Merge pull request #72 from aws-ia/connect-topublic-natgw

change variable parameter name of `route_to_nat` to `connect_to_public_natgw`

Author: drewmullen

.header.md

@@ -28,7 +28,7 @@ module "vpc" {
       # omitting name_prefix defaults value to "private"
       # name_prefix  = "private_with_egress"
       netmask      = 24
-      route_to_nat = "0.0.0.0/0"
+      connect_to_public_natgw = true
     }
   }
 
@@ -56,7 +56,7 @@ subnets = {
     # omitting name_prefix defaults value to "private"
     # name_prefix  = "private"
     netmask      = 24
-    route_to_nat = "0.0.0.0/0"
+    connect_to_public_natgw = true
   }
 
   # can be any valid key name

README.md

@@ -29,7 +29,7 @@ module "vpc" {
       # omitting name_prefix defaults value to "private"
       # name_prefix  = "private_with_egress"
       netmask      = 24
-      route_to_nat = "0.0.0.0/0"
+      connect_to_public_natgw = true
     }
   }
 
@@ -57,7 +57,7 @@ subnets = {
     # omitting name_prefix defaults value to "private"
     # name_prefix  = "private"
     netmask      = 24
-    route_to_nat = "0.0.0.0/0"
+    connect_to_public_natgw = true
   }
 
