initial commit

Author: m13t

README.md

@@ -34,25 +34,47 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.7 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
-| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 0.24.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0.0 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_ram_principal_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |
+| [aws_ram_resource_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |
+| [aws_ram_resource_share.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share) | resource |
+| [aws_route53_resolver_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |
+| [aws_route53_resolver_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
+| [aws_route53_zone_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_resolver_name"></a> [resolver\_name](#input\_resolver\_name) | Name of the Route53 resolver endpoint | `string` | n/a | yes |
+| <a name="input_resolver_subnet_ids"></a> [resolver\_subnet\_ids](#input\_resolver\_subnet\_ids) | List of subnet IDs in which to create the Route53 Outbound Resolver | `list(string)` | n/a | yes |
+| <a name="input_resolver_vpc_id"></a> [resolver\_vpc\_id](#input\_resolver\_vpc\_id) | The ID of the VPC in which to create the Route53 Outbound Resolver | `string` | n/a | yes |
+| <a name="input_resolver_endpoint_type"></a> [resolver\_endpoint\_type](#input\_resolver\_endpoint\_type) | The Route 53 Resolver endpoint IP address type. Valid values: IPV4, IPV6, DUALSTACK. | `string` | `"IPV4"` | no |
+| <a name="input_resolver_protocols"></a> [resolver\_protocols](#input\_resolver\_protocols) | List of protocols that the Route53 Outbound Resolver should support | `list(string)` | <pre>[<br>  "Do53"<br>]</pre> | no |
+| <a name="input_resolver_rule_groups"></a> [resolver\_rule\_groups](#input\_resolver\_rule\_groups) | Map of Route53 Resolver Rules by group. Every rule in each group can be shared with principals via AWS RAM. | <pre>map(object({<br>    name           = optional(string)<br>    ram_principals = optional(list(string), [])<br><br>    rules = list(object({<br>      domain    = string<br>      targets   = list(string)<br>      name      = optional(string)<br>      rule_type = optional(string, "FORWARD")<br>    }))<br>  }))</pre> | `{}` | no |
+| <a name="input_route53_zone_ids"></a> [route53\_zone\_ids](#input\_route53\_zone\_ids) | List of Route53 Zone IDs to be associated with the resolver VPC. | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to resources created by this module | `map(string)` | `{}` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | Details of the Route53 Outbound Resolver endpoint. |
+| <a name="output_resource_shares"></a> [resource\_shares](#output\_resource\_shares) | Map of AWS RAM Shares by group. |
+| <a name="output_rules"></a> [rules](#output\_rules) | Map of resolver rules by group. |
 <!-- END_TF_DOCS -->

locals.tf

@@ -0,0 +1,24 @@
+locals {
+  replace_regex = "/[\\._\\s]/"
+
+  normalised_rule_groups = {
+    for group, config in var.resolver_rule_groups :
+    group => merge(config, {
+      name = replace(coalesce(config.name, group), local.replace_regex, "-")
+      rules = [
+        for rule in config.rules : merge(rule, {
+          name = replace(coalesce(rule.name, rule.domain), local.replace_regex, "-")
+        })
+      ]
+    })
+  }
+
+  normalised_rules = merge([
+    for group, config in local.normalised_rule_groups : {
+      for rule in config.rules :
+      join("-", [config.name, rule.name]) => merge(rule, {
+        group = group
+      })
+    }
+  ]...)
+}

