-2/transit-gateway/config.tf
new file mode 100644
index 000000000..7e693394d
--- /dev/null
+++ b/network/us-east-2/transit-gateway/config.tf
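Review bot: `aws_ec2_transit_gateway_peering_attachment.tgw-dr` creates only the requester side of the peering; without an `aws_ec2_transit_gateway_peering_attachment_accepter` applied against the us-east-2 transit gateway, plus route-table associations and static routes on both sides, the attachment stays in `pendingAcceptance` and carries no traffic, so either a later patch in this series must add that or the file should say where acceptance happens. The `count` guard `try(... != null, false)` correctly collapses to zero when the DR layer's `tgw_id` output is null (its outputs.tf emits null while `enable_tgw` is false), which is worth a comment on that line since the `try()` otherwise looks like a defensive no-op. `peer_account_id` is omitted, so the peer is assumed to be in the same account, consistent with the `network-devops` profile used for the remote state.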
@@ -0,0 +1,143 @@
+#=============================#
+# AWS Provider Settings #
+#=============================#
+provider "aws" {
+ region = var.region
+ profile = var.profile
+ shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+provider "aws" {
+ alias = "network"
+ region = var.region
+ profile = var.profile
+ shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+provider "aws" {
+ alias = "shared"
+ region = var.region
+ profile = "${var.project}-shared-devops"
+ shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+provider "aws" {
+ alias = "apps-devstg"
+ region = var.region
+ profile = "${var.project}-apps-devstg-devops"
+ shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+provider "aws" {
+ alias = "apps-prd"
+ region = var.region
+ profile = "${var.project}-apps-prd-devops"
+ shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+#=============================#
+# Backend Config (partial) #
+#=============================#
+terraform {
+ required_version = ">= 0.14.11"
+
+ required_providers {
+ aws = "~> 3.0"
+ }
+
+ backend "s3" {
+ key = "network/transit-gateway-dr/terraform.tfstate"
+ }
+}
+
+#=============================#
+# Data sources #
+#=============================#
+
+#
+# data type from output for tools-ec2
+#
+data "terraform_remote_state" "tools-vpn-server" {
+ backend = "s3"
+
+ config = {
+ region = var.region
+ profile = "${var.project}-shared-devops"
+ bucket = "${var.project}-shared-terraform-backend"
+ key = "shared/vpn/terraform.tfstate"
+ }
+}
+
+data "terraform_remote_state" "network-firewall" {
+
+ backend = "s3"
+
+ config = {
+ region = var.region
+ profile = "${var.project}-network-devops"
+ bucket = "${var.project}-network-terraform-backend"
+ key = "network/network-firewall/terraform.tfstate"
+
+ }
+}
+
+# VPC remote states for network
+data "terraform_remote_state" "network-vpcs" {
+
+ for_each = local.network-vpcs
+
+ backend = "s3"
+
+ config = {
+ region = lookup(each.value, "region")
+ profile = lookup(each.value, "profile")
+ bucket = lookup(each.value, "bucket")
+ key = lookup(each.value, "key")
+ }
+
+}
+
+# VPC remote states for shared
+data "terraform_remote_state" "shared-vpcs" {
+
+ for_each = local.shared-vpcs
+
+ backend = "s3"
+
+ config = {
+ region = lookup(each.value, "region")
+ profile = lookup(each.value, "profile")
+ bucket = lookup(each.value, "bucket")
+ key = lookup(each.value, "key")
+ }
+}
+
+# VPC remote states for apps-devstg
+data "terraform_remote_state" "apps-devstg-vpcs" {
+
+ for_each = local.apps-devstg-vpcs
+
+ backend = "s3"
+
+ config = {
+ region = lookup(each.value, "region")
+ profile = lookup(each.value, "profile")
+ bucket = lookup(each.value, "bucket")
+ key = lookup(each.value, "key")
+ }
+}
+
+# VPC remote states for apps-prd
+data "terraform_remote_state" "apps-prd-vpcs" {
+
+ for_each = local.apps-prd-vpcs
+
+ backend = "s3"
+
+ config = {
+ region = lookup(each.value, "region")
+ profile = lookup(each.value, "profile")
+ bucket = lookup(each.value, "bucket")
+ key = lookup(each.value, "key")
+ }
+}
diff --git a/network/us-east-2/transit-gateway/locals.tf b/network/us-east-2/transit-gateway/locals.tf
new file mode 100644
index 000000000..621e06417
--- /dev/null
+++ b/network/us-east-2/transit-gateway/locals.tf
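Review bot: The VPC remote-state data sources iterate `local.network-vpcs`, `local.shared-vpcs`, `local.apps-devstg-vpcs` and `local.apps-prd-vpcs`, but the locals.tf hunk that follows defines `network-dr-vpcs`, `shared-dr-vpcs`, `apps-devstg-dr-vpcs` and `apps-prd-vpcs`, so three of the four `for_each` lines reference undeclared locals and `terraform validate` fails for this layer; the same naming drift shows up in the `datasources-vpcs` merge in locals.tf. Either rename the locals to the names used here or change the references, e.g. `for_each = local.network-dr-vpcs` (and the `-dr` siblings for shared and apps-devstg). Separately, every provider block sets `region = var.region`, whereas the other new us-east-2 layer (security-keys/config.tf) uses `var.region_secondary`; unless this layer's config populates `region` with us-east-2, the "DR" transit gateway would be created in the primary region, so please confirm which variable the shared config feeds here.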
@@ -0,0 +1,52 @@
+locals {
+ tags = {
+ Terraform = "true"
+ Environment = var.environment
+ ProtectFromDeletion = "true"
+ }
+}
+
+locals {
+ # Data source definitions
+ #
+
+ # shared-dr
+ shared-dr-vpcs = {
+ shared-base-dr = {
+ region = var.region
+ profile = "${var.project}-shared-devops"
+ bucket = "${var.project}-shared-terraform-backend"
+ key = "shared/network-dr/terraform.tfstate"
+ }
+ }
+
+ # network-dr
+ network-dr-vpcs = {
+ network-base = {
+ region = var.region
+ profile = "${var.project}-network-devops"
+ bucket = "${var.project}-network-terraform-backend"
+ key = "network/network-dr/terraform.tfstate"
+ }
+ }
+
+ # apps-devstg-dr
+ apps-devstg-dr-vpcs = {
+ apps-devstg-k8s-eks-dr = {
+ region = var.region
+ profile = "${var.project}-apps-devstg-devops"
+ bucket = "${var.project}-apps-devstg-terraform-backend"
+ key = "apps-devstg/k8s-eks-dr/network/terraform.tfstate"
+ }
+ }
+
+ # apps-prd
+ apps-prd-vpcs = {}
+
+ datasources-vpcs = merge(
+ data.terraform_remote_state.network-vpcs, # network
+ #data.terraform_remote_state.shared-vpcs, # shared
+ #data.terraform_remote_state.apps-devstg-vpcs, # apps-devstg-vpcs
+ data.terraform_remote_state.apps-prd-vpcs, # apps-prd-vpcs
+ )
+}
diff --git a/network/us-east-2/transit-gateway/outputs.tf b/network/us-east-2/transit-gateway/outputs.tf
new file mode 100644
index 000000000..068860ded
--- /dev/null
+++ b/network/us-east-2/transit-gateway/outputs.tf
@@ -0,0 +1,24 @@
+output "tgw_id" {
+ description = "Transit Gateway Id"
+ value = var.enable_tgw ? module.tgw[0].transit_gateway_id : null
+}
+
+output "tgw_route_table_id" {
+ description = "TGW default route table id"
+ value = var.enable_tgw ? module.tgw[0].transit_gateway_route_table_id : null
+}
+
+output "tgw_inspection_route_table_id" {
+ description = "TGW inspection route table id"
+ value = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : null
+}
+
+output "enable_tgw" {
+ description = "This is set to `true` if the Transit Gateway is enabled"
+ value = var.enable_tgw
+}
+
+output "enable_vpc_attach" {
+ description = "VPC attachments per account"
+ value = var.enable_vpc_attach
+}
diff --git a/network/us-east-2/transit-gateway/tgw.auto.tfvars b/network/us-east-2/transit-gateway/tgw.auto.tfvars
new file mode 100644
index 000000000..25f422f37
--- /dev/null
+++ b/network/us-east-2/transit-gateway/tgw.auto.tfvars
@@ -0,0 +1,13 @@
+# Transit Gateway
+# enable_tgw = false # Set this value in the `config/common.tfvars`
+
+# TGW VPC Attahcments
+enable_vpc_attach = {
+ network-dr = false
+ shared-dr = false
+ apps-devstg-dr = false
+ apps-prd-dr = false
+}
+
+# Network Firewall
+enable_network_firewall = false
diff --git a/network/us-east-2/transit-gateway/tgw.tf b/network/us-east-2/transit-gateway/tgw.tf
new file mode 100644
index 000000000..e8af5f02c
--- /dev/null
+++ b/network/us-east-2/transit-gateway/tgw.tf
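Review bot: `tgw_inspection_route_table_id` is gated on `lookup(var.enable_vpc_attach, "network", false)`, but the `enable_vpc_attach` map in the tgw.auto.tfvars hunk on this line only has the keys `network-dr`, `shared-dr`, `apps-devstg-dr` and `apps-prd-dr`, so the lookup always falls back to `false` and the output is always null. tgw.tf (the next hunk, which runs past this chunk) has the same split: `module.tgw`'s `config` tests the `-dr` keys while `module.tgw_inspection_route_table`, the firewall default routes, the `*-rt-associations`/`*-rt-propagations` and the `aws_route` resources test `"network"`, `"shared"`, `"apps-devstg"` and `"apps-prd"`, so with the firewall enabled the inspection table and all of those associations silently never get created and traffic bypasses inspection without any plan-time error. Pick one key set for this layer; if the `-dr` names stay, this output becomes `value = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : null`. The tfvars comment `# TGW VPC Attahcments` also has a typo (`Attachments`).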
@@ -0,0 +1,357 @@
+# terraform-aws-transit-gateway - vpc attachments
+#
+# Each vpc attachment config can contain the following fields:
+#
+# vpc_id - The ID of the VPC for which to create a VPC attachment and route table associations and propagations.
+# vpc_cidr - VPC CIDR block.
+# subnet_route_table_ids - The IDs of the subnet route tables. The route tables are used to add routes to allow traffix from the subnets in one VPC to the other VPC attachments.
+# route_to - A set of names to route traffic from the current environment to the specified environments.
+# Example: ["apps-prd", apps-prd-eks"]. Specify either route_to or route_to_cidr_blocks. route_to_cidr_blocks supersedes route_to.
+# route_to_cidr_blocks - A set of VPC CIDR blocks to route traffic from the current environment to the specified VPC CIDR blocks.
+# Specify either route_to or route_to_cidr_blocks. route_to_cidr_blocks supersedes route_to.
+# static_routes - A list of Transit Gateway static route configurations. Note that static routes have a higher precedence than propagated routes.
+# transit_gateway_vpc_attachment_id - An existing Transit Gateway Attachment ID. If provided, the module will use it instead of creating a new one.
+
+# AWS Transit Gateway
+module "tgw" {
+
+ source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0"
+
+ count = var.enable_tgw ? 1 : 0
+ name = "${var.project}-${var.environment}-tgw"
+
+ ram_resource_share_enabled = true
+
+ create_transit_gateway = true
+ create_transit_gateway_route_table = true
+ create_transit_gateway_vpc_attachment = false
+ create_transit_gateway_route_table_association_and_propagation = var.enable_network_firewall ? false : true
+
+ config = merge(
+ # network private
+ lookup(var.enable_vpc_attach, "network-dr", false) ? {
+ for k, v in data.terraform_remote_state.network-vpcs : v.outputs.vpc_id => {
+ vpc_id = null
+ vpc_cidr = null
+ subnet_ids = null
+ subnet_route_table_ids = null
+ route_to = null
+ route_to_cidr_blocks = []
+ transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network[k].transit_gateway_vpc_attachment_ids[k]
+
+ static_routes = [
+ {
+ blackhole = false
+ destination_cidr_block = "0.0.0.0/0"
+ }
+ ]
+ }
+ } : {},
+ # apps-devstg private
+ lookup(var.enable_vpc_attach, "apps-devstg-dr", false) ? {
+ for k, v in data.terraform_remote_state.apps-devstg-vpcs : v.outputs.vpc_id => {
+ vpc_id = null
+ vpc_cidr = null
+ subnet_ids = null
+ subnet_route_table_ids = null
+ route_to = null
+ route_to_cidr_blocks = null
+ transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg[k].transit_gateway_vpc_attachment_ids[k]
+ static_routes = null
+ }
+ } : {},
+ # apps-prd private
+ lookup(var.enable_vpc_attach, "apps-prd-dr", false) ? {
+ for k, v in data.terraform_remote_state.apps-prd-vpcs : v.outputs.vpc_id => {
+ vpc_id = null
+ vpc_cidr = null
+ subnet_ids = null
+ subnet_route_table_ids = null
+ route_to = null
+ route_to_cidr_blocks = null
+ transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd[k].transit_gateway_vpc_attachment_ids[k]
+ static_routes = null
+ }
+ } : {},
+ # shared private
+ lookup(var.enable_vpc_attach, "shared-dr", false) ? {
+ for k, v in data.terraform_remote_state.shared-vpcs : v.outputs.vpc_id => {
+ vpc_id = null
+ vpc_cidr = null
+ subnet_ids = null
+ subnet_route_table_ids = null
+ route_to = null
+ route_to_cidr_blocks = null
+ transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared[k].transit_gateway_vpc_attachment_ids[k]
+ static_routes = null
+ }
+ } : {},
+ )
+
+ tags = local.tags
+
+ providers = {
+ aws = aws.network
+ }
+}
+
+#
+# Route Table defitions
+#
+module "tgw_inspection_route_table" {
+
+ source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0"
+
+ count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0
+
+ name = "${var.project}-${var.environment}-inspection"
+
+ existing_transit_gateway_id = module.tgw[0].transit_gateway_id
+ create_transit_gateway = false
+ create_transit_gateway_route_table = true
+ create_transit_gateway_vpc_attachment = false
+ create_transit_gateway_route_table_association_and_propagation = false
+
+ config = {
+ inspection = {
+ vpc_id = null
+ vpc_cidr = null
+ subnet_ids = null
+ subnet_route_table_ids = null
+ route_to = null
+ route_to_cidr_blocks = null
+ transit_gateway_vpc_attachment_id = null
+ static_routes = [
+ {
+ blackhole = false
+ destination_cidr_block = "0.0.0.0/0"
+ }
+ ]
+ }
+ }
+
+ tags = local.tags
+
+ providers = {
+ aws = aws.network
+ }
+}
+
+#
+# Network Firewall
+#
+resource "aws_ec2_transit_gateway_route" "inspection_default" {
+ count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0
+
+ destination_cidr_block = "0.0.0.0/0"
+ transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_vpc_attachment_ids["network-firewall"]
+}
+
+resource "aws_ec2_transit_gateway_route" "network_firewall_default" {
+ count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0
+
+ destination_cidr_block = "0.0.0.0/0"
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network["network-base"].transit_gateway_vpc_attachment_ids["network-base"]
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "network-inspection-association" {
+ count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0
+
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_vpc_attachment_ids["network-firewall"]
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "network-base-association" {
+ count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0
+
+ transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network["network-base"].transit_gateway_vpc_attachment_ids["network-base"]
+}
+
+# shared
+resource "aws_ec2_transit_gateway_route_table_association" "shared-rt-associations" {
+
+ for_each = {
+ for k, v in data.terraform_remote_state.shared-vpcs :
+ k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "shared", false)
+ }
+
+ transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared[each.key].transit_gateway_vpc_attachment_ids[each.key]
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "shared-rt-propagations" {
+ for_each = {
+ for k, v in data.terraform_remote_state.shared-vpcs :
+ k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "shared", false)
+ }
+
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared[each.key].transit_gateway_vpc_attachment_ids[each.key]
+
+}
+
+# apps-devstg
+resource "aws_ec2_transit_gateway_route_table_association" "apps-devstg-rt-associations" {
+
+ for_each = {
+ for k, v in data.terraform_remote_state.apps-devstg-vpcs :
+ k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-devstg", false)
+ }
+
+ transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg[each.key].transit_gateway_vpc_attachment_ids[each.key]
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "apps-devstg-rt-propagations" {
+ for_each = {
+ for k, v in data.terraform_remote_state.apps-devstg-vpcs :
+ k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-devstg", false)
+ }
+
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg[each.key].transit_gateway_vpc_attachment_ids[each.key]
+
+}
+
+# apps-prd
+resource "aws_ec2_transit_gateway_route_table_association" "apps-prd-rt-associations" {
+
+ for_each = {
+ for k, v in data.terraform_remote_state.apps-prd-vpcs :
+ k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-prd", false)
+ }
+
+ transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd[each.key].transit_gateway_vpc_attachment_ids[each.key]
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "apps-prd-rt-propagations" {
+ for_each = {
+ for k, v in data.terraform_remote_state.apps-prd-vpcs :
+ k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-prd", false)
+ }
+
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd[each.key].transit_gateway_vpc_attachment_ids[each.key]
+
+}
+
+#
+# Update network public RT
+#
+resource "aws_route" "apps_devstg_public_route_to_tgw" {
+
+ # For each vpc...
+ for_each = {
+ for k, v in data.terraform_remote_state.apps-devstg-vpcs :
+ k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg", false)
+ }
+
+ # ...add a route into the network public RT
+ route_table_id = data.terraform_remote_state.network-vpcs["network-base"].outputs.public_route_table_ids[0]
+ destination_cidr_block = each.value.outputs.vpc_cidr_block
+ transit_gateway_id = module.tgw[0].transit_gateway_id
+
+ depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network]
+
+}
+
+resource "aws_route" "apps_prd_public_route_to_tgw" {
+
+ # For each vpc...
+ for_each = {
+ for k, v in data.terraform_remote_state.apps-prd-vpcs :
+ k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd", false)
+ }
+
+ # ...add a route into the network public RT
+ route_table_id = data.terraform_remote_state.network-vpcs["network-base"].outputs.public_route_table_ids[0]
+ destination_cidr_block = each.value.outputs.vpc_cidr_block
+ transit_gateway_id = module.tgw[0].transit_gateway_id
+
+ depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network]
+
+}
+
+# Update shared public RT
+resource "aws_route" "shared_public_apps_devstg_route_to_tgw" {
+
+ # For each vpc...
+ for_each = {
+ for k, v in data.terraform_remote_state.apps-devstg-vpcs :
+ k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg", false)
+ }
+
+ # ...add a route into the network public RT
+ route_table_id = data.terraform_remote_state.shared-vpcs["shared-base"].outputs.public_route_table_ids[0]
+ destination_cidr_block = each.value.outputs.vpc_cidr_block
+ transit_gateway_id = module.tgw[0].transit_gateway_id
+
+ depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network]
+
+ provider = aws.shared
+
+}
+
+resource "aws_route" "shared_public_apps_prd_route_to_tgw" {
+
+ # For each vpc...
+ for_each = { + for k, v in data.terraform_remote_state.apps-prd-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd", false) + } + + # ...add a route into the network public RT + route_table_id = data.terraform_remote_state.shared-vpcs["shared-base"].outputs.public_route_table_ids[0] + destination_cidr_block = each.value.outputs.vpc_cidr_block + transit_gateway_id = module.tgw[0].transit_gateway_id + + depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network] + + provider = aws.shared + +} + +# Update Inspection & AWS Network Firewall route tables +data "aws_route_table" "inspection_route_table" { + for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? { + for k, v in data.terraform_remote_state.network-firewall.outputs["inspection_subnets"] : + k => v + } : {} + + subnet_id = each.value +} + +resource "aws_route" "inspection_to_endpoint" { + for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? { + for s in data.terraform_remote_state.network-firewall.outputs["sync_states"][0] : + s["availability_zone"] => s["attachment"] + } : {} + + + route_table_id = data.aws_route_table.inspection_route_table[each.key].id + vpc_endpoint_id = each.value[0]["endpoint_id"] + destination_cidr_block = "0.0.0.0/0" +} + +data "aws_route_table" "network_firewall_route_table" { + for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? { + for k, v in data.terraform_remote_state.network-firewall.outputs["network_firewall_subnets"] : + k => v } : {} + + subnet_id = each.value +} + +resource "aws_route" "network_firewall_tgw" { + for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 
{ + for s in data.terraform_remote_state.network-firewall.outputs["sync_states"][0] : + s["availability_zone"] => s["attachment"] + } : {} + + route_table_id = data.aws_route_table.network_firewall_route_table[each.key].id + transit_gateway_id = module.tgw[0].transit_gateway_id + destination_cidr_block = "0.0.0.0/0" +} diff --git a/network/us-east-2/transit-gateway/variables.tf b/network/us-east-2/transit-gateway/variables.tf new file mode 100644 index 000000000..0ef36532c --- /dev/null +++ b/network/us-east-2/transit-gateway/variables.tf 
@@ -0,0 +1,127 @@
+#
+# config/backend.config
+#
+#================================#
+# Terraform AWS Backend Settings #
+#================================#
+variable "region" {
+ type = string
+ description = "AWS Region"
+}
+
+variable "profile" {
+ type = string
+ description = "AWS Profile (required by the backend but also used for other resources)"
+}
+
+variable "bucket" {
+ type = string
+ description = "AWS S3 TF State Backend Bucket"
+}
+
+variable "dynamodb_table" {
+ type = string
+ description = "AWS DynamoDB TF Lock state table name"
+}
+
+variable "encrypt" {
+ type = bool
+ description = "Enable AWS DynamoDB with server side encryption"
+}
+
+#
+# config/base.config
+#
+#=============================#
+# Project Variables #
+#=============================#
+variable "project" {
+ type = string
+ description = "Project Name"
+}
+
+variable "project_long" {
+ type = string
+ description = "Project Long Name"
+}
+
+variable "environment" {
+ type = string
+ description = "Environment Name"
+}
+
+#
+# config/extra.config
+#
+#=============================#
+# Accounts & Extra Vars #
+#=============================#
+variable "region_secondary" {
+ type = string
+ description = "AWS Scondary Region for HA"
+}
+
+variable "root_account_id" {
+ type = string
+ description = "Account: Root"
+}
+
+variable "security_account_id" {
+ type = string
+ description = "Account: Security & Users Management"
+}
+
+variable "shared_account_id" {
+ type = string
+ description = "Account: Shared Resources"
+}
+
+variable "appsdevstg_account_id" {
+ type = string
+ description = "Account: Dev Modules & Libs"
+}
+
+variable "appsprd_account_id" {
+ type = string
+ description = "Account: Prod Modules & Libs"
+}
+
+variable "network_account_id" {
+ type = string
+ description = "Account: Networking Resources"
+}
+
+variable "vault_token" {
+ type = string
+}
+
+variable "vault_address" {
+ type = string
+}
+
+#===========================================#
+# Transit Gateway #
+#===========================================#
+
+variable "enable_tgw" {
+ description = "Enable Transit Gateway Support"
+ type = bool
+ default = false
+}
+
+variable "enable_vpc_attach" {
+ description = "Enable VPC attachments per account"
+ type = any
+ default = {
+ network = false
+ shared = false
+ apps-devstg = false
+ apps-prd = false
+ }
+}
+
+variable "enable_network_firewall" {
+ description = "Enable AWS Network Firewall support"
+ type = bool
+ default = false
+}
diff --git a/network/us-east-2/transit-gateway/vpc_attachments.tf b/network/us-east-2/transit-gateway/vpc_attachments.tf
new file mode 100644
index 000000000..229a57af9
--- /dev/null
+++ b/network/us-east-2/transit-gateway/vpc_attachments.tf
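Review bot: `variable "vault_token"` is a plain `string` with no `sensitive = true`, so the token value is rendered in plan/apply output and in any diagnostic that echoes variables; later commits in this series raise this layer's `required_version` to `>= 1.0.9`, where the flag is available, so add `sensitive = true` and a `description` like the other variables carry. `enable_vpc_attach` is typed `any` although every value in its default is a boolean; `type = map(bool)` would reject a non-boolean at validation instead of letting `lookup(var.enable_vpc_attach, "network", false)` callers fail at evaluation. `description = "AWS Scondary Region for HA"` has a typo ("Secondary").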
@@ -0,0 +1,225 @@ +# terraform-aws-transit-gateway - vpc attachments +# +# Each vpc attachment config can contain the following fields: +# +# vpc_id - The ID of the VPC for which to create a VPC attachment and route table associations and propagations. +# vpc_cidr - VPC CIDR block. +# subnet_route_table_ids - The IDs of the subnet route tables. The route tables are used to add routes to allow traffix from the subnets in one VPC to the other VPC attachments. +# route_to - A set of names to route traffic from the current environment to the specified environments. +# Example: ["apps-prd", apps-prd-eks"]. Specify either route_to or route_to_cidr_blocks. route_to_cidr_blocks supersedes route_to. +# route_to_cidr_blocks - A set of VPC CIDR blocks to route traffic from the current environment to the specified VPC CIDR blocks. +# Specify either route_to or route_to_cidr_blocks. route_to_cidr_blocks supersedes route_to. +# static_routes - A list of Transit Gateway static route configurations. Note that static routes have a higher precedence than propagated routes. +# transit_gateway_vpc_attachment_id - An existing Transit Gateway Attachment ID. If provided, the module will use it instead of creating a new one. 
+ +# Network Firewall VPC attachment - Inspection subnets (private) +module "tgw_vpc_attachments_and_subnet_routes_network_firewall" { + + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + + for_each = { + for k, v in { + "network-firewall" = data.terraform_remote_state.network-firewall + } : + k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) + } + + name = "${var.project}-${each.key}-vpc" + + # network account can access the Transit Gateway in the network: account since we shared the Transit Gateway with the Organization using Resource Access Manager + existing_transit_gateway_id = module.tgw[0].transit_gateway_id + create_transit_gateway = false + create_transit_gateway_route_table = false + create_transit_gateway_vpc_attachment = true + create_transit_gateway_route_table_association_and_propagation = false + + config = { + (each.key) = { + vpc_id = each.value.outputs.vpc_id + vpc_cidr = each.value.outputs.vpc_cidr_block + subnet_ids = values(each.value.outputs.inspection_subnets) + subnet_route_table_ids = values(each.value.outputs.inspection_route_table_ids) + route_to = null + route_to_cidr_blocks = null + static_routes = null + transit_gateway_vpc_attachment_id = null + } + } + + tags = local.tags + + providers = { + aws = aws.network + } +} + +# network VPC attachments (private) +module "tgw_vpc_attachments_and_subnet_routes_network" { + + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + + for_each = { + for k, v in data.terraform_remote_state.network-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "network", false) + } + + name = "${var.project}-${each.key}-vpc" + + # network account can access the Transit Gateway in the network: account since we shared the Transit Gateway with the Organization using Resource Access Manager + existing_transit_gateway_id = module.tgw[0].transit_gateway_id + existing_transit_gateway_route_table_id = 
module.tgw[0].transit_gateway_route_table_id + create_transit_gateway = false + create_transit_gateway_route_table = false + create_transit_gateway_vpc_attachment = true + create_transit_gateway_route_table_association_and_propagation = false + + config = { + (each.key) = { + vpc_id = each.value.outputs.vpc_id + vpc_cidr = each.value.outputs.vpc_cidr_block + subnet_ids = each.value.outputs.private_subnets + subnet_route_table_ids = each.value.outputs.private_route_table_ids + route_to = null + route_to_cidr_blocks = null + static_routes = null + transit_gateway_vpc_attachment_id = null + } + } + + tags = local.tags + + providers = { + aws = aws.network + } +} + +# apps-devstg VPC attachments +module "tgw_vpc_attachments_and_subnet_routes_apps-devstg" { + + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + + for_each = { + for k, v in data.terraform_remote_state.apps-devstg-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg", false) + } + + name = "${var.project}-${each.key}-vpc" + + # apps-devstg account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager + existing_transit_gateway_id = module.tgw[0].transit_gateway_id + existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? 
module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_route_table_id : module.tgw[0].transit_gateway_route_table_id + create_transit_gateway = false + create_transit_gateway_route_table = false + create_transit_gateway_vpc_attachment = true + create_transit_gateway_route_table_association_and_propagation = false + + config = { + (each.key) = { + vpc_id = each.value.outputs.vpc_id + vpc_cidr = each.value.outputs.vpc_cidr_block + subnet_ids = each.value.outputs.private_subnets + subnet_route_table_ids = each.value.outputs.private_route_table_ids + route_to = null + route_to_cidr_blocks = concat( + ["0.0.0.0/0"], # twg - Add the default route to target the TGW in apps-devstg's private RTs + #[for v in values(data.terraform_remote_state.shared-vpcs) : v.outputs.vpc_cidr_block], # shared - Add shared vpc cidrs to target the TGW in apps-devstg's private RTs + #[for v in values(data.terraform_remote_state.network-vpcs) : v.outputs.vpc_cidr_block], # network - Add network vpc cidrs to target the TGW in apps-devstg's private RTs + ) + static_routes = null + transit_gateway_vpc_attachment_id = null + } + } + + tags = local.tags + + providers = { + aws = aws.apps-devstg + } +} + +# apps-prd VPC attachments +module "tgw_vpc_attachments_and_subnet_routes_apps-prd" { + + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + + for_each = { + for k, v in data.terraform_remote_state.apps-prd-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd", false) + } + + name = "${var.project}-${each.key}-vpc" + + # apps-prd account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager + existing_transit_gateway_id = module.tgw[0].transit_gateway_id + existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? 
module.tgw_inspection_route_table[0].transit_gateway_route_table_id : module.tgw[0].transit_gateway_route_table_id + create_transit_gateway = false + create_transit_gateway_route_table = false + create_transit_gateway_vpc_attachment = true + create_transit_gateway_route_table_association_and_propagation = false + + config = { + (each.key) = { + vpc_id = each.value.outputs.vpc_id + vpc_cidr = each.value.outputs.vpc_cidr_block + subnet_ids = each.value.outputs.private_subnets + subnet_route_table_ids = each.value.outputs.private_route_table_ids + route_to = null + route_to_cidr_blocks = concat( + ["0.0.0.0/0"], # twg - Add the default route to target the TGW in apps-prd's private RTs + #[for v in values(data.terraform_remote_state.shared-vpcs) : v.outputs.vpc_cidr_block], # shared - Add shared vpc cidrs to target the TGW in apps-prd's private RTs + #[for v in values(data.terraform_remote_state.network-vpcs) : v.outputs.vpc_cidr_block], # network - Add network vpc cidrs to target the TGW in apps-prd's private RTs + ) + static_routes = null + transit_gateway_vpc_attachment_id = null + } + } + + tags = local.tags + + providers = { + aws = aws.apps-prd + } +} + +# shared VPC attachments +module "tgw_vpc_attachments_and_subnet_routes_shared" { + + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + + for_each = { + for k, v in data.terraform_remote_state.shared-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "shared", false) + } + + name = "${var.project}-${each.key}-vpc" + + # apps-devstg account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager + existing_transit_gateway_id = module.tgw[0].transit_gateway_id + existing_transit_gateway_route_table_id = var.enable_tgw && lookup(var.enable_vpc_attach, "shared", false) ? 
try(module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_route_table_id, null) : module.tgw[0].transit_gateway_route_table_id + create_transit_gateway = false + create_transit_gateway_route_table = false + create_transit_gateway_vpc_attachment = true + create_transit_gateway_route_table_association_and_propagation = false + + config = { + (each.key) = { + vpc_id = each.value.outputs.vpc_id + vpc_cidr = each.value.outputs.vpc_cidr_block + subnet_ids = each.value.outputs.private_subnets + subnet_route_table_ids = each.value.outputs.private_route_table_ids + route_to = null + route_to_cidr_blocks = concat( + ["0.0.0.0/0"], # twg - Add the default route to target the TGW in shared's private RTs + #[for v in values(data.terraform_remote_state.network-vpcs) : v.outputs.vpc_cidr_block], # network - Add network vpc cidrs to target the TGW in shared's private RTs + ) + static_routes = null + transit_gateway_vpc_attachment_id = null + } + } + + tags = local.tags + + providers = { + aws = aws.shared + } +} From e592edf0a15e11c18b1e2b29e426dfc3beac4af4 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Fri, 19 Nov 2021 18:43:06 -0300 Subject: [PATCH 05/44] Increase the Terraform required version to 1.09 --- shared/us-east-1/base-network/config.tf | 2 +- shared/us-east-1/notifications/config.tf | 2 +- shared/us-east-1/security-audit/config.tf | 2 +- shared/us-east-1/security-keys/config.tf | 2 +- shared/us-east-2/base-network/build.env | 1 - shared/us-east-2/base-network/config.tf | 2 +- shared/us-east-2/security-keys/config.tf | 2 +- 7 files changed, 6 insertions(+), 7 deletions(-) delete mode 100644 shared/us-east-2/base-network/build.env diff --git a/shared/us-east-1/base-network/config.tf b/shared/us-east-1/base-network/config.tf index 0cfb3b6b9..0d9df6d8c 100644 --- a/shared/us-east-1/base-network/config.tf +++ b/shared/us-east-1/base-network/config.tf 
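Review bot: The comment above `existing_transit_gateway_id` in `module "tgw_vpc_attachments_and_subnet_routes_shared"` still says `# apps-devstg account can access the Transit Gateway ...`; it was copied from the apps-devstg block and should read `# shared account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager`. The route-table selection also differs between the three blocks: apps-devstg takes `module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_route_table_id`, apps-prd takes `module.tgw_inspection_route_table[0].transit_gateway_route_table_id`, and shared tests `lookup(var.enable_vpc_attach, "shared", false)` instead of `var.enable_network_firewall` — a condition its own `for_each` filter already guarantees true — so the `try(..., null)` branch is always taken and yields `null` whenever the firewall is disabled. If the three are meant to behave alike, `var.enable_tgw && var.enable_network_firewall ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : module.tgw[0].transit_gateway_route_table_id` in each would make the intent explicit; whether the module reads this value at all when `create_transit_gateway_route_table_association_and_propagation = false`, or whether the network-firewall instance exposes a route table id with `create_transit_gateway_route_table = false`, is not visible here. Every `route_to_cidr_blocks` installs `0.0.0.0/0` toward the TGW in the private route tables, while the default route in the TGW route table (`network_firewall_default` in the earlier network.tf hunk, whose start is outside this view) is gated on `var.enable_network_firewall`, so confirm egress is still routed when the firewall is off. The four `source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0"` lines pin a mutable git tag; pinning the tag's commit SHA keeps the layer reproducible if the tag is moved.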
@@ -46,7 +46,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/shared/us-east-1/notifications/config.tf b/shared/us-east-1/notifications/config.tf index 2d42a7107..4ab1007e5 100644 --- a/shared/us-east-1/notifications/config.tf +++ b/shared/us-east-1/notifications/config.tf @@ -24,7 +24,7 @@ provider "vault" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.2" diff --git a/shared/us-east-1/security-audit/config.tf b/shared/us-east-1/security-audit/config.tf index 96fc4261b..2a24e540e 100644 --- a/shared/us-east-1/security-audit/config.tf +++ b/shared/us-east-1/security-audit/config.tf @@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/shared/us-east-1/security-keys/config.tf b/shared/us-east-1/security-keys/config.tf index 85d32a9be..c7ce195da 100644 --- a/shared/us-east-1/security-keys/config.tf +++ b/shared/us-east-1/security-keys/config.tf @@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/shared/us-east-2/base-network/build.env b/shared/us-east-2/base-network/build.env deleted file mode 100644 index 30adf62eb..000000000 --- a/shared/us-east-2/base-network/build.env +++ /dev/null @@ -1 +0,0 @@ -TERRAFORM_IMAGE_TAG=0.15.5 diff --git a/shared/us-east-2/base-network/config.tf b/shared/us-east-2/base-network/config.tf index 8370a7de8..169509bb7 100644 --- a/shared/us-east-2/base-network/config.tf +++ b/shared/us-east-2/base-network/config.tf 
@@ -32,7 +32,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/shared/us-east-2/security-keys/config.tf b/shared/us-east-2/security-keys/config.tf index b600cbdbb..5fb584eb1 100644 --- a/shared/us-east-2/security-keys/config.tf +++ b/shared/us-east-2/security-keys/config.tf @@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.2" From d79a59044ba615b1e65bcfe808f45dae9eeb3f39 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Mon, 22 Nov 2021 23:45:22 -0300 Subject: [PATCH 06/44] Increase the Terraform required version to 1.0.9 --- network/global/base-identities/config.tf | 2 +- network/us-east-1/network-firewall/config.tf | 2 +- network/us-east-1/notifications/config.tf | 2 +- network/us-east-1/security-audit/config.tf | 2 +- network/us-east-1/security-base/config.tf | 2 +- network/us-east-1/security-compliance/config.tf | 2 +- network/us-east-1/security-keys/config.tf | 4 ++-- network/us-east-1/transit-gateway/config.tf | 2 +- network/us-east-2/security-keys/config.tf | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/network/global/base-identities/config.tf b/network/global/base-identities/config.tf index 35b62087f..1a00a8179 100644 --- a/network/global/base-identities/config.tf +++ b/network/global/base-identities/config.tf @@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.27" diff --git a/network/us-east-1/network-firewall/config.tf b/network/us-east-1/network-firewall/config.tf index d6e2d8df5..dcbecc861 100644 --- a/network/us-east-1/network-firewall/config.tf 
+++ b/network/us-east-1/network-firewall/config.tf @@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/network/us-east-1/notifications/config.tf b/network/us-east-1/notifications/config.tf index 3b35e55a4..e0f4e241f 100644 --- a/network/us-east-1/notifications/config.tf +++ b/network/us-east-1/notifications/config.tf @@ -24,7 +24,7 @@ provider "vault" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/network/us-east-1/security-audit/config.tf b/network/us-east-1/security-audit/config.tf index 065677600..b46cc5d9b 100644 --- a/network/us-east-1/security-audit/config.tf +++ b/network/us-east-1/security-audit/config.tf @@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/network/us-east-1/security-base/config.tf b/network/us-east-1/security-base/config.tf index 77242b64d..8a37e43f8 100644 --- a/network/us-east-1/security-base/config.tf +++ b/network/us-east-1/security-base/config.tf @@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/network/us-east-1/security-compliance/config.tf b/network/us-east-1/security-compliance/config.tf index fe849f5ba..5823c5e1d 100644 --- a/network/us-east-1/security-compliance/config.tf +++ b/network/us-east-1/security-compliance/config.tf 
@@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.2" diff --git a/network/us-east-1/security-keys/config.tf b/network/us-east-1/security-keys/config.tf index 4ae47b50b..31d5fcf20 100644 --- a/network/us-east-1/security-keys/config.tf +++ b/network/us-east-1/security-keys/config.tf @@ -11,13 +11,13 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.2" } backend "s3" { - key = "network/security-keys-dr/terraform.tfstate" + key = "network/security-keys/terraform.tfstate" } } diff --git a/network/us-east-1/transit-gateway/config.tf b/network/us-east-1/transit-gateway/config.tf index 39e13cd28..6e84fa308 100644 --- a/network/us-east-1/transit-gateway/config.tf +++ b/network/us-east-1/transit-gateway/config.tf @@ -39,7 +39,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/network/us-east-2/security-keys/config.tf b/network/us-east-2/security-keys/config.tf index 4ae47b50b..52d6e0b60 100644 --- a/network/us-east-2/security-keys/config.tf +++ b/network/us-east-2/security-keys/config.tf @@ -11,7 +11,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.2" From 9c9bd4629458a0453b907546aa498204ff542ed4 Mon Sep 17 00:00:00 2001 
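Review bot: The `network/us-east-1/security-keys/config.tf` hunk changes the S3 backend key from `network/security-keys-dr/terraform.tfstate` to `network/security-keys/terraform.tfstate`, which points the layer at a different state object; unless that state is migrated (`terraform init -migrate-state`) or already exists at the new key, the next apply will plan the resources this layer manages (the diffstat lists `kms.tf` and `ssh.tf` for security-keys) as new. Both `security-keys/config.tf` files start from the same blob `4ae47b50b`, which suggests the us-east-1 layer was a copy of the us-east-2 one and may have been sharing the `-dr` state key with it; before the old key is deleted, check that state for resources from both regions. The surrounding `required_version` bumps are routine; this change deserves a line in the commit message describing how the existing state was moved.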
From: "Luis M. Gallardo D" Date: Mon, 22 Nov 2021 23:56:35 -0300 Subject: [PATCH 07/44] Increase the Terraform required version to 1.0.9 --- network/us-east-2/base-network/config.tf | 2 +- network/us-east-2/transit-gateway/config.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/network/us-east-2/base-network/config.tf b/network/us-east-2/base-network/config.tf index 7829d1074..854da1aa2 100644 --- a/network/us-east-2/base-network/config.tf +++ b/network/us-east-2/base-network/config.tf @@ -39,7 +39,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" diff --git a/network/us-east-2/transit-gateway/config.tf b/network/us-east-2/transit-gateway/config.tf index 7e693394d..0a2d8a1c5 100644 --- a/network/us-east-2/transit-gateway/config.tf +++ b/network/us-east-2/transit-gateway/config.tf @@ -39,7 +39,7 @@ provider "aws" { # Backend Config (partial) # #=============================# terraform { - required_version = ">= 0.14.11" + required_version = ">= 1.0.9" required_providers { aws = "~> 3.0" From ed0623400c26aad6901929c44f93530d93b8943a Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 23 Nov 2021 01:04:25 -0300 Subject: [PATCH 08/44] Add TGW code for DR region --- network/us-east-2/transit-gateway/config.tf | 32 ++++++++++----------- network/us-east-2/transit-gateway/locals.tf | 10 +++---- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/network/us-east-2/transit-gateway/config.tf b/network/us-east-2/transit-gateway/config.tf index 0a2d8a1c5..0eb20de65 100644 --- a/network/us-east-2/transit-gateway/config.tf +++ b/network/us-east-2/transit-gateway/config.tf 
@@ -57,18 +57,18 @@ terraform { # # data type from output for tools-ec2 # -data "terraform_remote_state" "tools-vpn-server" { +data "terraform_remote_state" "tools-vpn-server-dr" { backend = "s3" config = { region = var.region profile = "${var.project}-shared-devops" bucket = "${var.project}-shared-terraform-backend" - key = "shared/vpn/terraform.tfstate" + key = "shared/vpn-dr/terraform.tfstate" } } -data "terraform_remote_state" "network-firewall" { +data "terraform_remote_state" "network-firewall-dr" { backend = "s3" @@ -76,15 +76,15 @@ data "terraform_remote_state" "network-firewall" { region = var.region profile = "${var.project}-network-devops" bucket = "${var.project}-network-terraform-backend" - key = "network/network-firewall/terraform.tfstate" + key = "network/network-firewall-dr/terraform.tfstate" } } -# VPC remote states for network -data "terraform_remote_state" "network-vpcs" { +# VPC remote states for network-dr +data "terraform_remote_state" "network-dr-vpcs" { - for_each = local.network-vpcs + for_each = local.network-dr-vpcs backend = "s3" @@ -97,10 +97,10 @@ data "terraform_remote_state" "network-vpcs" { } -# VPC remote states for shared -data "terraform_remote_state" "shared-vpcs" { +# VPC remote states for shared-dr +data "terraform_remote_state" "shared-dr-vpcs" { - for_each = local.shared-vpcs + for_each = local.shared-dr-vpcs backend = "s3" @@ -112,10 +112,10 @@ data "terraform_remote_state" "shared-vpcs" { } } -# VPC remote states for apps-devstg -data "terraform_remote_state" "apps-devstg-vpcs" { +# VPC remote states for apps-devstg-dr +data "terraform_remote_state" "apps-devstg-dr-vpcs" { - for_each = local.apps-devstg-vpcs + for_each = local.apps-devstg-dr-vpcs backend = "s3" 
@@ -127,10 +127,10 @@ data "terraform_remote_state" "apps-devstg-vpcs" { } } -# VPC remote states for apps-prd -data "terraform_remote_state" "apps-prd-vpcs" { +# VPC remote states for apps-prd-dr +data "terraform_remote_state" "apps-prd-dr-vpcs" { - for_each = local.apps-prd-vpcs + for_each = local.apps-prd-dr-vpcs backend = "s3" diff --git a/network/us-east-2/transit-gateway/locals.tf b/network/us-east-2/transit-gateway/locals.tf index 621e06417..57a0bc2e3 100644 --- a/network/us-east-2/transit-gateway/locals.tf +++ b/network/us-east-2/transit-gateway/locals.tf @@ -22,7 +22,7 @@ locals { # network-dr network-dr-vpcs = { - network-base = { + network-base-dr = { region = var.region profile = "${var.project}-network-devops" bucket = "${var.project}-network-terraform-backend" @@ -44,9 +44,9 @@ locals { apps-prd-vpcs = {} datasources-vpcs = merge( - data.terraform_remote_state.network-vpcs, # network - #data.terraform_remote_state.shared-vpcs, # shared - #data.terraform_remote_state.apps-devstg-vpcs, # apps-devstg-vpcs - data.terraform_remote_state.apps-prd-vpcs, # apps-prd-vpcs + data.terraform_remote_state.network-dr-vpcs, # network-dr + data.terraform_remote_state.shared-dr-vpcs, # shared-dr + data.terraform_remote_state.apps-devstg-dr-vpcs, # apps-devstg-dr-vpcs + data.terraform_remote_state.apps-prd-vpcs-dr, # apps-prd-dr-vpcs ) } From 94b86d52383a3caf5176b80f3155bd838e3530f4 Mon Sep 17 00:00:00 2001 
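Review bot: The `datasources-vpcs` merge in `locals.tf` references `data.terraform_remote_state.apps-prd-vpcs-dr`, but `config.tf` in the same commit renames that data source to `apps-prd-dr-vpcs` (`@@ -127,10 +127,10 @@`), so the reference will not resolve; the line should read `data.terraform_remote_state.apps-prd-dr-vpcs, # apps-prd-dr-vpcs`. The renamed data sources also iterate `local.shared-dr-vpcs`, `local.apps-devstg-dr-vpcs` and `local.apps-prd-dr-vpcs`, while the only locals visible in this hunk are `network-dr-vpcs` and an unchanged `apps-prd-vpcs = {}`; if the other `-dr` locals are not defined outside the hunk, those `for_each` expressions will fail as well. The `locals` block starts and ends outside the hunk.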
From: "Luis M. Gallardo D" Date: Wed, 24 Nov 2021 02:38:53 -0300 Subject: [PATCH 09/44] Add NFGW definition to secondary region --- network/us-east-2/network-firewall/README.md | 28 +++ network/us-east-2/network-firewall/config.tf | 23 ++ .../us-east-2/network-firewall/firewall.tf | 72 +++++++ network/us-east-2/network-firewall/locals.tf | 42 ++++ network/us-east-2/network-firewall/network.tf | 33 +++ network/us-east-2/network-firewall/outputs.tf | 66 ++++++ .../us-east-2/network-firewall/variables.tf | 202 ++++++++++++++++++ 7 files changed, 466 insertions(+) create mode 100644 network/us-east-2/network-firewall/README.md create mode 100644 network/us-east-2/network-firewall/config.tf create mode 100644 network/us-east-2/network-firewall/firewall.tf create mode 100644 network/us-east-2/network-firewall/locals.tf create mode 100644 network/us-east-2/network-firewall/network.tf create mode 100644 network/us-east-2/network-firewall/outputs.tf create mode 100644 network/us-east-2/network-firewall/variables.tf diff --git a/network/us-east-2/network-firewall/README.md b/network/us-east-2/network-firewall/README.md new file mode 100644 index 000000000..5eba4412a --- /dev/null +++ b/network/us-east-2/network-firewall/README.md 
@@ -0,0 +1,28 @@
+# Domain list inspection for traffic from outside the Network Firewall VPC
+To use domain name filtering for traffic from outside the VPC where you've deployed Network Firewall, you must manually set the `HOME_NET` variable for the rule group. The most common use case for this is a central firewall VPC with traffic coming from other VPCs through a transit gateway.
+
+Include the `HOME_NET` variable in the dtaeful group definiton as follow:
+
+```
+ # Stateful rules
+ stateful_rule_groups = {
+ # rules_source_list examples
+ stateful-group-1 = {
+ description = "Stateful Inspection for denying access to domains"
+ capacity = 100
+ rule_variables = {
+ ip_sets = {
+ HOME_NET = ["0.0.0.0/0"]
+ }
+ }
+ rules_source_list = {
+ generated_rules_type = "DENYLIST"
+ target_types = ["TLS_SNI", "HTTP_HOST"]
+ targets = [".wikipedia.org", ".bad-domain.com"]
+ }
+ }
+ }
+}
+```
+**Reference**: [Domain list inspection for traffic from outside the deployment VPC](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html#:~:text=see%20Domain%20filtering.-,Domain%20list%20inspection%20for%20traffic%20from%20outside%20the%20deployment%20VPC,-To%20use%20domain)
+
diff --git a/network/us-east-2/network-firewall/config.tf b/network/us-east-2/network-firewall/config.tf
new file mode 100644
index 000000000..80bb2828c
--- /dev/null
+++ b/network/us-east-2/network-firewall/config.tf
@@ -0,0 +1,23 @@
+#=============================#
+# AWS Provider Settings #
+#=============================#
+provider "aws" {
+ region = var.region_secondary
+ profile = var.profile
+ shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+#=============================#
+# Backend Config (partial) #
+#=============================#
+terraform {
+ required_version = ">= 1.0.9"
+
+ required_providers {
+ aws = "~> 3.0"
+ }
+
+ backend "s3" {
+ key = "network/network-firewall-dr/terraform.tfstate"
+ }
+}
diff --git a/network/us-east-2/network-firewall/firewall.tf b/network/us-east-2/network-firewall/firewall.tf
new file mode 100644
index 000000000..16a6053ae
--- /dev/null
+++ b/network/us-east-2/network-firewall/firewall.tf
@@ -0,0 +1,72 @@
+module "firewall" {
+
+ count = var.enable_network_firewall ? 1 : 0
+
+ source = "github.com/binbashar/terraform-aws-network-firewall.git?ref=v0.1.0"
+
+ name = "${var.project}-${var.environment}-firewall-dr"
+
+ description = "AWS Network Firewall for DR"
+ delete_protection = false
+ firewall_policy_change_protection = false
+ subnet_change_protection = false
+ vpc_id = module.vpc.vpc_id
+
+ stateless_default_actions = ["aws:pass"]
+ stateless_fragment_default_actions = ["aws:drop"]
+
+ subnet_mapping = module.network_firewall_private_subnets.az_subnet_ids
+
+ # Stateless rule groups
+ stateless_rule_groups = {
+ # stateless-group-1 rules
+ staless-group-1 = {
+ description = "Staless rules"
+ priority = 10
+ capacity = 100
+ rules = [
+ {
+ priority = 1
+ actions = ["aws:drop"]
+ protocols = [1] # ICMP
+ source = {
+ address = "0.0.0.0/0"
+ }
+ destination = {
+ address = "0.0.0.0/0"
+ }
+ },
+ {
+ priority = 10
+ actions = ["aws:forward_to_sfe"]
+ source = {
+ address = "0.0.0.0/0"
+ }
+ destination = {
+ address = "0.0.0.0/0"
+ }
+ },
+ ]
+ }
+ }
+
+ # Stateful rules
+ stateful_rule_groups = {
+ # rules_source_list examples
+ stateful-group-1 = {
+ description = "Stateful Inspection for denying access to domains"
+ capacity = 100
+ rule_variables = {
+ ip_sets = {
+ HOME_NET = ["0.0.0.0/0"]
+ }
+ }
+ rules_source_list = {
+ generated_rules_type = "DENYLIST"
+ target_types = ["TLS_SNI", "HTTP_HOST"]
+ targets = [".wikipedia.org", ".bad-domain.com"]
+ }
+ }
+ }
+}
+
diff --git a/network/us-east-2/network-firewall/locals.tf b/network/us-east-2/network-firewall/locals.tf
new file mode 100644
index 000000000..c9040e0d7
--- /dev/null
+++ b/network/us-east-2/network-firewall/locals.tf
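Review bot: `delete_protection`, `firewall_policy_change_protection` and `subnet_change_protection` are all hard-coded to false on a firewall intended for DR, so a single apply or console action can remove the inspection point with nothing in the way; expose them as variables that default to true, e.g. `delete_protection = var.firewall_delete_protection`, and override only while the layer is still being iterated on. The stateful group is a DENYLIST whose `targets` are the README's example domains (`.wikipedia.org`, `.bad-domain.com`), meaning every other destination is allowed; a comment such as `# TODO: replace example targets with the DR deny list before enabling` above `targets` would keep this from being applied as-is. The module source is pinned to a git tag (`?ref=v0.1.0`), as are the two modules in network.tf in this commit; tags are mutable, so pinning to a commit SHA gives a reproducible, tamper-evident source. The key `staless-group-1` / description `Staless rules` is a typo that becomes a rule-group name, and correcting it later forces a replacement, so better to fix it now.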
@@ -0,0 +1,42 @@
+# Inspection VPC
+locals {
+
+ tags = {
+ Terraform = "true"
+ Environment = var.environment
+ }
+
+ # Network Local Vars
+ # https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
+ vpc_name = "${var.project}-${var.environment}-firewall-dr-vpc"
+ vpc_cidr_block = "172.20.48.0/20"
+ azs = [
+ "${var.region_secondary}a",
+ #"${var.region_secondary}b",
+ #"${var.region_secondary}c"
+ ]
+
+ # This includes the inspection and te firewall subnets
+ private_subnets_cidr = ["172.20.48.0/20"]
+
+ inspection_subnets_cidr = ["172.20.48.0/21"]
+ inspection_subnets = [
+ "172.20.48.0/23",
+ #"172.20.50.0/23",
+ #"172.20.52.0/23",
+ ]
+
+ network_firewall_subnets_cidr = ["172.20.56.0/21"]
+ network_firewall_subnets = [
+ "172.20.56.0/23",
+ #"172.20.58.0/23",
+ #"172.20.60.0/23",
+ ]
+
+ # AWS Network Firewall
+ firewall_endpoints = [
+ "${var.region_secondary}a",
+ #"${var.region_secondary}b",
+ #"${var.region_secondary}c"
+ ]
+}
diff --git a/network/us-east-2/network-firewall/network.tf b/network/us-east-2/network-firewall/network.tf
new file mode 100644
index 000000000..8e6975372
--- /dev/null
+++ b/network/us-east-2/network-firewall/network.tf
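Review bot: `inspection_subnets`, `network_firewall_subnets` and `firewall_endpoints` are declared here but, as far as this commit shows, nothing reads them: network.tf consumes only `inspection_subnets_cidr[0]` and `network_firewall_subnets_cidr[0]` and lets the subnet module carve the AZs, and firewall.tf takes `subnet_mapping` from that module's output. Either wire the lists in or drop them, otherwise a reader will assume the commented-out /23s and AZs control what gets built. `private_subnets_cidr` is the whole VPC CIDR, which the comment does say, but `# This includes the inspection and te firewall subnets` has a typo (`the`).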
@@ -0,0 +1,33 @@
+## Inspection VPC
+module "vpc" {
+ source = "github.com/binbashar/terraform-aws-vpc-base?ref=0.26.1"
+
+ assign_generated_ipv6_cidr_block = false
+ name = local.vpc_name
+ cidr_block = local.vpc_cidr_block
+ tags = local.tags
+}
+
+module "inspection_private_subnets" {
+ source = "github.com/binbashar/terraform-aws-multi-az-subnets?ref=0.14.0"
+
+ name = "${var.project}-${var.environment}-inspection"
+ vpc_id = module.vpc.vpc_id
+ availability_zones = local.azs
+ cidr_block = local.inspection_subnets_cidr[0]
+ type = "private"
+ max_subnets = 4
+ tags = local.tags
+}
+
+module "network_firewall_private_subnets" {
+ source = "github.com/binbashar/terraform-aws-multi-az-subnets?ref=0.14.0"
+
+ name = "${var.project}-${var.environment}-firewall"
+ vpc_id = module.vpc.vpc_id
+ availability_zones = local.azs
+ cidr_block = local.network_firewall_subnets_cidr[0]
+ type = "private"
+ max_subnets = 4
+ tags = local.tags
+}
diff --git a/network/us-east-2/network-firewall/outputs.tf b/network/us-east-2/network-firewall/outputs.tf
new file mode 100644
index 000000000..357534471
--- /dev/null
+++ b/network/us-east-2/network-firewall/outputs.tf
@@ -0,0 +1,66 @@ +# VPC ID +output "vpc_id" { + description = "VPC ID" + value = module.vpc.vpc_id +} + +output "vpc_name" { + description = "VPC Name" + value = local.vpc_name +} + +output "vpc_cidr_block" { + description = "VPC CIDR Block" + value = local.vpc_cidr_block +} + +# Subnets +output "inspection_subnets" { + description = "Map of AZ names to subnet IDs of inspection subnets" + value = module.inspection_private_subnets.az_subnet_ids +} + +output "network_firewall_subnets" { + description = "Map of AZ names to subnet IDs of network firewall subnets" + value = module.network_firewall_private_subnets.az_subnet_ids +} + +output "private_subnets_cidr" { + description = "CIDRS of private subnets" + value = local.private_subnets_cidr +} +output "inspection_subnets_cidr" { + description = "CIDRS of inspection subnets" + value = local.inspection_subnets_cidr +} + +output "network_firewall_subnets_cidr" { + description = "CIDR of network firewall subnets" + value = local.network_firewall_subnets_cidr +} + +output "network_firewall_route_table_ids" { + description = "Map of AZ names to Route Table IDs of network_firewall route tables" + value = module.network_firewall_private_subnets.az_route_table_ids +} + +output "inspection_route_table_ids" { + description = "Map of AZ names to Route Table IDs of inspection route tables" + value = module.inspection_private_subnets.az_route_table_ids +} + +# Network Firewall +output "network_firewall_status" { + description = "Nested list of information about the current status of the firewall." + value = var.enable_network_firewall ? module.firewall[0].network_firewall_status : [] +} + +output "sync_states" { + description = "Set of subnets configured for use by the firewall." + value = var.enable_network_firewall ? module.firewall[0].network_firewall_status.*.sync_states : [] +} + +output "network_firewall_subnet_id_endpoint_id" { + description = "Map of endpoint_id per subnet_id" + value = var.enable_network_firewall ? 
{ for v in module.firewall[0].network_firewall_status[0]["sync_states"].*.attachment : v[0]["subnet_id"] => v[0]["endpoint_id"] } : {} +} diff --git a/network/us-east-2/network-firewall/variables.tf b/network/us-east-2/network-firewall/variables.tf new file mode 100644 index 000000000..100516e76 --- /dev/null +++ b/network/us-east-2/network-firewall/variables.tf 
@@ -0,0 +1,202 @@ +# +# config/backend.config +# +#================================# +# Terraform AWS Backend Settings # +#================================# +variable "region" { + type = string + description = "AWS Region" +} + +variable "profile" { + type = string + description = "AWS Profile (required by the backend but also used for other resources)" +} + +variable "bucket" { + type = string + description = "AWS S3 TF State Backend Bucket" +} + +variable "dynamodb_table" { + type = string + description = "AWS DynamoDB TF Lock state table name" +} + +variable "encrypt" { + type = bool + description = "Enable AWS DynamoDB with server side encryption" +} + +# +# config/base.config +# +#=============================# +# Project Variables # +#=============================# +variable "project" { + type = string + description = "Project Name" +} + +variable "project_long" { + type = string + description = "Project Long Name" +} + +variable "environment" { + type = string + description = "Environment Name" +} + +# +# config/extra.config +# +#=============================# +# Accounts & Extra Vars # +#=============================# +variable "region_secondary" { + type = string + description = "AWS Scondary Region for HA" +} + +variable "root_account_id" { + type = string + description = "Account: Root" +} + +variable "security_account_id" { + type = string + description = "Account: Security & Users Management" +} + +variable "shared_account_id" { + type = string + description = "Account: Shared Resources" +} + +variable "appsdevstg_account_id" { + type = string + description = "Account: Dev Modules & Libs" +} + +variable "appsprd_account_id" { + type = string + description = "Account: Prod Modules & Libs" +} + +variable "vault_address" { + type = string + description = "Vault Address" +} + +variable "vault_token" { + type = string + description = "Vault Token" +} + +#===========================================# +# Networking # 
+#===========================================# +variable "vpc_apps_devstg_created" { + description = "true if Apps Dev account VPC is created for Peering purposes" + type = bool + default = true +} + +variable "vpc_apps_devstg_eks_created" { + description = "true if Apps Dev account EKS VPC is created for Peering purposes" + type = bool + default = true +} + +variable "vpc_apps_prd_created" { + description = "true if Apps Prd account VPC is created for Peering purposes" + type = bool + default = true +} + +variable "vpc_vault_hvn_created" { + description = "true if the Hahicorp Vault Cloud HVN account VPC is created for Peering purposes" + type = bool + default = true +} + +variable "vpc_vault_hvn_peering_connection_id" { + description = "Hahicorp Vault Cloud HVN VPC peering ID" + type = string + default = "pcx-0109e4ef7e784ee06" +} + +variable "vpc_vault_hvn_cird" { + description = "Hahicorp Vault Cloud HVN VPC CIDR segment" + type = string + default = "172.25.16.0/20" +} + +variable "vpc_enable_nat_gateway" { + description = "Enable NAT Gatewway" + type = bool + default = false +} + +variable "vpc_single_nat_gateway" { + description = "Single NAT Gatewway" + type = bool + default = true +} + +variable "vpc_enable_dns_hostnames" { + description = "Enable DNS HOSTNAME" + type = bool + default = true +} + +variable "vpc_enable_vpn_gateway" { + description = "Enable VPN Gateway" + type = bool + default = false +} + +variable "vpc_enable_s3_endpoint" { + description = "Enable S3 endpoint" + type = bool + default = true +} + +variable "vpc_enable_dynamodb_endpoint" { + description = "Enable DynamoDB endpoint" + type = bool + default = true +} + +variable "enable_kms_endpoint" { + description = "Enable KMS endpoint" + type = bool + default = false +} + +variable "manage_default_network_acl" { + description = "Manage default Network ACL" + type = bool + default = false +} + +variable "public_dedicated_network_acl" { + description = "Manage default Network ACL" + type = 
bool + default = true +} + +variable "private_dedicated_network_acl" { + description = "Manage default Network ACL" + type = bool + default = true +} + +variable "enable_network_firewall" { + description = "Enable AWS Network Firewall support" + type = bool + default = false +} From 86d46169200635e25b12442879611f5432d2a7df Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 24 Nov 2021 02:59:48 -0300 Subject: [PATCH 10/44] Remove unused data source for the inspection VPC in the network_firewall layer --- network/us-east-1/network-firewall/config.tf | 18 ------------------ network/us-east-1/network-firewall/outputs.tf | 6 +++--- 2 files changed, 3 insertions(+), 21 deletions(-) diff --git a/network/us-east-1/network-firewall/config.tf b/network/us-east-1/network-firewall/config.tf index dcbecc861..49a9f1a7e 100644 --- a/network/us-east-1/network-firewall/config.tf +++ b/network/us-east-1/network-firewall/config.tf @@ -21,21 +21,3 @@ terraform { key = "network/network-firewall/terraform.tfstate" } } - -#=============================# -# Data sources # -#=============================# - -# -# Inspection Network -# -data "terraform_remote_state" "inspection_vpc" { - backend = "s3" - - config = { - region = var.region - profile = "${var.project}-network-devops" - bucket = "${var.project}-network-terraform-backend" - key = "network/network-firewall/terraform.tfstate" - } -} diff --git a/network/us-east-1/network-firewall/outputs.tf b/network/us-east-1/network-firewall/outputs.tf index a6657324b..357534471 100644 --- a/network/us-east-1/network-firewall/outputs.tf +++ b/network/us-east-1/network-firewall/outputs.tf 
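Review bot: `vault_token` is declared as a plain `string` with no `sensitive = true`, so its value can appear in plan output and CI logs; this layer's config.tf requires Terraform `>= 1.0.9`, which supports the attribute, so add `sensitive = true` to `vault_token` (and arguably `vault_address`). `vpc_vault_hvn_peering_connection_id` defaults to a concrete peering id that looks copied from another layer; an account-specific resource id as a default is easy to apply unnoticed in the wrong region, so drop the default and require it wherever it is actually used. Most of the Networking block (`vpc_apps_*_created`, the NAT/endpoint/ACL toggles) is not referenced by the firewall, network, locals or outputs files added in this commit, and `public_dedicated_network_acl` / `private_dedicated_network_acl` carry the copy-pasted description `Manage default Network ACL`; trimming to what the layer uses keeps its interface honest. Descriptions also have typos: `Scondary`, `Hahicorp`, `Gatewway`.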
@@ -52,15 +52,15 @@ output "inspection_route_table_ids" { # Network Firewall output "network_firewall_status" { description = "Nested list of information about the current status of the firewall." - value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? module.firewall[0].network_firewall_status : [] + value = var.enable_network_firewall ? module.firewall[0].network_firewall_status : [] } output "sync_states" { description = "Set of subnets configured for use by the firewall." - value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? module.firewall[0].network_firewall_status.*.sync_states : [] + value = var.enable_network_firewall ? module.firewall[0].network_firewall_status.*.sync_states : [] } output "network_firewall_subnet_id_endpoint_id" { description = "Map of endpoint_id per subnet_id" - value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? { for v in module.firewall[0].network_firewall_status[0]["sync_states"].*.attachment : v[0]["subnet_id"] => v[0]["endpoint_id"] } : {} + value = var.enable_network_firewall ? { for v in module.firewall[0].network_firewall_status[0]["sync_states"].*.attachment : v[0]["subnet_id"] => v[0]["endpoint_id"] } : {} } From d3f73813c7236a5e774be7f92adffc015a4d6093 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 24 Nov 2021 03:07:06 -0300 Subject: [PATCH 11/44] Fix wrong TF data source names --- network/us-east-2/transit-gateway/config.tf | 10 +++++----- network/us-east-2/transit-gateway/locals.tf | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/network/us-east-2/transit-gateway/config.tf b/network/us-east-2/transit-gateway/config.tf index 0eb20de65..64b64d46e 100644 --- a/network/us-east-2/transit-gateway/config.tf +++ b/network/us-east-2/transit-gateway/config.tf 
@@ -2,35 +2,35 @@ # AWS Provider Settings # #=============================# provider "aws" { - region = var.region + region = var.region_secondary profile = var.profile shared_credentials_file = "~/.aws/${var.project}/config" } provider "aws" { alias = "network" - region = var.region + region = var.region_secondary profile = var.profile shared_credentials_file = "~/.aws/${var.project}/config" } provider "aws" { alias = "shared" - region = var.region + region = var.region_secondary profile = "${var.project}-shared-devops" shared_credentials_file = "~/.aws/${var.project}/config" } provider "aws" { alias = "apps-devstg" - region = var.region + region = var.region_secondary profile = "${var.project}-apps-devstg-devops" shared_credentials_file = "~/.aws/${var.project}/config" } provider "aws" { alias = "apps-prd" - region = var.region + region = var.region_secondary profile = "${var.project}-apps-prd-devops" shared_credentials_file = "~/.aws/${var.project}/config" } diff --git a/network/us-east-2/transit-gateway/locals.tf b/network/us-east-2/transit-gateway/locals.tf index 57a0bc2e3..3e05fafd2 100644 --- a/network/us-east-2/transit-gateway/locals.tf +++ b/network/us-east-2/transit-gateway/locals.tf @@ -40,13 +40,13 @@ locals { } } - # apps-prd - apps-prd-vpcs = {} + # apps-prd-dr + apps-prd-dr-vpcs = {} datasources-vpcs = merge( data.terraform_remote_state.network-dr-vpcs, # network-dr data.terraform_remote_state.shared-dr-vpcs, # shared-dr - data.terraform_remote_state.apps-devstg-dr-vpcs, # apps-devstg-dr-vpcs - data.terraform_remote_state.apps-prd-vpcs-dr, # apps-prd-dr-vpcs + data.terraform_remote_state.apps-devstg-dr-vpcs, # apps-devstg-dr + data.terraform_remote_state.apps-prd-dr-vpcs-dr, # apps-prd-dr ) } From 6469a7267ad316e80271f04845272f1575502499 Mon Sep 17 00:00:00 2001 
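Review bot: In the locals.tf hunk the merge() entry `data.terraform_remote_state.apps-prd-dr-vpcs-dr` still does not match the data source named `apps-prd-dr-vpcs` in config.tf (the `@@ -127` hunk earlier on this page), even though the subject says the names are fixed; the line should read `data.terraform_remote_state.apps-prd-dr-vpcs, # apps-prd-dr`. Patch 12 in this series makes exactly that correction, so folding it in here keeps this commit plan-clean on its own.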
From: "Luis M. Gallardo D" Date: Wed, 24 Nov 2021 03:22:06 -0300 Subject: [PATCH 12/44] Change TF module referente for DR --- network/us-east-2/base-network/config.tf | 10 ++--- network/us-east-2/transit-gateway/config.tf | 20 +++++----- network/us-east-2/transit-gateway/locals.tf | 2 +- .../transit-gateway/vpc_attachments.tf | 40 +++++++++---------- 4 files changed, 36 insertions(+), 36 deletions(-) diff --git a/network/us-east-2/base-network/config.tf b/network/us-east-2/base-network/config.tf index 854da1aa2..ffa2e6e61 100644 --- a/network/us-east-2/base-network/config.tf +++ b/network/us-east-2/base-network/config.tf @@ -2,35 +2,35 @@ # AWS Provider Settings # #=============================# provider "aws" { - region = var.region + region = var.region_secondary profile = var.profile shared_credentials_file = "~/.aws/${var.project}/config" } provider "aws" { alias = "network" - region = var.region + region = var.region_secondary profile = var.profile shared_credentials_file = "~/.aws/${var.project}/config" } provider "aws" { alias = "shared" - region = var.region + region = var.region_secondary profile = "${var.project}-shared-devops" shared_credentials_file = "~/.aws/${var.project}/config" } provider "aws" { alias = "apps-devstg" - region = var.region + region = var.region_secondary profile = "${var.project}-apps-devstg-devops" shared_credentials_file = "~/.aws/${var.project}/config" } provider "aws" { alias = "apps-prd" - region = var.region + region = var.region_secondary profile = "${var.project}-apps-prd-devops" shared_credentials_file = "~/.aws/${var.project}/config" } diff --git a/network/us-east-2/transit-gateway/config.tf b/network/us-east-2/transit-gateway/config.tf index 64b64d46e..d78f71d0d 100644 --- a/network/us-east-2/transit-gateway/config.tf +++ b/network/us-east-2/transit-gateway/config.tf 
@@ -57,16 +57,16 @@ terraform { # # data type from output for tools-ec2 # -data "terraform_remote_state" "tools-vpn-server-dr" { - backend = "s3" - - config = { - region = var.region - profile = "${var.project}-shared-devops" - bucket = "${var.project}-shared-terraform-backend" - key = "shared/vpn-dr/terraform.tfstate" - } -} +#data "terraform_remote_state" "tools-vpn-server-dr" { +# backend = "s3" +# +# config = { +# region = var.region_secondary +# profile = "${var.project}-shared-devops" +# bucket = "${var.project}-shared-terraform-backend" +# key = "shared/vpn-dr/terraform.tfstate" +# } +#} data "terraform_remote_state" "network-firewall-dr" { diff --git a/network/us-east-2/transit-gateway/locals.tf b/network/us-east-2/transit-gateway/locals.tf index 3e05fafd2..c08ba04b7 100644 --- a/network/us-east-2/transit-gateway/locals.tf +++ b/network/us-east-2/transit-gateway/locals.tf @@ -47,6 +47,6 @@ locals { data.terraform_remote_state.network-dr-vpcs, # network-dr data.terraform_remote_state.shared-dr-vpcs, # shared-dr data.terraform_remote_state.apps-devstg-dr-vpcs, # apps-devstg-dr - data.terraform_remote_state.apps-prd-dr-vpcs-dr, # apps-prd-dr + data.terraform_remote_state.apps-prd-dr-vpcs, # apps-prd-dr ) } diff --git a/network/us-east-2/transit-gateway/vpc_attachments.tf b/network/us-east-2/transit-gateway/vpc_attachments.tf index 229a57af9..ec50d8734 100644 --- a/network/us-east-2/transit-gateway/vpc_attachments.tf +++ b/network/us-east-2/transit-gateway/vpc_attachments.tf 
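Review bot: The `tools-vpn-server-dr` remote-state block is commented out rather than deleted; commented-out configuration drifts from what is live (this copy already says `region = var.region_secondary` while the same block commented out in base-network/config.tf later on this page keeps `region = var.region`), and git history preserves it anyway. Delete it, or if it is meant as a template, add one line above it saying when it should come back, e.g. `# Re-enable once shared/vpn-dr has been applied in the secondary region`. The same applies to the three blocks commented out in base-network/config.tf in patch 13 below.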
@@ -13,21 +13,21 @@ # transit_gateway_vpc_attachment_id - An existing Transit Gateway Attachment ID. If provided, the module will use it instead of creating a new one. # Network Firewall VPC attachment - Inspection subnets (private) -module "tgw_vpc_attachments_and_subnet_routes_network_firewall" { +module "tgw_vpc_attachments_and_subnet_routes_network_firewall-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" for_each = { for k, v in { - "network-firewall" = data.terraform_remote_state.network-firewall + "network-firewall-dr" = data.terraform_remote_state.network-firewall-dr } : - k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) + k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) } name = "${var.project}-${each.key}-vpc" # network account can access the Transit Gateway in the network: account since we shared the Transit Gateway with the Organization using Resource Access Manager - existing_transit_gateway_id = module.tgw[0].transit_gateway_id + existing_transit_gateway_id = module.tgw-dr[0].transit_gateway_id create_transit_gateway = false create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true 
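Review bot: Renaming `module.tgw_vpc_attachments_and_subnet_routes_network_firewall` to the `-dr` address (and `module.tgw` to `module.tgw-dr` in tgw.tf later on this page) changes resource addresses; if this us-east-2 layer has already been applied, the next plan destroys and re-creates the attachments and the transit gateway unless `moved` blocks (Terraform >= 1.1) or `terraform state mv` accompany the rename, e.g. `moved { from = module.tgw_vpc_attachments_and_subnet_routes_network_firewall to = module.tgw_vpc_attachments_and_subnet_routes_network_firewall-dr }`; either way the commit message should say which it is. `lookup(var.enable_vpc_attach, "network-dr", false)` now expects a new key in the attach map, and because the lookup defaults to false a tfvars file that still carries `network` silently skips the attachment rather than failing. The literal key `"network-firewall-dr"` is spelled out here and again as an index in the apps-devstg and shared hunks below; a single `local.network_firewall_key` used in all three would keep them from diverging.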
@@ -54,20 +54,20 @@ module "tgw_vpc_attachments_and_subnet_routes_network_firewall" { } # network VPC attachments (private) -module "tgw_vpc_attachments_and_subnet_routes_network" { +module "tgw_vpc_attachments_and_subnet_routes_network-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" for_each = { - for k, v in data.terraform_remote_state.network-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "network", false) + for k, v in data.terraform_remote_state.network-dr-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "network-dr", false) } name = "${var.project}-${each.key}-vpc" # network account can access the Transit Gateway in the network: account since we shared the Transit Gateway with the Organization using Resource Access Manager - existing_transit_gateway_id = module.tgw[0].transit_gateway_id - existing_transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id + existing_transit_gateway_id = module.tgw-dr[0].transit_gateway_id + existing_transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id create_transit_gateway = false create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true 
@@ -94,20 +94,20 @@ module "tgw_vpc_attachments_and_subnet_routes_network" { } # apps-devstg VPC attachments -module "tgw_vpc_attachments_and_subnet_routes_apps-devstg" { +module "tgw_vpc_attachments_and_subnet_routes_apps-devstg-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" for_each = { - for k, v in data.terraform_remote_state.apps-devstg-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg", false) + for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg-dr", false) } name = "${var.project}-${each.key}-vpc" # apps-devstg account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager - existing_transit_gateway_id = module.tgw[0].transit_gateway_id - existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_route_table_id : module.tgw[0].transit_gateway_route_table_id + existing_transit_gateway_id = module.tgw-dr[0].transit_gateway_id + existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? module.tgw_vpc_attachments_and_subnet_routes_network_firewall-dr["network-firewall-dr"].transit_gateway_route_table_id : module.tgw-dr[0].transit_gateway_route_table_id create_transit_gateway = false create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true @@ -138,7 +138,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-devstg" { } # apps-prd VPC attachments -module "tgw_vpc_attachments_and_subnet_routes_apps-prd" { +module "tgw_vpc_attachments_and_subnet_routes_apps-prd-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" 
@@ -150,8 +150,8 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-prd" { name = "${var.project}-${each.key}-vpc" # apps-prd account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager - existing_transit_gateway_id = module.tgw[0].transit_gateway_id - existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : module.tgw[0].transit_gateway_route_table_id + existing_transit_gateway_id = module.tgw-dr[0].transit_gateway_id + existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : module.tgw-dr[0].transit_gateway_route_table_id create_transit_gateway = false create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true @@ -182,7 +182,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-prd" { } # shared VPC attachments -module "tgw_vpc_attachments_and_subnet_routes_shared" { +module "tgw_vpc_attachments_and_subnet_routes_shared-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" 
@@ -194,8 +194,8 @@ module "tgw_vpc_attachments_and_subnet_routes_shared" { name = "${var.project}-${each.key}-vpc" # apps-devstg account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager - existing_transit_gateway_id = module.tgw[0].transit_gateway_id - existing_transit_gateway_route_table_id = var.enable_tgw && lookup(var.enable_vpc_attach, "shared", false) ? try(module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_route_table_id, null) : module.tgw[0].transit_gateway_route_table_id + existing_transit_gateway_id = module.tgw-dr[0].transit_gateway_id + existing_transit_gateway_route_table_id = var.enable_tgw && lookup(var.enable_vpc_attach, "shared-dr", false) ? try(module.tgw_vpc_attachments_and_subnet_routes_network_firewall-dr["network-firewall-dr"].transit_gateway_route_table_id, null) : module.tgw-dr[0].transit_gateway_route_table_id create_transit_gateway = false create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true From 00927851555aabb736e4a2bf06dff8cf38361566 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 24 Nov 2021 17:16:48 -0300 Subject: [PATCH 13/44] Add code for DR region --- network/us-east-2/base-network/config.tf | 76 ++++++------ network/us-east-2/transit-gateway/outputs.tf | 6 +- network/us-east-2/transit-gateway/tgw.tf | 116 +++++++++--------- .../transit-gateway/vpc_attachments.tf | 10 +- 4 files changed, 104 insertions(+), 104 deletions(-) diff --git a/network/us-east-2/base-network/config.tf b/network/us-east-2/base-network/config.tf index ffa2e6e61..b7dea8485 100644 --- a/network/us-east-2/base-network/config.tf +++ b/network/us-east-2/base-network/config.tf 
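Review bot: The shared attachment chooses its route table on `lookup(var.enable_vpc_attach, "shared-dr", false)` rather than on `var.enable_network_firewall` as the apps-devstg hunk above does, so with the shared attachment enabled and the firewall disabled the `try(...)` falls through to null and the module receives no route table id instead of the default one the other VPCs get; the removed line had the same shape, but it is the new side that will be applied. `existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? try(module.tgw_vpc_attachments_and_subnet_routes_network_firewall-dr["network-firewall-dr"].transit_gateway_route_table_id, null) : module.tgw-dr[0].transit_gateway_route_table_id` would match the other modules. The comment above the line still says `apps-devstg account can access the Transit Gateway` inside the shared module.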
@@ -59,43 +59,43 @@ data "aws_caller_identity" "current" {} # # data type from output for tools-ec2 # -data "terraform_remote_state" "tools-vpn-server" { - backend = "s3" - - config = { - region = var.region - profile = "${var.project}-shared-devops" - bucket = "${var.project}-shared-terraform-backend" - key = "shared/vpn/terraform.tfstate" - } -} - -data "terraform_remote_state" "tgw" { - backend = "s3" - - config = { - region = var.region - profile = "${var.project}-network-devops" - bucket = "${var.project}-network-terraform-backend" - key = "network/transit-gateway/terraform.tfstate" - } -} - - -data "terraform_remote_state" "network-firewall" { - backend = "s3" +#data "terraform_remote_state" "tools-vpn-server-dr" { +# backend = "s3" +# +# config = { +# region = var.region +# profile = "${var.project}-shared-devops" +# bucket = "${var.project}-shared-terraform-backend" +# key = "shared/vpn-dr/terraform.tfstate" +# } +#} + +#data "terraform_remote_state" "tgw-dr" { +# backend = "s3" +# +# config = { +# region = var.region +# profile = "${var.project}-network-devops" +# bucket = "${var.project}-network-terraform-backend" +# key = "network/transit-gateway-dr/terraform.tfstate" +# } +#} - config = { - region = var.region - profile = "${var.project}-network-devops" - bucket = "${var.project}-network-terraform-backend" - key = "network/network-firewall/terraform.tfstate" - } -} -# VPC remote states for network -data "terraform_remote_state" "network-vpcs" { - for_each = var.enable_network_firewall ? local.network-vpcs : {} +#data "terraform_remote_state" "network-firewall-dr" { +# backend = "s3" +# +# config = { +# region = var.region +# profile = "${var.project}-network-devops" +# bucket = "${var.project}-network-terraform-backend" +# key = "network/network-firewall-dr/terraform.tfstate" +# } +#} + +# VPC remote states for network-dr +data "terraform_remote_state" "network-dr-vpcs" { + for_each = var.enable_network_firewall ? 
local.network-dr-vpcs : {} backend = "s3" @@ -108,10 +108,10 @@ data "terraform_remote_state" "network-vpcs" { } -# VPC remote states for shared -data "terraform_remote_state" "shared-vpcs" { +# VPC remote states for shared-dr +data "terraform_remote_state" "shared-dr-vpcs" { - for_each = local.shared-vpcs + for_each = local.shared-dr-vpcs backend = "s3" diff --git a/network/us-east-2/transit-gateway/outputs.tf b/network/us-east-2/transit-gateway/outputs.tf index 068860ded..dc2fc43e7 100644 --- a/network/us-east-2/transit-gateway/outputs.tf +++ b/network/us-east-2/transit-gateway/outputs.tf @@ -1,16 +1,16 @@ output "tgw_id" { description = "Transit Gateway Id" - value = var.enable_tgw ? module.tgw[0].transit_gateway_id : null + value = var.enable_tgw ? module.tgw-dr[0].transit_gateway_id : null } output "tgw_route_table_id" { description = "TGW default route table id" - value = var.enable_tgw ? module.tgw[0].transit_gateway_route_table_id : null + value = var.enable_tgw ? module.tgw-dr[0].transit_gateway_route_table_id : null } output "tgw_inspection_route_table_id" { description = "TGW inspection route table id" - value = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : null + value = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : null } output "enable_tgw" { diff --git a/network/us-east-2/transit-gateway/tgw.tf b/network/us-east-2/transit-gateway/tgw.tf index e8af5f02c..49dda339f 100644 --- a/network/us-east-2/transit-gateway/tgw.tf +++ b/network/us-east-2/transit-gateway/tgw.tf 
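Review bot: The three remote-state blocks are commented out with `region = var.region` inside them, while the provider blocks of this same file were switched to `var.region_secondary` in patch 12 on this page and the transit-gateway copy of the same block uses `region_secondary`; if the state buckets live in the primary region that is intentional, but nothing says so, and one of the two copies will be wrong when re-enabled. Either delete the blocks (history keeps them) or put the rule in one line above them, e.g. `# state buckets live in var.region (primary); do not switch to region_secondary`, whichever is true. `network-dr-vpcs` is gated on `var.enable_network_firewall` while `shared-dr-vpcs` in the next hunk is not; if that asymmetry is deliberate, a short comment on the `for_each` would save the next reader a detour.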
@@ -13,12 +13,12 @@ # transit_gateway_vpc_attachment_id - An existing Transit Gateway Attachment ID. If provided, the module will use it instead of creating a new one. # AWS Transit Gateway -module "tgw" { +module "tgw-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" count = var.enable_tgw ? 1 : 0 - name = "${var.project}-${var.environment}-tgw" + name = "${var.project}-${var.environment}-tgw-dr" ram_resource_share_enabled = true @@ -30,14 +30,14 @@ module "tgw" { config = merge( # network private lookup(var.enable_vpc_attach, "network-dr", false) ? { - for k, v in data.terraform_remote_state.network-vpcs : v.outputs.vpc_id => { + for k, v in data.terraform_remote_state.network-dr-vpcs : v.outputs.vpc_id => { vpc_id = null vpc_cidr = null subnet_ids = null subnet_route_table_ids = null route_to = null route_to_cidr_blocks = [] - transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network[k].transit_gateway_vpc_attachment_ids[k] + transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-dr[k].transit_gateway_vpc_attachment_ids[k] static_routes = [ { 
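Review bot: Renaming the module address `module.tgw` → `module.tgw-dr` changes the state addresses of the Transit Gateway and its RAM share, so if this layer has ever been applied the plan is a destroy-and-recreate of the TGW (and every attachment hanging off it) rather than a rename. If state exists, add `moved { from = module.tgw  to = module.tgw-dr }` (Terraform ≥ 1.1) or run `terraform state mv module.tgw module.tgw-dr` before applying; the `name` change to `...-tgw-dr` is then a harmless tag update. The same applies to the `tgw_vpc_attachments_and_subnet_routes_network_firewall-dr` → `..._network-firewall-dr` rename in vpc_attachments.tf (hunk @@ -13 there). If the us-east-2 layer was never applied — it was only created in PATCH 01 of this series — this is a non-issue, and one line in the commit message saying so would save the next reader the check.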
@@ -49,40 +49,40 @@ module "tgw" { } : {}, # apps-devstg private lookup(var.enable_vpc_attach, "apps-devstg-dr", false) ? { - for k, v in data.terraform_remote_state.apps-devstg-vpcs : v.outputs.vpc_id => { + for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : v.outputs.vpc_id => { vpc_id = null vpc_cidr = null subnet_ids = null subnet_route_table_ids = null route_to = null route_to_cidr_blocks = null - transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg[k].transit_gateway_vpc_attachment_ids[k] + transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg-dr[k].transit_gateway_vpc_attachment_ids[k] static_routes = null } } : {}, # apps-prd private lookup(var.enable_vpc_attach, "apps-prd-dr", false) ? { - for k, v in data.terraform_remote_state.apps-prd-vpcs : v.outputs.vpc_id => { + for k, v in data.terraform_remote_state.apps-prd-dr-vpcs : v.outputs.vpc_id => { vpc_id = null vpc_cidr = null subnet_ids = null subnet_route_table_ids = null route_to = null route_to_cidr_blocks = null - transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd[k].transit_gateway_vpc_attachment_ids[k] + transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd-dr[k].transit_gateway_vpc_attachment_ids[k] static_routes = null } } : {}, # shared private lookup(var.enable_vpc_attach, "shared-dr", false) ? 
{ - for k, v in data.terraform_remote_state.shared-vpcs : v.outputs.vpc_id => { + for k, v in data.terraform_remote_state.shared-dr-vpcs : v.outputs.vpc_id => { vpc_id = null vpc_cidr = null subnet_ids = null subnet_route_table_ids = null route_to = null route_to_cidr_blocks = null - transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared[k].transit_gateway_vpc_attachment_ids[k] + transit_gateway_vpc_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared-dr[k].transit_gateway_vpc_attachment_ids[k] static_routes = null } } : {}, @@ -106,7 +106,7 @@ module "tgw_inspection_route_table" { name = "${var.project}-${var.environment}-inspection" - existing_transit_gateway_id = module.tgw[0].transit_gateway_id + existing_transit_gateway_id = module.tgw-dr[0].transit_gateway_id create_transit_gateway = false create_transit_gateway_route_table = true create_transit_gateway_vpc_attachment = false 
@@ -145,51 +145,51 @@ resource "aws_ec2_transit_gateway_route" "inspection_default" { destination_cidr_block = "0.0.0.0/0" transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_vpc_attachment_ids["network-firewall"] + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-firewall-dr["network-firewall-dr"].transit_gateway_vpc_attachment_ids["network-firewall-dr"] } resource "aws_ec2_transit_gateway_route" "network_firewall_default" { count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0 destination_cidr_block = "0.0.0.0/0" - transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network["network-base"].transit_gateway_vpc_attachment_ids["network-base"] + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base"].transit_gateway_vpc_attachment_ids["network-base"] } resource "aws_ec2_transit_gateway_route_table_association" "network-inspection-association" { count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 
1 : 0 - transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_vpc_attachment_ids["network-firewall"] + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-firewall-dr["network-firewall-dr"].transit_gateway_vpc_attachment_ids["network-firewall-dr"] } resource "aws_ec2_transit_gateway_route_table_association" "network-base-association" { count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0 transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network["network-base"].transit_gateway_vpc_attachment_ids["network-base"] + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base-dr"].transit_gateway_vpc_attachment_ids["network-base-dr"] } # shared resource "aws_ec2_transit_gateway_route_table_association" "shared-rt-associations" { for_each = { - for k, v in data.terraform_remote_state.shared-vpcs : + for k, v in data.terraform_remote_state.shared-dr-vpcs : k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "shared", false) } transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared[each.key].transit_gateway_vpc_attachment_ids[each.key] + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared-dr[each.key].transit_gateway_vpc_attachment_ids[each.key] } resource "aws_ec2_transit_gateway_route_table_propagation" "shared-rt-propagations" { for_each = { - for k, v in 
data.terraform_remote_state.shared-vpcs : + for k, v in data.terraform_remote_state.shared-dr-vpcs : k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "shared", false) } - transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared[each.key].transit_gateway_vpc_attachment_ids[each.key] + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_shared-dr[each.key].transit_gateway_vpc_attachment_ids[each.key] } @@ -202,17 +202,17 @@ resource "aws_ec2_transit_gateway_route_table_association" "apps-devstg-rt-assoc } transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg[each.key].transit_gateway_vpc_attachment_ids[each.key] + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg-dr[each.key].transit_gateway_vpc_attachment_ids[each.key] } resource "aws_ec2_transit_gateway_route_table_propagation" "apps-devstg-rt-propagations" { for_each = { - for k, v in data.terraform_remote_state.apps-devstg-vpcs : + for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-devstg", false) } - transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg[each.key].transit_gateway_vpc_attachment_ids[each.key] + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-devstg-dr[each.key].transit_gateway_vpc_attachment_ids[each.key] } 
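Review bot: Within this hunk the same module is indexed with two different keys: `network_firewall_default` uses `module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base"]` while `network-base-association` uses `..._network-dr["network-base-dr"]`; a `for_each` module has one key set, so one of these is an invalid index for every possible input. Separately, `shared-rt-associations` and `shared-rt-propagations` filter on `lookup(var.enable_vpc_attach, "shared", false)` but the attachment module they index (`tgw_vpc_attachments_and_subnet_routes_shared-dr`, vpc_attachments.tf hunk @@ -187) filters on `"shared-dr"`: with only `shared-dr` set, the inspection-route-table association for shared VPCs is silently not created, so — depending on what the attachment module itself associates — those attachments may sit outside the inspected path with no plan error, and with only `shared` set the `[each.key]` lookup fails. Both fixes are one-token key changes; pick the `-dr` key and apply it to the `network` and `shared` guards here as well. The hunk continues into `apps-devstg-rt-associations` at @@ -202, which has the same `"apps-devstg"` vs `"apps-devstg-dr"` split against `apps_devstg_public_route_to_tgw` further down the file.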
@@ -221,7 +221,7 @@ resource "aws_ec2_transit_gateway_route_table_association" "apps-prd-rt-associat for_each = { for k, v in data.terraform_remote_state.apps-prd-vpcs : - k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-prd", false) + k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-prd-dr", false) } transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id @@ -230,12 +230,12 @@ resource "aws_ec2_transit_gateway_route_table_association" "apps-prd-rt-associat resource "aws_ec2_transit_gateway_route_table_propagation" "apps-prd-rt-propagations" { for_each = { - for k, v in data.terraform_remote_state.apps-prd-vpcs : - k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-prd", false) + for k, v in data.terraform_remote_state.apps-prd-dr-vpcs : + k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-prd-dr", false) } - transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd[each.key].transit_gateway_vpc_attachment_ids[each.key] + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd-dr[each.key].transit_gateway_vpc_attachment_ids[each.key] } 
@@ -246,16 +246,16 @@ resource "aws_route" "apps_devstg_public_route_to_tgw" { # For each vpc... for_each = { - for k, v in data.terraform_remote_state.apps-devstg-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg", false) + for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg-dr", false) } # ...add a route into the network public RT - route_table_id = data.terraform_remote_state.network-vpcs["network-base"].outputs.public_route_table_ids[0] + route_table_id = data.terraform_remote_state.network-dr-vpcs["network-base-dr"].outputs.public_route_table_ids[0] destination_cidr_block = each.value.outputs.vpc_cidr_block - transit_gateway_id = module.tgw[0].transit_gateway_id + transit_gateway_id = module.tgw-dr[0].transit_gateway_id - depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network] + depends_on = [module.tgw-dr, module.tgw_vpc_attachments_and_subnet_routes_network-dr] } 
@@ -263,16 +263,16 @@ resource "aws_route" "apps_prd_public_route_to_tgw" { # For each vpc... for_each = { - for k, v in data.terraform_remote_state.apps-prd-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd", false) + for k, v in data.terraform_remote_state.apps-prd-dr-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd-dr", false) } # ...add a route into the network public RT - route_table_id = data.terraform_remote_state.network-vpcs["network-base"].outputs.public_route_table_ids[0] + route_table_id = data.terraform_remote_state.network-dr-vpcs["network-base-dr"].outputs.public_route_table_ids[0] destination_cidr_block = each.value.outputs.vpc_cidr_block - transit_gateway_id = module.tgw[0].transit_gateway_id + transit_gateway_id = module.tgw-dr[0].transit_gateway_id - depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network] + depends_on = [module.tgw-dr, module.tgw_vpc_attachments_and_subnet_routes_network-dr] } 
@@ -281,16 +281,16 @@ resource "aws_route" "shared_public_apps_devstg_route_to_tgw" { # For each vpc... for_each = { - for k, v in data.terraform_remote_state.apps-devstg-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg", false) + for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg-dr", false) } # ...add a route into the network public RT - route_table_id = data.terraform_remote_state.shared-vpcs["shared-base"].outputs.public_route_table_ids[0] + route_table_id = data.terraform_remote_state.shared-dr-vpcs["shared-base-dr"].outputs.public_route_table_ids[0] destination_cidr_block = each.value.outputs.vpc_cidr_block - transit_gateway_id = module.tgw[0].transit_gateway_id + transit_gateway_id = module.tgw-dr[0].transit_gateway_id - depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network] + depends_on = [module.tgw-dr, module.tgw_vpc_attachments_and_subnet_routes_network-dr] provider = aws.shared 
@@ -300,16 +300,16 @@ resource "aws_route" "shared_public_apps_prd_route_to_tgw" { # For each vpc... for_each = { - for k, v in data.terraform_remote_state.apps-prd-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd", false) + for k, v in data.terraform_remote_state.apps-prd-dr-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd-dr", false) } # ...add a route into the network public RT - route_table_id = data.terraform_remote_state.shared-vpcs["shared-base"].outputs.public_route_table_ids[0] + route_table_id = data.terraform_remote_state.shared-dr-vpcs["shared-base-dr"].outputs.public_route_table_ids[0] destination_cidr_block = each.value.outputs.vpc_cidr_block - transit_gateway_id = module.tgw[0].transit_gateway_id + transit_gateway_id = module.tgw-dr[0].transit_gateway_id - depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network] + depends_on = [module.tgw-dr, module.tgw_vpc_attachments_and_subnet_routes_network-dr] provider = aws.shared @@ -317,8 +317,8 @@ resource "aws_route" "shared_public_apps_prd_route_to_tgw" { # Update Inspection & AWS Network Firewall route tables data "aws_route_table" "inspection_route_table" { - for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? { - for k, v in data.terraform_remote_state.network-firewall.outputs["inspection_subnets"] : + for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? { + for k, v in data.terraform_remote_state.network-firewall-dr.outputs["inspection_subnets-dr"] : k => v } : {} 
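Review bot: `outputs["inspection_subnets-dr"]` in `inspection_route_table` (and `network_firewall_subnets-dr` in hunk @@ -338) renames the remote state's output key, not just the data source; output names are scoped to the producing layer, and `sync_states` two hunks down keeps its original name, so unless network/network-firewall-dr really exports `inspection_subnets-dr` this lookup fails at plan. That layer is not in this excerpt; if it was cloned from network-firewall it exports `inspection_subnets`, and the line should read `for k, v in data.terraform_remote_state.network-firewall-dr.outputs["inspection_subnets"] :`. The `network-firewall` (non-dr) data-source references left in hunks @@ -326 and @@ -338 are corrected in PATCH 14 below.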
@@ -326,7 +326,7 @@ data "aws_route_table" "inspection_route_table" { } resource "aws_route" "inspection_to_endpoint" { - for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? { + for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? { for s in data.terraform_remote_state.network-firewall.outputs["sync_states"][0] : s["availability_zone"] => s["attachment"] } : {} @@ -338,20 +338,20 @@ resource "aws_route" "inspection_to_endpoint" { } data "aws_route_table" "network_firewall_route_table" { - for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? { - for k, v in data.terraform_remote_state.network-firewall.outputs["network_firewall_subnets"] : + for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? { + for k, v in data.terraform_remote_state.network-firewall.outputs["network_firewall_subnets-dr"] : k => v } : {} subnet_id = each.value } resource "aws_route" "network_firewall_tgw" { - for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? { + for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? { for s in data.terraform_remote_state.network-firewall.outputs["sync_states"][0] : s["availability_zone"] => s["attachment"] } : {} route_table_id = data.aws_route_table.network_firewall_route_table[each.key].id - transit_gateway_id = module.tgw[0].transit_gateway_id + transit_gateway_id = module.tgw-dr[0].transit_gateway_id destination_cidr_block = "0.0.0.0/0" } diff --git a/network/us-east-2/transit-gateway/vpc_attachments.tf b/network/us-east-2/transit-gateway/vpc_attachments.tf index ec50d8734..fc699c1d6 100644 --- a/network/us-east-2/transit-gateway/vpc_attachments.tf +++ b/network/us-east-2/transit-gateway/vpc_attachments.tf 
@@ -13,7 +13,7 @@ # transit_gateway_vpc_attachment_id - An existing Transit Gateway Attachment ID. If provided, the module will use it instead of creating a new one. # Network Firewall VPC attachment - Inspection subnets (private) -module "tgw_vpc_attachments_and_subnet_routes_network_firewall-dr" { +module "tgw_vpc_attachments_and_subnet_routes_network-firewall-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" @@ -107,7 +107,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-devstg-dr" { # apps-devstg account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager existing_transit_gateway_id = module.tgw-dr[0].transit_gateway_id - existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? module.tgw_vpc_attachments_and_subnet_routes_network_firewall-dr["network-firewall-dr"].transit_gateway_route_table_id : module.tgw-dr[0].transit_gateway_route_table_id + existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? module.tgw_vpc_attachments_and_subnet_routes_network-firewall-dr["network-firewall-dr"].transit_gateway_route_table_id : module.tgw-dr[0].transit_gateway_route_table_id create_transit_gateway = false create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true 
@@ -187,15 +187,15 @@ module "tgw_vpc_attachments_and_subnet_routes_shared-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" for_each = { - for k, v in data.terraform_remote_state.shared-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "shared", false) + for k, v in data.terraform_remote_state.shared-dr-vpcs : + k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "shared-dr", false) } name = "${var.project}-${each.key}-vpc" # apps-devstg account can access the Transit Gateway in the network account since we shared the Transit Gateway with the Organization using Resource Access Manager existing_transit_gateway_id = module.tgw-dr[0].transit_gateway_id - existing_transit_gateway_route_table_id = var.enable_tgw && lookup(var.enable_vpc_attach, "shared-dr", false) ? try(module.tgw_vpc_attachments_and_subnet_routes_network_firewall-dr["network-firewall-dr"].transit_gateway_route_table_id, null) : module.tgw-dr[0].transit_gateway_route_table_id + existing_transit_gateway_route_table_id = var.enable_tgw && lookup(var.enable_vpc_attach, "shared-dr", false) ? try(module.tgw_vpc_attachments_and_subnet_routes_network-firewall-dr["network-firewall-dr"].transit_gateway_route_table_id, null) : module.tgw-dr[0].transit_gateway_route_table_id create_transit_gateway = false create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true From ddc67502e73332614c05d6ba89a6262e6b2f803d Mon Sep 17 00:00:00 2001 
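Review bot: The `existing_transit_gateway_route_table_id` conditional in `tgw_vpc_attachments_and_subnet_routes_shared-dr` tests `var.enable_tgw && lookup(var.enable_vpc_attach, "shared-dr", false)` — exactly the `for_each` filter two lines above — so inside any instance it is always true and the `module.tgw-dr[0].transit_gateway_route_table_id` fallback is unreachable. Unlike the `apps-devstg-dr` module in hunk @@ -107 above, it does not check `var.enable_network_firewall`, so with the firewall disabled the `try(...)` yields `null` instead of the TGW default route table (how the module treats a null here is not visible — confirm, but it is unlikely to mean "use the default RT"). Suggest aligning with the sibling: `existing_transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? try(module.tgw_vpc_attachments_and_subnet_routes_network-firewall-dr["network-firewall-dr"].transit_gateway_route_table_id, null) : module.tgw-dr[0].transit_gateway_route_table_id`. The module block continues beyond the hunk.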
From: "Luis M. Gallardo D" Date: Wed, 24 Nov 2021 21:21:29 -0300 Subject: [PATCH 14/44] Add code for the DR region --- network/us-east-2/base-network/config.tf | 12 +-- .../base-network/customer_gateways.tf | 3 +- network/us-east-2/base-network/locals.tf | 83 +++++++----------- .../us-east-2/base-network/vpn_gateways.tf | 86 ------------------- network/us-east-2/transit-gateway/tgw.tf | 12 +-- .../transit-gateway/vpc_attachments.tf | 2 +- 6 files changed, 44 insertions(+), 154 deletions(-) delete mode 100644 network/us-east-2/base-network/vpn_gateways.tf diff --git a/network/us-east-2/base-network/config.tf b/network/us-east-2/base-network/config.tf index b7dea8485..8e2542b0e 100644 --- a/network/us-east-2/base-network/config.tf +++ b/network/us-east-2/base-network/config.tf @@ -123,10 +123,10 @@ data "terraform_remote_state" "shared-dr-vpcs" { } } -# VPC remote states for apps-devstg -data "terraform_remote_state" "apps-devstg-vpcs" { +# VPC remote states for apps-devstg-dr +data "terraform_remote_state" "apps-devstg-dr-vpcs" { - for_each = local.apps-devstg-vpcs + for_each = local.apps-devstg-dr-vpcs backend = "s3" @@ -138,10 +138,10 @@ data "terraform_remote_state" "apps-devstg-vpcs" { } } -# VPC remote states for apps-prd -data "terraform_remote_state" "apps-prd-vpcs" { +# VPC remote states for apps-prd-dr +data "terraform_remote_state" "apps-prd-dr-vpcs" { - for_each = local.apps-prd-vpcs + for_each = local.apps-prd-dr-vpcs backend = "s3" diff --git a/network/us-east-2/base-network/customer_gateways.tf b/network/us-east-2/base-network/customer_gateways.tf index 0b4a5cd0f..a3e6bf175 100644 --- a/network/us-east-2/base-network/customer_gateways.tf +++ b/network/us-east-2/base-network/customer_gateways.tf @@ -1,5 +1,6 @@ locals { - customer_gateways = { + customer_gateways = {} + customer_gateways_ = { cgw1 = { bgp_asn = 65220 ip_address = "172.83.124.10" 
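Review bot: `customer_gateways = {}` followed by a renamed `customer_gateways_` copy of the old map is a soft-delete that keeps the CGW definitions (ASN 65220, peer IP) as dead data nobody references, while vpn_gateways.tf — the consumer of `local.customer_gateways` and `local.vpn_static_routes` — is deleted outright in this same commit. Either drop the map too (git history keeps it) or, if the DR VPN is meant to return, gate it on the flag this layer already has: `customer_gateways = var.vpc_enable_vpn_gateway ? { cgw1 = { ... } } : {}` with a `# TODO` naming what re-enabling it depends on. Whether `module.vpc` still receives `customer_gateways = local.customer_gateways` is outside this excerpt; if it does, the empty map is what now drives it. The `locals` block continues beyond the hunk.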
diff --git a/network/us-east-2/base-network/locals.tf b/network/us-east-2/base-network/locals.tf index 00311c2c2..c8200d95c 100644 --- a/network/us-east-2/base-network/locals.tf +++ b/network/us-east-2/base-network/locals.tf @@ -6,11 +6,11 @@ locals { # Network Local Vars # https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html - vpc_name = "${var.project}-${var.environment}-vpc" + vpc_name = "${var.project}-${var.environment}-dr-vpc" vpc_cidr_block = "172.20.32.0/20" azs = [ - "${var.region}a", - "${var.region}b", + "${var.region_secondary}a", + "${var.region_secondary}b", ] private_subnets_cidr = ["172.20.32.0/21"] @@ -47,14 +47,14 @@ locals { # Allow / Deny VPC private subnets inbound default traffic # default_inbound = [ - { - rule_number = 900 # shared pritunl vpn server - rule_action = "allow" - from_port = 0 - to_port = 65535 - protocol = "all" - cidr_block = "${data.terraform_remote_state.tools-vpn-server.outputs.instance_private_ip}/32" - }, + #{ + # rule_number = 900 # shared pritunl vpn server + # rule_action = "allow" + # from_port = 0 + # to_port = 65535 + # protocol = "all" + # cidr_block = "${data.terraform_remote_state.tools-vpn-server.outputs.instance_private_ip}/32" + #}, { rule_number = 910 # vault hvn vpc rule_action = "allow" 
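Review bot: `azs` now derives from `var.region_secondary` while `vpc_cidr_block = "172.20.32.0/20"` and `private_subnets_cidr` stay as copied; since PATCH 15 on this page appears to peer the two regions' TGWs, confirm this block does not overlap the us-east-1 base-network CIDR (not visible here) — overlapping CIDRs across peered TGWs break routing silently rather than failing at plan. A comment on the `azs` line would also save the next reader a search, e.g. `# DR layer: AZs come from var.region_secondary; the remote-state backends below still use var.region (primary)` — this assumes the aws provider in config.tf is pinned to `var.region_secondary` as well, which this excerpt does not show.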
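Review bot: Commenting out NACL rule 900 removes the `default_inbound` entry that admitted the shared Pritunl VPN server, so the DR private subnets no longer accept operator traffic from it. If DR access is meant to arrive from the primary region's VPN server over the TGW peering, the rule should stay and keep pointing at the existing `tools-vpn-server` state (S3 state lookups are not region-bound) rather than disappear; if a `tools-vpn-server-dr` layer is planned, the commented block should say so, e.g. `# TODO: re-enable against tools-vpn-server-dr once that layer exists`. Either way, keep rule number 900 reserved so the later entry does not collide with 910. The `default_inbound` list continues beyond the hunk.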
@@ -98,69 +98,44 @@ locals { # Data source definitions # - # shared - shared-vpcs = { - shared-base = { + # shared-dr + shared-dr-vpcs = { + shared-dr-base = { region = var.region profile = "${var.project}-shared-devops" bucket = "${var.project}-shared-terraform-backend" - key = "shared/network/terraform.tfstate" + key = "shared/network-dr/terraform.tfstate" } } - # network - network-vpcs = { - network-firewall = { + # network-dr + network-dr-vpcs = { + network-firewall-dr = { region = var.region profile = "${var.project}-network-devops" bucket = "${var.project}-network-terraform-backend" - key = "network/network-firewall/terraform.tfstate" + key = "network/network-firewall-dr/terraform.tfstate" } } - # apps-devstg - apps-devstg-vpcs = { - apps-devstg-base = { + # apps-devstg-dr + apps-devstg-dr-vpcs = { + apps-devstg-k8s-eks-dr = { region = var.region profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" - key = "apps-devstg/network/terraform.tfstate" - } - apps-devstg-k8s-eks = { - region = var.region - profile = "${var.project}-apps-devstg-devops" - bucket = "${var.project}-apps-devstg-terraform-backend" - key = "apps-devstg/k8s-eks/network/terraform.tfstate" - } - apps-devstg-eks-demoapps = { - region = var.region - profile = "${var.project}-apps-devstg-devops" - bucket = "${var.project}-apps-devstg-terraform-backend" - key = "apps-devstg/k8s-eks-demoapps/network/terraform.tfstate" + key = "apps-devstg/k8s-eks-dr/network/terraform.tfstate" } } - # apps-prd - apps-prd-vpcs = { - apps-prd-base = { - region = var.region - profile = "${var.project}-apps-prd-devops" - bucket = "${var.project}-apps-prd-terraform-backend" - key = "apps-prd/network/terraform.tfstate" - } - #apps-prd-k8s-eks = { - # region = var.region - # profile = "${var.project}-apps-prd-devops" - # bucket = "${var.project}-apps-prd-terraform-backend" - # key = "apps-prd/k8s-eks/network/terraform.tfstate" - #} - } + # apps-prd-dr + apps-prd-dr-vpcs = {} 
datasources-vpcs = merge( - data.terraform_remote_state.network-vpcs, # network - #data.terraform_remote_state.shared-vpcs, # shared - #data.terraform_remote_state.apps-devstg-vpcs, # apps-devstg-vpcs - data.terraform_remote_state.apps-prd-vpcs, # apps-prd-vpcs + data.terraform_remote_state.network-dr-vpcs, # network-dr + data.terraform_remote_state.shared-dr-vpcs, # shared-dr + data.terraform_remote_state.apps-devstg-dr-vpcs, # apps-devstg-dr + data.terraform_remote_state.apps-prd-dr-vpcs, # apps-prd-dr ) } diff --git a/network/us-east-2/base-network/vpn_gateways.tf b/network/us-east-2/base-network/vpn_gateways.tf deleted file mode 100644 index 81985ed75..000000000 --- a/network/us-east-2/base-network/vpn_gateways.tf +++ /dev/null 
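Review bot: The new map keys do not follow one convention: `shared-dr-vpcs` uses `shared-dr-base` (suffix in the middle) while `network-dr-vpcs` uses `network-firewall-dr` and `apps-devstg-dr-vpcs` uses `apps-devstg-k8s-eks-dr` (suffix at the end), and these keys are what `for_each` consumers index by name — transit-gateway/tgw.tf on this page indexes `shared-dr-vpcs["shared-base-dr"]` and `network-dr-vpcs["network-base-dr"]`. The transit-gateway layer has its own locals (not in this excerpt) but appears to be cloned from this scheme, so pick `<account>-<layer>-dr` everywhere — here `shared-base-dr` — before any state is created under the current keys, since renaming a `for_each` key later means destroy/recreate. Also note `datasources-vpcs` now merges all four maps where the pre-DR version merged only `network` and `apps-prd`; whatever this local feeds (not visible here) now sees shared and apps-devstg VPCs too, presumably intended for DR but worth a line in the commit message.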
@@ -1,86 +0,0 @@ -# Network Firewall VPC attachment - Inspection subnets (private) -module "vpn_gateways" { - - source = "github.com/binbashar/terraform-aws-vpn-gateway.git?ref=v2.10.1" - - for_each = { for k, v in local.customer_gateways : - k => v if var.enable_tgw && var.vpc_enable_vpn_gateway - } - - connect_to_transit_gateway = true - vpn_connection_static_routes_only = lookup(each.value, "vpn_connection_static_routes_only", false) - transit_gateway_id = data.terraform_remote_state.tgw.outputs.tgw_id - customer_gateway_id = module.vpc.this_customer_gateway[each.key].id - - # local & remote IPv4 CDIRs - local_ipv4_network_cidr = lookup(each.value, "local_ipv4_network_cidr", "0.0.0.0/0") - remote_ipv4_network_cidr = lookup(each.value, "remote_ipv4_network_cidr", "0.0.0.0/0") - - ########### - # Tunnels # - ########### - # Some values are optional and the default values are used if not specified - - # Tunnel 1 - tunnel1_inside_cidr = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "inside_cidr", null) - tunnel1_preshared_key = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "preshared_key", null) - tunnel1_dpd_timeout_action = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "dpd_timeout_action", null) - tunnel1_dpd_timeout_seconds = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "dpd_timeout_seconds", null) - tunnel1_ike_versions = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "ike_versions", null) - tunnel1_phase1_dh_group_numbers = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase1_dh_group_numbers", null) - tunnel1_phase1_encryption_algorithms = lookup(each.value, "tunnel1", null) == null ? 
null : lookup(lookup(each.value, "tunnel1"), "phase1_encryption_algorithms", null) - tunnel1_phase1_integrity_algorithms = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase1_integrity_algorithms", null) - tunnel1_phase1_lifetime_seconds = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase1_lifetime_seconds", null) - tunnel1_phase2_dh_group_numbers = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase2_dh_group_numbers", null) - tunnel1_phase2_encryption_algorithms = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase2_encryption_algorithms", null) - tunnel1_phase2_integrity_algorithms = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase2_integrity_algorithms", null) - tunnel1_phase2_lifetime_seconds = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "phase2_lifetime_seconds", null) - tunnel1_rekey_fuzz_percentage = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "rekey_fuzz_percentage", null) - tunnel1_rekey_margin_time_seconds = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "rekey_margin_time_seconds", null) - tunnel1_replay_window_size = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "replay_window_size", null) - tunnel1_startup_action = lookup(each.value, "tunnel1", null) == null ? null : lookup(lookup(each.value, "tunnel1"), "startup_action", null) - - # - # Tunnel 2 - # - tunnel2_inside_cidr = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "inside_cidr", null) - tunnel2_preshared_key = lookup(each.value, "tunnel2", null) == null ? 
null : lookup(lookup(each.value, "tunnel2"), "preshared_key", null) - tunnel2_dpd_timeout_action = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "dpd_timeout_action", null) - tunnel2_dpd_timeout_seconds = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "dpd_timeout_seconds", null) - tunnel2_ike_versions = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "ike_versions", null) - tunnel2_phase1_dh_group_numbers = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase1_dh_group_numbers", null) - tunnel2_phase1_encryption_algorithms = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase1_encryption_algorithms", null) - tunnel2_phase1_integrity_algorithms = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase1_integrity_algorithms", null) - tunnel2_phase1_lifetime_seconds = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase1_lifetime_seconds", null) - tunnel2_phase2_dh_group_numbers = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase2_dh_group_numbers", null) - tunnel2_phase2_encryption_algorithms = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase2_encryption_algorithms", null) - tunnel2_phase2_integrity_algorithms = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase2_integrity_algorithms", null) - tunnel2_phase2_lifetime_seconds = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "phase2_lifetime_seconds", null) - tunnel2_rekey_fuzz_percentage = lookup(each.value, "tunnel2", null) == null ? 
null : lookup(lookup(each.value, "tunnel2"), "rekey_fuzz_percentage", null) - tunnel2_rekey_margin_time_seconds = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "rekey_margin_time_seconds", null) - tunnel2_replay_window_size = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "replay_window_size", null) - tunnel2_startup_action = lookup(each.value, "tunnel2", null) == null ? null : lookup(lookup(each.value, "tunnel2"), "startup_action", null) -} - -# vpn static routes -resource "aws_ec2_transit_gateway_route" "vpn_static_routes" { - - for_each = { for k, v in local.vpn_static_routes : - k => v if var.enable_tgw && var.vpc_enable_vpn_gateway - } - - destination_cidr_block = lookup(each.value, "route") - transit_gateway_route_table_id = var.enable_tgw && var.enable_network_firewall ? data.terraform_remote_state.tgw.outputs.tgw_inspection_route_table_id : data.terraform_remote_state.tgw.outputs.tgw_route_table_id - transit_gateway_attachment_id = module.vpn_gateways[lookup(each.value, "cgw")].vpn_connection_transit_gateway_attachment_id -} - -# TGW VPN RT associations -resource "aws_ec2_transit_gateway_route_table_association" "vpn-rt-associations" { - - for_each = { for k, v in module.vpn_gateways : - k => v if var.enable_tgw && var.vpc_enable_vpn_gateway - } - - transit_gateway_route_table_id = data.terraform_remote_state.tgw.outputs.tgw_route_table_id - transit_gateway_attachment_id = each.value.vpn_connection_transit_gateway_attachment_id -} diff --git a/network/us-east-2/transit-gateway/tgw.tf b/network/us-east-2/transit-gateway/tgw.tf index 49dda339f..20c3c6371 100644 --- a/network/us-east-2/transit-gateway/tgw.tf +++ b/network/us-east-2/transit-gateway/tgw.tf 
@@ -197,7 +197,7 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "shared-rt-propagatio resource "aws_ec2_transit_gateway_route_table_association" "apps-devstg-rt-associations" { for_each = { - for k, v in data.terraform_remote_state.apps-devstg-vpcs : + for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-devstg", false) } @@ -220,12 +220,12 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "apps-devstg-rt-propa resource "aws_ec2_transit_gateway_route_table_association" "apps-prd-rt-associations" { for_each = { - for k, v in data.terraform_remote_state.apps-prd-vpcs : + for k, v in data.terraform_remote_state.apps-prd-dr-vpcs : k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-prd-dr", false) } transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd[each.key].transit_gateway_vpc_attachment_ids[each.key] + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_apps-prd-dr[each.key].transit_gateway_vpc_attachment_ids[each.key] } resource "aws_ec2_transit_gateway_route_table_propagation" "apps-prd-rt-propagations" { @@ -327,7 +327,7 @@ data "aws_route_table" "inspection_route_table" { resource "aws_route" "inspection_to_endpoint" { for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? { - for s in data.terraform_remote_state.network-firewall.outputs["sync_states"][0] : + for s in data.terraform_remote_state.network-firewall-dr.outputs["sync_states"][0] : s["availability_zone"] => s["attachment"] } : {} 
@@ -339,7 +339,7 @@ resource "aws_route" "inspection_to_endpoint" { data "aws_route_table" "network_firewall_route_table" { for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? { - for k, v in data.terraform_remote_state.network-firewall.outputs["network_firewall_subnets-dr"] : + for k, v in data.terraform_remote_state.network-firewall-dr.outputs["network_firewall_subnets-dr"] : k => v } : {} subnet_id = each.value @@ -347,7 +347,7 @@ data "aws_route_table" "network_firewall_route_table" { resource "aws_route" "network_firewall_tgw" { for_each = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? { - for s in data.terraform_remote_state.network-firewall.outputs["sync_states"][0] : + for s in data.terraform_remote_state.network-firewall-dr.outputs["sync_states"][0] : s["availability_zone"] => s["attachment"] } : {} diff --git a/network/us-east-2/transit-gateway/vpc_attachments.tf b/network/us-east-2/transit-gateway/vpc_attachments.tf index fc699c1d6..25db3ec30 100644 --- a/network/us-east-2/transit-gateway/vpc_attachments.tf +++ b/network/us-east-2/transit-gateway/vpc_attachments.tf @@ -143,7 +143,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-prd-dr" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" for_each = { - for k, v in data.terraform_remote_state.apps-prd-vpcs : + for k, v in data.terraform_remote_state.apps-prd-dr-vpcs : k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd", false) } From 31bcf5aaec5eb24f184fda7feb247eade110cfea Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 25 Nov 2021 00:55:40 -0300 Subject: [PATCH 15/44] Add name to the TGWs peering --- network/us-east-1/transit-gateway/tgw-dr.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/us-east-1/transit-gateway/tgw-dr.tf b/network/us-east-1/transit-gateway/tgw-dr.tf index d6a8df51b..29081e4c8 100644 
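Review bot: The `tgw_vpc_attachments_and_subnet_routes_apps-prd-dr` module is still gated on `lookup(var.enable_vpc_attach, "apps-prd", false)`, while the `apps-prd-rt-associations` resource in tgw.tf (the `@@ -220,12 +220,12 @@` hunk above) that indexes this module is gated on `"apps-prd-dr"`. Toggling either key alone therefore yields an association that references a module instance that does not exist, or an attachment that is never associated. The two should use the same key, presumably `k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd-dr", false)` here. The module block starts before the hunk.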
--- a/network/us-east-1/transit-gateway/tgw-dr.tf
+++ b/network/us-east-1/transit-gateway/tgw-dr.tf
@@ -6,5 +6,5 @@ resource "aws_ec2_transit_gateway_peering_attachment" "tgw-dr" {
 peer_region = var.region_secondary
 peer_transit_gateway_id = data.terraform_remote_state.tgw-dr.outputs.tgw_id
- tags = local.tags
+ tags = merge({ Name = "tgw - tgw-dr" }, local.tags)
 }
From 563ee63e779d378b9dd1c3803e38e68d65ffe576 Mon Sep 17 00:00:00 2001
From: "Luis M. Gallardo D"
Date: Thu, 25 Nov 2021 05:12:08 -0300
Subject: [PATCH 16/44] Add data source for the primary region
---
 network/us-east-2/transit-gateway/config.tf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/network/us-east-2/transit-gateway/config.tf b/network/us-east-2/transit-gateway/config.tf
index d78f71d0d..030d9de1a 100644
--- a/network/us-east-2/transit-gateway/config.tf
+++ b/network/us-east-2/transit-gateway/config.tf
@@ -81,6 +81,19 @@ data "terraform_remote_state" "network-firewall-dr" {
 }
 }
+data "terraform_remote_state" "tgw" {
+
+ backend = "s3"
+
+ config = {
+ region = var.region
+ profile = "${var.project}-network-devops"
+ bucket = "${var.project}-network-terraform-backend"
+ key = "network/transit-gateway/terraform.tfstate"
+
+ }
+}
+
 # VPC remote states for network-dr
 data "terraform_remote_state" "network-dr-vpcs" {
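Review bot: The new `tgw` remote state reads the primary region's `network/transit-gateway/terraform.tfstate` but sets `region = var.region`, which in this us-east-2 layer is presumably the secondary region; if the network backend bucket lives in the primary region the read fails. A dedicated variable for the primary region's backend would make the intent explicit (the us-east-1 side already uses `var.region_secondary` for the mirror case). The same `var.region` assumption recurs in the primary-region remote states and locals added later in this series (`@@ -154,3 +154,70 @@` in config.tf and `@@ -43,6 +43,69 @@` in locals.tf). The stray blank line after `key = ...` inside `config` is also worth dropping.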
@@ -0,0 +1,6 @@
+resource "aws_ec2_transit_gateway_peering_attachment_accepter" "tgw-accepters" {
+
+ transit_gateway_attachment_id = data.terraform_remote_state.tgw.outputs.tgw_attachment_id
+
+ tags = merge({ Name = "tgw - tgw-dr accepter" }, local.tags)
+}
From f47094d30201cf6b3172407ce1b31bce2f6df1ae Mon Sep 17 00:00:00 2001
From: "Luis M. Gallardo D"
Date: Thu, 25 Nov 2021 10:27:44 -0300
Subject: [PATCH 18/44] Add TGW peering & association
---
 network/us-east-1/transit-gateway/config.tf | 34 ++++++++++++++
 network/us-east-1/transit-gateway/locals.tf | 28 ++++++++++++
 network/us-east-1/transit-gateway/outputs.tf | 5 +++
 network/us-east-1/transit-gateway/tgw-dr.tf | 10 -----
 .../us-east-1/transit-gateway/tgw-peerings.tf | 45 +++++++++++++++++++
 .../tgw-peerings-acccepters.tf | 9 ++++
 network/us-east-2/transit-gateway/tgw.tf | 20 ++++-----
 7 files changed, 131 insertions(+), 20 deletions(-)
 delete mode 100644 network/us-east-1/transit-gateway/tgw-dr.tf
 create mode 100644 network/us-east-1/transit-gateway/tgw-peerings.tf
diff --git a/network/us-east-1/transit-gateway/config.tf b/network/us-east-1/transit-gateway/config.tf
index 6e84fa308..8859153f3 100644
--- a/network/us-east-1/transit-gateway/config.tf
+++ b/network/us-east-1/transit-gateway/config.tf
@@ -156,6 +156,25 @@ data "terraform_remote_state" "apps-prd-vpcs" {
 }
 }
+#
+# Secondary region
+#
+
+# VPC remote states for share-dr
+data "terraform_remote_state" "shared-dr-vpcs" {
+
+ for_each = local.shared-dr-vpcs
+
+ backend = "s3"
+
+ config = {
+ region = lookup(each.value, "region")
+ profile = lookup(each.value, "profile")
+ bucket = lookup(each.value, "bucket")
+ key = lookup(each.value, "key")
+ }
+}
+
 # VPC remote states for network-dr
 data "terraform_remote_state" "network-dr-vpcs" {
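Review bot: `tgw-accepters` has no `count`, yet `tgw_attachment_id` is published by the primary layer as `try(..., null)` (outputs.tf in the next patch), so when the peering has not been created on the us-east-1 side this resource is planned with a null required argument and the apply fails instead of skipping it. Add `count = var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_attachment_id != null, false) ? 1 : 0` and index it as `tgw-accepters[0]` where referenced. The `tgw-association` added to this file later in the series (`@@ -1,6 +1,15 @@`) and the four routes after it (`@@ -13,3 +13,53 @@`) guard on `tgw_id` instead of the attachment id they consume and inherit the same gap, while their `try(...tgw-accepters.id, null)` wraps a reference that cannot fail. The file name `tgw-peerings-acccepters.tf` carries a triple `c`.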
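Review bot: The heading comment on the new data source reads `# VPC remote states for share-dr` while the resource and local are `shared-dr-vpcs`; it should read `# VPC remote states for shared-dr` so a grep for the account name finds it.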
@@ -170,3 +189,18 @@ data "terraform_remote_state" "network-dr-vpcs" { key = lookup(each.value, "key") } } + +# VPC remote states for apps-devstg-dr +data "terraform_remote_state" "apps-devstg-dr-vpcs" { + + for_each = local.apps-devstg-dr-vpcs + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } +} diff --git a/network/us-east-1/transit-gateway/locals.tf b/network/us-east-1/transit-gateway/locals.tf index 3850247e3..76dcd0da5 100644 --- a/network/us-east-1/transit-gateway/locals.tf +++ b/network/us-east-1/transit-gateway/locals.tf @@ -68,6 +68,20 @@ locals { #} } + # + # Secondary region + # + + # shared-dr + shared-dr-vpcs = { + shared-base-dr = { + region = var.region + profile = "${var.project}-shared-devops" + bucket = "${var.project}-shared-terraform-backend" + key = "shared/network-dr/terraform.tfstate" + } + } + # network-dr network-dr-vpcs = { network-base = { @@ -78,6 +92,20 @@ locals { } } + # apps-devstg-dr + apps-devstg-dr-vpcs = { + apps-devstg-k8s-eks-dr = { + region = var.region + profile = "${var.project}-apps-devstg-devops" + bucket = "${var.project}-apps-devstg-terraform-backend" + key = "apps-devstg/k8s-eks-dr/network/terraform.tfstate" + } + } + + # apps-prd-dr + apps-prd-dr-vpcs = {} + + datasources-vpcs = merge( data.terraform_remote_state.network-vpcs, # network #data.terraform_remote_state.shared-vpcs, # shared diff --git a/network/us-east-1/transit-gateway/outputs.tf b/network/us-east-1/transit-gateway/outputs.tf index 068860ded..c6909cbcf 100644 --- a/network/us-east-1/transit-gateway/outputs.tf +++ b/network/us-east-1/transit-gateway/outputs.tf 
@@ -22,3 +22,8 @@ output "enable_vpc_attach" {
 description = "VPC attachments per account"
 value = var.enable_vpc_attach
 }
+
+output "tgw_attachment_id" {
+ description = "TGW attachmenti id"
+ value = try(aws_ec2_transit_gateway_peering_attachment.tgw-dr[0].id, null)
+}
diff --git a/network/us-east-1/transit-gateway/tgw-dr.tf b/network/us-east-1/transit-gateway/tgw-dr.tf
deleted file mode 100644
index 29081e4c8..000000000
--- a/network/us-east-1/transit-gateway/tgw-dr.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-resource "aws_ec2_transit_gateway_peering_attachment" "tgw-dr" {
-
- count = var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) ? 1 : 0
-
- transit_gateway_id = module.tgw[0].transit_gateway_id
- peer_region = var.region_secondary
- peer_transit_gateway_id = data.terraform_remote_state.tgw-dr.outputs.tgw_id
-
- tags = merge({ Name = "tgw - tgw-dr" }, local.tags)
-}
diff --git a/network/us-east-1/transit-gateway/tgw-peerings.tf b/network/us-east-1/transit-gateway/tgw-peerings.tf
new file mode 100644
index 000000000..443a0e067
--- /dev/null
+++ b/network/us-east-1/transit-gateway/tgw-peerings.tf
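Review bot: `description = "TGW attachmenti id"` has a typo, and the description does not say that the value is `null` whenever the peering resource has `count = 0`, which is exactly the case the consumer in the us-east-2 layer has to handle. Something like `description = "ID of the TGW peering attachment toward the secondary region; null when the peering is not created"` would tell the reader to guard on null.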
@@ -0,0 +1,45 @@
+# TGW peering attachment
+resource "aws_ec2_transit_gateway_peering_attachment" "tgw-dr" {
+
+ count = var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) ? 1 : 0
+
+ transit_gateway_id = module.tgw[0].transit_gateway_id
+ peer_region = var.region_secondary
+ peer_transit_gateway_id = data.terraform_remote_state.tgw-dr.outputs.tgw_id
+
+ tags = merge({ Name = "tgw - tgw-dr peering" }, local.tags)
+}
+
+# TGW association
+resource "aws_ec2_transit_gateway_route_table_association" "tgw-dr-association" {
+ count = var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) ? 1 : 0
+
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment.tgw-dr[0].id, null)
+}
+
+# Add routes
+
+#
+# shared-dr
+#
+resource "aws_ec2_transit_gateway_route" "shared-dr" {
+
+ for_each = { for k, v in local.shared-dr-vpcs : k => v if var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) }
+
+ destination_cidr_block = data.terraform_remote_state.shared-dr-vpcs[each.key].outputs.vpc_cidr_block
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment.tgw-dr[0].id, null)
+}
+
+#
+# apps-devstg-dr
+#
+resource "aws_ec2_transit_gateway_route" "apps-devstg-dr" {
+
+ for_each = { for k, v in local.apps-devstg-dr-vpcs : k => v if var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) }
+
+ destination_cidr_block = data.terraform_remote_state.apps-devstg-dr-vpcs[each.key].outputs.vpc_cidr_block
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment.tgw-dr[0].id, null)
+}
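Review bot: The guard `var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false)` is spelled out four times in this file (and again in the `network-dr` route added later in the series, `@@ -20,6 +20,18 @@`), and the same pattern is repeated on the us-east-2 side in the accepter routes; a single `locals { tgw_peering_enabled = var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) }` referenced from each `count`/`for_each` keeps the resources from drifting apart. The association and routes reference the peering attachment in the same apply, but a peering attachment can only be associated once the peer side (the accepter in the us-east-2 layer) has accepted it, so the first apply of this layer presumably has to be repeated after the accepter runs; a comment at the top of the file recording that ordering would save the next operator a failed apply. The `try(aws_ec2_transit_gateway_peering_attachment.tgw-dr[0].id, null)` wrappers are redundant given the matching guards and would only turn a missing peering into a null required argument.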
diff --git a/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf b/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf
index 991b68185..9759b9513 100644
--- a/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf
+++ b/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf
@@ -1,6 +1,15 @@
+# TGW peering attachment
 resource "aws_ec2_transit_gateway_peering_attachment_accepter" "tgw-accepters" {
 transit_gateway_attachment_id = data.terraform_remote_state.tgw.outputs.tgw_attachment_id
 tags = merge({ Name = "tgw - tgw-dr accepter" }, local.tags)
 }
+
+# TGW association
+resource "aws_ec2_transit_gateway_route_table_association" "tgw-association" {
+ count = var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_id != null, false) ? 1 : 0
+
+ transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id, null)
+}
diff --git a/network/us-east-2/transit-gateway/tgw.tf b/network/us-east-2/transit-gateway/tgw.tf
index 20c3c6371..1d886054f 100644
--- a/network/us-east-2/transit-gateway/tgw.tf
+++ b/network/us-east-2/transit-gateway/tgw.tf
@@ -141,7 +141,7 @@ module "tgw_inspection_route_table" {
 # Network Firewall
 #
 resource "aws_ec2_transit_gateway_route" "inspection_default" {
- count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0
+ count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? 1 : 0
 destination_cidr_block = "0.0.0.0/0"
 transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id
@@ -149,33 +149,33 @@ resource "aws_ec2_transit_gateway_route" "inspection_default" { } resource "aws_ec2_transit_gateway_route" "network_firewall_default" { - count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0 + count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? 1 : 0 destination_cidr_block = "0.0.0.0/0" transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base"].transit_gateway_vpc_attachment_ids["network-base"] + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base-dr"].transit_gateway_vpc_attachment_ids["network-base"] } resource "aws_ec2_transit_gateway_route_table_association" "network-inspection-association" { - count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0 + count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? 1 : 0 transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-firewall-dr["network-firewall-dr"].transit_gateway_vpc_attachment_ids["network-firewall-dr"] } resource "aws_ec2_transit_gateway_route_table_association" "network-base-association" { - count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0 + count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? 
1 : 0 transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base-dr"].transit_gateway_vpc_attachment_ids["network-base-dr"] } -# shared +# shareda-dr resource "aws_ec2_transit_gateway_route_table_association" "shared-rt-associations" { for_each = { for k, v in data.terraform_remote_state.shared-dr-vpcs : - k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "shared", false) + k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "shared-dr", false) } transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id @@ -185,7 +185,7 @@ resource "aws_ec2_transit_gateway_route_table_association" "shared-rt-associatio resource "aws_ec2_transit_gateway_route_table_propagation" "shared-rt-propagations" { for_each = { for k, v in data.terraform_remote_state.shared-dr-vpcs : - k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "shared", false) + k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "shared-dr", false) } transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id @@ -198,7 +198,7 @@ resource "aws_ec2_transit_gateway_route_table_association" "apps-devstg-rt-assoc for_each = { for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : - k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-devstg", false) + k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-devstg-dr", false) } transit_gateway_route_table_id = module.tgw_inspection_route_table[0].transit_gateway_route_table_id 
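Review bot: In `network_firewall_default` the attachment lookup becomes `module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base-dr"].transit_gateway_vpc_attachment_ids["network-base"]`, while `network-base-association` a few lines below indexes both maps with `"network-base-dr"`. If the module's output map is keyed by the same for_each key as the module instance (which is what the sibling resource assumes), the inner `["network-base"]` index fails at plan time once the locals rename in the later `@@ -84,7 +84,7 @@` hunk lands; the inner key should presumably be `["network-base-dr"]` as well. The replacement comment `# shareda-dr` also has a stray `a`.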
@@ -208,7 +208,7 @@ resource "aws_ec2_transit_gateway_route_table_association" "apps-devstg-rt-assoc resource "aws_ec2_transit_gateway_route_table_propagation" "apps-devstg-rt-propagations" { for_each = { for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : - k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-devstg", false) + k => v if var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "apps-devstg-dr", false) } transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id From 515fe063d3b50384096ee8d6ce219f0f1e7625ad Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Sat, 27 Nov 2021 00:45:52 -0300 Subject: [PATCH 19/44] Remove tgw per vpc toggling --- shared/us-east-1/base-network/config.tf | 25 ++++--------------- shared/us-east-1/base-network/locals.tf | 7 ------ shared/us-east-1/base-network/vpc_peerings.tf | 10 ++++---- 3 files changed, 10 insertions(+), 32 deletions(-) diff --git a/shared/us-east-1/base-network/config.tf b/shared/us-east-1/base-network/config.tf index 0d9df6d8c..4963ed66a 100644 --- a/shared/us-east-1/base-network/config.tf +++ b/shared/us-east-1/base-network/config.tf @@ -92,10 +92,7 @@ data "terraform_remote_state" "network-vpcs" { # VPC remote states for apps-devstg data "terraform_remote_state" "apps-devstg-vpcs" { - for_each = { - for k, v in local.apps-devstg-vpcs : - k => v if !v["tgw"] - } + for_each = local.apps-devstg-vpcs backend = "s3" @@ -110,10 +107,7 @@ data "terraform_remote_state" "apps-devstg-vpcs" { # VPC remote states for apps-devstg-dr data "terraform_remote_state" "apps-devstg-dr-vpcs" { - for_each = { - for k, v in local.apps-devstg-dr-vpcs : - k => v if !v["tgw"] - } + for_each = local.apps-devstg-dr-vpcs backend = "s3" 
@@ -128,10 +122,7 @@ data "terraform_remote_state" "apps-devstg-dr-vpcs" { # VPC remote states for apps-prd data "terraform_remote_state" "apps-prd-vpcs" { - for_each = { - for k, v in local.apps-prd-vpcs : - k => v if !v["tgw"] - } + for_each = local.apps-prd-vpcs backend = "s3" @@ -146,10 +137,7 @@ data "terraform_remote_state" "apps-prd-vpcs" { # VPC remote states for apps-prd-dr data "terraform_remote_state" "apps-prd-dr-vpcs" { - for_each = { - for k, v in local.apps-prd-dr-vpcs : - k => v if !v["tgw"] - } + for_each = local.apps-prd-dr-vpcs backend = "s3" @@ -164,10 +152,7 @@ data "terraform_remote_state" "apps-prd-dr-vpcs" { # VPC remote states for apps-devstg-dr data "terraform_remote_state" "shared-dr-vpcs" { - for_each = { - for k, v in local.shared-dr-vpcs : - k => v if !v["tgw"] - } + for_each = local.shared-dr-vpcs backend = "s3" diff --git a/shared/us-east-1/base-network/locals.tf b/shared/us-east-1/base-network/locals.tf index e40b5b501..738d8d9e2 100644 --- a/shared/us-east-1/base-network/locals.tf +++ b/shared/us-east-1/base-network/locals.tf @@ -128,21 +128,18 @@ locals { profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" key = "apps-devstg/network/terraform.tfstate" - tgw = false } apps-devstg-k8s-eks = { region = var.region profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" key = "apps-devstg/k8s-eks/network/terraform.tfstate" - tgw = false } apps-devstg-eks-demoapps = { region = var.region profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" key = "apps-devstg/k8s-eks-demoapps/network/terraform.tfstate" - tgw = false } } @@ -153,7 +150,6 @@ locals { profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" key = "apps-devstg/k8s-eks-dr/network/terraform.tfstate" - tgw = false } } 
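Review bot: The comment left as context above `shared-dr-vpcs` in the `@@ -164,10 +152,7 @@` hunk still reads `# VPC remote states for apps-devstg-dr`, a copy-paste leftover that now sits directly over the simplified `for_each = local.shared-dr-vpcs`; it should read `# VPC remote states for shared-dr`. Not introduced by this commit, but it is the block being edited.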
@@ -164,14 +160,12 @@ locals { profile = "${var.project}-apps-prd-devops" bucket = "${var.project}-apps-prd-terraform-backend" key = "apps-prd/network/terraform.tfstate" - tgw = false } apps-prd-k8s-eks = { region = var.region profile = "${var.project}-apps-prd-devops" bucket = "${var.project}-apps-prd-terraform-backend" key = "apps-prd/k8s-eks/network/terraform.tfstate" - tgw = false } } @@ -185,7 +179,6 @@ locals { profile = var.profile bucket = "${var.project}-shared-terraform-backend" key = "shared/network-dr/terraform.tfstate" - tgw = false } } diff --git a/shared/us-east-1/base-network/vpc_peerings.tf b/shared/us-east-1/base-network/vpc_peerings.tf index 4fb77a0ba..6e771b897 100644 --- a/shared/us-east-1/base-network/vpc_peerings.tf +++ b/shared/us-east-1/base-network/vpc_peerings.tf @@ -6,7 +6,7 @@ module "vpc_peering_apps_devstg_to_shared" { for_each = { for k, v in local.apps-devstg-vpcs : - k => v if !v["tgw"] + k => v if var.enable_tgw != true } providers = { @@ -40,7 +40,7 @@ module "vpc_peering_apps_devstg_dr_to_shared" { for_each = { for k, v in local.apps-devstg-dr-vpcs : - k => v if !v["tgw"] + k => v if var.enable_tgw != true } providers = { @@ -74,7 +74,7 @@ module "vpc_peering_apps_prd_to_shared" { for_each = { for k, v in local.apps-prd-vpcs : - k => v if !v["tgw"] + k => v if var.enable_tgw != true } providers = { @@ -108,7 +108,7 @@ module "vpc_peering_apps_prd_dr_to_shared" { for_each = { for k, v in local.apps-prd-dr-vpcs : - k => v if !v["tgw"] + k => v if var.enable_tgw != true } providers = { @@ -142,7 +142,7 @@ module "vpc_peering_shared_dr_to_shared" { for_each = { for k, v in local.shared-dr-vpcs : - k => v if !v["tgw"] + k => v if var.enable_tgw != true } providers = { From 223a990b36342a318d3dae7732f93b64f4ca18d4 Mon Sep 17 00:00:00 2001 
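Review bot: `k => v if var.enable_tgw != true` reads more naturally as `k => v if !var.enable_tgw`, and the expression is repeated verbatim across the five peering modules in this file (`@@ -6,7`, `@@ -40,7`, `@@ -74,7`, `@@ -108,7`, `@@ -142,7`). With the per-VPC `tgw` flag gone, every VPC in each map is peered to shared whenever the transit gateway is off, so the opt-out that existed per entry is now all-or-nothing; a one-line comment on the first module such as `# Peerings are the fallback path when the TGW is disabled; every VPC in the map gets one` would record that. Each module block starts before its hunk.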
From: "Luis M. Gallardo D" Date: Wed, 1 Dec 2021 00:14:16 -0300 Subject: [PATCH 20/44] Remove tgw flag in config files --- shared/us-east-2/base-network/config.tf | 17 +++++------------ shared/us-east-2/base-network/locals.tf | 3 --- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/shared/us-east-2/base-network/config.tf b/shared/us-east-2/base-network/config.tf index 169509bb7..39076df67 100644 --- a/shared/us-east-2/base-network/config.tf +++ b/shared/us-east-2/base-network/config.tf @@ -60,6 +60,7 @@ data "terraform_remote_state" "tools-vpn-server" { # VPC remote states for network data "terraform_remote_state" "network-vpcs" { + for_each = local.network-vpcs backend = "s3" @@ -74,10 +75,8 @@ data "terraform_remote_state" "network-vpcs" { # VPC remote states for shared data "terraform_remote_state" "shared-vpcs" { - for_each = { - for k, v in local.shared-vpcs : - k => v if !v["tgw"] - } + + for_each = local.shared-vpcs backend = "s3" @@ -92,10 +91,7 @@ data "terraform_remote_state" "shared-vpcs" { # VPC remote states for apps-devstg-dr data "terraform_remote_state" "apps-devstg-dr-vpcs" { - for_each = { - for k, v in local.apps-devstg-dr-vpcs : - k => v if !v["tgw"] - } + for_each = local.apps-devstg-dr-vpcs backend = "s3" @@ -110,10 +106,7 @@ data "terraform_remote_state" "apps-devstg-dr-vpcs" { # VPC remote states for apps-prd-dr data "terraform_remote_state" "apps-prd-dr-vpcs" { - for_each = { - for k, v in local.apps-prd-dr-vpcs : - k => v if !v["tgw"] - } + for_each = local.apps-prd-dr-vpcs backend = "s3" diff --git a/shared/us-east-2/base-network/locals.tf b/shared/us-east-2/base-network/locals.tf index 320021cfa..e3857f615 100644 --- a/shared/us-east-2/base-network/locals.tf +++ b/shared/us-east-2/base-network/locals.tf @@ -133,7 +133,6 @@ locals { profile = "${var.project}-shared-devops" bucket = "${var.project}-shared-terraform-backend" key = "shared/network/terraform.tfstate" - tgw = false } } 
@@ -144,7 +143,6 @@ locals { profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" key = "apps-devstg/k8s-eks-dr/network/terraform.tfstate" - tgw = false } } @@ -159,7 +157,6 @@ locals { profile = var.profile bucket = "${var.project}-shared-terraform-backend" key = "shared/network-dr/terraform.tfstate" - tgw = false } } From 5f6d2097d9dd1390bf3a332a94d31b4b7ac48560 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 1 Dec 2021 00:22:00 -0300 Subject: [PATCH 21/44] Add TGW routes --- network/global/base-identities/policies.tf | 1 + network/us-east-1/transit-gateway/locals.tf | 2 +- .../us-east-1/transit-gateway/tgw-peerings.tf | 12 ++++ network/us-east-2/transit-gateway/config.tf | 67 +++++++++++++++++++ network/us-east-2/transit-gateway/locals.tf | 63 +++++++++++++++++ .../tgw-peerings-acccepters.tf | 50 ++++++++++++++ 6 files changed, 194 insertions(+), 1 deletion(-) diff --git a/network/global/base-identities/policies.tf b/network/global/base-identities/policies.tf index 94def3199..3cf469ce7 100644 --- a/network/global/base-identities/policies.tf +++ b/network/global/base-identities/policies.tf @@ -179,6 +179,7 @@ resource "aws_iam_policy" "secops_access" { "kms:*", "lambda:*", "logs:*", + "networkmanager:*", "organizations:Describe*", "organizations:List*", "route53:*", diff --git a/network/us-east-1/transit-gateway/locals.tf b/network/us-east-1/transit-gateway/locals.tf index 76dcd0da5..8f9cb80f3 100644 --- a/network/us-east-1/transit-gateway/locals.tf +++ b/network/us-east-1/transit-gateway/locals.tf @@ -84,7 +84,7 @@ locals { # network-dr network-dr-vpcs = { - network-base = { + network-base-dr = { region = var.region profile = "${var.project}-network-devops" bucket = "${var.project}-network-terraform-backend" diff --git a/network/us-east-1/transit-gateway/tgw-peerings.tf b/network/us-east-1/transit-gateway/tgw-peerings.tf index 443a0e067..cc0d5eb4b 100644 
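Review bot: `"networkmanager:*"` gives the `secops_access` policy full write access to AWS Network Manager (global networks, core networks, attachments and their policies), whereas the neighbouring `organizations:Describe*` and `organizations:List*` entries in the same action list are deliberately read-only. If secops only needs to inspect the transit-gateway topology, scope it to `"networkmanager:Describe*", "networkmanager:Get*", "networkmanager:List*"`; if write access is intended, a comment saying why would help the next reviewer. The `aws_iam_policy` document begins before the hunk, so whether the statement's `Resource` is also `*` is not visible here.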
--- a/network/us-east-1/transit-gateway/tgw-peerings.tf
+++ b/network/us-east-1/transit-gateway/tgw-peerings.tf
@@ -20,6 +20,18 @@ resource "aws_ec2_transit_gateway_route_table_association" "tgw-dr-association"
 # Add routes
+#
+# network-dr
+#
+resource "aws_ec2_transit_gateway_route" "network-dr" {
+
+ for_each = { for k, v in local.network-dr-vpcs : k => v if var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) }
+
+ destination_cidr_block = data.terraform_remote_state.network-dr-vpcs[each.key].outputs.vpc_cidr_block
+ transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id
+ transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment.tgw-dr[0].id, null)
+}
+
 #
 # shared-dr
 #
diff --git a/network/us-east-2/transit-gateway/config.tf b/network/us-east-2/transit-gateway/config.tf
index 030d9de1a..7d1e37d8d 100644
--- a/network/us-east-2/transit-gateway/config.tf
+++ b/network/us-east-2/transit-gateway/config.tf
@@ -154,3 +154,70 @@ data "terraform_remote_state" "apps-prd-dr-vpcs" { key = lookup(each.value, "key") } } + +# +# Primary region +# + +# VPC remote states for network +data "terraform_remote_state" "network-vpcs" { + + for_each = local.network-vpcs + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } + +} + +# VPC remote states for shared +data "terraform_remote_state" "shared-vpcs" { + + for_each = local.shared-vpcs + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } +} + +# VPC remote states for apps-devstg +data "terraform_remote_state" "apps-devstg-vpcs" { + + for_each = local.apps-devstg-vpcs + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } +} + + +# VPC remote states for apps-prd +data "terraform_remote_state" "apps-prd-vpcs" { + + for_each = local.apps-prd-vpcs + + backend = "s3" + + config = { + region = lookup(each.value, "region") + profile = lookup(each.value, "profile") + bucket = lookup(each.value, "bucket") + key = lookup(each.value, "key") + } +} + diff --git a/network/us-east-2/transit-gateway/locals.tf b/network/us-east-2/transit-gateway/locals.tf index c08ba04b7..e8e2064b7 100644 --- a/network/us-east-2/transit-gateway/locals.tf +++ b/network/us-east-2/transit-gateway/locals.tf 
@@ -43,6 +43,69 @@ locals { # apps-prd-dr apps-prd-dr-vpcs = {} + # + # Primary region + # + + # shared + shared-vpcs = { + shared-base = { + region = var.region + profile = "${var.project}-shared-devops" + bucket = "${var.project}-shared-terraform-backend" + key = "shared/network/terraform.tfstate" + } + } + + # network + network-vpcs = { + network-base = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/network/terraform.tfstate" + } + } + + # apps-devstg + apps-devstg-vpcs = { + apps-devstg-base = { + region = var.region + profile = "${var.project}-apps-devstg-devops" + bucket = "${var.project}-apps-devstg-terraform-backend" + key = "apps-devstg/network/terraform.tfstate" + } + apps-devstg-k8s-eks = { + region = var.region + profile = "${var.project}-apps-devstg-devops" + bucket = "${var.project}-apps-devstg-terraform-backend" + key = "apps-devstg/k8s-eks/network/terraform.tfstate" + } + apps-devstg-eks-demoapps = { + region = var.region + profile = "${var.project}-apps-devstg-devops" + bucket = "${var.project}-apps-devstg-terraform-backend" + key = "apps-devstg/k8s-eks-demoapps/network/terraform.tfstate" + } + } + + # apps-prd + apps-prd-vpcs = { + apps-prd-base = { + region = var.region + profile = "${var.project}-apps-prd-devops" + bucket = "${var.project}-apps-prd-terraform-backend" + key = "apps-prd/network/terraform.tfstate" + } + #apps-prd-k8s-eks = { + # region = var.region + # profile = "${var.project}-apps-prd-devops" + # bucket = "${var.project}-apps-prd-terraform-backend" + # key = "apps-prd/k8s-eks/network/terraform.tfstate" + #} + } + + datasources-vpcs = merge( data.terraform_remote_state.network-dr-vpcs, # network-dr data.terraform_remote_state.shared-dr-vpcs, # shared-dr diff --git a/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf b/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf index 9759b9513..1ca192824 100644 
--- a/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf
+++ b/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf
@@ -13,3 +13,53 @@ resource "aws_ec2_transit_gateway_route_table_association" "tgw-association" { transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id, null) } + +# Add routes + +# +# network +# +resource "aws_ec2_transit_gateway_route" "network" { + + for_each = { for k, v in local.network-vpcs : k => v if var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_id != null, false) } + + destination_cidr_block = data.terraform_remote_state.network-vpcs[each.key].outputs.vpc_cidr_block + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id, null) +} + +# +# shared +# +resource "aws_ec2_transit_gateway_route" "shared" { + + for_each = { for k, v in local.shared-vpcs : k => v if var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_id != null, false) } + + destination_cidr_block = data.terraform_remote_state.shared-vpcs[each.key].outputs.vpc_cidr_block + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id, null) +} + +# +# apps-devstg +# +resource "aws_ec2_transit_gateway_route" "apps-devstg" { + + for_each = { for k, v in local.apps-devstg-vpcs : k => v if var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_id != null, false) } + + destination_cidr_block = data.terraform_remote_state.apps-devstg-vpcs[each.key].outputs.vpc_cidr_block + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id, null) +} + +# +# apps-prd +# +resource "aws_ec2_transit_gateway_route" "apps-prd" { + + for_each = { for k, v in 
local.apps-prd-vpcs : k => v if var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_id != null, false) } + + destination_cidr_block = data.terraform_remote_state.apps-prd-vpcs[each.key].outputs.vpc_cidr_block + transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id, null) +} From a3fd0b61103aaec7ec493f1d869fa1c5c77e0fc3 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 1 Dec 2021 01:25:34 -0300 Subject: [PATCH 22/44] Update comments in tgw code --- apps-devstg/us-east-1/base-network/locals.tf | 3 --- apps-devstg/us-east-1/base-network/vpc_peerings.tf | 2 +- apps-prd/us-east-1/base-network/locals.tf | 2 -- apps-prd/us-east-1/base-network/vpc_peerings.tf | 2 +- network/us-east-2/transit-gateway/locals.tf | 2 -- network/us-east-2/transit-gateway/tgw.tf | 8 ++++---- 6 files changed, 6 insertions(+), 13 deletions(-) diff --git a/apps-devstg/us-east-1/base-network/locals.tf b/apps-devstg/us-east-1/base-network/locals.tf index 3d45a595d..2f8b56daf 100644 --- a/apps-devstg/us-east-1/base-network/locals.tf +++ b/apps-devstg/us-east-1/base-network/locals.tf @@ -173,21 +173,18 @@ locals { profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" key = "apps-devstg/network/terraform.tfstate" - tgw = false } apps-devstg-k8s-eks = { region = var.region profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" key = "apps-devstg/k8s-eks/network/terraform.tfstate" - tgw = false } apps-devstg-k8s-eks-demoapps = { region = var.region profile = "${var.project}-apps-devstg-devops" bucket = "${var.project}-apps-devstg-terraform-backend" key = "apps-devstg/k8s-eks-demoapps/network/terraform.tfstate" - tgw = false } } 
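Review bot: Each of the four new `aws_ec2_transit_gateway_route` resources repeats the same `for_each` filter, `var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_id != null, false)`, and the same `try(aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id, null)` attachment expression. A route whose `transit_gateway_attachment_id` resolves to `null` without `blackhole` set is, as far as I can tell, rejected at apply time, so the `try(..., null)` fallback only postpones a misconfiguration rather than handling it. Suggest hoisting the gate into a local, e.g. `peering_routes_enabled = var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_id != null, false)`, and referencing `aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id` directly so a missing accepter surfaces at plan time. This hunk begins on the previous line of the page.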
diff --git a/apps-devstg/us-east-1/base-network/vpc_peerings.tf b/apps-devstg/us-east-1/base-network/vpc_peerings.tf index e45757779..0c3e6b15e 100644 --- a/apps-devstg/us-east-1/base-network/vpc_peerings.tf +++ b/apps-devstg/us-east-1/base-network/vpc_peerings.tf @@ -5,7 +5,7 @@ module "vpc_peering_apps_devstg_to_eks_clusters" { for_each = { for k, v in local.apps-devstg-vpcs : - k => v if !v["tgw"] && k != "apps-devstg-base" # No peerings when TGW enabled or against the base network + k => v if !var.enable_tgw && k != "apps-devstg-base" # No peerings when TGW enabled or against the base network } providers = { diff --git a/apps-prd/us-east-1/base-network/locals.tf b/apps-prd/us-east-1/base-network/locals.tf index 0dd894073..d4ff27c34 100644 --- a/apps-prd/us-east-1/base-network/locals.tf +++ b/apps-prd/us-east-1/base-network/locals.tf @@ -172,14 +172,12 @@ locals { profile = "${var.project}-apps-prd-devops" bucket = "${var.project}-apps-prd-terraform-backend" key = "apps-prd/network/terraform.tfstate" - tgw = false } apps-prd-k8s-eks = { region = var.region profile = "${var.project}-apps-prd-devops" bucket = "${var.project}-apps-prd-terraform-backend" key = "apps-prd/k8s-eks/network/terraform.tfstate" - tgw = false } } } diff --git a/apps-prd/us-east-1/base-network/vpc_peerings.tf b/apps-prd/us-east-1/base-network/vpc_peerings.tf index 423d2686c..339ddccc1 100644 --- a/apps-prd/us-east-1/base-network/vpc_peerings.tf +++ b/apps-prd/us-east-1/base-network/vpc_peerings.tf @@ -5,7 +5,7 @@ module "vpc_peering_apps_prd_to_eks_clusters" { for_each = { for k, v in local.apps-prd-vpcs : - k => v if !v["tgw"] && k != "apps-prd-base" # No peerings when TGW enabled or against the base network + k => v if !var.enable_tgw && k != "apps-prd-base" # No peerings when TGW enabled or against the base network } providers = { diff --git a/network/us-east-2/transit-gateway/locals.tf b/network/us-east-2/transit-gateway/locals.tf index e8e2064b7..dde5644a1 100644 
--- a/network/us-east-2/transit-gateway/locals.tf +++ b/network/us-east-2/transit-gateway/locals.tf @@ -4,9 +4,7 @@ locals { Environment = var.environment ProtectFromDeletion = "true" } -} -locals { # Data source definitions # diff --git a/network/us-east-2/transit-gateway/tgw.tf b/network/us-east-2/transit-gateway/tgw.tf index 1d886054f..91aac69b7 100644 --- a/network/us-east-2/transit-gateway/tgw.tf +++ b/network/us-east-2/transit-gateway/tgw.tf @@ -28,7 +28,7 @@ module "tgw-dr" { create_transit_gateway_route_table_association_and_propagation = var.enable_network_firewall ? false : true config = merge( - # network private + # network-dr private lookup(var.enable_vpc_attach, "network-dr", false) ? { for k, v in data.terraform_remote_state.network-dr-vpcs : v.outputs.vpc_id => { vpc_id = null @@ -47,7 +47,7 @@ module "tgw-dr" { ] } } : {}, - # apps-devstg private + # apps-devstg-dr private lookup(var.enable_vpc_attach, "apps-devstg-dr", false) ? { for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : v.outputs.vpc_id => { vpc_id = null @@ -60,7 +60,7 @@ module "tgw-dr" { static_routes = null } } : {}, - # apps-prd private + # apps-prd-dr private lookup(var.enable_vpc_attach, "apps-prd-dr", false) ? { for k, v in data.terraform_remote_state.apps-prd-dr-vpcs : v.outputs.vpc_id => { vpc_id = null @@ -73,7 +73,7 @@ module "tgw-dr" { static_routes = null } } : {}, - # shared private + # shared-dr private lookup(var.enable_vpc_attach, "shared-dr", false) ? { for k, v in data.terraform_remote_state.shared-dr-vpcs : v.outputs.vpc_id => { vpc_id = null From b2dda4dbe46e532d161ed7ec2a210d3c5e301aeb Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Fri, 3 Dec 2021 11:00:43 -0300 Subject: [PATCH 23/44] Add vpc attachment appliance mode support --- .../us-east-1/transit-gateway/vpc_attachments.tf | 15 ++++++++++----- .../us-east-2/transit-gateway/vpc_attachments.tf | 15 ++++++++++----- 2 files changed, 20 insertions(+), 10 deletions(-) 
diff --git a/network/us-east-1/transit-gateway/vpc_attachments.tf b/network/us-east-1/transit-gateway/vpc_attachments.tf index 229a57af9..69e77a590 100644 --- a/network/us-east-1/transit-gateway/vpc_attachments.tf +++ b/network/us-east-1/transit-gateway/vpc_attachments.tf @@ -15,7 +15,7 @@ # Network Firewall VPC attachment - Inspection subnets (private) module "tgw_vpc_attachments_and_subnet_routes_network_firewall" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in { @@ -32,6 +32,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network_firewall" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { @@ -56,7 +57,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network_firewall" { # network VPC attachments (private) module "tgw_vpc_attachments_and_subnet_routes_network" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in data.terraform_remote_state.network-vpcs : @@ -72,6 +73,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { 
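Review bot: `vpc_attachment_appliance_mode_support = "enable"` is added to every attachment module in this file, not only to `tgw_vpc_attachments_and_subnet_routes_network_firewall`, and the same is done in the us-east-2 file further down; appliance mode matters for the inspection VPC, where both directions of a flow must reach the same firewall endpoint, while on the workload attachments it only pins flows to one AZ. That is harmless, but a comment on the firewall attachment would record the intent: `# Appliance mode keeps both directions of a flow in the same AZ so the network firewall sees symmetric traffic`. The module blocks begin before and continue past each of these hunks.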
@@ -96,7 +98,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network" { # apps-devstg VPC attachments module "tgw_vpc_attachments_and_subnet_routes_apps-devstg" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in data.terraform_remote_state.apps-devstg-vpcs : @@ -112,6 +114,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-devstg" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { @@ -140,7 +143,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-devstg" { # apps-prd VPC attachments module "tgw_vpc_attachments_and_subnet_routes_apps-prd" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in data.terraform_remote_state.apps-prd-vpcs : @@ -156,6 +159,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-prd" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { @@ -184,7 +188,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-prd" { # shared VPC attachments module "tgw_vpc_attachments_and_subnet_routes_shared" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in data.terraform_remote_state.shared-vpcs : 
@@ -200,6 +204,7 @@ module "tgw_vpc_attachments_and_subnet_routes_shared" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { diff --git a/network/us-east-2/transit-gateway/vpc_attachments.tf b/network/us-east-2/transit-gateway/vpc_attachments.tf index 25db3ec30..afca1ef00 100644 --- a/network/us-east-2/transit-gateway/vpc_attachments.tf +++ b/network/us-east-2/transit-gateway/vpc_attachments.tf @@ -15,7 +15,7 @@ # Network Firewall VPC attachment - Inspection subnets (private) module "tgw_vpc_attachments_and_subnet_routes_network-firewall-dr" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in { @@ -32,6 +32,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network-firewall-dr" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { @@ -56,7 +57,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network-firewall-dr" { # network VPC attachments (private) module "tgw_vpc_attachments_and_subnet_routes_network-dr" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in data.terraform_remote_state.network-dr-vpcs : @@ -72,6 +73,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network-dr" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { 
@@ -96,7 +98,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network-dr" { # apps-devstg VPC attachments module "tgw_vpc_attachments_and_subnet_routes_apps-devstg-dr" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : @@ -112,6 +114,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-devstg-dr" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { @@ -140,7 +143,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-devstg-dr" { # apps-prd VPC attachments module "tgw_vpc_attachments_and_subnet_routes_apps-prd-dr" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in data.terraform_remote_state.apps-prd-dr-vpcs : @@ -156,6 +159,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-prd-dr" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { @@ -184,7 +188,7 @@ module "tgw_vpc_attachments_and_subnet_routes_apps-prd-dr" { # shared VPC attachments module "tgw_vpc_attachments_and_subnet_routes_shared-dr" { - source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" + source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.6.0" for_each = { for k, v in data.terraform_remote_state.shared-dr-vpcs : 
@@ -200,6 +204,7 @@ module "tgw_vpc_attachments_and_subnet_routes_shared-dr" { create_transit_gateway_route_table = false create_transit_gateway_vpc_attachment = true create_transit_gateway_route_table_association_and_propagation = false + vpc_attachment_appliance_mode_support = "enable" config = { (each.key) = { From 6c20cd19d3ae175141f949037b84b1c23bcf3dd6 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Mon, 6 Dec 2021 21:44:31 -0300 Subject: [PATCH 24/44] Update netwrok local.tf files --- network/us-east-1/transit-gateway/locals.tf | 2 -- network/us-east-2/transit-gateway/locals.tf | 1 - 2 files changed, 3 deletions(-) diff --git a/network/us-east-1/transit-gateway/locals.tf b/network/us-east-1/transit-gateway/locals.tf index 8f9cb80f3..f609e85d7 100644 --- a/network/us-east-1/transit-gateway/locals.tf +++ b/network/us-east-1/transit-gateway/locals.tf @@ -4,9 +4,7 @@ locals { Environment = var.environment ProtectFromDeletion = "true" } -} -locals { # Data source definitions # diff --git a/network/us-east-2/transit-gateway/locals.tf b/network/us-east-2/transit-gateway/locals.tf index dde5644a1..17794dfd3 100644 --- a/network/us-east-2/transit-gateway/locals.tf +++ b/network/us-east-2/transit-gateway/locals.tf @@ -103,7 +103,6 @@ locals { #} } - datasources-vpcs = merge( data.terraform_remote_state.network-dr-vpcs, # network-dr data.terraform_remote_state.shared-dr-vpcs, # shared-dr From edc6cfe4327b9cf073d07a23c3b609e88de7047c Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Mon, 6 Dec 2021 22:57:30 -0300 Subject: [PATCH 25/44] Change protection tag in scp policy to be consistent --- root/global/organizations/policies_scp.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/global/organizations/policies_scp.tf b/root/global/organizations/policies_scp.tf index 781d915a7..82b06ce32 100644 --- a/root/global/organizations/policies_scp.tf +++ b/root/global/organizations/policies_scp.tf 
@@ -183,7 +183,7 @@ resource "aws_organizations_policy" "tag_protection" { }, "ForAnyValue:StringEquals": { "aws:TagKeys": [ - "protectFromDeletion" + "ProtectFromDeletion" ] } } From bdb24c70090bc920e620653585cccbaf58b683ec Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 8 Dec 2021 13:22:34 -0300 Subject: [PATCH 26/44] Change TGW toggle conditional --- shared/us-east-2/base-network/vpc_peerings.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/us-east-2/base-network/vpc_peerings.tf b/shared/us-east-2/base-network/vpc_peerings.tf index 4d8c8df97..961967841 100644 --- a/shared/us-east-2/base-network/vpc_peerings.tf +++ b/shared/us-east-2/base-network/vpc_peerings.tf @@ -6,7 +6,7 @@ module "vpc_peering_apps_devstg_dr_to_shared_dr" { for_each = { for k, v in local.apps-devstg-dr-vpcs : - k => v if !v["tgw"] + k => v if var.enable_tgw != true } providers = { From 54504d0b99e9576e3c1e9213a3d076a3b4be7fff Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 8 Dec 2021 18:00:03 -0300 Subject: [PATCH 27/44] Add netwrok account and tgw variables --- network/us-east-1/network-firewall/variables.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/network/us-east-1/network-firewall/variables.tf b/network/us-east-1/network-firewall/variables.tf index 100516e76..6fa317e93 100644 --- a/network/us-east-1/network-firewall/variables.tf +++ b/network/us-east-1/network-firewall/variables.tf @@ -85,6 +85,10 @@ variable "appsprd_account_id" { type = string description = "Account: Prod Modules & Libs" } +variable "network_account_id" { + type = string + description = "Account: Networking Resources" +} variable "vault_address" { type = string 
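Review bot: In `shared/us-east-2/base-network/vpc_peerings.tf` the toggle is written `k => v if var.enable_tgw != true`, whereas the apps-devstg and apps-prd peering layers changed in this series write the same condition as `!var.enable_tgw`; for a `bool` variable the negation form is the idiomatic one and keeps the four layers reading identically, so prefer `k => v if !var.enable_tgw`. The trailing `# No peerings when TGW enabled` comment present in the other layers is also missing here. The module block starts before this hunk.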
@@ -96,6 +100,16 @@ variable "vault_token" { description = "Vault Token" } +#===========================================# +# Transit Gateway # +#===========================================# + +variable "enable_tgw" { + description = "Enable Transit Gateway Support" + type = bool + default = false +} + #===========================================# # Networking # #===========================================# From cd39cba822897e698df9cf253553f66b71b27307 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 8 Dec 2021 18:13:51 -0300 Subject: [PATCH 28/44] Add network account and tgw variables --- network/us-east-1/network-firewall/variables.tf | 1 + network/us-east-2/network-firewall/variables.tf | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/network/us-east-1/network-firewall/variables.tf b/network/us-east-1/network-firewall/variables.tf index 6fa317e93..f9202b1cb 100644 --- a/network/us-east-1/network-firewall/variables.tf +++ b/network/us-east-1/network-firewall/variables.tf @@ -85,6 +85,7 @@ variable "appsprd_account_id" { type = string description = "Account: Prod Modules & Libs" } + variable "network_account_id" { type = string description = "Account: Networking Resources" diff --git a/network/us-east-2/network-firewall/variables.tf b/network/us-east-2/network-firewall/variables.tf index 100516e76..f9202b1cb 100644 --- a/network/us-east-2/network-firewall/variables.tf +++ b/network/us-east-2/network-firewall/variables.tf @@ -86,6 +86,11 @@ variable "appsprd_account_id" { description = "Account: Prod Modules & Libs" } +variable "network_account_id" { + type = string + description = "Account: Networking Resources" +} + variable "vault_address" { type = string description = "Vault Address" 
@@ -96,6 +101,16 @@ variable "vault_token" { description = "Vault Token" } +#===========================================# +# Transit Gateway # +#===========================================# + +variable "enable_tgw" { + description = "Enable Transit Gateway Support" + type = bool + default = false +} + #===========================================# # Networking # #===========================================# From e1f7fb4f06e68f42aff4c017eef1faa8ff4fc449 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 8 Dec 2021 18:31:32 -0300 Subject: [PATCH 29/44] Fix network firewall outputs in the secondary region --- network/us-east-2/network-firewall/outputs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/network/us-east-2/network-firewall/outputs.tf b/network/us-east-2/network-firewall/outputs.tf index 357534471..51087b4e8 100644 --- a/network/us-east-2/network-firewall/outputs.tf +++ b/network/us-east-2/network-firewall/outputs.tf @@ -15,12 +15,12 @@ output "vpc_cidr_block" { } # Subnets -output "inspection_subnets" { +output "inspection_subnets-dr" { description = "Map of AZ names to subnet IDs of inspection subnets" value = module.inspection_private_subnets.az_subnet_ids } -output "network_firewall_subnets" { +output "network_firewall_subnets-dr" { description = "Map of AZ names to subnet IDs of network firewall subnets" value = module.network_firewall_private_subnets.az_subnet_ids } From caa71fd05a7cb4988e64e2bce5b298997667de26 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 9 Dec 2021 00:59:32 -0300 Subject: [PATCH 30/44] Add ssm endpoints for shared-dr --- shared/us-east-2/base-network/network.tf | 123 ++++++++++++++++++--- shared/us-east-2/base-network/variables.tf | 12 ++ 2 files changed, 121 insertions(+), 14 deletions(-) diff --git a/shared/us-east-2/base-network/network.tf b/shared/us-east-2/base-network/network.tf index e35b259bb..3dac46f32 100644 --- a/shared/us-east-2/base-network/network.tf 
+++ b/shared/us-east-2/base-network/network.tf @@ -2,7 +2,7 @@ # Network Resources # module "vpc" { - source = "github.com/binbashar/terraform-aws-vpc.git?ref=v2.78.0" + source = "github.com/binbashar/terraform-aws-vpc.git?ref=v3.11.0" name = local.vpc_name cidr = local.vpc_cidr_block @@ -11,20 +11,15 @@ module "vpc" { private_subnets = local.private_subnets public_subnets = local.public_subnets - enable_nat_gateway = var.vpc_enable_nat_gateway - single_nat_gateway = var.vpc_single_nat_gateway - enable_dns_hostnames = var.vpc_enable_dns_hostnames - enable_vpn_gateway = var.vpc_enable_vpn_gateway - enable_s3_endpoint = var.vpc_enable_s3_endpoint - enable_dynamodb_endpoint = var.vpc_enable_dynamodb_endpoint + enable_nat_gateway = var.vpc_enable_nat_gateway + single_nat_gateway = var.vpc_single_nat_gateway + enable_dns_hostnames = var.vpc_enable_dns_hostnames + enable_vpn_gateway = var.vpc_enable_vpn_gateway - enable_kms_endpoint = var.enable_kms_endpoint - kms_endpoint_private_dns_enabled = var.enable_kms_endpoint_private_dns - kms_endpoint_security_group_ids = var.enable_kms_endpoint ? [aws_security_group.kms_vpce[0].id] : [] - - manage_default_network_acl = var.manage_default_network_acl - public_dedicated_network_acl = var.public_dedicated_network_acl // use dedicated network ACL for the public subnets. - private_dedicated_network_acl = var.private_dedicated_network_acl // use dedicated network ACL for the private subnets. + # Use a custom network ACL rules for private and public subnets + manage_default_network_acl = false + public_dedicated_network_acl = true + private_dedicated_network_acl = true private_inbound_acl_rules = concat( local.network_acls["default_inbound"], local.network_acls["private_inbound"], 
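Review bot: `manage_default_network_acl`, `public_dedicated_network_acl` and `private_dedicated_network_acl` are now hard-coded to `false`, `true` and `true`, yet `variable "manage_default_network_acl"` is still declared in this layer's variables.tf (it appears as context in the variables hunk of this same commit) and presumably the other two variables as well, so a `.tfvars` override would now silently do nothing. Either keep wiring the module inputs to the variables or remove the orphaned declarations. The removed `enable_s3_endpoint`/`enable_dynamodb_endpoint` inputs likewise leave their variables behind if they are not deleted elsewhere. The `module "vpc"` block begins before this hunk and continues past it.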
@@ -33,6 +28,78 @@ module "vpc" { tags = local.tags } +locals { + vpc_endpoints = merge({ + # S3 + s3 = { + service = "s3" + service_type = "Gateway" + } + # DynamamoDB + dynamodb = { + service = "dynamodb" + service_type = "Gateway" + } + }, + # KMS + { for k, v in { kms = "Interface" } : + k => { + service = k + service_type = v + security_group_ids = [aws_security_group.kms_vpce[0].id] + private_dns_enabled = var.enable_kms_endpoint_private_dns + } if var.enable_kms_endpoint + }, + # SSM + { for k, v in { ssm = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + + }, + { for k, v in { ec2messages = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + }, + { for k, v in { ssmmessages = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + }, + ) +} + +module "vpc_endpoints" { + source = "github.com/binbashar/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v3.11.0" + + for_each = local.vpc_endpoints + + vpc_id = module.vpc.vpc_id + + endpoints = { + endpoint = merge(each.value, + { + route_table_ids = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids) + } + ) + } + + tags = local.tags +} + # # KMS VPC Endpoint: Security Group # 
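Review bot: The three SSM interface endpoints hard-code `private_dns_enabled = true`, while this same commit adds `variable "enable_ssm_endpoints_private_dns"` that nothing reads; wire it as `private_dns_enabled = var.enable_ssm_endpoints_private_dns` or leave the variable out. The KMS entry passes no `subnet_ids`, whereas the SSM entries pass `module.vpc.private_subnets`; unless the vpc-endpoints module supplies a default list, the KMS interface endpoint would be created without ENIs, which is worth confirming. The same `vpc_endpoints` local, with the same hard-coded `true`, is added to apps-prd/us-east-1/base-network/network.tf later in this series.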
@@ -59,3 +126,31 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +# +# SSM VPC Endpoint: Security Group +# +resource "aws_security_group" "ssm_vpce" { + #count = var.enable_kms_endpoint ? 1 : 0 + count = 1 + name = "ssm_vpce" + description = "Allow TLS inbound traffic" + vpc_id = module.vpc.vpc_id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [local.vpc_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = local.tags +} diff --git a/shared/us-east-2/base-network/variables.tf b/shared/us-east-2/base-network/variables.tf index 59348214a..4f61cdf7d 100644 --- a/shared/us-east-2/base-network/variables.tf +++ b/shared/us-east-2/base-network/variables.tf @@ -188,6 +188,18 @@ variable "enable_kms_endpoint_private_dns" { default = false } +variable "enable_ssm_endpoints" { + description = "Enable SSM endpoints" + type = bool + default = false +} + +variable "enable_ssm_endpoints_private_dns" { + description = "Enable SSM endpoints" + type = bool + default = false +} + variable "manage_default_network_acl" { description = "Manage default Network ACL" type = bool From bd53d486cfbb48c10d2244ffdcbdf3b003af585b Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Thu, 9 Dec 2021 01:02:46 -0300 Subject: [PATCH 31/44] Add ssm endpoints for apps-prd --- apps-prd/us-east-1/base-network/config.tf | 2 +- apps-prd/us-east-1/base-network/network.tf | 61 +++++++++++++++++++- apps-prd/us-east-1/base-network/variables.tf | 12 ++++ 3 files changed, 72 insertions(+), 3 deletions(-) diff --git a/apps-prd/us-east-1/base-network/config.tf b/apps-prd/us-east-1/base-network/config.tf index 4ccc19865..2950ccb05 100644 --- a/apps-prd/us-east-1/base-network/config.tf +++ b/apps-prd/us-east-1/base-network/config.tf 
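Review bot: `count = 1` on `aws_security_group.ssm_vpce` creates the group even when `var.enable_ssm_endpoints` is false, and the commented line above it still refers to the KMS toggle; it should be `count = var.enable_ssm_endpoints ? 1 : 0` so the group's lifecycle follows the endpoints that reference it. The `egress` block opens all protocols to `0.0.0.0/0`; an interface-endpoint ENI only receives connections, so the rule can be dropped or narrowed without affecting the endpoints. The identical block is added to apps-prd/us-east-1/base-network/network.tf in the next commit of this series.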
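Review bot: `variable "enable_ssm_endpoints_private_dns"` reuses the description `"Enable SSM endpoints"` from the variable above it, which makes the two indistinguishable in `terraform-docs` output; it should read something like `description = "Enable private DNS for the SSM interface endpoints"`. The same copy-pasted pair is added to apps-prd/us-east-1/base-network/variables.tf in the next commit.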
@@ -89,7 +89,7 @@ data "terraform_remote_state" "apps-prd-vpcs" { for_each = { for k, v in local.apps-prd-vpcs : - k => v if !v["tgw"] + k => v if var.enable_tgw } backend = "s3" diff --git a/apps-prd/us-east-1/base-network/network.tf b/apps-prd/us-east-1/base-network/network.tf index 64aaa54f9..23b1f04d3 100644 --- a/apps-prd/us-east-1/base-network/network.tf +++ b/apps-prd/us-east-1/base-network/network.tf @@ -49,12 +49,41 @@ locals { k => { service = k service_type = v - security_group_ids = aws_security_group.kms_vpce[0].id + security_group_ids = [aws_security_group.kms_vpce[0].id] private_dns_enabled = var.enable_kms_endpoint_private_dns } if var.enable_kms_endpoint - } + }, + # SSM + { for k, v in { ssm = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + }, + { for k, v in { ec2messages = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + }, + { for k, v in { ssmmessages = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + }, ) } + module "vpc_endpoints" { source = "github.com/binbashar/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v3.11.0" 
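Review bot: The filter on `data.terraform_remote_state.apps-prd-vpcs` changes from `!v["tgw"]` to `var.enable_tgw`, which inverts the previous sense: the remote states are now read only when TGW is enabled. The peering module in this layer's vpc_peerings.tf (changed earlier in this series) iterates the same `local.apps-prd-vpcs` under `!var.enable_tgw`; if it dereferences `data.terraform_remote_state.apps-prd-vpcs[each.key]`, which is not visible here, it would hit a missing instance whenever TGW is off. If the inversion is intended, a comment such as `# remote states are only needed to build TGW routes` above the `for_each` would save the next reader a trip. The `data` block begins before this hunk.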
@@ -99,3 +128,31 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +# +# SSM VPC Endpoint: Security Group +# +resource "aws_security_group" "ssm_vpce" { + #count = var.enable_kms_endpoint ? 1 : 0 + count = 1 + name = "ssm_vpce" + description = "Allow TLS inbound traffic" + vpc_id = module.vpc.vpc_id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [local.vpc_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = local.tags +} diff --git a/apps-prd/us-east-1/base-network/variables.tf b/apps-prd/us-east-1/base-network/variables.tf index f4819ea47..2fcac46fd 100644 --- a/apps-prd/us-east-1/base-network/variables.tf +++ b/apps-prd/us-east-1/base-network/variables.tf @@ -136,6 +136,18 @@ variable "enable_kms_endpoint_private_dns" { default = false } +variable "enable_ssm_endpoints" { + description = "Enable SSM endpoints" + type = bool + default = false +} + +variable "enable_ssm_endpoints_private_dns" { + description = "Enable SSM endpoints" + type = bool + default = false +} + variable "manage_default_network_acl" { description = "Manage default Network ACL" type = bool From b3c8ac7e480d5a3f5d1fa15ef37baeac5653122d Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Mon, 13 Dec 2021 19:33:03 -0300 Subject: [PATCH 32/44] Add ssm endpoints for apps-prd --- apps-prd/us-east-1/base-network/network.auto.tfvars | 1 + 1 file changed, 1 insertion(+) diff --git a/apps-prd/us-east-1/base-network/network.auto.tfvars b/apps-prd/us-east-1/base-network/network.auto.tfvars index 88c5f3e43..bc4e8ce1a 100644 --- a/apps-prd/us-east-1/base-network/network.auto.tfvars +++ b/apps-prd/us-east-1/base-network/network.auto.tfvars @@ -1 +1,2 @@ vpc_enable_nat_gateway = false +enable_ssm_endpoints = true From bfd8c6bcf62f42e9a5677a2f105f3b2b9771b440 Mon Sep 17 00:00:00 2001 
From: "Luis M. Gallardo D" Date: Sat, 18 Dec 2021 10:15:21 -0300 Subject: [PATCH 33/44] Fix Cross region TGWs RT associations when NFW enabaled --- network/us-east-1/transit-gateway/tgw-peerings.tf | 2 +- network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf | 2 +- network/us-east-2/transit-gateway/tgw.tf | 4 ++-- network/us-east-2/transit-gateway/vpc_attachments.tf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/network/us-east-1/transit-gateway/tgw-peerings.tf b/network/us-east-1/transit-gateway/tgw-peerings.tf index cc0d5eb4b..97a28e95f 100644 --- a/network/us-east-1/transit-gateway/tgw-peerings.tf +++ b/network/us-east-1/transit-gateway/tgw-peerings.tf @@ -14,7 +14,7 @@ resource "aws_ec2_transit_gateway_peering_attachment" "tgw-dr" { resource "aws_ec2_transit_gateway_route_table_association" "tgw-dr-association" { count = var.enable_tgw && try(data.terraform_remote_state.tgw-dr.outputs.tgw_id != null, false) ? 1 : 0 - transit_gateway_route_table_id = module.tgw[0].transit_gateway_route_table_id + transit_gateway_route_table_id = var.enable_network_firewall ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : module.tgw[0].transit_gateway_route_table_id transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment.tgw-dr[0].id, null) } diff --git a/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf b/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf index 1ca192824..8aa781817 100644 --- a/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf +++ b/network/us-east-2/transit-gateway/tgw-peerings-acccepters.tf 
@@ -10,7 +10,7 @@ resource "aws_ec2_transit_gateway_peering_attachment_accepter" "tgw-accepters" { resource "aws_ec2_transit_gateway_route_table_association" "tgw-association" { count = var.enable_tgw && try(data.terraform_remote_state.tgw.outputs.tgw_id != null, false) ? 1 : 0 - transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id + transit_gateway_route_table_id = var.enable_network_firewall ? module.tgw_inspection_route_table[0].transit_gateway_route_table_id : module.tgw-dr[0].transit_gateway_route_table_id transit_gateway_attachment_id = try(aws_ec2_transit_gateway_peering_attachment_accepter.tgw-accepters.id, null) } diff --git a/network/us-east-2/transit-gateway/tgw.tf b/network/us-east-2/transit-gateway/tgw.tf index 91aac69b7..e922f6666 100644 --- a/network/us-east-2/transit-gateway/tgw.tf +++ b/network/us-east-2/transit-gateway/tgw.tf @@ -102,7 +102,7 @@ module "tgw_inspection_route_table" { source = "github.com/binbashar/terraform-aws-transit-gateway?ref=0.4.0" - count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? 1 : 0 + count = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network-dr", false) ? 1 : 0 name = "${var.project}-${var.environment}-inspection" @@ -153,7 +153,7 @@ resource "aws_ec2_transit_gateway_route" "network_firewall_default" { destination_cidr_block = "0.0.0.0/0" transit_gateway_route_table_id = module.tgw-dr[0].transit_gateway_route_table_id - transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base-dr"].transit_gateway_vpc_attachment_ids["network-base"] + transit_gateway_attachment_id = module.tgw_vpc_attachments_and_subnet_routes_network-dr["network-base-dr"].transit_gateway_vpc_attachment_ids["network-base-dr"] } resource "aws_ec2_transit_gateway_route_table_association" "network-inspection-association" { 
diff --git a/network/us-east-2/transit-gateway/vpc_attachments.tf b/network/us-east-2/transit-gateway/vpc_attachments.tf index afca1ef00..16fb535f9 100644 --- a/network/us-east-2/transit-gateway/vpc_attachments.tf +++ b/network/us-east-2/transit-gateway/vpc_attachments.tf @@ -38,7 +38,7 @@ module "tgw_vpc_attachments_and_subnet_routes_network-firewall-dr" { (each.key) = { vpc_id = each.value.outputs.vpc_id vpc_cidr = each.value.outputs.vpc_cidr_block - subnet_ids = values(each.value.outputs.inspection_subnets) + subnet_ids = values(each.value.outputs.inspection_subnets-dr) subnet_route_table_ids = values(each.value.outputs.inspection_route_table_ids) route_to = null route_to_cidr_blocks = null From 5f6487f642123f897fb0139a9cf126f102cb36a9 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 21 Dec 2021 14:23:23 -0300 Subject: [PATCH 34/44] Add public & private route to TGW for apps-prd-k8s --- apps-prd/us-east-1/k8s-eks/network/config.tf | 14 ++++++++ apps-prd/us-east-1/k8s-eks/network/network.tf | 32 +++++++++++++++++++ .../us-east-1/k8s-eks/network/variables.tf | 6 ++++ 3 files changed, 52 insertions(+) diff --git a/apps-prd/us-east-1/k8s-eks/network/config.tf b/apps-prd/us-east-1/k8s-eks/network/config.tf index 334ede154..47905ba3f 100644 --- a/apps-prd/us-east-1/k8s-eks/network/config.tf +++ b/apps-prd/us-east-1/k8s-eks/network/config.tf @@ -33,6 +33,20 @@ terraform { # Data sources # #=============================# +# TGW +data "terraform_remote_state" "tgw" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway/terraform.tfstate" + } +} + # # data type from output for tools-ec2 # diff --git a/apps-prd/us-east-1/k8s-eks/network/network.tf b/apps-prd/us-east-1/k8s-eks/network/network.tf index e6b6994f0..2b5b64649 100644 --- a/apps-prd/us-east-1/k8s-eks/network/network.tf 
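Review bot: Only `subnet_ids` is switched to the `-dr` suffixed output (`inspection_subnets-dr`) while the sibling `subnet_route_table_ids = values(each.value.outputs.inspection_route_table_ids)` two lines below keeps the unsuffixed name; if the network-dr base layer suffixes its outputs consistently, the route-table output is presumably `inspection_route_table_ids-dr` as well and this attachment will either fail to resolve or route the wrong tables. Worth confirming against the network-dr outputs before merging. The enclosing `module` block starts and ends outside the hunk.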
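Review bot: The TGW remote-state read uses `profile = "${var.project}-network-devops"`, which by its name presumably carries write privileges in the network account, while reading state only needs read access to the state object in the backend bucket; a read-only profile would be the least-privilege choice if one exists. A comment such as `# Read-only: only outputs.tgw_id is consumed from this state` would make the dependency explicit. The same data source and profile are added in every other config.tf hunk of this series, so any change should be applied across all of them.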
+++ b/apps-prd/us-east-1/k8s-eks/network/network.tf @@ -99,3 +99,35 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc-eks.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc-eks.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id +} diff --git a/apps-prd/us-east-1/k8s-eks/network/variables.tf b/apps-prd/us-east-1/k8s-eks/network/variables.tf index 0ee51ac6b..331693e86 100644 --- a/apps-prd/us-east-1/k8s-eks/network/variables.tf +++ b/apps-prd/us-east-1/k8s-eks/network/variables.tf @@ -161,3 +161,9 @@ variable "enable_tgw" { type = bool default = false } + +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} From 52f0c186f80d06b41e92ed0cfd22ad808e0e0022 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 21 Dec 2021 21:03:11 -0300 Subject: [PATCH 35/44] * Add public & private route to TGW for apps-devstg * Add SSM support --- apps-devstg/us-east-1/base-network/config.tf | 16 +++- apps-devstg/us-east-1/base-network/network.tf | 90 ++++++++++++++++++- .../us-east-1/base-network/variables.tf | 18 ++++ 3 files changed, 122 insertions(+), 2 deletions(-) 
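Review bot: `for_each` keys the public routes by list position (`for k, v in var.tgw_cidrs : k => v`), so inserting or reordering a CIDR in `tgw_cidrs` renumbers the keys and Terraform destroys and recreates routes for unchanged destinations; keying by the CIDR itself avoids that, and the `length(var.tgw_cidrs) > 0` guard is redundant because an empty collection yields no instances: `for_each = var.enable_tgw ? toset(var.tgw_cidrs) : toset([])` with `destination_cidr_block = each.value` unchanged. The private default route is only added to `private_route_table_ids[0]`; if the VPC module creates one private route table per AZ the remaining tables keep their current egress path, and if a NAT gateway route for `0.0.0.0/0` also exists on that table the two will conflict at apply time, so a comment stating the single-route-table assumption belongs above it. The comment `# For TWG CDIR` should read `# For each TGW CIDR`. The identical pair of resources is added in the network.tf hunks for apps-devstg (base-network, k8s-eks, k8s-eks-demoapps, us-east-2 k8s-eks), network, network-dr, shared and apps-prd base-network further down.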
diff --git a/apps-devstg/us-east-1/base-network/config.tf b/apps-devstg/us-east-1/base-network/config.tf index 7f54f0233..0624d3bef 100644 --- a/apps-devstg/us-east-1/base-network/config.tf +++ b/apps-devstg/us-east-1/base-network/config.tf @@ -26,6 +26,20 @@ terraform { # Data sources # #=============================# +# TGW +data "terraform_remote_state" "tgw" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway/terraform.tfstate" + } +} + # # data type from output for notifications # @@ -88,7 +102,7 @@ data "terraform_remote_state" "apps-devstg-vpcs" { for_each = { for k, v in local.apps-devstg-vpcs : - k => v if !v["tgw"] + k => v if var.enable_tgw } backend = "s3" diff --git a/apps-devstg/us-east-1/base-network/network.tf b/apps-devstg/us-east-1/base-network/network.tf index 88644c4e5..5046f7c74 100644 --- a/apps-devstg/us-east-1/base-network/network.tf +++ b/apps-devstg/us-east-1/base-network/network.tf 
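Review bot: The `apps-devstg-vpcs` remote-state filter flips from the per-VPC flag `!v["tgw"]` to the global `var.enable_tgw`, so any `tgw` attribute still present in `local.apps-devstg-vpcs` is now ignored, and with TGW disabled the data source reads no VPC state at all; whatever consumed those outputs before (not visible in this hunk) should be checked for now-empty references. If the per-VPC attribute is obsolete it should be removed from the locals in the same change. The locals and the surrounding `data` block start outside the hunk.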
@@ -52,7 +52,35 @@ locals { security_group_ids = aws_security_group.kms_vpce[0].id private_dns_enabled = var.enable_kms_endpoint_private_dns } if var.enable_kms_endpoint - } + }, + # SSM + { for k, v in { ssm = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + }, + { for k, v in { ec2messages = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + }, + { for k, v in { ssmmessages = "Interface" } : + k => { + service = k + service_type = v + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.ssm_vpce[0].id] + private_dns_enabled = true + } if var.enable_ssm_endpoints + }, ) } 
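Review bot: The three new `for` expressions for `ssm`, `ec2messages` and `ssmmessages` are identical apart from the service name and can be one expression over a three-key map, and each hard-codes `private_dns_enabled = true` even though this commit introduces `enable_ssm_endpoints_private_dns` in variables.tf; since the SSM agent connects to the public service hostnames, private DNS is what steers it to the endpoint, so that variable should either default to `true` and be consumed here, or not be added at all. The merged form below assumes the variable is wired with a `true` default; with its current `false` default it would silently disable private DNS. The enclosing `locals` block and the `merge(...)` call start outside the hunk.
```hcl
      # SSM Session Manager needs ssm, ec2messages and ssmmessages; one
      # expression keeps the three definitions in step.
      { for k, v in { ssm = "Interface", ec2messages = "Interface", ssmmessages = "Interface" } :
        k => {
          service             = k
          service_type        = v
          subnet_ids          = module.vpc.private_subnets
          security_group_ids  = [aws_security_group.ssm_vpce[0].id]
          private_dns_enabled = var.enable_ssm_endpoints_private_dns
        } if var.enable_ssm_endpoints
      },
```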
@@ -100,3 +128,63 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +# +# SSM VPC Endpoint: Security Group +# +resource "aws_security_group" "ssm_vpce" { + #count = var.enable_kms_endpoint ? 1 : 0 + count = 1 + name = "ssm_vpce" + description = "Allow TLS inbound traffic" + vpc_id = module.vpc.vpc_id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [local.vpc_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = local.tags +} + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id +} diff --git a/apps-devstg/us-east-1/base-network/variables.tf b/apps-devstg/us-east-1/base-network/variables.tf index 905a9df68..7274e9d91 100644 --- a/apps-devstg/us-east-1/base-network/variables.tf +++ b/apps-devstg/us-east-1/base-network/variables.tf 
@@ -146,8 +146,26 @@ variable "enable_kms_endpoint_private_dns" { default = false } +variable "enable_ssm_endpoints" { + description = "Enable SSM endpoints" + type = bool + default = false +} + +variable "enable_ssm_endpoints_private_dns" { + description = "Enable SSM endpoints" + type = bool + default = false +} + variable "enable_tgw" { description = "Enable Transit Gateway Support" type = bool default = false } + +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} From 2845e32ead85d7f4019cf4ea651ecf1c575c5d7c Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 21 Dec 2021 21:22:33 -0300 Subject: [PATCH 36/44] Add public & private route to TGW for apps-devstg-k8s-eks --- .../us-east-1/k8s-eks/network/config.tf | 15 +++++++++ .../us-east-1/k8s-eks/network/network.tf | 32 +++++++++++++++++++ .../us-east-1/k8s-eks/network/variables.tf | 6 ++++ 3 files changed, 53 insertions(+) diff --git a/apps-devstg/us-east-1/k8s-eks/network/config.tf b/apps-devstg/us-east-1/k8s-eks/network/config.tf index 856b63767..89816dcc0 100644 --- a/apps-devstg/us-east-1/k8s-eks/network/config.tf +++ b/apps-devstg/us-east-1/k8s-eks/network/config.tf @@ -32,6 +32,21 @@ terraform { # # Data sources # + +# TGW +data "terraform_remote_state" "tgw" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway/terraform.tfstate" + } +} + data "terraform_remote_state" "tools-vpn-server" { backend = "s3" diff --git a/apps-devstg/us-east-1/k8s-eks/network/network.tf b/apps-devstg/us-east-1/k8s-eks/network/network.tf index e6b6994f0..2b5b64649 100644 --- a/apps-devstg/us-east-1/k8s-eks/network/network.tf +++ b/apps-devstg/us-east-1/k8s-eks/network/network.tf 
@@ -99,3 +99,35 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc-eks.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc-eks.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id +} diff --git a/apps-devstg/us-east-1/k8s-eks/network/variables.tf b/apps-devstg/us-east-1/k8s-eks/network/variables.tf index 845c5d5e5..afa8c9040 100644 --- a/apps-devstg/us-east-1/k8s-eks/network/variables.tf +++ b/apps-devstg/us-east-1/k8s-eks/network/variables.tf @@ -172,3 +172,9 @@ variable "enable_tgw" { type = bool default = false } + +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} From 1a321c0d8754a4e1549c8255faf6bcb4665dc598 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 21 Dec 2021 21:30:49 -0300 Subject: [PATCH 37/44] Add public & private route to TGW for apps-devstg-k8s-eks-demoapps --- .../k8s-eks-demoapps/network/config.tf | 15 +++++++++ .../k8s-eks-demoapps/network/network.tf | 32 +++++++++++++++++++ .../k8s-eks-demoapps/network/variables.tf | 6 ++++ .../us-east-2/k8s-eks/network/config.tf | 20 ++++++++++-- .../us-east-2/k8s-eks/network/network.tf | 32 +++++++++++++++++++ 5 files changed, 103 insertions(+), 2 deletions(-) 
diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/network/config.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/network/config.tf index 4c372f5c5..18f9d1453 100644 --- a/apps-devstg/us-east-1/k8s-eks-demoapps/network/config.tf +++ b/apps-devstg/us-east-1/k8s-eks-demoapps/network/config.tf @@ -33,6 +33,21 @@ terraform { # Data sources # #=============================# +# TGW +data "terraform_remote_state" "tgw" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway/terraform.tfstate" + } +} + + # # data type from output for tools-ec2 # diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/network/network.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/network/network.tf index 2a56602f5..bc005fe08 100644 --- a/apps-devstg/us-east-1/k8s-eks-demoapps/network/network.tf +++ b/apps-devstg/us-east-1/k8s-eks-demoapps/network/network.tf @@ -102,3 +102,35 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc-eks.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc-eks.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id +} 
diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/network/variables.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/network/variables.tf index fdc2c4f43..52fca1098 100644 --- a/apps-devstg/us-east-1/k8s-eks-demoapps/network/variables.tf +++ b/apps-devstg/us-east-1/k8s-eks-demoapps/network/variables.tf @@ -172,3 +172,9 @@ variable "enable_tgw" { type = bool default = false } + +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} diff --git a/apps-devstg/us-east-2/k8s-eks/network/config.tf b/apps-devstg/us-east-2/k8s-eks/network/config.tf index f268c7f48..3ef5e0cc0 100644 --- a/apps-devstg/us-east-2/k8s-eks/network/config.tf +++ b/apps-devstg/us-east-2/k8s-eks/network/config.tf @@ -29,9 +29,24 @@ terraform { } } -# +#=============================# # Data sources -# +#=============================# + +# TGW +data "terraform_remote_state" "tgw-dr" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway-dr/terraform.tfstate" + } +} + data "terraform_remote_state" "tools-vpn-server" { backend = "s3" @@ -42,6 +57,7 @@ data "terraform_remote_state" "tools-vpn-server" { key = "shared/vpn/terraform.tfstate" } } + # # VPC remote states for network data "terraform_remote_state" "network-vpcs" { diff --git a/apps-devstg/us-east-2/k8s-eks/network/network.tf b/apps-devstg/us-east-2/k8s-eks/network/network.tf index 38a3eb038..714d6203c 100644 --- a/apps-devstg/us-east-2/k8s-eks/network/network.tf +++ b/apps-devstg/us-east-2/k8s-eks/network/network.tf 
@@ -101,3 +101,35 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc-eks.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw-dr[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc-eks.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw-dr[0].outputs.tgw_id +} From 8ebd689151cba090e3b23f5ee07be8ac895a4662 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 21 Dec 2021 21:38:41 -0300 Subject: [PATCH 38/44] Add public & private route to TGW for network account --- network/us-east-1/base-network/config.tf | 14 +++++++++ network/us-east-1/base-network/network.tf | 32 +++++++++++++++++++++ network/us-east-1/base-network/variables.tf | 6 ++++ 3 files changed, 52 insertions(+) diff --git a/network/us-east-1/base-network/config.tf b/network/us-east-1/base-network/config.tf index 3de6d9f39..d3f8044af 100644 --- a/network/us-east-1/base-network/config.tf +++ b/network/us-east-1/base-network/config.tf @@ -56,6 +56,20 @@ terraform { data "aws_caller_identity" "current" {} +# TGW +data "terraform_remote_state" "tgw" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway/terraform.tfstate" + } +} + # # data type from output for tools-ec2 # 
diff --git a/network/us-east-1/base-network/network.tf b/network/us-east-1/base-network/network.tf index b39614905..1db854e39 100644 --- a/network/us-east-1/base-network/network.tf +++ b/network/us-east-1/base-network/network.tf @@ -82,3 +82,35 @@ resource "aws_security_group" "kms_vpce" { depends_on = [module.vpc] } + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc-eks.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc-eks.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id +} diff --git a/network/us-east-1/base-network/variables.tf b/network/us-east-1/base-network/variables.tf index da8c5598a..c79781c4e 100644 --- a/network/us-east-1/base-network/variables.tf +++ b/network/us-east-1/base-network/variables.tf @@ -232,6 +232,12 @@ variable "enable_vpc_attach" { } } +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} + variable "enable_network_firewall" { description = "Enable AWS Network Firewall support" type = bool From ec505a1d1dda784f99ec7060b66332bd7b8d8da1 Mon Sep 17 00:00:00 2001 
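Review bot: Both new routes reference `module.vpc-eks`, but this is the network account's base-network layer whose VPC module is `module.vpc` — the context line `depends_on = [module.vpc]` at the top of the hunk shows it — so the copy from the k8s-eks layers will fail with an undeclared module reference. The two lines should read `route_table_id = module.vpc.public_route_table_ids[0]` and `route_table_id = module.vpc.private_route_table_ids[0]`. The network-dr hunk in network/us-east-2/base-network/network.tf further down carries the same `module.vpc-eks` reference and presumably needs the same fix.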
From: "Luis M. Gallardo D" Date: Tue, 21 Dec 2021 21:43:31 -0300 Subject: [PATCH 39/44] Add public & private route to TGW for shared account --- shared/us-east-1/base-network/config.tf | 14 ++++++++ shared/us-east-1/base-network/network.tf | 32 +++++++++++++++++++ shared/us-east-1/base-network/variables.tf | 6 ++++ shared/us-east-1/base-network/vpc_peerings.tf | 3 +- 4 files changed, 54 insertions(+), 1 deletion(-) diff --git a/shared/us-east-1/base-network/config.tf b/shared/us-east-1/base-network/config.tf index 4963ed66a..627d62551 100644 --- a/shared/us-east-1/base-network/config.tf +++ b/shared/us-east-1/base-network/config.tf @@ -61,6 +61,20 @@ terraform { # Data sources # #=============================# +# TGW +data "terraform_remote_state" "tgw" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway/terraform.tfstate" + } +} + # # data type from output for tools-ec2 # diff --git a/shared/us-east-1/base-network/network.tf b/shared/us-east-1/base-network/network.tf index 6b9b49034..602f3dcf8 100644 --- a/shared/us-east-1/base-network/network.tf +++ b/shared/us-east-1/base-network/network.tf 
@@ -98,3 +98,35 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id +} diff --git a/shared/us-east-1/base-network/variables.tf b/shared/us-east-1/base-network/variables.tf index 7d449596a..a7ca7e7d2 100644 --- a/shared/us-east-1/base-network/variables.tf +++ b/shared/us-east-1/base-network/variables.tf @@ -199,3 +199,9 @@ variable "enable_tgw" { type = bool default = false } + +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} diff --git a/shared/us-east-1/base-network/vpc_peerings.tf b/shared/us-east-1/base-network/vpc_peerings.tf index 6e771b897..2c67ece04 100644 --- a/shared/us-east-1/base-network/vpc_peerings.tf +++ b/shared/us-east-1/base-network/vpc_peerings.tf @@ -6,7 +6,8 @@ module "vpc_peering_apps_devstg_to_shared" { for_each = { for k, v in local.apps-devstg-vpcs : - k => v if var.enable_tgw != true + #k => v if var.enable_tgw != true + k => v } providers = { From 1988f35af2f086019457834d82c1935aa06f880a Mon Sep 17 00:00:00 2001 
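Review bot: The filter `k => v if var.enable_tgw != true` is left as a commented-out line beside its unconditional replacement `k => v`; dead code inside a `for_each` misleads the next reader, so delete the comment and, if the intent is to keep the peerings alive alongside TGW, state it: `# Peerings are kept when TGW is enabled; per-VPC peering routes are more specific than the 0.0.0.0/0 TGW route and take precedence`. Note that a CIDR listed in `tgw_cidrs` that already has a peering route on the public route table would be a duplicate destination and fail to apply, so the two lists should be kept disjoint. The enclosing `module` block starts and ends outside the hunk.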
From: "Luis M. Gallardo D" Date: Tue, 21 Dec 2021 21:46:23 -0300 Subject: [PATCH 40/44] Add network.auto.tfvars for the network base --- shared/us-east-1/base-network/network.auto.tfvars | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 shared/us-east-1/base-network/network.auto.tfvars diff --git a/shared/us-east-1/base-network/network.auto.tfvars b/shared/us-east-1/base-network/network.auto.tfvars new file mode 100644 index 000000000..0298bcd70 --- /dev/null +++ b/shared/us-east-1/base-network/network.auto.tfvars @@ -0,0 +1,6 @@ +# NAT GW +vpc_enable_nat_gateway = false +vpc_single_nat_gateway = true + +# VPN Gateways +vpc_enable_vpn_gateway = false From 1ddcf86c6086e4953d709b0e4b39b368a6417cfe Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Tue, 21 Dec 2021 23:51:56 -0300 Subject: [PATCH 41/44] Add public & private route to TGW for apps-prd-k8s-eks --- apps-devstg/us-east-2/k8s-eks/network/variables.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apps-devstg/us-east-2/k8s-eks/network/variables.tf b/apps-devstg/us-east-2/k8s-eks/network/variables.tf index 42dcaef2b..4cae11c13 100644 --- a/apps-devstg/us-east-2/k8s-eks/network/variables.tf +++ b/apps-devstg/us-east-2/k8s-eks/network/variables.tf @@ -172,3 +172,9 @@ variable "enable_tgw" { type = bool default = false } + +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} From a3c834cc37f9a7d75b633d1c8a1edfe8388611ca Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 22 Dec 2021 00:05:35 -0300 Subject: [PATCH 42/44] Add public & private route to TGW for network-dr account --- network/us-east-2/base-network/config.tf | 14 +++++++++++ network/us-east-2/base-network/network.tf | 28 +++++++++++++++++++++ network/us-east-2/base-network/variables.tf | 7 ++++++ 3 files changed, 49 insertions(+) 
diff --git a/network/us-east-2/base-network/config.tf b/network/us-east-2/base-network/config.tf index 8e2542b0e..39f0f92d6 100644 --- a/network/us-east-2/base-network/config.tf +++ b/network/us-east-2/base-network/config.tf @@ -56,6 +56,20 @@ terraform { data "aws_caller_identity" "current" {} +# TGW +data "terraform_remote_state" "tgw-dr" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway-dr/terraform.tfstate" + } +} + # # data type from output for tools-ec2 # diff --git a/network/us-east-2/base-network/network.tf b/network/us-east-2/base-network/network.tf index a4bebbf3f..821d52174 100644 --- a/network/us-east-2/base-network/network.tf +++ b/network/us-east-2/base-network/network.tf @@ -103,3 +103,31 @@ resource "aws_security_group" "kms_vpce" { tags = local.tags } + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc-eks.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw-dr[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc-eks.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw-dr[0].outputs.tgw_id +} diff --git a/network/us-east-2/base-network/variables.tf b/network/us-east-2/base-network/variables.tf index 7f7a5dd61..3aa78d459 100644 --- a/network/us-east-2/base-network/variables.tf +++ b/network/us-east-2/base-network/variables.tf 
@@ -215,6 +215,13 @@ variable "enable_tgw" { default = false } +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} + + variable "enable_vpc_attach" { description = "Enable VPC attachments per account" type = any From b21fb3803e0c7a58a110219535d25018b4ac9913 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 22 Dec 2021 00:18:54 -0300 Subject: [PATCH 43/44] Add TGW multi region support --- apps-prd/us-east-1/base-network/config.tf | 15 ++++++++ apps-prd/us-east-1/base-network/network.tf | 32 +++++++++++++++++ apps-prd/us-east-1/base-network/variables.tf | 6 ++++ network/us-east-1/transit-gateway/locals.tf | 4 +-- network/us-east-1/transit-gateway/tgw.tf | 37 -------------------- network/us-east-2/transit-gateway/tgw.tf | 36 ------------------- shared/us-east-2/base-network/config.tf | 15 ++++++++ shared/us-east-2/base-network/network.tf | 32 +++++++++++++++++ shared/us-east-2/base-network/variables.tf | 6 ++++ 9 files changed, 108 insertions(+), 75 deletions(-) diff --git a/apps-prd/us-east-1/base-network/config.tf b/apps-prd/us-east-1/base-network/config.tf index 2950ccb05..6ecbc3e9d 100644 --- a/apps-prd/us-east-1/base-network/config.tf +++ b/apps-prd/us-east-1/base-network/config.tf @@ -26,6 +26,20 @@ terraform { # Data sources # #=============================# +# TGW +data "terraform_remote_state" "tgw" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway/terraform.tfstate" + } +} + # # data type from output for notifications # @@ -33,6 +47,7 @@ data "terraform_remote_state" "notifications" { backend = "s3" config = { + region = var.region profile = var.profile bucket = var.bucket diff --git a/apps-prd/us-east-1/base-network/network.tf b/apps-prd/us-east-1/base-network/network.tf index 23b1f04d3..5494476e2 100644 
--- a/apps-prd/us-east-1/base-network/network.tf +++ b/apps-prd/us-east-1/base-network/network.tf @@ -156,3 +156,35 @@ resource "aws_security_group" "ssm_vpce" { tags = local.tags } + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw[0].outputs.tgw_id +} diff --git a/apps-prd/us-east-1/base-network/variables.tf b/apps-prd/us-east-1/base-network/variables.tf index 2fcac46fd..b5efe51ba 100644 --- a/apps-prd/us-east-1/base-network/variables.tf +++ b/apps-prd/us-east-1/base-network/variables.tf @@ -171,3 +171,9 @@ variable "enable_tgw" { type = bool default = false } + +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} diff --git a/network/us-east-1/transit-gateway/locals.tf b/network/us-east-1/transit-gateway/locals.tf index f609e85d7..9383cf822 100644 --- a/network/us-east-1/transit-gateway/locals.tf +++ b/network/us-east-1/transit-gateway/locals.tf 
@@ -60,9 +60,9 @@ locals { } #apps-prd-k8s-eks = { # region = var.region - # profile = "${var.project}-apps-prd-devops" + # profile = "${var.project}-apps-prd-devops" # bucket = "${var.project}-apps-prd-terraform-backend" - # key = "apps-prd/k8s-eks/network/terraform.tfstate" + # key = "apps-prd/k8s-eks/network/terraform.tfstate" #} } diff --git a/network/us-east-1/transit-gateway/tgw.tf b/network/us-east-1/transit-gateway/tgw.tf index 1555658e7..a98961d75 100644 --- a/network/us-east-1/transit-gateway/tgw.tf +++ b/network/us-east-1/transit-gateway/tgw.tf @@ -259,43 +259,6 @@ resource "aws_route" "apps_devstg_public_route_to_tgw" { } -resource "aws_route" "apps_prd_public_route_to_tgw" { - - # For each vpc... - for_each = { - for k, v in data.terraform_remote_state.apps-prd-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-prd", false) - } - - # ...add a route into the network public RT - route_table_id = data.terraform_remote_state.network-vpcs["network-base"].outputs.public_route_table_ids[0] - destination_cidr_block = each.value.outputs.vpc_cidr_block - transit_gateway_id = module.tgw[0].transit_gateway_id - - depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network] - -} - -# Update shared public RT -resource "aws_route" "shared_public_apps_devstg_route_to_tgw" { - - # For each vpc... - for_each = { - for k, v in data.terraform_remote_state.apps-devstg-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg", false) - } - - # ...add a route into the network public RT - route_table_id = data.terraform_remote_state.shared-vpcs["shared-base"].outputs.public_route_table_ids[0] - destination_cidr_block = each.value.outputs.vpc_cidr_block - transit_gateway_id = module.tgw[0].transit_gateway_id - - depends_on = [module.tgw, module.tgw_vpc_attachments_and_subnet_routes_network] - - provider = aws.shared - -} - resource "aws_route" "shared_public_apps_prd_route_to_tgw" { # For each vpc... 
diff --git a/network/us-east-2/transit-gateway/tgw.tf b/network/us-east-2/transit-gateway/tgw.tf index e922f6666..ae6f9f5a1 100644 --- a/network/us-east-2/transit-gateway/tgw.tf +++ b/network/us-east-2/transit-gateway/tgw.tf @@ -242,23 +242,6 @@ resource "aws_ec2_transit_gateway_route_table_propagation" "apps-prd-rt-propagat # # Update network public RT # -resource "aws_route" "apps_devstg_public_route_to_tgw" { - - # For each vpc... - for_each = { - for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg-dr", false) - } - - # ...add a route into the network public RT - route_table_id = data.terraform_remote_state.network-dr-vpcs["network-base-dr"].outputs.public_route_table_ids[0] - destination_cidr_block = each.value.outputs.vpc_cidr_block - transit_gateway_id = module.tgw-dr[0].transit_gateway_id - - depends_on = [module.tgw-dr, module.tgw_vpc_attachments_and_subnet_routes_network-dr] - -} - resource "aws_route" "apps_prd_public_route_to_tgw" { # For each vpc... @@ -277,25 +260,6 @@ resource "aws_route" "apps_prd_public_route_to_tgw" { } # Update shared public RT -resource "aws_route" "shared_public_apps_devstg_route_to_tgw" { - - # For each vpc... - for_each = { - for k, v in data.terraform_remote_state.apps-devstg-dr-vpcs : - k => v if var.enable_tgw && lookup(var.enable_vpc_attach, "apps-devstg-dr", false) - } - - # ...add a route into the network public RT - route_table_id = data.terraform_remote_state.shared-dr-vpcs["shared-base-dr"].outputs.public_route_table_ids[0] - destination_cidr_block = each.value.outputs.vpc_cidr_block - transit_gateway_id = module.tgw-dr[0].transit_gateway_id - - depends_on = [module.tgw-dr, module.tgw_vpc_attachments_and_subnet_routes_network-dr] - - provider = aws.shared - -} - resource "aws_route" "shared_public_apps_prd_route_to_tgw" { # For each vpc... 
diff --git a/shared/us-east-2/base-network/config.tf b/shared/us-east-2/base-network/config.tf index 39076df67..85d23f607 100644 --- a/shared/us-east-2/base-network/config.tf +++ b/shared/us-east-2/base-network/config.tf @@ -47,6 +47,21 @@ terraform { # Data sources # #=============================# +# TGW +data "terraform_remote_state" "tgw-dr" { + count = var.enable_tgw ? 1 : 0 + + backend = "s3" + + config = { + region = var.region + profile = "${var.project}-network-devops" + bucket = "${var.project}-network-terraform-backend" + key = "network/transit-gateway-dr/terraform.tfstate" + } +} + + data "terraform_remote_state" "tools-vpn-server" { backend = "s3" diff --git a/shared/us-east-2/base-network/network.tf b/shared/us-east-2/base-network/network.tf index 3dac46f32..b15e360c9 100644 --- a/shared/us-east-2/base-network/network.tf +++ b/shared/us-east-2/base-network/network.tf @@ -154,3 +154,35 @@ resource "aws_security_group" "ssm_vpce" { tags = local.tags } + +#################### +# TGW Route tables # +#################### + +# Update public RT +resource "aws_route" "public_rt_routes_to_tgw" { + + # For TWG CDIR + for_each = { + for k, v in var.tgw_cidrs : + k => v if var.enable_tgw && length(var.tgw_cidrs) > 0 + } + + # ...add a route into the network public RT + route_table_id = module.vpc.public_route_table_ids[0] + destination_cidr_block = each.value + transit_gateway_id = data.terraform_remote_state.tgw-dr[0].outputs.tgw_id + +} + +# Update private RT +resource "aws_route" "private_rt_routes_to_tgw" { + + # If TGW enable + count = var.enable_tgw ? 1 : 0 + + # ...add a route into the network private RT + route_table_id = module.vpc.private_route_table_ids[0] + destination_cidr_block = "0.0.0.0/0" + transit_gateway_id = data.terraform_remote_state.tgw-dr[0].outputs.tgw_id +} diff --git a/shared/us-east-2/base-network/variables.tf b/shared/us-east-2/base-network/variables.tf index 4f61cdf7d..2b2bcfacd 100644 --- a/shared/us-east-2/base-network/variables.tf 
+++ b/shared/us-east-2/base-network/variables.tf @@ -223,3 +223,9 @@ variable "enable_tgw" { type = bool default = false } + +variable "tgw_cidrs" { + description = "CIDRs to be added as routes to public RT" + type = list(string) + default = [] +} From f0aea7dd8056db5548ce9c701e702db0749a0671 Mon Sep 17 00:00:00 2001 From: "Luis M. Gallardo D" Date: Wed, 22 Dec 2021 13:30:41 -0300 Subject: [PATCH 44/44] Add multi region tgw + ngw deployment in network root README --- network/README.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/network/README.md b/network/README.md index e2bfc75a9..ff3fbc658 100644 --- a/network/README.md +++ b/network/README.md @@ -7,7 +7,7 @@ In case you are using AWS Transit Gateway, you need to enable the Network Firewa In order to enable Network Firewall using a Transit Gateway perform the following order: -1. Enable NAT Gateway in the `network` account. Edit the `../network/us-east-1/base-network/network.auto.tfvars' file: +1. Enable NAT Gateway in the `network` account. Edit the `../network/us-east-1/base-network/network.auto.tfvars` file: ``` # NAT GW @@ -38,7 +38,7 @@ enable_vpc_attach = { enable_network_firewall = true ``` -3 Enable the transit gateway by adding the following lines in the `../config/common.tfvars` file: +3. Enable the transit gateway by adding the following lines in the `../config/common.tfvars` file: ``` # Networking 
@@ -50,3 +50,12 @@ enable_tgw = true Then apply the changes in the Transit Gateway layer. 4. Finally edit the `network-firewall` layer according to your needs and apply the changes. + + +# Multi Region Transit Gateways + Network Firewall + +In order to deploy a Transit Gateway and a Network Firewall in a secondary region follow these steps: + +1. In the secondary region deploy the Transit Gateway and the Network Firewall as done in the primary region. +2. Then go to the Transit Gateway layer in the primary region to deploy the Transit Gateways peering defined in the `../network/us-east-1/base-network/tgw-peerings.tf` file. This will create a peering request to the Transit gateway in the secondary region. +3. Go to the Transit Gateway layer in the secondary region to accept the request as defined in the `../network/us-east-2/base-network/tgw-accepters.tf` file.