   # can be any valid key name
@@ -236,7 +236,7 @@ Please see our [developer documentation](https://github.com/aws-ia/terraform-aws
 |------|-------------|------|---------|:--------:|
 | <a name="input_az_count"></a> [az\_count](#input\_az\_count) | Searches region for # of AZs to use and takes a slice based on count. Assume slice is sorted a-z. | `number` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name to give VPC. Note: does not effect subnet names, which get assigned name based on name\_prefix. | `string` | n/a | yes |
-| <a name="input_subnets"></a> [subnets](#input\_subnets) | Configuration of subnets to build in VPC. 1 Subnet per AZ is created. Subnet types are defined as maps with the available keys: "private", "public", "transit\_gateway". Each Subnet type offers its own set of available arguments detailed below.<br><br>**Attributes shared across subnet types:**<br>- `cidrs`       = (Optional\|list(string)) **Cannot set if `netmask` is set.** List of CIDRs to set to subnets. Count of CIDRs defined must match quatity of azs in `az_count`.<br>- `netmask`     = (Optional\|Int) Netmask of the `var.cidr_block` to calculate for each subnet. **Cannot set if `cidrs` is set.**<br>- `name_prefix` = (Optional\|String) A string prefix to use for the name of your subnet and associated resources. Subnet type key name is used if omitted (aka private, public, transit\_gateway). Example `name_prefix = "private"` for `var.subnets.private` is redundant.<br>- `tags`        = (Optional\|map(string)) Tags to set on the subnet and associated resources.<br><br>**Any private subnet type options:**<br>- All shared keys above<br>- `route_to_nat`             = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. Must also set `var.subnets.public.nat_gateway_configuration`.<br>- `route_to_transit_gateway` = (Optional\|string) Optionally create routes from private subnets to transit gateway subnets. Specify the CIDR range or a prefix-list-id that you want routed to the transit gateway.<br><br>**public subnet type options:**<br>- All shared keys above<br>- `nat_gateway_configuration` = (Optional\|string) Determines if NAT Gateways should be created and in how many AZs. Valid values = `"none"`, `"single_az"`, `"all_azs"`. Default = "none". Must also set `var.subnets.private.route_to_nat = true`.<br>- `route_to_transit_gateway`  = (Optional\|string) Optionally create routes from public subnets to transit gateway subnets. Specify the CIDR range or a prefix-list-id that you want routed to the transit gateway.<br><br>**transit\_gateway subnet type options:**<br>- All shared keys above<br>- `route_to_nat`                                    = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. Must also set `var.subnets.public.nat_gateway_configuration`.<br>- `transit_gateway_id`                              = (Required\|string) Transit gateway to attach VPC to.<br>- `transit_gateway_default_route_table_association` = (Optional\|bool) Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways.<br>- `transit_gateway_default_route_table_propagation` = (Optional\|bool) Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways.<br>- `transit_gateway_appliance_mode_support`          = (Optional\|string) Whether Appliance Mode is enabled. If enabled, a traffic flow between a source and a destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: `disable` (default) and `enable`.<br>- `transit_gateway_dns_support`                     = (Optional\|string) DNS Support is used if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway. Valid values: `enable` (default) and `disable`.<br><br>Example:<pre>subnets = {<br>  public = {<br>    netmask                   = 24<br>    nat_gateway_configuration = "single_az"<br>    route_to_transit_gateway  = "10.1.0.0/16"<br>  }<br><br>  private = {<br>    netmask                  = 24<br>    route_to_nat             = "0.0.0.0/0"<br>    route_to_transit_gateway = "10.1.0.0/16"<br>  }<br><br>  transit_gateway = {<br>    netmask                                         = 24<br>    transit_gateway_id                              = aws_ec2_transit_gateway.example.id<br>    route_to_nat                                    = "0.0.0.0/0"<br>    transit_gateway_default_route_table_association = true<br>    transit_gateway_default_route_table_propagation = true<br>  }<br>}</pre> | `any` | n/a | yes |
+| <a name="input_subnets"></a> [subnets](#input\_subnets) | Configuration of subnets to build in VPC. 1 Subnet per AZ is created. Subnet types are defined as maps with the available keys: "private", "public", "transit\_gateway". Each Subnet type offers its own set of available arguments detailed below.<br><br>**Attributes shared across subnet types:**<br>- `cidrs`       = (Optional\|list(string)) **Cannot set if `netmask` is set.** List of CIDRs to set to subnets. Count of CIDRs defined must match quatity of azs in `az_count`.<br>- `netmask`     = (Optional\|Int) Netmask of the `var.cidr_block` to calculate for each subnet. **Cannot set if `cidrs` is set.**<br>- `name_prefix` = (Optional\|String) A string prefix to use for the name of your subnet and associated resources. Subnet type key name is used if omitted (aka private, public, transit\_gateway). Example `name_prefix = "private"` for `var.subnets.private` is redundant.<br>- `tags`        = (Optional\|map(string)) Tags to set on the subnet and associated resources.<br><br>**Any private subnet type options:**<br>- All shared keys above<br>- `connect_to_public_natgw`             = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. Must also set `var.subnets.public.nat_gateway_configuration`.<br>- `route_to_transit_gateway` = (Optional\|string) Optionally create routes from private subnets to transit gateway subnets. Specify the CIDR range or a prefix-list-id that you want routed to the transit gateway.<br><br>**public subnet type options:**<br>- All shared keys above<br>- `nat_gateway_configuration` = (Optional\|string) Determines if NAT Gateways should be created and in how many AZs. Valid values = `"none"`, `"single_az"`, `"all_azs"`. Default = "none". Must also set `var.subnets.private.connect_to_public_natgw = true`.<br>- `route_to_transit_gateway`  = (Optional\|string) Optionally create routes from public subnets to transit gateway subnets. Specify the CIDR range or a prefix-list-id that you want routed to the transit gateway.<br><br>**transit\_gateway subnet type options:**<br>- All shared keys above<br>- `connect_to_public_natgw`                                    = (Optional\|string) Determines if routes to NAT Gateways should be created. Specify the CIDR range or a prefix-list-id that you want routed to nat gateway. Usually `0.0.0.0/0`. Must also set `var.subnets.public.nat_gateway_configuration`.<br>- `transit_gateway_id`                              = (Required\|string) Transit gateway to attach VPC to.<br>- `transit_gateway_default_route_table_association` = (Optional\|bool) Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways.<br>- `transit_gateway_default_route_table_propagation` = (Optional\|bool) Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways.<br>- `transit_gateway_appliance_mode_support`          = (Optional\|string) Whether Appliance Mode is enabled. If enabled, a traffic flow between a source and a destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: `disable` (default) and `enable`.<br>- `transit_gateway_dns_support`                     = (Optional\|string) DNS Support is used if you need the VPC to resolve public IPv4 DNS host names to private IPv4 addresses when queried from instances in another VPC attached to the transit gateway. Valid values: `enable` (default) and `disable`.<br><br>Example:<pre>subnets = {<br>  public = {<br>    netmask                   = 24<br>    nat_gateway_configuration = "single_az"<br>    route_to_transit_gateway  = "10.1.0.0/16"<br>  }<br><br>  private = {<br>    netmask                  = 24<br>    connect_to_public_natgw = true<br>    route_to_transit_gateway = "10.1.0.0/16"<br>  }<br><br>  transit_gateway = {<br>    netmask                                         = 24<br>    transit_gateway_id                              = aws_ec2_transit_gateway.example.id<br>    connect_to_public_natgw = true<br>    transit_gateway_default_route_table_association = true<br>    transit_gateway_default_route_table_propagation = true<br>  }<br>}</pre> | `any` | n/a | yes |
 | <a name="input_cidr_block"></a> [cidr\_block](#input\_cidr\_block) | CIDR range to assign to VPC if creating VPC or to associte as a secondary CIDR. Overridden by var.vpc\_id output from data.aws\_vpc. | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources. | `map(string)` | `{}` | no |
 | <a name="input_vpc_enable_dns_hostnames"></a> [vpc\_enable\_dns\_hostnames](#input\_vpc\_enable\_dns\_hostnames) | Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. | `bool` | `true` | no |

