Merge pull request #56 from aws-ia/tgw-association

include tgw rt assocation, re-organize rsc
aws-ia · Jun 7, 2022 · ef781be · ef781be
2 parents 26f0553 + 07304e1
commit ef781be
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 81 deletions.
diff --git a/README.md b/README.md
@@ -187,6 +187,7 @@ Please see our [developer documentation](https://github.com/aws-ia/terraform-aws
 | [awscc_ec2_route_table.tgw](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/ec2_route_table) | resource |
 | [awscc_ec2_subnet_route_table_association.private](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/ec2_subnet_route_table_association) | resource |
 | [awscc_ec2_subnet_route_table_association.public](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/ec2_subnet_route_table_association) | resource |
+| [awscc_ec2_subnet_route_table_association.tgw](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/ec2_subnet_route_table_association) | resource |
 | [aws_availability_zones.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_vpc_ipam_preview_next_cidr.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_ipam_preview_next_cidr) | data source |
 | [awscc_ec2_vpc.main](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/data-sources/ec2_vpc) | data source |

diff --git a/examples/transit_gateway/main.tf b/examples/transit_gateway/main.tf
@@ -32,4 +32,3 @@ module "vpc" {
     }
   }
 }
-
diff --git a/main.tf b/main.tf
@@ -30,22 +30,7 @@ resource "aws_vpc_ipv4_cidr_block_association" "secondary" {
   ipv4_ipam_pool_id = var.vpc_ipv4_ipam_pool_id
 }
 
-resource "aws_subnet" "private" {
-  for_each = try(local.subnets.private, {})
-
-  availability_zone       = each.key
-  vpc_id                  = local.vpc.id
-  cidr_block              = each.value
-  map_public_ip_on_launch = false
-
-  tags = merge({
-    Name = "${local.subnet_names["private"]}-${each.key}" },
-  module.tags.tags_aws)
-
-  depends_on = [
-    aws_vpc_ipv4_cidr_block_association.secondary
-  ]
-}
+# Public Subnets
 
 resource "aws_subnet" "public" {
   for_each = try(local.subnets.public, {})
@@ -59,41 +44,6 @@ resource "aws_subnet" "public" {
   module.tags.tags_aws)
 }
 
-resource "aws_subnet" "tgw" {
-  for_each = try(local.subnets.transit_gateway, {})
-
-  availability_zone = each.key
-  vpc_id            = local.vpc.id
-  cidr_block        = each.value
-
-  tags = merge({
-    Name = "${local.subnet_names["transit_gateway"]}-${each.key}" },
-  module.tags.tags_aws)
-}
-
-resource "awscc_ec2_route_table" "private" {
-  for_each = try(local.subnets.private, {})
-
-  vpc_id = local.vpc.id
-
-  tags = concat(
-    [{ "key" = "Name", "value" = "${local.subnet_names["private"]}-${each.key}" }],
-    module.tags.tags
-  )
-}
-
-resource "awscc_ec2_route_table" "tgw" {
-  for_each = try(local.subnets.transit_gateway, {})
-
-  vpc_id = local.vpc.id
-
-  tags = concat(
-    [{ "key" = "Name", "value" = "${local.subnet_names["transit_gateway"]}-${each.key}" }],
-    module.tags.tags
-  )
-}
-
-
 resource "awscc_ec2_route_table" "public" {
   for_each = try(local.subnets.public, {})
 
@@ -105,13 +55,6 @@ resource "awscc_ec2_route_table" "public" {
   )
 }
 
-resource "awscc_ec2_subnet_route_table_association" "private" {
-  for_each = try(local.subnets.private, {})
-
-  subnet_id      = aws_subnet.private[each.key].id
-  route_table_id = awscc_ec2_route_table.private[each.key].id
-}
-
 resource "awscc_ec2_subnet_route_table_association" "public" {
   for_each = try(local.subnets.public, {})
 
@@ -152,27 +95,71 @@ resource "aws_internet_gateway" "main" {
   module.tags.tags_aws)
 }
 
-resource "aws_route" "private_to_nat" {
-  # if `route_to_nat` exists & `true` apply to private subnets per az, else do not apply
-  for_each = try(var.subnets.private.route_to_nat, false) ? try(local.subnets.public, {}) : {}
+resource "aws_route" "public_to_igw" {
+  for_each = try(local.subnets.public, {})
 
-  route_table_id         = awscc_ec2_route_table.private[each.key].id
+  route_table_id         = awscc_ec2_route_table.public[each.key].id
   destination_cidr_block = "0.0.0.0/0"
-  # try to get nat for AZ, else use singular nat
-  nat_gateway_id = try(aws_nat_gateway.main[each.key].id, aws_nat_gateway.main[local.nat_configuration[0]].id)
+  gateway_id             = aws_internet_gateway.main[0].id
 }
 
