Commit
Merge pull request #100 from pablo19sc/main
adding support for Cloud WAN Appliance mode in attachment
tlindsay42 committed Mar 27, 2023
2 parents d09647a + 3188371 commit f7a9cfb
Showing 13 changed files with 133 additions and 75 deletions.
15 changes: 8 additions & 7 deletions .header.md
@@ -102,10 +102,11 @@ subnets = {
}
core_network = {
netmask = 28
ipv6_support = false
require_acceptance = true
accept_attachment = true
netmask = 28
ipv6_support = false
appliance_mode_support = false
require_acceptance = true
accept_attachment = true
tags = {
env = "prod"
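Review bot: the new `appliance_mode_support = false` line in the `core_network` example is added with no explanation of what the flag does, and since this file is the documentation source, a sentence next to the example would help readers choose a value: appliance mode keeps both directions of a flow on the same Availability Zone of the attachment, which matters when the VPC hosts stateful inspection appliances, and is otherwise left off. Also worth stating which value the module defaults to so readers know the explicit `false` here is only illustrative.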
@@ -226,7 +227,7 @@ This happens when the Core Network's VPC attachment requires acceptance, so it's
```terraform
subnets = {
core_network = {
netmaks = 28
netmask = 28
require_acceptance = true
accept_attachment = true
}
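Review bot: `netmaks` to `netmask` is the right fix; the old spelling does not match the documented `netmask` subnet key, so anyone copying this acceptance-workflow snippet would not have got the intended subnet sizing. The same correction is applied in the next two hunks, so all three acceptance examples in this file now agree with the inputs table.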
@@ -238,7 +239,7 @@ subnets = {
```terraform
subnets = {
core_network = {
netmaks = 28
netmask = 28
require_acceptance = true
accept_attachment = true
}
@@ -250,7 +251,7 @@ After you apply and the attachment is accepted (outside the module), change the
```terraform
subnets = {
core_network = {
netmaks = 28
netmask = 28
require_acceptance = false
}
}
17 changes: 9 additions & 8 deletions README.md
@@ -103,10 +103,11 @@ subnets = {
}
core_network = {
netmask = 28
ipv6_support = false
require_acceptance = true
accept_attachment = true
netmask = 28
ipv6_support = false
appliance_mode_support = false
require_acceptance = true
accept_attachment = true
tags = {
env = "prod"
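Review bot: this hunk is a line-for-line copy of the `.header.md` change above, which is consistent with README.md being generated from `.header.md` (the developer documentation link further down this file describes the tooling); the two should be checked for staying identical on every docs change, and they do here. The same request applies as for the source file: a sentence explaining when `appliance_mode_support` should be `true` would make the example self-explanatory.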
@@ -227,7 +228,7 @@ This happens when the Core Network's VPC attachment requires acceptance, so it's
```terraform
subnets = {
core_network = {
netmaks = 28
netmask = 28
require_acceptance = true
accept_attachment = true
}
@@ -239,7 +240,7 @@ subnets = {
```terraform
subnets = {
core_network = {
netmaks = 28
netmask = 28
require_acceptance = true
accept_attachment = true
}
@@ -251,7 +252,7 @@ After you apply and the attachment is accepted (outside the module), change the
```terraform
subnets = {
core_network = {
netmaks = 28
netmask = 28
require_acceptance = false
}
}
@@ -327,7 +328,7 @@ Please see our [developer documentation](https://github.com/aws-ia/terraform-aws
|------|-------------|------|---------|:--------:|
| <a name="input_az_count"></a> [az\_count](#input\_az\_count) | Searches region for # of AZs to use and takes a slice based on count. Assume slice is sorted a-z. | `number` | n/a | yes |
| <a name="input_name"></a> [name](#input\_name) | Name to give VPC. Note: does not effect subnet names, which get assigned name based on name\_prefix. | `string` | n/a | yes |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | Configuration of subnets to build in VPC. 1 Subnet per AZ is created. Subnet types are defined as maps with the available keys: "private", "public", "transit\_gateway". Each Subnet type offers its own set of available arguments detailed below.<br><br>**Attributes shared across subnet types:**<br>- `cidrs` = (Optional\|list(string)) **Cannot set if `netmask` is set.** List of CIDRs to set to subnets. Count of CIDRs defined must match quatity of azs in `az_count`.<br>- `netmask` = (Optional\|Int) Netmask of the `var.cidr_block` to calculate for each subnet. **Cannot set if `cidrs` is set.**<br>- `name_prefix` = (Optional\|String) A string prefix to use for the name of your subnet and associated resources. Subnet type key name is used if omitted (aka private, public, transit\_gateway). Example `name_prefix = "private"` for `var.subnets.private` is redundant.<br>- `tags` = (Optional\|map(string)) Tags to set on the subnet and associated resources.<br><br>**Any private subnet type options:**<br>- All shared keys above<br>- `connect_to_public_natgw` = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. Must also set `var.subnets.public.nat_gateway_configuration`.<br><br>**public subnet type options:**<br>- All shared keys above<br>- `nat_gateway_configuration` = (Optional\|string) Determines if NAT Gateways should be created and in how many AZs. Valid values = `"none"`, `"single_az"`, `"all_azs"`. Default = "none". Must also set `var.subnets.private.connect_to_public_natgw = true`.<br><br>**transit\_gateway subnet type options:**<br>- All shared keys above<br>- `connect_to_public_natgw` = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. 
Must also set `var.subnets.public.nat_gateway_configuration`.<br>- `transit_gateway_default_route_table_association` = (Optional\|bool) Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways.<br>- `transit_gateway_default_route_table_propagation` = (Optional\|bool) Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways.<br>- `transit_gateway_appliance_mode_support` = (Optional\|string) Whether Appliance Mode is enabled. If enabled, a traffic flow between a source and a destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: `disable` (default) and `enable`.<br>- `transit_gateway_dns_support` = (Optional\|string) DNS Support is used if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway. Valid values: `enable` (default) and `disable`.<br><br>**core\_network subnet type options:**<br>- All shared keys abovce<br>- `connect_to_public_natgw` = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. Must also set `var.subnets.public.nat_gateway_configuration`.<br>- `ipv6_support` = (Optional\|bool) Boolean whether IPv6 is supported or not in the Cloud WAN's VPC attachment. Default to `false`.<br>- `require_acceptance` = (Optional\|bool) Boolean whether the core network VPC attachment to create requires acceptance or not. 
Defaults to `false`.<br>- `accept_attachment` = (Optional\|bool) Boolean whether the core network VPC attachment is accepted or not in the segment. Only valid if `require_acceptance` is set to `true`. Defaults to `true`.<br><br>Example:<pre>subnets = {<br> public = {<br> netmask = 24<br> nat_gateway_configuration = "single_az"<br> }<br><br> private = {<br> netmask = 24<br> connect_to_public_natgw = true<br> }<br><br> transit_gateway = {<br> netmask = 24<br> connect_to_public_natgw = true<br> transit_gateway_default_route_table_association = true<br> transit_gateway_default_route_table_propagation = true<br> }<br><br> core_network = {<br> netmask = 24<br> connect_to_public_natgw = true<br> ipv6_support = true<br> require_acceptance = true<br> accept_attachment = true<br> }<br>}</pre> | `any` | n/a | yes |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | Configuration of subnets to build in VPC. 1 Subnet per AZ is created. Subnet types are defined as maps with the available keys: "private", "public", "transit\_gateway". Each Subnet type offers its own set of available arguments detailed below.<br><br>**Attributes shared across subnet types:**<br>- `cidrs` = (Optional\|list(string)) **Cannot set if `netmask` is set.** List of CIDRs to set to subnets. Count of CIDRs defined must match quatity of azs in `az_count`.<br>- `netmask` = (Optional\|Int) Netmask of the `var.cidr_block` to calculate for each subnet. **Cannot set if `cidrs` is set.**<br>- `name_prefix` = (Optional\|String) A string prefix to use for the name of your subnet and associated resources. Subnet type key name is used if omitted (aka private, public, transit\_gateway). Example `name_prefix = "private"` for `var.subnets.private` is redundant.<br>- `tags` = (Optional\|map(string)) Tags to set on the subnet and associated resources.<br><br>**Any private subnet type options:**<br>- All shared keys above<br>- `connect_to_public_natgw` = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. Must also set `var.subnets.public.nat_gateway_configuration`.<br><br>**public subnet type options:**<br>- All shared keys above<br>- `nat_gateway_configuration` = (Optional\|string) Determines if NAT Gateways should be created and in how many AZs. Valid values = `"none"`, `"single_az"`, `"all_azs"`. Default = "none". Must also set `var.subnets.private.connect_to_public_natgw = true`.<br><br>**transit\_gateway subnet type options:**<br>- All shared keys above<br>- `connect_to_public_natgw` = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. 
Must also set `var.subnets.public.nat_gateway_configuration`.<br>- `transit_gateway_default_route_table_association` = (Optional\|bool) Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways.<br>- `transit_gateway_default_route_table_propagation` = (Optional\|bool) Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways.<br>- `transit_gateway_appliance_mode_support` = (Optional\|string) Whether Appliance Mode is enabled. If enabled, a traffic flow between a source and a destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: `disable` (default) and `enable`.<br>- `transit_gateway_dns_support` = (Optional\|string) DNS Support is used if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway. Valid values: `enable` (default) and `disable`.<br><br>**core\_network subnet type options:**<br>- All shared keys abovce<br>- `connect_to_public_natgw` = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. Must also set `var.subnets.public.nat_gateway_configuration`.<br>- `ipv6_support` = (Optional\|bool) Boolean whether IPv6 is supported or not in the Cloud WAN's VPC attachment. Default to `false`.<br>- `appliance_mode_support` = (Optional\|bool) Indicates whether appliance mode is supported. If enabled, traffic flow between a source and destination use the same Availability Zone for the VPC attachment for the lifetime of that flow. 
Defaults to `false`.<br>- `require_acceptance` = (Optional\|bool) Boolean whether the core network VPC attachment to create requires acceptance or not. Defaults to `false`.<br>- `accept_attachment` = (Optional\|bool) Boolean whether the core network VPC attachment is accepted or not in the segment. Only valid if `require_acceptance` is set to `true`. Defaults to `true`.<br><br>Example:<pre>subnets = {<br> public = {<br> netmask = 24<br> nat_gateway_configuration = "single_az"<br> }<br><br> private = {<br> netmask = 24<br> connect_to_public_natgw = true<br> }<br><br> transit_gateway = {<br> netmask = 24<br> connect_to_public_natgw = true<br> transit_gateway_default_route_table_association = true<br> transit_gateway_default_route_table_propagation = true<br> }<br><br> core_network = {<br> netmask = 24<br> connect_to_public_natgw = true<br> ipv6_support = true<br> appliance_mode_support = true<br> require_acceptance = true<br> accept_attachment = true<br> }<br>}</pre> | `any` | n/a | yes |
| <a name="input_cidr_block"></a> [cidr\_block](#input\_cidr\_block) | CIDR range to assign to VPC if creating VPC or to associte as a secondary CIDR. Overridden by var.vpc\_id output from data.aws\_vpc. | `string` | `null` | no |
| <a name="input_core_network"></a> [core\_network](#input\_core\_network) | AWS Cloud WAN's core network information - to create a VPC attachment. Required when `cloud_wan` subnet is defined. Two attributes are required: the `id` and `arn` of the resource. | <pre>object({<br> id = string<br> arn = string<br> })</pre> | <pre>{<br> "arn": null,<br> "id": null<br>}</pre> | no |
| <a name="input_core_network_routes"></a> [core\_network\_routes](#input\_core\_network\_routes) | Configuration of route(s) to AWS Cloud WAN's core network.<br>For each `public` and/or `private` subnets named in the `subnets` variable, optionally create routes from the subnet to the core network.<br>You can specify either a CIDR range or a prefix-list-id that you want routed to the core network.<br>Example:<pre>core_network_routes = {<br> public = "10.0.0.0/8"<br> private = "pl-123"<br>}</pre> | `any` | `{}` | no |
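Review bot: the new `appliance_mode_support` entry for `core_network` is typed `(Optional|bool)` with default `false`, while `transit_gateway_appliance_mode_support` in the same row is a string taking `enable`/`disable`; I assume the difference is inherited from the two underlying attachment resources, but a short cross-reference ("unlike the transit gateway option, this one is a boolean") would stop users from writing `"enable"` here and getting a type error. In the new sentence, "traffic flow between a source and destination use the same Availability Zone" should read "uses". Since the row is being touched anyway, the pre-existing typos in it ("quatity", "abovce", and "Default to `false`" for `ipv6_support`, which should be "Defaults to") could be fixed in `.header.md` so the regenerated README picks them up.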
11 changes: 5 additions & 6 deletions examples/cloud_wan/README.md
@@ -16,28 +16,27 @@ This example shows how you can use this module with `core_network` subnets, and
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.27.0 |
| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 0.36.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.27.0 |
| <a name="provider_awscc.awsccnvirginia"></a> [awscc.awsccnvirginia](#provider\_awscc.awsccnvirginia) | >= 0.36.0 |
| <a name="provider_aws.awsnvirginia"></a> [aws.awsnvirginia](#provider\_aws.awsnvirginia) | >= 4.27.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_ireland_vpc"></a> [ireland\_vpc](#module\_ireland\_vpc) | aws-ia/vpc/aws | >= 3.0.2 |
| <a name="module_nvirginia_vpc"></a> [nvirginia\_vpc](#module\_nvirginia\_vpc) | aws-ia/vpc/aws | >= 3.0.2 |
| <a name="module_ireland_vpc"></a> [ireland\_vpc](#module\_ireland\_vpc) | aws-ia/vpc/aws | >= 4.0.0 |
| <a name="module_nvirginia_vpc"></a> [nvirginia\_vpc](#module\_nvirginia\_vpc) | aws-ia/vpc/aws | >= 4.0.0 |

## Resources

| Name | Type |
|------|------|
| [awscc_networkmanager_core_network.core_network](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/networkmanager_core_network) | resource |
| [awscc_networkmanager_global_network.global_network](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/networkmanager_global_network) | resource |
| [aws_networkmanager_core_network.core_network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkmanager_core_network) | resource |
| [aws_networkmanager_global_network.global_network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkmanager_global_network) | resource |
| [aws_networkmanager_core_network_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document) | data source |

## Inputs
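Review bot: the module rows move from `>= 3.0.2` to `>= 4.0.0`, which is still an open-ended lower bound; for an example that people copy verbatim, a pessimistic constraint such as `~> 4.0` keeps `terraform init` from silently pulling a future major release with breaking input changes, so I would change both rows (and the matching `version` arguments in `main.tf`). The `awscc` requirement and the `awscc.awsccnvirginia` provider row are removed here; the example's provider configuration file is not among the diffs shown on this page, so please confirm the `awscc` alias and `required_providers` entry are dropped there as well, otherwise `terraform-docs` will regenerate the rows on the next run.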
54 changes: 23 additions & 31 deletions examples/cloud_wan/main.tf
@@ -1,21 +1,17 @@

# VPC module (North Virginia)
module "nvirginia_vpc" {
source = "aws-ia/vpc/aws"
version = ">= 3.0.2"

providers = {
aws = aws.awsnvirginia
awscc = awscc.awsccnvirginia
}
source = "aws-ia/vpc/aws"
version = ">= 4.0.0"
providers = { aws = aws.awsnvirginia }

name = "nvirginia-vpc"
cidr_block = "10.0.0.0/24"
az_count = 2

core_network = {
id = awscc_networkmanager_core_network.core_network.core_network_id
arn = awscc_networkmanager_core_network.core_network.core_network_arn
id = aws_networkmanager_core_network.core_network.id
arn = aws_networkmanager_core_network.core_network.arn
}
core_network_routes = {
workload = "0.0.0.0/0"
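Review bot: `version = ">= 4.0.0"` has no upper bound; as with the README table, `~> 4.0` is the safer pin for an example that others copy. The `core_network` block now reads `.id` and `.arn` directly from `aws_networkmanager_core_network`, which is correct for the `aws` provider resource (the `awscc` resource exposed them as `core_network_id` and `core_network_arn`), and the module's `core_network` input keeps the same `{ id, arn }` shape, so no change to the module interface is needed for this swap.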
@@ -24,10 +20,11 @@ module "nvirginia_vpc" {
subnets = {
workload = { netmask = 28 }
core_network = {
netmask = 28
ipv6_support = false
require_acceptance = true
accept_attachment = true
netmask = 28
ipv6_support = false
appliance_mode_support = true
require_acceptance = true
accept_attachment = true

tags = {
env = "prod"
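Review bot: `appliance_mode_support = true` is set here without a comment, while the documentation example sets it to `false`, so a reader cannot tell which value is the normal choice. Appliance mode forces both directions of a flow through the same Availability Zone of the attachment, which is what you want when the VPC hosts stateful inspection appliances (without it, return traffic can arrive in another AZ and a stateful firewall never sees both halves of the flow, so it either drops the session or has to be configured more permissively); for a plain workload VPC like this one it only removes AZ symmetry. Either add a one-line comment saying the example is demonstrating the option, or set it to `false` to match the docs.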
@@ -38,21 +35,17 @@ module "nvirginia_vpc" {

# VPC module (Ireland)
module "ireland_vpc" {
source = "aws-ia/vpc/aws"
version = ">= 3.0.2"

providers = {
aws = aws.awsireland
awscc = awscc.awsccireland
}
source = "aws-ia/vpc/aws"
version = ">= 4.0.0"
providers = { aws = aws.awsireland }

name = "ireland-vpc"
cidr_block = "10.0.1.0/24"
az_count = 2

core_network = {
id = awscc_networkmanager_core_network.core_network.core_network_id
arn = awscc_networkmanager_core_network.core_network.core_network_arn
id = aws_networkmanager_core_network.core_network.id
arn = aws_networkmanager_core_network.core_network.arn
}
core_network_routes = {
workload = "0.0.0.0/0"
@@ -73,22 +66,21 @@ module "ireland_vpc" {
}

# Global Network
resource "awscc_networkmanager_global_network" "global_network" {
provider = awscc.awsccnvirginia
resource "aws_networkmanager_global_network" "global_network" {
provider = aws.awsnvirginia

description = "Global Network - VPC module"
}

# Core Network
resource "awscc_networkmanager_core_network" "core_network" {
provider = awscc.awsccnvirginia
resource "aws_networkmanager_core_network" "core_network" {
provider = aws.awsnvirginia

description = "Core Network - VPC module"
global_network_id = awscc_networkmanager_global_network.global_network.id
global_network_id = aws_networkmanager_global_network.global_network.id
policy_document = jsonencode(jsondecode(data.aws_networkmanager_core_network_policy_document.policy.json))

tags = [{
key = "Name",
value = "Core Network - VPC module"
}]
tags = {
Name = "Core Network - VPC module"
}
}
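Review bot: `policy_document = jsonencode(jsondecode(data.aws_networkmanager_core_network_policy_document.policy.json))` round-trips the data source output through decode and encode; that normalises whitespace and key order so later plans do not show spurious policy diffs, but without a comment it reads like a mistake, so either add the comment or drop the round-trip if it turns out the resource already normalises the document. The `tags` change from a list of `{ key, value }` objects to a plain map is required by the `aws` provider resource and looks right; the `provider = aws.awsnvirginia` alias on both resources matches the alias used by the N. Virginia VPC module above.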
4 changes: 2 additions & 2 deletions examples/cloud_wan/outputs.tf
@@ -9,12 +9,12 @@ output "vpcs" {

output "global_network" {
description = "Global Network ID."
value = awscc_networkmanager_global_network.global_network.id
value = aws_networkmanager_global_network.global_network.id
}

output "core_network" {
description = "Core Network ID."
value = awscc_networkmanager_core_network.core_network.core_network_id
value = aws_networkmanager_core_network.core_network.id
}

output "core_network_vpc_attachments" {

0 comments on commit f7a9cfb