UPGRADE-GUIDE-2.0.md

@@ -2,7 +2,7 @@
 
 - Ability to create arbitrary amounts of subnets types. Previously was only capable of 3 types: public, private, transit gateway. The terms `public` and `transit_gateway` are reserved keywords for those subnet types and all other keys used in var.subnets.<> are assumed to be type **private**.
 - Many private subnet related resources had to be renamed. Most changes are accomplished programatically using a [moved blocks](https://www.terraform.io/language/modules/develop/refactoring) but some require manual `terraform state mv` commands. see below.
-- Can pass cidr or prefix list id to any `route_to_nat` argument. Previously was a boolean that assumed `"0.0.0.0/0"` as the destination cidr.
+- `route_to_nat` has been changed to `connect_to_public_natgw` to clarify the nat is in the public subnet & to diverge from the `route_to` nomenclature which expects a route destination like input.
 - Can pass cidr or prefix list id to `route_to_transit_gateway` argument. Previously was a list of CIDRs that could only accept 1 item.
 - Many changes to Outputs available. Removed outputs marked as deprecated, separated grouped subnet attribute outputs into 3 `public_`, `tgw_`, and `private_`. Since you can have several private subnet declarations we group based on the name scheme `<your_key_name>/az`.
 
@@ -25,7 +25,7 @@ After : `route_to_transit_gateway  = "10.0.0.0/8"`
 
 Before: `route_to_nat = true`
 
-After : `route_to_nat = "0.0.0.0/0"`
+After : `connect_to_public_natgw = true`
 
 ## Statefile Changes
 
@@ -68,7 +68,7 @@ Remediation: See the move commands above.
 
 ### Invalid `for_each` argument
 
-This problem is nuanced. It likely indicates that youre trying to use a prefix list as a `route_to_nat` or `route_to_transit_gateway` value in a subnet argument or transit gateway id. If you're attempting to create a resource and use it as a value in any of subnet definition, you must first [target create](https://learn.hashicorp.com/tutorials/terraform/resource-targeting) those resources. This includes both `aws_ec2_managed_prefix_list` and `aws_ec2_transit_gateway`.
+This problem is nuanced. It likely indicates that youre trying to use a computed value, like a resource id, as an input in the var.subnets map. Common examples would be passing transit_gateway id or prefix_list_id that is created in parallel. You must first [target create](https://learn.hashicorp.com/tutorials/terraform/resource-targeting) those resources. This includes both `aws_ec2_managed_prefix_list` and `aws_ec2_transit_gateway`.
 
 Alternative to target creates, see the [transit_gateway test](https://github.com/aws-ia/terraform-aws-vpc/blob/main/test/examples_transit_gateway__test.go) for an example, we create both in a separate root and pass as variables
 

contributing.md

@@ -67,7 +67,7 @@ route_table_attributes_by_type_by_az = {
       ```terraform
         **private subnet type options:**
           - All shared keys above
-          - `route_to_nat`             = (Optional|bool) <>
+          - `connect_to_public_natgw`  = (Optional|bool) <>
           - `route_to_transit_gateway` = (Optional|list(string)) <>
       ```
 