-resource "aws_route" "tgw_to_nat" {
+resource "aws_route" "public_to_tgw" {
+  for_each = try(var.subnets.public.route_to_transit_gateway, []) != [] ? toset([
+    for _, key in keys(local.subnets.public) : "${key}:${var.subnets.public.route_to_transit_gateway[0]}"
+  ]) : toset([])
+
+  route_table_id         = awscc_ec2_route_table.public[split(":", each.key)[0]].id
+  destination_cidr_block = var.subnets.public.route_to_transit_gateway[0]
+  transit_gateway_id     = var.subnets.transit_gateway.transit_gateway_id
+}
+
+# Private Subnets
+
+resource "aws_subnet" "private" {
+  for_each = try(local.subnets.private, {})
+
+  availability_zone       = each.key
+  vpc_id                  = local.vpc.id
+  cidr_block              = each.value
+  map_public_ip_on_launch = false
+
+  tags = merge({
+    Name = "${local.subnet_names["private"]}-${each.key}" },
+  module.tags.tags_aws)
+
+  depends_on = [
+    aws_vpc_ipv4_cidr_block_association.secondary
+  ]
+}
+
+resource "awscc_ec2_route_table" "private" {
+  for_each = try(local.subnets.private, {})
+
+  vpc_id = local.vpc.id
+
+  tags = concat(
+    [{ "key" = "Name", "value" = "${local.subnet_names["private"]}-${each.key}" }],
+    module.tags.tags
+  )
+}
+
+resource "awscc_ec2_subnet_route_table_association" "private" {
+  for_each = try(local.subnets.private, {})
+
+  subnet_id      = aws_subnet.private[each.key].id
+  route_table_id = awscc_ec2_route_table.private[each.key].id
+}
+
+resource "aws_route" "private_to_nat" {
   # if `route_to_nat` exists & `true` apply to private subnets per az, else do not apply
-  for_each = try(var.subnets.transit_gateway.route_to_nat, false) ? try(local.subnets.public, {}) : {}
+  for_each = try(var.subnets.private.route_to_nat, false) ? try(local.subnets.public, {}) : {}
 
-  route_table_id         = awscc_ec2_route_table.tgw[each.key].id
+  route_table_id         = awscc_ec2_route_table.private[each.key].id
   destination_cidr_block = "0.0.0.0/0"
   # try to get nat for AZ, else use singular nat
   nat_gateway_id = try(aws_nat_gateway.main[each.key].id, aws_nat_gateway.main[local.nat_configuration[0]].id)
 }
 
-
 resource "aws_route" "private_to_tgw" {
   # TODO: move logic to locals once `route_to_transit_gateway` can accept more than 1 list item
   for_each = try(var.subnets.private.route_to_transit_gateway, []) != [] ? toset([
@@ -184,22 +171,46 @@ resource "aws_route" "private_to_tgw" {
   transit_gateway_id     = var.subnets.transit_gateway.transit_gateway_id
 }
 
-resource "aws_route" "public_to_igw" {
-  for_each = try(local.subnets.public, {})
+# Transit Gateway Subnets
 
-  route_table_id         = awscc_ec2_route_table.public[each.key].id
-  destination_cidr_block = "0.0.0.0/0"
-  gateway_id             = aws_internet_gateway.main[0].id
+resource "aws_subnet" "tgw" {
+  for_each = try(local.subnets.transit_gateway, {})
+
+  availability_zone = each.key
+  vpc_id            = local.vpc.id
+  cidr_block        = each.value
+
+  tags = merge({
+    Name = "${local.subnet_names["transit_gateway"]}-${each.key}" },
+  module.tags.tags_aws)
 }
 
-resource "aws_route" "public_to_tgw" {
-  for_each = try(var.subnets.public.route_to_transit_gateway, []) != [] ? toset([
-    for _, key in keys(local.subnets.public) : "${key}:${var.subnets.public.route_to_transit_gateway[0]}"
-  ]) : toset([])
+resource "awscc_ec2_route_table" "tgw" {
+  for_each = try(local.subnets.transit_gateway, {})
 
-  route_table_id         = awscc_ec2_route_table.public[split(":", each.key)[0]].id
-  destination_cidr_block = var.subnets.public.route_to_transit_gateway[0]
-  transit_gateway_id     = var.subnets.transit_gateway.transit_gateway_id
+  vpc_id = local.vpc.id
+
+  tags = concat(
+    [{ "key" = "Name", "value" = "${local.subnet_names["transit_gateway"]}-${each.key}" }],
+    module.tags.tags
+  )
+}
+
+resource "awscc_ec2_subnet_route_table_association" "tgw" {
+  for_each = try(local.subnets.transit_gateway, {})
+
+  subnet_id      = aws_subnet.tgw[each.key].id
+  route_table_id = awscc_ec2_route_table.tgw[each.key].id
+}
+
+resource "aws_route" "tgw_to_nat" {
+  # if `route_to_nat` exists & `true` apply to private subnets per az, else do not apply
+  for_each = try(var.subnets.transit_gateway.route_to_nat, false) ? try(local.subnets.public, {}) : {}
+
+  route_table_id         = awscc_ec2_route_table.tgw[each.key].id
+  destination_cidr_block = "0.0.0.0/0"
+  # try to get nat for AZ, else use singular nat
+  nat_gateway_id = try(aws_nat_gateway.main[each.key].id, aws_nat_gateway.main[local.nat_configuration[0]].id)
 }
 
 resource "aws_ec2_transit_gateway_vpc_attachment" "tgw" {
@@ -220,6 +231,8 @@ resource "aws_ec2_transit_gateway_route_table_association" "tgw" {
   transit_gateway_route_table_id = var.subnets.transit_gateway.transit_gateway_route_table_id
 }
 
+# Flow Logs
+
 module "flow_logs" {
   count = local.create_flow_logs ? 1 : 0