diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9c404c6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,51 @@
+# Local VSCode settings
+.vscode/*
+
+# Local .terraform directories
+**/.terraform/*
+**/data/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Terragrunt Files
+**/.terragrunt-cache
+**/hcl.swp
+backend.tf
+provider.tf
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Unencrypted Secrets
+**/*decrypted*.yaml
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Kube Control
+kubeconfig
+
+# OSx Files
+**/*.DS_Store*
+
+# IntelliJ Files
+**/*.idea*
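Review bot: `backend.tf` and `provider.tf` are ignored here, yet this same patch tracks and modifies `examples/terraform/provider.tf`; ignore rules do not affect already-tracked files, but new contributors adding a provider.tf under examples/ will silently lose it. Scope the pattern (e.g. `/backend.tf`, `/provider.tf`) or drop it for the examples tree. `**/data/*` is also very broad for a Terraform module repo and will hide any `data/` directory, not just Terragrunt scratch data; consider narrowing it. The `**/*decrypted*.yaml` rule for unencrypted secrets is worth keeping even though this module no longer creates SOPS files. Minor: "OSx" in the comment should be "macOS".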
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b80373..10d5bb4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,118 +1,5 @@
-## 1.1.4 (April 23, 2022)
-ENHANCEMENT:
-
- * Added support for `is_enabled` property.
- * Added support for `bypass_policy_lockout_safety_check` property.
-
-CHORE:
-
- * Added default KMS policy to example since removing this causes a great risk to losing access to the key [as per this support document](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html).
-
-## 1.1.3 (April 22, 2022)
-
-BUG:
-
- * Removed lifecycle policy for alias and key as there is no way to paramaterize [this "known limitation" with Terraform. (Issue #22544)](https://github.com/hashicorp/terraform/issues/22544). User can set this outside of the module. (see examples)
-
-## 1.1.2 (April 22, 2022)
-
-BUG:
-
- * Set default for KMS policy to "" so that a default policy is created if none is provided.
-
-CHORE:
- * Renamed aws_kms_alias property for `name` from "alias" to "name" which is less confusing.
-
-ENHANCEMENT:
-
- * Improved input tables in README.
- * Added option to disable/enable SOPS file creation.
-
-## 1.1.1 (April 13, 2022)
-
-CHORE:
-
- * Improved input table in README.
- * Set a data type for the policy variable.
- * Added sops_file provider documentation in README
-
-## 1.1.0 (March 7, 2022)
-
-BREAK/FIX:
-
- * Added 'type' for tag to be map(string)
-
-ENHANCEMENT:
-
- * Added customer_master_key_spec input.
-
-CHORE:
-
- * Updated readme to be more descriptive.
- * Updated examples.
-
-## 1.0.9 (February 24, 2022)
-
-CHORE:
-
- * Using best practices with resource aliases.
-
-## 1.0.8 (February 11, 2022)
-
-ENHANCEMENT:
-
- * Improved readme links to examples.
-
-## 1.0.7 (February 11, 2022)
-
-ENHANCEMENT:
-
- * Improved Terraform & Terragrunt examples.
-
-## 1.0.6 (February 10, 2022)
-
-CHORE:
-
- * Fix links for examples.
-
-## 1.0.5 (February 10, 2022)
-
-ENHANCEMENT:
-
- * Add example link for Terragrunt.
-
-## 1.0.4 (February 10, 2022)
-
-ENHANCEMENT:
-
- * Add latest tag badge to readme.
-
-## 1.0.3 (February 10, 2022)
-
-ENHANCEMENT:
-
- * Added input for multi-region
- * Added input for key rotation
- * Added input for deletion window
- * Added input for key usage
- * Updated README
- * Updated examples
-
-## 1.0.2 (February 10, 2022)
-
-ENHANCEMENT:
-
- * Added descriptions to outputs.
- * Updated README
-
-## 1.0.1 (February 10, 2022)
-
-ENHANCEMENT:
-
- * Updated documentation
-
-## 1.0.0 (February 10, 2022)
+## 1.0.0 (July 21, 2022)
INITIAL:
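Review bot: the new `1.0.0 (July 21, 2022)` entry has only the `INITIAL:` heading and no bullet describing what ships (the `aws_ec2_transit_gateway_vpc_attachment` resource, the `transit_gateway_attachments` map input, the `>= 4.0.0` provider requirement). Add at least one line so the changelog is usable. The removed 1.0.0 through 1.1.4 entries belong to the KMS module this repository was repurposed from; if this is intentionally a fresh history, fine, but a note such as "forked from adamwshero/terraform-aws-kms" would explain why the git history predates 1.0.0.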
diff --git a/README.md b/README.md
index d8e2332..a65dcec 100644
--- a/README.md
+++ b/README.md
@@ -8,11 +8,11 @@
![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/adamwshero/terraform-aws-kms?color=lightgreen&label=latest%20tag%3A&style=for-the-badge)
-# terraform-aws-kms
+# terraform-aws-transit-gateway-attachment
-Terraform module to create Amazon Customer Managed Key (CMK) including optional use with [Mozilla SOPS](https://github.com/mozilla/sops).
+Terraform module to create one or many Amazon Transit Gateway Attachments to an existing Amazon Transit Gateway.
-[Amazon Key Management Service (KMS)](https://aws.amazon.com/kms/) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
+[Amazon Transit Gateway (TGW)](https://aws.amazon.com/transit-gateway/) connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once. Attachments to your TGW can be made from any account in your organization to enable cross-account connectivity.
## Examples
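Review bot: the badge on the unchanged context line at the top of this hunk still points at `img.shields.io/github/v/tag/adamwshero/terraform-aws-kms`, so the "latest tag" shown will be the KMS module's tag, not this module's. Update it to the `terraform-aws-transit-gateway-attachment` repository alongside the title change on the next line.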
@@ -21,58 +21,36 @@ Look at our [Terraform example](latest/examples/terraform/) where you can get a
## Usage
-You can create a customer managed key (CMK) for use with the [Mozilla SOPS](https://github.com/mozilla/sops) tool. The module will create the CMK and gives you an option to also create a kms-sops.yaml for you to use with the SOPS tool for encrypting and decrypting files.
+You can create a transit gateway attachment for an existing transit gateway in your organization. You can also create multiple transit gateway attachments if you have more than one transit gateway in your organization that you need to attach in a given account.
-### Terraform Example with optional SOPS file and lifecycle policy.
+### Terraform Example with multiple TGW attachment use-case.
```
-module "kms-sops" {
- source = "adamwshero/kms/aws"
- version = "~> 1.1.4"
- is_enabled = true
- name = "alias/devops"
- description = "Used for managing devops-maintained encrypted data."
- deletion_window_in_days = 7
- enable_key_rotation = false
- key_usage = "ENCRYPT_DECRYPT"
- customer_master_key_spec = "SYMMETRIC_DEFAULT"
- bypass_policy_lockout_safety_check = false
- multi_region = false
- enable_sops = true
- sops_file = "${get_terragrunt_dir()}/.sops.yaml"
- prevent_destroy = false
-
- lifecycle = {
- prevent_destroy = true
- }
+locals {
+ env = "dev"
+ account_id = "12345679810"
+ vpc_id = "vpc-1234ab567"
+ tgw_id_1 = "tgw-1111a11111a1a1aa1"
+ tgw_id_2 = "tgw-2222a22222a2a2aa2"
+ subnet_ids = ["10.26.0.0/19", "10.26.32.0/19", "10.26.64.0/19"]
+}
- policy = jsonencode(
- {
- "Sid" : "Enable IAM policies",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "arn:aws:iam::${account_id}:root"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- },
- {
- "Version" : "2012-10-17",
- "Id" : "1",
- "Statement" : [
- {
- "Sid" : "Account Permissions",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "${data.aws_iam_roles.roles.arns}"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- }
- ]
- }
- )
+module "transit_gateway_attachment" {
+ source = "adamwshero/transit-gateway-attachment/aws"
+ version = "~> 1.0.0"
+ transit_gateway_attachments = {
+ attachment-1 = {
+ vpc_id = local.vpc_id
+ transit_gateway_id = local.tgw_id_1
+ subnet_ids = local.subnet_ids
+ }
+ attachment-2 = {
+ vpc_id = local.vpc_id
+ transit_gateway_id = local.tgw_id_2
+ subnet_ids = local.subnet_ids
+ }
+ }
tags = {
Environment = local.env
Owner = "DevOps"
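Review bot: `subnet_ids = ["10.26.0.0/19", "10.26.32.0/19", "10.26.64.0/19"]` in the `locals` block are CIDR blocks, not subnet identifiers; `aws_ec2_transit_gateway_vpc_attachment.subnet_ids` takes IDs of the form `subnet-...`, so a reader who copies this example will get an API error at apply. Use placeholder subnet IDs and label them as such. The `account_id = "12345679810"` local is unused by the module call and is 11 digits (AWS account IDs are 12), so either drop it or fix it. Lastly, the heading "Terraform Example with multiple TGW attachment use-case." reads better as "Terraform example: multiple TGW attachments".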
@@ -81,52 +59,51 @@ module "kms-sops" {
}
```
-### Terragrunt Example with optional SOPS file and lifecycle policy.
+### Terragrunt Example with multiple TGW attachment use-case.
```
locals {
- account = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- region = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- environment = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- sso_admin = "arn:aws:iam::{accountid}:role/my_trusted_role"
- account_id = "12345679810"
+ account = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+ region = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+ product = read_terragrunt_config(find_in_parent_folders("product.hcl"))
+ environment = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+ tags = merge(
+ local.product.locals.tags,
+ local.additional_tags
+ )
+ additional_tags = {
+ }
}
include {
path = find_in_parent_folders()
}
+dependency "vpc" {
+ config_path = "../vpc"
+}
+
terraform {
- source = "git@github.com:adamwshero/terraform-aws-kms.git//.?ref=1.1.4"
+ source = "git@github.com:adamwshero/terraform-aws-transit-gateway-attachment//.?ref=1.0.0"
}
inputs = {
- is_enabled = true
- name = "alias/devops"
- description = "Used for managing devops-maintained encrypted data."
- deletion_window_in_days = 7
- enable_key_rotation = false
- key_usage = "ENCRYPT_DECRYPT"
- customer_master_key_spec = "SYMMETRIC_DEFAULT"
- bypass_policy_lockout_safety_check = false
- multi_region = false
- enable_sops = true
- sops_file = "${get_terragrunt_dir()}/.sops.yaml"
- prevent_destroy = false
- lifecycle = {
- prevent_destroy = true
+ transit_gateway_attachments = {
+ attachment-1 = {
+ vpc_id = dependency.vpc.outputs.vpc_id
+ transit_gateway_id = local.account.locals.tgw_id_1
+ subnet_ids = dependency.vpc.outputs.private_subnets
+ }
+ attachment-2 = {
+ vpc_id = dependency.vpc.outputs.vpc_id
+ transit_gateway_id = local.account.locals.tgw_id_2
+ subnet_ids = dependency.vpc.outputs.private_subnets
+ }
}
- policy = templatefile("${get_terragrunt_dir()}/policy.json.tpl", {
- sso_admin = local.sso_admin
- account_id = local.account_id
- })
- tags = {
- Environment = local.env.locals.env
- Owner = "DevOps"
- CreatedByTerraform = true
- }
+ tags = local.tags
}
+
```
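Review bot: this Terragrunt example reads `region.hcl` via `find_in_parent_folders("region.hcl")`, but the patch adds only `account.hcl`, `env.hcl` and `product.hcl` under `examples/terragrunt/`; without a `region.hcl` the include fails before any input is evaluated. Either add a minimal `region.hcl` or drop that local. `environment = read_terragrunt_config(find_in_parent_folders("env.hcl"))` is read but never used in `inputs`, and `dependency "vpc" { config_path = "../vpc" }` refers to a sibling module that is not part of the examples tree, so state what outputs (`vpc_id`, `private_subnets`) that dependency is expected to expose. The blank line before the closing fence can go.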
@@ -134,7 +111,7 @@ inputs = {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | >= 2.67.0 |
+| [aws](#requirement\_aws) | >= 4.0.0 |
| [terraform](#requirement\_terraform) | >= 0.14.0
| [terragrunt](#requirement\_terragrunt) | >= 0.28.0 |
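Review bot: the `terraform` row on the unchanged context line is missing its trailing `|`, so the table renders inconsistently with the rows around it; since this hunk already touches the table, fix it here. The bump to `>= 4.0.0` is consistent with the `~> 4.0` constraint in `examples/terraform/provider.tf`.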
@@ -142,45 +119,39 @@ inputs = {
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 2.67.0 |
+| [aws](#provider\_aws) | >= 4.0.0 |
## Resources
| Name | Type |
|------|------|
-| [aws_kms_key.rsm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_kms_alias.rsm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [sops_file.rsm](https://registry.terraform.io/providers/carlpett/sops/latest/docs/data-sources/file) | resource |
+| [aws_ec2_transit_gateway_vpc_attachment.rsm](https://registry.terraform.io/providers/aaronfeng/aws/latest/docs/resources/ec2_transit_gateway_vpc_attachment)
## Available Inputs
-| Name | Resource | Variable | Data Type | Default | Required?
-| --------------------| ------------|----------------------------| -------------|---------------------|----------
-| Alias |aws_kms_alias| `alias` | `string` | `""` | No
-| Description | aws_kms_key | `description` | `string` | `""` | No
-| Deletion Window | aws_kms_key | `deletion_window_in_days` | `number` | `7` | No
-| Enable Key Rotation | aws_kms_key | `enable_key_rotation` | `bool` | `false` | No
-| Key Usage | aws_kms_key | `key_usage` | `string` | `ENCRYPT_DECRYPT` | No
-| Key Spec | aws_kms_key | `customer_master_key_spec` | `string` | `SYMMETRIC_DEFAULT` | No
-| Multi-Region | aws_kms_key | `multi_region` | `bool` | `false` | No
-| Policy | aws_kms_key | `policy` | `string` | `""` | No
-| Tags | aws_kms_key | `tags` | `map(string)`| `""` | No
-| Local SOPS File | sops_file | `sops_file` | `string` | `""` | Yes
-| Enable SOPS File | sops_file | `enable_sops` | `string` | `true` | No
+| Name | Resource | Variable | Data Type | Default | Required?
+| -----------------------| --------------------------------------|---------------------------------------------------|----------------|-----------|----------
+| Create TGW Attachment | aws_ec2_transit_gateway_vpc_attachment| `create_attachment` | `bool` | `true` | Yes
+| VPC Id | aws_ec2_transit_gateway_vpc_attachment| `vpc_id` | `string` | `""` | Yes
+| Subnet Ids | aws_ec2_transit_gateway_vpc_attachment| `subnet_ids` | `list(string)` | `[""]` | Yes
+| Transit Gateway Id | aws_ec2_transit_gateway_vpc_attachment| `transit_gateway_id` | `string` | `true` | Yes
+| Appliance Mode Support | aws_ec2_transit_gateway_vpc_attachment| `appliance_mode_support` | `string` | `disable` | No
+| DNS Support | aws_ec2_transit_gateway_vpc_attachment| `dns_support` | `string` | `enable` | No
+| IPv6 Support | aws_ec2_transit_gateway_vpc_attachment| `ipv6_support` | `string` | `disable` | No
+| Route Table Association| aws_ec2_transit_gateway_vpc_attachment| `transit_gateway_default_route_table_association` | `bool` | `true` | No
+| Route Table Propogation| aws_ec2_transit_gateway_vpc_attachment| `transit_gateway_default_route_table_association` | `bool` | `true` | No
+| Tags | aws_ec2_transit_gateway_vpc_attachment| `tags` | `map(string)` | `None` | No
## Predetermined Inputs
-| Name | Resource | Property | Data Type | Default | Required?
-| --------------------| ------------|---------------------------| -------------|-------------------------|----------
-| Target KMS Key Id |aws_kms_alias| `target_key_id` | `string` |`aws_kms_key.this.key.id`| Yes
-| SOPS File Creation | sops_file | `creation_rules` | `string` | `aws_kms_key.this.arn` | Yes
-| SOPS File Permission| sops_file | `file_permission` | `string` | `0600` | Yes
+| Name | Resource | Property | Data Type | Default | Required?
+| ----------------------------| ---------------------------------------|-------------------------------| -------------|-------------------------|----------
+| - | - | - | - | - | -
+
## Outputs
-| Name | Description |
-|-----------|----------------------------------|
-| CMK Arn | Arn of the customer managed key. |
-| CMK Id | Id of the customer managed key. |
-| SOPS File | Contents of the SOPS file. |
+| Name | Description |
+|-----------------------------|-------------------------------------|
+|Transit Gateway Attachments | map(list(map)) of your attachments. |
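Review bot: the Available Inputs table does not match `main.tf` and `variables.tf` in this patch. The "Route Table Propogation" row lists `transit_gateway_default_route_table_association` a second time; it should be `transit_gateway_default_route_table_propagation` (and the name is spelled "Propagation"). `transit_gateway_id` shows a default of `true` although it is a `string` whose declared default is `""`. `create_attachment` is marked Required yet has a default of `true`, which makes it optional. `tags` shows a default of `None`, but the variable has no default at all, so it is required. The per-attachment fields (`vpc_id`, `subnet_ids`, `transit_gateway_id`) are consumed from `each.value` of `transit_gateway_attachments`, so the top-level variables of the same name are never read; document them as keys of the map instead. In the Resources table, the link points at `providers/aaronfeng/aws` rather than `providers/hashicorp/aws`, and the row lacks its closing `| resource |` cell. The output type `map(list(map))` should say what the value actually is (a map keyed by attachment name of the created resources' attributes).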
diff --git a/examples/terraform/README.md b/examples/terraform/README.md
index c0604a7..9a5496c 100644
--- a/examples/terraform/README.md
+++ b/examples/terraform/README.md
@@ -1,58 +1,31 @@
# Complete Plan Example
```
-data "aws_iam_roles" "roles" {
- name_regex = "AWSReservedSSO_AWSAdministratorAccess_.*"
- path_prefix = "/aws-reserved/sso.amazonaws.com/"
+locals {
+ env = "dev"
+ account_id = "12345679810"
+ vpc_id = "vpc-1234ab567"
+ tgw_id_1 = "tgw-1111a11111a1a1aa1"
+ tgw_id_2 = "tgw-2222a22222a2a2aa2"
+ subnet_ids = ["10.26.0.0/19", "10.26.32.0/19", "10.26.64.0/19"]
}
-module "kms-sops" {
- source = "adamwshero/kms/aws"
- version = "~> 1.1.4"
- is_enabled = true
- name = "alias/devops"
- description = "Used for managing devops-maintained encrypted data."
- deletion_window_in_days = 7
- enable_key_rotation = false
- key_usage = "ENCRYPT_DECRYPT"
- customer_master_key_spec = "SYMMETRIC_DEFAULT"
- bypass_policy_lockout_safety_check = false
- multi_region = false
- enable_sops = true
- sops_file = "${get_terragrunt_dir()}/.sops.yaml"
- prevent_destroy = false
+module "transit_gateway_attachment" {
+ source = "adamwshero/transit-gateway-attachment/aws"
+ version = "~> 1.0.0"
- lifecycle = {
- prevent_destroy = true
- }
-
- policy = jsonencode(
- {
- "Sid" : "Enable IAM policies",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "arn:aws:iam::${account_id}:root"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- },
- {
- "Version" : "2012-10-17",
- "Id" : "1",
- "Statement" : [
- {
- "Sid" : "Account Permissions",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "${data.aws_iam_roles.roles.arns}"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- }
- ]
+ transit_gateway_attachments = {
+ attachment-1 = {
+ vpc_id = local.vpc_id
+ transit_gateway_id = local.tgw_id_1
+ subnet_ids = local.subnet_ids
}
- )
-
+ attachment-2 = {
+ vpc_id = local.vpc_id
+ transit_gateway_id = local.tgw_id_2
+ subnet_ids = local.subnet_ids
+ }
+ }
tags = {
Environment = local.env
Owner = "DevOps"
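Review bot: same defect as the root README example: the `subnet_ids` local holds CIDR blocks (`10.26.0.0/19`, ...) where `aws_ec2_transit_gateway_vpc_attachment` requires `subnet-...` identifiers, and `account_id = "12345679810"` is unused and one digit short. Since this README mirrors `examples/terraform/main.tf`, keep the two in sync when fixing it.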
diff --git a/examples/terraform/main.tf b/examples/terraform/main.tf
index b1deb4b..aa0d952 100644
--- a/examples/terraform/main.tf
+++ b/examples/terraform/main.tf
@@ -1,56 +1,28 @@
locals {
+ env = "dev"
account_id = "12345679810"
-}
-data "aws_iam_roles" "roles" {
- name_regex = "AWSReservedSSO_AWSAdministratorAccess_.*"
- path_prefix = "/aws-reserved/sso.amazonaws.com/"
+ vpc_id = "vpc-1234ab567"
+ tgw_id_1 = "tgw-1111a11111a1a1aa1"
+ tgw_id_2 = "tgw-2222a22222a2a2aa2"
+ subnet_ids = ["10.26.0.0/19", "10.26.32.0/19", "10.26.64.0/19"]
}
-module "kms-sops" {
- source = "adamwshero/kms/aws"
- version = "~> 1.1.4"
- is_enabled = true
- name = "alias/devops"
- description = "Used for managing devops-maintained encrypted data."
- deletion_window_in_days = 7
- enable_key_rotation = false
- key_usage = "ENCRYPT_DECRYPT"
- customer_master_key_spec = "SYMMETRIC_DEFAULT"
- bypass_policy_lockout_safety_check = false
- multi_region = false
- enable_sops = true
- sops_file = "${get_terragrunt_dir()}/.sops.yaml"
- prevent_destroy = false
- lifecycle = {
- prevent_destroy = true
- }
+module "transit_gateway_attachment" {
+ source = "adamwshero/transit-gateway-attachment/aws"
+ version = "~> 1.0.0"
- policy = jsonencode(
- {
- "Sid" : "Enable IAM policies",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "arn:aws:iam::${account_id}:root"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- },
- {
- "Version" : "2012-10-17",
- "Id" : "1",
- "Statement" : [
- {
- "Sid" : "Account Permissions",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "${data.aws_iam_roles.roles.arns}"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- }
- ]
+ transit_gateway_attachments = {
+ attachment-1 = {
+ vpc_id = local.vpc_id
+ transit_gateway_id = local.tgw_id_1
+ subnet_ids = local.subnet_ids
}
- )
+ attachment-2 = {
+ vpc_id = local.vpc_id
+ transit_gateway_id = local.tgw_id_2
+ subnet_ids = local.subnet_ids
+ }
+ }
tags = {
Environment = local.env
Owner = "DevOps"
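Review bot: the example sources the module from the registry (`source = "adamwshero/transit-gateway-attachment/aws"`, `version = "~> 1.0.0"`), so it cannot be used to test changes in this repository until a release is published; examples inside a module repo normally use `source = "../../"`. The `subnet_ids` values are CIDR blocks rather than subnet IDs, which the EC2 API will reject, and `account_id` is declared but never referenced.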
diff --git a/examples/terraform/provider.tf b/examples/terraform/provider.tf
index 724fdfb..6fceb81 100644
--- a/examples/terraform/provider.tf
+++ b/examples/terraform/provider.tf
@@ -3,7 +3,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 3.0"
+ version = "~> 4.0"
}
}
}
diff --git a/examples/terraform/variables.tf b/examples/terraform/variables.tf
index c7b7aed..9e1585b 100644
--- a/examples/terraform/variables.tf
+++ b/examples/terraform/variables.tf
@@ -1,4 +1,66 @@
-variable "env" {
- type = map(any)
- default = {}
+#################
+# TGW Attachment
+#################
+variable "create_transit_gateway_vpc_attachment" {
+ description = "Determines whether to create the attachment or not."
+ type = bool
+ default = true
+}
+variable "vpc_id" {
+ description = "(Required) Identifier of EC2 VPC."
+ type = string
+ default = ""
+}
+
+variable "subnet_ids" {
+ description = "(Required) Identifiers of EC2 Subnets."
+ type = list(string)
+ default = [""]
+}
+
+variable "transit_gateway_id" {
+ description = "Required) Identifier of EC2 Transit Gateway."
+ type = string
+ default = ""
+}
+
+variable "appliance_mode_support" {
+ description = "(Optional) Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: `disable`, `enable`. Default value: `disable`."
+ type = string
+ default = "disable"
+}
+
+variable "dns_support" {
+ description = "Optional) Whether DNS support is `enabled`. Valid values: `disable`, `enable`. Default value: `enable`."
+ type = string
+ default = "enable"
+}
+
+variable "ipv6_support" {
+ description = "(Optional) Whether IPv6 support is `enabled`. Valid values: `disable`, `enable`. Default value: `disable`."
+ type = string
+ default = "disable"
+}
+
+variable "transit_gateway_default_route_table_association" {
+ description = "(Optional) Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: `true`."
+ type = bool
+ default = true
+}
+
+variable "transit_gateway_default_route_table_propagation" {
+ description = "(Optional) Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: `true`."
+ type = bool
+ default = true
+}
+
+variable "transit_gateway_attachments" {
+ description = "Map of objects that define the transit gateway attachments to be created"
+ type = any
+ default = {}
+}
+
+variable "tags" {
+ description = "(Optional) Key-value tags for the EC2 Transit Gateway VPC Attachment. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level."
+ type = map(string)
}
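Review bot: none of these variables are referenced by `examples/terraform/main.tf`, which drives the module from `locals`, so the file duplicates the root `variables.tf` to no effect; the `tags` variable has no default, which means `terraform plan` in this example will prompt for a value that is then discarded. Trim the file to the variables the example actually uses. If the declarations stay, align `create_transit_gateway_vpc_attachment` with the root module's `create_attachment` (the name `main.tf` reads), and fix the descriptions that lost their opening parenthesis: `"Required) Identifier of EC2 Transit Gateway."` and `"Optional) Whether DNS support ..."`. The `default = [""]` for `subnet_ids` is an invalid subnet ID; use `[]` or no default for a required input.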
diff --git a/examples/terragrunt/account.hcl b/examples/terragrunt/account.hcl
new file mode 100644
index 0000000..cb209da
--- /dev/null
+++ b/examples/terragrunt/account.hcl
@@ -0,0 +1,7 @@
+locals {
+ account_name = "my-account"
+ account_id = "111111111111"
+ tgw_id_1 = "tgw-1111a11111a1a1aa1"
+ tgw_id_2 = "tgw-2222a22222a2a2aa2"
+ tags = {}
+}
diff --git a/examples/terragrunt/env.hcl b/examples/terragrunt/env.hcl
new file mode 100644
index 0000000..de612ce
--- /dev/null
+++ b/examples/terragrunt/env.hcl
@@ -0,0 +1,24 @@
+ // Global Properties
+locals {
+ account = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+ region = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+ product = read_terragrunt_config(find_in_parent_folders("product.hcl"))
+ environment = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+
+ // Namespace Properties
+ env = "dev"
+ account_id = local.account_vars.locals.account_id
+ account_name = local.account_vars.locals.account_name
+ product_name = local.product_vars.locals.product_name
+
+ // Global Tags
+ tags = merge(
+ local.common_vars.locals.tags,
+ local.account_vars.locals.tags,
+ local.region_vars.locals.tags,
+ local.product_vars.locals.tags,
+ {
+ environment = local.env
+ }
+ )
+}
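Review bot: this file cannot be evaluated as written. Inside `env.hcl` it calls `read_terragrunt_config(find_in_parent_folders("env.hcl"))`, i.e. it tries to read itself from a parent directory, which either fails with a not-found error or loads a different file than intended; drop that line. The locals defined are `account`, `region`, `product` and `environment`, but the expressions below reference `local.account_vars`, `local.product_vars`, `local.common_vars` and `local.region_vars`, none of which exist, so every `terragrunt.hcl` that reads `env.hcl` (both example configs in this patch do) will fail. Rename the references to the locals actually declared, and add `region.hcl`, which is read here but not added by the patch. The leading space before `// Global Properties` is also inconsistent with the rest of the file.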
diff --git a/examples/terragrunt/kms/README.md b/examples/terragrunt/kms/README.md
deleted file mode 100644
index 1af7a10..0000000
--- a/examples/terragrunt/kms/README.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# Complete Plan Example
-
-```
-locals {
- account = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- region = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- environment = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- sso_admin = "arn:aws:iam::{accountid}:role/my_trusted_role"
-}
-
-include {
- path = find_in_parent_folders()
-}
-
-terraform {
- source = "git@github.com:adamwshero/terraform-aws-kms.git//.?ref=1.1.4"
-}
-
-inputs = {
- is_enabled = true
- name = "alias/devops"
- description = "Used for managing devops-maintained encrypted data."
- deletion_window_in_days = 7
- enable_key_rotation = false
- key_usage = "ENCRYPT_DECRYPT"
- customer_master_key_spec = "SYMMETRIC_DEFAULT"
- bypass_policy_lockout_safety_check = false
- multi_region = false
- enable_sops = true
- sops_file = "${get_terragrunt_dir()}/.sops.yaml"
- prevent_destroy = false
-
- lifecycle = {
- prevent_destroy = true
- }
-
- policy = templatefile("${get_terragrunt_dir()}/policy.json.tpl", {
- sso_admin = local.account_vars.locals.sso_admin
- })
- tags = {
- Environment = local.env.locals.env
- Owner = "DevOps"
- CreatedByTerraform = true
- }
-}
-```
\ No newline at end of file
diff --git a/examples/terragrunt/kms/kms-policy.json.tpl b/examples/terragrunt/kms/kms-policy.json.tpl
deleted file mode 100644
index 3ce0e04..0000000
--- a/examples/terragrunt/kms/kms-policy.json.tpl
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "Id": "key-policy-1",
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "Enable IAM policies",
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::${account_id}:root"
- },
- "Action": "kms:*",
- "Resource": "*"
- },
- {
- "Sid": "GrantSSOAdminAccessToCMK",
- "Effect": "Allow",
- "Principal": {
- "AWS": "${sso_admin}"
- },
- "Action": "kms:*",
- "Resource": "*"
- }
- ]
-}
\ No newline at end of file
diff --git a/examples/terragrunt/kms/terragrunt.hcl b/examples/terragrunt/kms/terragrunt.hcl
deleted file mode 100644
index 5da3834..0000000
--- a/examples/terragrunt/kms/terragrunt.hcl
+++ /dev/null
@@ -1,43 +0,0 @@
-locals {
- account = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- region = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- environment = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
- sso_admin = "arn:aws:iam::{accountid}:role/my_trusted_role"
- account_id = "12345678910"
-}
-
-include {
- path = find_in_parent_folders()
-}
-
-terraform {
- source = "git@github.com:adamwshero/terraform-aws-kms.git//.?ref=1.1.4"
-}
-
-inputs = {
- is_enabled = true
- name = "alias/devops"
- description = "Used for managing devops-maintained encrypted data."
- deletion_window_in_days = 7
- enable_key_rotation = false
- key_usage = "ENCRYPT_DECRYPT"
- customer_master_key_spec = "SYMMETRIC_DEFAULT"
- bypass_policy_lockout_safety_check = false
- multi_region = false
- enable_sops = true
- sops_file = "${get_terragrunt_dir()}/.sops.yaml"
- prevent_destroy = false
- lifecycle = {
- prevent_destroy = true
- }
-
- policy = templatefile("${get_terragrunt_dir()}/policy.json.tpl", {
- sso_admin = local.sso_admin
- account_id = local.account_id
- })
- tags = {
- Environment = local.env.locals.env
- Owner = "DevOps"
- CreatedByTerraform = true
- }
-}
diff --git a/examples/terragrunt/product.hcl b/examples/terragrunt/product.hcl
new file mode 100644
index 0000000..2e16fb9
--- /dev/null
+++ b/examples/terragrunt/product.hcl
@@ -0,0 +1,15 @@
+locals {
+ prefix = "my-prefix"
+ product_name = "my-product"
+
+ tags = {
+ environment = "dev"
+ application = "MyApplication"
+ automation = "terraform"
+ cost_center = "development"
+ customer = "contoso"
+ notification_email = "my-team@contoso.com"
+ production = false
+ team_name = "devops"
+ }
+}
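Review bot: `environment = "dev"` is hard-coded into the product tags while `env.hcl` also adds an `environment` tag from `local.env`; whichever `merge()` argument comes last wins, so pick one source for that tag. `production = false` is a boolean inside a map that is ultimately passed to a `map(string)` variable; Terraform will coerce it to `"false"`, but writing it as a string avoids a mixed-type object and makes the intent explicit.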
diff --git a/examples/terragrunt/transit-gateway-attachment/README.md b/examples/terragrunt/transit-gateway-attachment/README.md
new file mode 100644
index 0000000..fe9f488
--- /dev/null
+++ b/examples/terragrunt/transit-gateway-attachment/README.md
@@ -0,0 +1,45 @@
+# Complete Plan Example
+
+```
+locals {
+ account = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+ region = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+ product = read_terragrunt_config(find_in_parent_folders("product.hcl"))
+ environment = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+ tags = merge(
+ local.product.locals.tags,
+ local.additional_tags
+ )
+ additional_tags = {
+ }
+}
+
+include {
+ path = find_in_parent_folders()
+}
+
+dependency "vpc" {
+ config_path = "../vpc"
+}
+
+terraform {
+ source = "git@github.com:adamwshero/terraform-aws-transit-gateway-attachment//.?ref=1.0.0"
+}
+
+inputs = {
+ transit_gateway_attachments = {
+ attachment-1 = {
+ vpc_id = dependency.vpc.outputs.vpc_id
+ transit_gateway_id = local.account.locals.tgw_id_1
+ subnet_ids = dependency.vpc.outputs.private_subnets
+ }
+ attachment-2 = {
+ vpc_id = dependency.vpc.outputs.vpc_id
+ transit_gateway_id = local.account.locals.tgw_id_2
+ subnet_ids = dependency.vpc.outputs.private_subnets
+ }
+ }
+
+ tags = local.tags
+}
+```
\ No newline at end of file
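Review bot: the example depends on `region.hcl` and on the `env.hcl` added in this patch, and `env.hcl` currently references undefined locals, so the plan shown here would fail as the files stand; the README should be re-checked once those are fixed. `environment` is read but not used in `inputs`, and the file is missing a trailing newline.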
diff --git a/examples/terragrunt/transit-gateway-attachment/terragrunt.hcl b/examples/terragrunt/transit-gateway-attachment/terragrunt.hcl
new file mode 100644
index 0000000..d14325f
--- /dev/null
+++ b/examples/terragrunt/transit-gateway-attachment/terragrunt.hcl
@@ -0,0 +1,41 @@
+locals {
+ account = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+ region = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+ product = read_terragrunt_config(find_in_parent_folders("product.hcl"))
+ environment = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+ tags = merge(
+ local.product.locals.tags,
+ local.additional_tags
+ )
+ additional_tags = {
+ }
+}
+
+include {
+ path = find_in_parent_folders()
+}
+
+dependency "vpc" {
+ config_path = "../vpc"
+}
+
+terraform {
+ source = "git@github.com:adamwshero/terraform-aws-transit-gateway-attachment//.?ref=1.0.0"
+}
+
+inputs = {
+ transit_gateway_attachments = {
+ attachment-1 = {
+ vpc_id = dependency.vpc.outputs.vpc_id
+ transit_gateway_id = local.account.locals.tgw_id_1
+ subnet_ids = dependency.vpc.outputs.private_subnets
+ }
+ attachment-2 = {
+ vpc_id = dependency.vpc.outputs.vpc_id
+ transit_gateway_id = local.account.locals.tgw_id_2
+ subnet_ids = dependency.vpc.outputs.private_subnets
+ }
+ }
+
+ tags = local.tags
+}
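Review bot: `environment = read_terragrunt_config(find_in_parent_folders("env.hcl"))` looks harmless because `local.environment` is never used, but reading `env.hcl` evaluates it, and that file references locals that do not exist, so this config fails at parse time. Either remove the line or fix `env.hcl`. `region.hcl` is also required by the `region` local and is not part of the patch. The `dependency "vpc"` block should document the `vpc_id` and `private_subnets` outputs it expects, since the referenced `../vpc` module is not included.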
diff --git a/main.tf b/main.tf
index da13472..72dbd06 100644
--- a/main.tf
+++ b/main.tf
@@ -1,27 +1,15 @@
-resource "aws_kms_key" "this" {
- is_enabled = var.is_enabled
- description = var.description
- deletion_window_in_days = var.deletion_window_in_days
- customer_master_key_spec = var.customer_master_key_spec
- bypass_policy_lockout_safety_check = var.bypass_policy_lockout_safety_check
- enable_key_rotation = var.enable_key_rotation
- key_usage = var.key_usage
- multi_region = var.multi_region
- policy = var.policy
- tags = var.tags
-}
+resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
+ for_each = { for k, v in var.transit_gateway_attachments : k => v if var.create_attachment }
-resource "aws_kms_alias" "this" {
- name = var.name
- target_key_id = aws_kms_key.this.key_id
-}
+ vpc_id = each.value.vpc_id
+ subnet_ids = each.value.subnet_ids
+ transit_gateway_id = each.value.transit_gateway_id
+ appliance_mode_support = var.appliance_mode_support
+ dns_support = var.dns_support
+ ipv6_support = var.ipv6_support
-resource "local_file" "this" {
- content = < aws_ec2_transit_gateway_vpc_attachment.this[transit_gateway_attachments].*[0].*
+ }
}
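Review bot: the line reading `content = < aws_ec2_transit_gateway_vpc_attachment.this[transit_gateway_attachments].*[0].*` is not valid HCL; it appears to be a mangled heredoc from the removed `local_file` resource run together with an added expression, so the patch needs regenerating to show what the new lines actually are. As far as the visible added lines go, the resource sets `vpc_id`, `subnet_ids`, `transit_gateway_id`, `appliance_mode_support`, `dns_support` and `ipv6_support` but not `transit_gateway_default_route_table_association`, `transit_gateway_default_route_table_propagation` or `tags`, all three of which the README and `variables.tf` present as module inputs; pass them through, e.g. `tags = var.tags`. Note also that `appliance_mode_support`, `dns_support` and `ipv6_support` are module-wide and apply to every entry of `for_each`, while the README implies per-attachment configuration; if per-attachment values are wanted, read them from `each.value` with `lookup(each.value, "dns_support", var.dns_support)`. The `if var.create_attachment` filter on `for_each` is fine, but an `aws_ec2_transit_gateway_vpc_attachment` created with `transit_gateway_default_route_table_association = true` against a RAM-shared TGW will not be able to manage that association, which the variable description already warns about; worth a sentence in the README.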
diff --git a/variables.tf b/variables.tf
index 3b288c2..6da1266 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,78 +1,66 @@
#################
-# KMS Alias Vars
+# TGW Attachment
#################
-variable "name" {
- description = "(Optional) The display name of the alias. The name must start with the word 'alias' followed by a forward slash (alias/)"
- type = string
- default = ""
+variable "create_attachment" {
+ description = "Determines whether to create the attachment or not."
+ type = bool
+ default = true
}
-
-###############
-# KMS Key Vars
-###############
-variable "is_enabled" {
- description = "(Optional) Specifies whether the key is enabled. Defaults to true."
- type = bool
- default = true
-}
-variable "description" {
- description = "(Optional) The description of the key as viewed in AWS console."
+variable "vpc_id" {
+ description = "(Required) Identifier of EC2 VPC."
type = string
default = ""
}
-variable "deletion_window_in_days" {
- description = "(Optional) The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately."
- type = number
- default = 7
-}
-variable "customer_master_key_spec" {
- description = "(Optional) Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html)."
- type = string
- default = "SYMMETRIC_DEFAULT"
-}
-variable "bypass_policy_lockout_safety_check" {
- description = "(Optional) A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html). The default value is false."
- type = bool
- default = false
+
+variable "subnet_ids" {
+ description = "(Required) Identifiers of EC2 Subnets."
+ type = list(string)
+ default = [""]
}
-variable "enable_key_rotation" {
- description = "(Optional) Specifies whether key rotation is enabled. Defaults to false."
- type = bool
- default = false
+variable "transit_gateway_id" {
+ description = "(Required) Identifier of EC2 Transit Gateway."
+ type = string
+ default = ""
}
-variable "key_usage" {
- description = "(Optional) Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT or SIGN_VERIFY. Defaults to ENCRYPT_DECRYPT."
- type = string
- default = "ENCRYPT_DECRYPT"
+
+variable "appliance_mode_support" {
+ description = "(Optional) Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: `disable`, `enable`. Default value: `disable`."
+ type = string
+ default = "disable"
}
-variable "multi_region" {
- description = "(Optional) Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false."
- type = bool
- default = false
+
+variable "dns_support" {
+ description = "(Optional) Whether DNS support is `enabled`. Valid values: `disable`, `enable`. Default value: `enable`."
+ type = string
+ default = "enable"
}
-variable "policy" {
- description = "(Optional) A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws_iam_policy_document, in the form that designates a principal, can be used. For more information about building policy documents with Terraform, see the [AWS KMS Policy Guide](https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html)."
- type = string
- default = ""
+
+variable "ipv6_support" {
+ description = "(Optional) Whether IPv6 support is `enabled`. Valid values: `disable`, `enable`. Default value: `disable`."
+ type = string
+ default = "disable"
}
-variable "tags" {
- description = "(Optional) A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level."
- type = map(string)
+
+variable "transit_gateway_default_route_table_association" {
+ description = "(Optional) Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: `true`."
+ type = bool
+ default = true
}
-############
-# SOPS Vars
-############
-variable "sops_file" {
- description = "(Required) name of the file and path to the encrypted file."
- type = string
- default = ""
+variable "transit_gateway_default_route_table_propagation" {
+ description = "(Optional) Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: `true`."
+ type = bool
+ default = true
}
-variable "enable_sops" {
- description = "(Optional) Enables or disables SOPS file creation. Only creates CMK if false."
- type = bool
- default = true
+variable "transit_gateway_attachments" {
+ description = "Map of objects that define the transit gateway attachments to be created"
+ type = any
+ default = {}
}
+variable "tags" {
+ description = "(Optional) Key-value tags for the EC2 Transit Gateway VPC Attachment. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level."
+ type = map(string)
+}
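Review bot: `subnet_ids` is documented as `(Required)` yet defaults to `[""]`, and `vpc_id` and `transit_gateway_id` default to `""`; a required input should carry no `default` so `terraform plan` fails fast on a missing value instead of passing an empty string (or a list containing one) to the API. Because the attachment resource reads these three values from `each.value`, it is also worth confirming the module-level variables are still referenced anywhere before keeping them. `transit_gateway_attachments` is `type = any`, which switches off type checking on the map; a `map(object({ vpc_id = string, subnet_ids = list(string), transit_gateway_id = string }))` would reject malformed entries at plan time. For `appliance_mode_support`, `dns_support` and `ipv6_support`, a `validation` block with `condition = contains(["enable", "disable"], var.dns_support)` (one per variable) would enforce the documented values rather than deferring the error to the provider. Lastly, the `create_attachment` description could say that it gates the entire `for_each` map, not a single attachment.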