From 90e6acc97d702cdd3e9b840c5ef6a2b3f91452dd Mon Sep 17 00:00:00 2001
From: xpk
Date: Fri, 6 Nov 2020 18:53:20 +0800
Subject: [PATCH] NEW: sharing transit gateway via RAM

---
.../network/.terraform.tfstate.lock.info | 1 +
.../account1/network/m.random/main.tf | 18 +++++++
tgw-ram-share/account1/network/outputs.tf | 15 ++++++
tgw-ram-share/account1/network/provider.tf | 10 ++++
tgw-ram-share/account1/network/tgw.tf | 30 +++++++++++
tgw-ram-share/account1/network/variables.tf | 23 ++++++++
tgw-ram-share/account1/network/vpc.tf | 52 +++++++++++++++++++
tgw-ram-share/account2/network/outputs.tf | 19 +++++++
tgw-ram-share/account2/network/provider.tf | 12 +++++
tgw-ram-share/account2/network/tgw-accept.tf | 25 +++++++++
tgw-ram-share/account2/network/variables.tf | 18 +++++++
tgw-ram-share/account2/network/vpc.tf | 4 ++
12 files changed, 227 insertions(+)
create mode 100644 tgw-ram-share/account1/network/.terraform.tfstate.lock.info
create mode 100644 tgw-ram-share/account1/network/m.random/main.tf
create mode 100644 tgw-ram-share/account1/network/outputs.tf
create mode 100644 tgw-ram-share/account1/network/provider.tf
create mode 100644 tgw-ram-share/account1/network/tgw.tf
create mode 100644 tgw-ram-share/account1/network/variables.tf
create mode 100644 tgw-ram-share/account1/network/vpc.tf
create mode 100644 tgw-ram-share/account2/network/outputs.tf
create mode 100644 tgw-ram-share/account2/network/provider.tf
create mode 100644 tgw-ram-share/account2/network/tgw-accept.tf
create mode 100644 tgw-ram-share/account2/network/variables.tf
create mode 100644 tgw-ram-share/account2/network/vpc.tf

diff --git a/tgw-ram-share/account1/network/.terraform.tfstate.lock.info b/tgw-ram-share/account1/network/.terraform.tfstate.lock.info
new file mode 100644
index 0000000..b0c024d
--- /dev/null
+++ b/tgw-ram-share/account1/network/.terraform.tfstate.lock.info
@@ -0,0 +1 @@
+{"ID":"2e5ae993-50c7-cc5c-4e72-ab5e9005771e","Operation":"OperationTypeApply","Info":"","Who":"kn@ism.zoo.lo","Version":"0.12.29","Created":"2020-11-06T10:41:09.3951206Z","Path":"terraform.tfstate"}
\ No newline at end of file
diff --git a/tgw-ram-share/account1/network/m.random/main.tf b/tgw-ram-share/account1/network/m.random/main.tf
new file mode 100644
index 0000000..d868a5e
--- /dev/null
+++ b/tgw-ram-share/account1/network/m.random/main.tf
@@ -0,0 +1,18 @@
+resource "random_string" "string" {
+ length = 4
+ special = false
+}
+
+resource "random_integer" "number" {
+ min = 1000
+ max = 9999
+}
+
+output "string" {
+ value = random_string.string.result
+}
+
+output "number" {
+ value = random_integer.number.result
+}
+
diff --git a/tgw-ram-share/account1/network/outputs.tf b/tgw-ram-share/account1/network/outputs.tf
new file mode 100644
index 0000000..122a5d1
--- /dev/null
+++ b/tgw-ram-share/account1/network/outputs.tf
@@ -0,0 +1,15 @@
+output tgw-id {
+ value = aws_ec2_transit_gateway.tgw01.id
+}
+
+output tgw-invite-arn {
+ value = aws_ram_resource_share.ram-share.arn
+}
+
+output tgw-invite-principal {
+ value = aws_ram_principal_association.ram-invite.principal
+}
+
+output shared-tgw-id {
+ value = split("/", aws_ram_resource_association.tg-share.resource_arn)[1]
+}
\ No newline at end of file
diff --git a/tgw-ram-share/account1/network/provider.tf b/tgw-ram-share/account1/network/provider.tf
new file mode 100644
index 0000000..c316893
--- /dev/null
+++ b/tgw-ram-share/account1/network/provider.tf
@@ -0,0 +1,10 @@
+provider "aws" {
+ region = "ap-southeast-1"
+}
+
+terraform {
+ required_version = "> 0.12, < 0.13"
+ required_providers {
+ aws = "~> 3.6.0"
+ }
+}
\ No newline at end of file
diff --git a/tgw-ram-share/account1/network/tgw.tf b/tgw-ram-share/account1/network/tgw.tf
new file mode 100644
index 0000000..f6af131
--- /dev/null
+++ b/tgw-ram-share/account1/network/tgw.tf
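Review bot: The `terraform` block in account1's provider.tf declares no `backend`, so this root module's state goes to a local `terraform.tfstate` with no locking and no access control beyond the workstation it lives on; the committed `.terraform.tfstate.lock.info` earlier in this patch (`"Path":"terraform.tfstate"`, `"Who":"kn@ism.zoo.lo"`) suggests that is already how it is being applied. That state will hold the transit gateway and RAM share ARNs and the target account ID, so it deserves a remote backend — an S3 backend with `encrypt = true` and a DynamoDB lock table is the usual choice — plus `*.tfstate*` and `.terraform.tfstate.lock.info` in `.gitignore` so lock and state artefacts stop landing in git. Separately, `region = "ap-southeast-1"` is hard-coded here while variables.tf declares `aws-region`; `region = var.aws-region` would match account2's provider.tf and keep the two roots consistent.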
@@ -0,0 +1,30 @@
+resource "aws_ec2_transit_gateway" "tgw01" {
+ description = "test transit gateway"
+ auto_accept_shared_attachments = "enable"
+ default_route_table_association = "enable"
+ default_route_table_propagation = "enable"
+ dns_support = "enable"
+ tags = local.default-tags
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw-attach" {
+ subnet_ids = module.vpc01.private_subnets
+ transit_gateway_id = aws_ec2_transit_gateway.tgw01.id
+ vpc_id = module.vpc01.vpc_id
+}
+
+resource "aws_ram_resource_share" "ram-share" {
+ name = "rslab-dplab"
+ allow_external_principals = true
+ tags = local.default-tags
+}
+
+resource "aws_ram_resource_association" "tg-share" {
+ resource_arn = aws_ec2_transit_gateway.tgw01.arn
+ resource_share_arn = aws_ram_resource_share.ram-share.arn
+}
+
+resource "aws_ram_principal_association" "ram-invite" {
+ principal = var.tgw-target-account
+ resource_share_arn = aws_ram_resource_share.ram-share.arn
+}
diff --git a/tgw-ram-share/account1/network/variables.tf b/tgw-ram-share/account1/network/variables.tf
new file mode 100644
index 0000000..bdd0631
--- /dev/null
+++ b/tgw-ram-share/account1/network/variables.tf
@@ -0,0 +1,23 @@
+variable "aws_access_key" {}
+variable "aws_secret_key" {}
+
+variable "vpc-cidr" {}
+
+variable aws-region {}
+variable owner {}
+variable project {}
+variable environment {}
+variable application {}
+variable terraformmode {}
+
+locals {
+ default-tags = {
+ terraform = var.terraformmode
+ environment = var.environment
+ project = var.project
+ application = var.application
+ }
+}
+
+
+variable tgw-target-account {}
\ No newline at end of file
diff --git a/tgw-ram-share/account1/network/vpc.tf b/tgw-ram-share/account1/network/vpc.tf
new file mode 100644
index 0000000..84e8aac
--- /dev/null
+++ b/tgw-ram-share/account1/network/vpc.tf
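Review bot: `auto_accept_shared_attachments = "enable"` on `tgw01`, combined with `default_route_table_association = "enable"` and `default_route_table_propagation = "enable"`, means any VPC attachment created by a principal the share reaches is accepted with no review and immediately gets bidirectional routes to account1's VPC. The principal association restricts the share to `var.tgw-target-account`, but `allow_external_principals = true` lets that principal be an account outside the organisation, so a mistyped account ID hands the attachment path to a stranger. Unless the target really is outside the org, set `allow_external_principals = false`, and consider `auto_accept_shared_attachments = "disable"` with an explicit `aws_ec2_transit_gateway_vpc_attachment_accepter` in account1 so each cross-account attachment is a reviewable resource rather than an automatic side effect. `aws_ec2_transit_gateway_vpc_attachment.tgw-attach` is also the one resource in this hunk without `tags = local.default-tags`.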
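Review bot: `aws_access_key` and `aws_secret_key` are declared in account1's variables.tf but nothing in account1 references them — its provider.tf sets only `region` — so they are dead declarations that invite someone to start feeding static IAM user keys through tfvars. Drop them and let the provider use its default credential chain (environment, named profile, or an assumed role); if they must stay, note that the `< 0.13` pin rules out `sensitive = true`, so the values will be printed in plan output the moment they are used. None of the variables carries a `type` or `description`; at minimum `variable tgw-target-account { type = string description = "AWS account ID the transit gateway share is extended to" }` would validate the one value that decides who receives the share.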
@@ -0,0 +1,52 @@
+data "aws_availability_zones" "available" {}
+
+locals {
+ subnet_start = cidrsubnets(var.vpc-cidr, 4, 4)
+}
+
+module "random" {
+ source = "./m.random"
+}
+
+module "vpc01" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.47.0"
+
+ name = "demo-vpc-${module.random.number}"
+ cidr = var.vpc-cidr
+ azs = data.aws_availability_zones.available.names
+ private_subnets = cidrsubnets(local.subnet_start[0], 4, 4)
+ public_subnets = cidrsubnets(local.subnet_start[1], 4, 4)
+ enable_nat_gateway = false
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+
+ # this is kinda slow
+ # enable_ssm_endpoint = true
+ # ssm_endpoint_private_dns_enabled = true
+ # ssm_endpoint_security_group_ids = [aws_security_group.endpoint-sg.id]
+ # ssm_endpoint_subnet_ids = module.vpc01.public_subnets
+
+ tags = local.default-tags
+
+}
+
+resource "aws_security_group" "endpoint-sg" {
+ name = "endpoint-sg"
+ vpc_id = module.vpc01.vpc_id
+ ingress {
+ description = "Allow within VPC"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [module.vpc01.vpc_cidr_block]
+ }
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags = local.default-tags
+}
+
diff --git a/tgw-ram-share/account2/network/outputs.tf b/tgw-ram-share/account2/network/outputs.tf
new file mode 100644
index 0000000..d0fea34
--- /dev/null
+++ b/tgw-ram-share/account2/network/outputs.tf
@@ -0,0 +1,19 @@
+output vpc-id {
+ value = data.aws_vpc.vpc1.id
+}
+
+output share-name {
+ value = aws_ram_resource_share_accepter.tgw-accepter.share_name
+}
+
+output share-status {
+ value = aws_ram_resource_share_accepter.tgw-accepter.status
+}
+
+output shared-resources {
+ value = aws_ram_resource_share_accepter.tgw-accepter.resources
+}
+
+output tgw-id {
+ value = data.aws_ec2_transit_gateway.shared-tgw.id
+}
\ No newline at end of file
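Review bot: `aws_security_group.endpoint-sg` allows every port and protocol inbound from the whole VPC CIDR and all egress to `0.0.0.0/0`, which is far wider than an interface endpoint needs, and its only consumer is the commented-out SSM endpoint block, so as committed it is an unreferenced allow-all rule set left in the account. An interface-endpoint group needs only `from_port = 443`, `to_port = 443`, `protocol = "tcp"` inbound from the VPC, and the egress block can be dropped or narrowed to the VPC since endpoint ENIs do not initiate connections. If the SSM endpoint is to stay disabled, remove the group along with it rather than keep it around for a future uncomment. Minor: `single_nat_gateway = true` has no effect while `enable_nat_gateway = false`, and `data "aws_availability_zones" "available" {}` without `state = "available"` can hand the module an impaired AZ.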
diff --git a/tgw-ram-share/account2/network/provider.tf b/tgw-ram-share/account2/network/provider.tf
new file mode 100644
index 0000000..297ca34
--- /dev/null
+++ b/tgw-ram-share/account2/network/provider.tf
@@ -0,0 +1,12 @@
+provider "aws" {
+ region = var.aws-region
+ access_key = var.aws_access_key
+ secret_key = var.aws_secret_key
+}
+
+terraform {
+ required_version = "> 0.12, < 0.13"
+ required_providers {
+ aws = "~> 3.6.0"
+ }
+}
\ No newline at end of file
diff --git a/tgw-ram-share/account2/network/tgw-accept.tf b/tgw-ram-share/account2/network/tgw-accept.tf
new file mode 100644
index 0000000..afa9457
--- /dev/null
+++ b/tgw-ram-share/account2/network/tgw-accept.tf
@@ -0,0 +1,25 @@
+resource "aws_ram_resource_share_accepter" "tgw-accepter" {
+ share_arn = "arn:aws:ram:ap-southeast-1:573340405480:resource-share/70e66c50-c169-4f31-a199-f3a09adb27ce"
+ lifecycle {
+ ignore_changes = all
+ }
+}
+
+locals {
+ tgw-id = split("/", aws_ram_resource_share_accepter.tgw-accepter.resources[0])[1]
+}
+
+data "aws_ec2_transit_gateway" shared-tgw {
+ id = local.tgw-id
+}
+
+data "aws_subnet_ids" subnet-ids {
+ vpc_id = data.aws_vpc.vpc1.id
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" tgw-attach {
+ vpc_id = data.aws_vpc.vpc1.id
+ subnet_ids = [tolist(data.aws_subnet_ids.subnet-ids.ids)[0]]
+ transit_gateway_id = data.aws_ec2_transit_gateway.shared-tgw.id
+ tags = local.default-tags
+}
diff --git a/tgw-ram-share/account2/network/variables.tf b/tgw-ram-share/account2/network/variables.tf
new file mode 100644
index 0000000..7d2fe8a
--- /dev/null
+++ b/tgw-ram-share/account2/network/variables.tf
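Review bot: `access_key = var.aws_access_key` / `secret_key = var.aws_secret_key` in account2's provider block make long-lived static IAM user keys the credential path, which is exactly what will end up in a tfvars file or CI variable next to this code. Prefer the provider's default chain (`AWS_PROFILE`, environment variables, SSO) and, for the cross-account case this layout exists for, `assume_role { role_arn = "arn:aws:iam::<account2-id>:role/terraform" }` so the session is short-lived and attributable in CloudTrail. If static keys genuinely cannot be avoided, keep the variables out of version-controlled tfvars and be aware that the `< 0.13` pin means they cannot be declared `sensitive`, so they will surface in plan output. As with account1, a `backend` block is missing, so account2's state stays local too.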
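Review bot: `share_arn` in `aws_ram_resource_share_accepter.tgw-accepter` hard-codes account1's account ID and a share UUID, and `ignore_changes = all` means that if account1 recreates the share this root keeps reporting the stale ARN as accepted with no drift; feed the ARN in through a variable populated from account1's `tgw-invite-arn` output instead, and drop the blanket `ignore_changes`. `local.tgw-id` takes `resources[0]` without checking that it is a transit gateway ARN, so if a second resource is ever added to `rslab-dplab` the split can yield another resource's ID and the `aws_ec2_transit_gateway` data source fails, or attaches to the wrong thing; `[for r in aws_ram_resource_share_accepter.tgw-accepter.resources : r if length(regexall(":transit-gateway/", r)) > 0][0]` makes the selection explicit. `subnet_ids = [tolist(data.aws_subnet_ids.subnet-ids.ids)[0]]` attaches whichever subnet ID sorts first lexicographically — not by AZ or by tier — so the attachment lands in an arbitrary, possibly public, subnet in a single AZ; select subnets by tag and attach one per AZ.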
@@ -0,0 +1,18 @@
+variable "aws_access_key" {}
+variable "aws_secret_key" {}
+
+variable aws-region {}
+variable owner {}
+variable project {}
+variable environment {}
+variable application {}
+variable terraformmode {}
+
+locals {
+ default-tags = {
+ terraform = var.terraformmode
+ environment = var.environment
+ project = var.project
+ application = var.application
+ }
+}
diff --git a/tgw-ram-share/account2/network/vpc.tf b/tgw-ram-share/account2/network/vpc.tf
new file mode 100644
index 0000000..01362c3
--- /dev/null
+++ b/tgw-ram-share/account2/network/vpc.tf
@@ -0,0 +1,4 @@
+data aws_vpc vpc1 {
+ id = "vpc-d151e0b4"
+}
+
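Review bot: `id = "vpc-d151e0b4"` in `data aws_vpc vpc1` hard-codes an environment-specific resource ID in a root that otherwise parameterises everything through variables.tf, and account2's `tgw-accept.tf` builds its attachment on top of it. Declare `variable vpc-id { type = string }` and use `id = var.vpc-id`, or select the VPC with a `filter`/`tags` block keyed on the same `environment`/`project` values already in `local.default-tags`; a tag lookup also fails loudly when the VPC is recreated, whereas a stale literal ID only fails at plan time with no hint of why.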