main.tf

@@ -0,0 +1,90 @@
+resource "aws_security_group" "this" {
+  name        = "${var.resolver_name}-sg"
+  description = "Security group for the ${var.resolver_name} resolver endpoint"
+  vpc_id      = var.resolver_vpc_id
+
+  tags = merge(var.tags, {
+    Name = var.resolver_name
+  })
+}
+
+resource "aws_route53_resolver_endpoint" "this" {
+  name                   = var.resolver_name
+  resolver_endpoint_type = var.resolver_endpoint_type
+  protocols              = var.resolver_protocols
+  direction              = "OUTBOUND"
+
+  security_group_ids = [
+    aws_security_group.this.id,
+  ]
+
+  dynamic "ip_address" {
+    for_each = toset(var.resolver_subnet_ids)
+
+    content {
+      subnet_id = ip_address.value
+    }
+  }
+}
+
+resource "aws_route53_resolver_rule" "this" {
+  for_each = local.normalised_rules
+
+  name        = each.value.name
+  domain_name = each.value.domain
+  rule_type   = "FORWARD"
+
+  resolver_endpoint_id = aws_route53_resolver_endpoint.this.id
+
+  dynamic "target_ip" {
+    for_each = each.value.targets
+
+    content {
+      ip = target_ip.value
+    }
+  }
+
+  tags = merge(var.tags, {
+    Name = var.resolver_name
+  })
+}
+
+resource "aws_route53_zone_association" "this" {
+  for_each = toset(var.route53_zone_ids)
+
+  vpc_id  = var.resolver_vpc_id
+  zone_id = each.value
+}
+
+resource "aws_ram_resource_share" "this" {
+  for_each = local.normalised_rule_groups
+
+  name                      = format("%s-resolver", each.value.name)
+  allow_external_principals = false
+
+  tags = merge(var.tags, {
+    Name = each.value.name
+  })
+}
+
+resource "aws_ram_resource_association" "this" {
+  for_each = local.normalised_rules
+
+  resource_arn       = aws_route53_resolver_rule.this[each.key].arn
+  resource_share_arn = aws_ram_resource_share.this[each.value.group].arn
+}
+
+resource "aws_ram_principal_association" "this" {
+  for_each = merge([
+    for k, v in local.normalised_rule_groups : {
+      for p in v.ram_principals :
+      join("-", [k, p]) => {
+        group     = k
+        principal = p
+      }
+    }
+  ]...)
+
+  principal          = each.value.principal
+  resource_share_arn = aws_ram_resource_share.this[each.value.group].arn
+}

outputs.tf

@@ -0,0 +1,14 @@
+output "endpoint" {
+  value       = aws_route53_resolver_endpoint.this
+  description = "Details of the Route53 Outbound Resolver endpoint."
+}
+
+output "rules" {
+  value       = aws_route53_resolver_rule.this
+  description = "Map of resolver rules by group."
+}
+
+output "resource_shares" {
+  value       = aws_ram_resource_share.this
+  description = "Map of AWS RAM Shares by group."
+}

terraform.tf

@@ -7,9 +7,5 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.0.0"
     }
-    awscc = {
-      source  = "hashicorp/awscc"
-      version = ">= 0.24.0"
-    }
   }
 }

variables.tf

@@ -0,0 +1,57 @@
+variable "resolver_name" {
+  type        = string
+  description = "Name of the Route53 resolver endpoint"
+}
+
+variable "resolver_vpc_id" {
+  type        = string
+  description = "The ID of the VPC in which to create the Route53 Outbound Resolver"
+}
+
+variable "resolver_subnet_ids" {
+  type        = list(string)
+  description = "List of subnet IDs in which to create the Route53 Outbound Resolver"
+}
+
+variable "resolver_protocols" {
+  type = list(string)
+  default = [
+    "Do53",
+  ]
+  description = "List of protocols that the Route53 Outbound Resolver should support"
+}
+
+variable "resolver_endpoint_type" {
+  type        = string
+  default     = "IPV4"
+  description = "The Route 53 Resolver endpoint IP address type. Valid values: IPV4, IPV6, DUALSTACK."
+}
+
+variable "resolver_rule_groups" {
+  type = map(object({
+    name           = optional(string)
+    ram_principals = optional(list(string), [])
+
+    rules = list(object({
+      domain    = string
+      targets   = list(string)
+      name      = optional(string)
+      rule_type = optional(string, "FORWARD")
+    }))
+  }))
+
+  default     = {}
+  description = "Map of Route53 Resolver Rules by group. Every rule in each group can be shared with principals via AWS RAM."
+}
+
+variable "route53_zone_ids" {
+  type        = list(string)
+  default     = []
+  description = "List of Route53 Zone IDs to be associated with the resolver VPC."
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "Map of tags to apply to resources created by this module"
+}