data.tf

@@ -13,9 +13,9 @@ locals {
 
   # constructed list of <private_subnet_key>/az
   private_per_az = flatten([for az in local.azs : [for subnet in local.private_subnet_names : "${subnet}/${az}"]])
-  # list of private subnet keys with route_to_nat = true
-  private_subnets_nat_routed = [for type in local.private_subnet_names : type if can(var.subnets[type].route_to_nat)]
-  # private subnets with cidrs per az if route_to_nat = true ...  "privatetwo/us-east-1a"
+  # list of private subnet keys with connect_to_public_natgw = true
+  private_subnets_nat_routed = [for type in local.private_subnet_names : type if can(var.subnets[type].connect_to_public_natgw)]
+  # private subnets with cidrs per az if connect_to_public_natgw = true ...  "privatetwo/us-east-1a"
   private_subnet_names_nat_routed = [for subnet in local.private_per_az : subnet if contains(local.private_subnets_nat_routed, split("/", subnet)[0])]
 
   private_subnets_tgw_routed          = [for type in local.private_subnet_names : type if can(var.subnets[type].route_to_transit_gateway)]

examples/ipam/main.tf

@@ -14,8 +14,8 @@ module "vpc" {
       nat_gateway_configuration = "all_azs"
     }
     private = {
-      netmask      = 24
-      route_to_nat = "0.0.0.0/0"
+      netmask                 = 24
+      connect_to_public_natgw = true
     }
   }
 }

examples/public_private_flow_logs/main.tf

@@ -16,8 +16,8 @@ module "vpc" {
     private = {
       # omitting name_prefix defaults value to "private"
       # name_prefix  = "private"
-      netmask      = 24
-      route_to_nat = "0.0.0.0/0"
+      netmask                 = 24
+      connect_to_public_natgw = true
     }
   }
 

examples/transit_gateway/main.tf

@@ -1,6 +1,7 @@
 module "vpc" {
-  source  = "aws-ia/vpc/aws"
-  version = ">= 2.0.0"
+  # source  = "aws-ia/vpc/aws"
+  # version = ">= 2.0.0"
+  source = "../.."
 
   name       = "tgw"
   cidr_block = "10.0.0.0/16"
@@ -15,7 +16,7 @@ module "vpc" {
 
     private_with_egress = {
       netmask                  = 24
-      route_to_nat             = "0.0.0.0/0"
+      connect_to_public_natgw  = true
       route_to_transit_gateway = var.prefix_list_id
     }
 
@@ -26,7 +27,7 @@ module "vpc" {
     transit_gateway = {
       netmask                                         = 28
       transit_gateway_id                              = var.tgw_id
-      route_to_nat                                    = "0.0.0.0/0"
+      connect_to_public_natgw                         = true
       transit_gateway_default_route_table_association = true
       transit_gateway_default_route_table_propagation = true
       transit_gateway_appliance_mode_support          = "enable"

main.tf

@@ -158,7 +158,7 @@ resource "aws_route" "private_to_nat" {
   for_each = toset(try(local.private_subnet_names_nat_routed, []))
 
   route_table_id         = awscc_ec2_route_table.private[each.key].id
-  destination_cidr_block = var.subnets[split("/", each.key)[0]].route_to_nat
+  destination_cidr_block = "0.0.0.0/0"
   # try to get nat for AZ, else use singular nat
   nat_gateway_id = try(aws_nat_gateway.main[split("/", each.key)[1]].id, aws_nat_gateway.main[local.nat_configuration[0]].id)
 }
@@ -208,11 +208,11 @@ resource "awscc_ec2_subnet_route_table_association" "tgw" {
 }
 
 resource "aws_route" "tgw_to_nat" {
-  for_each = (can(var.subnets.transit_gateway.route_to_nat) && contains(local.subnet_keys, "public")) ? toset(local.azs) : toset([])
+  for_each = (can(var.subnets.transit_gateway.connect_to_public_natgw) && contains(local.subnet_keys, "public")) ? toset(local.azs) : toset([])
 
 
   route_table_id         = awscc_ec2_route_table.tgw[each.key].id
-  destination_cidr_block = var.subnets.transit_gateway.route_to_nat
+  destination_cidr_block = "0.0.0.0/0"
   # try to get nat for AZ, else use singular nat
   nat_gateway_id = try(aws_nat_gateway.main[each.key].id, aws_nat_gateway.main[local.nat_configuration[0]].id)
 }