Merge pull request #202 from lorengordon/appliance-mode

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.0.0
+current_version = 2.1.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 2.1.0
+
+**Commit Delta**: [Change from 2.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-transit-gateway/compare/2.0.0..2.1.0)
+
+**Released**: 2022.03.29
+
+**Summary**:
+
+*   Supports creating VPC Attachments in appliance mode using the argument, `appliance_mode_support`.
+
 ### 2.0.0
 
 **Commit Delta**: [Change from 1.0.2 release](https://github.com/plus3it/terraform-aws-tardigrade-transit-gateway/compare/1.0.2..2.0.0)

README.md

@@ -34,13 +34,13 @@ This module includes several submodules for different workflows and use cases.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.15.0 |
 
 ## Resources
 
@@ -60,7 +60,7 @@ This module includes several submodules for different workflows and use cases.
 | <a name="input_route_tables"></a> [route\_tables](#input\_route\_tables) | List of TGW route tables to create with the transit gateway | <pre>list(object({<br>    # `name` used as for_each key<br>    name = string<br>    tags = map(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_routes"></a> [routes](#input\_routes) | List of TGW routes to add to TGW route tables | <pre>list(object({<br>    # `name` used as for_each key<br>    name                   = string<br>    blackhole              = bool<br>    default_route_table    = bool<br>    destination_cidr_block = string<br>    # name from `vpc_attachments` or id of a pre-existing tgw attachment<br>    transit_gateway_attachment = string<br>    # name from `route_tables` or id of a pre-existing route table<br>    transit_gateway_route_table = string<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to the TGW and associated resources | `map(string)` | `{}` | no |
-| <a name="input_vpc_attachments"></a> [vpc\_attachments](#input\_vpc\_attachments) | List of VPC attachments to create with the transit gateway | <pre>list(object({<br>    # `name` used as for_each key<br>    name         = string<br>    subnet_ids   = list(string)<br>    dns_support  = string<br>    ipv6_support = string<br>    tags         = map(string)<br>    vpc_routes = list(object({<br>      # `name` is used as for_each key<br>      name                        = string<br>      route_table_id              = string<br>      destination_cidr_block      = string<br>      destination_ipv6_cidr_block = string<br>    }))<br>    transit_gateway_default_route_table_association = bool<br>    transit_gateway_default_route_table_propagation = bool<br>    # name from `route_tables` or id of a pre-existing route table<br>    transit_gateway_route_table_association = string<br>    # list of route table names from `route_tables` or ids of pre-existing route tables<br>    transit_gateway_route_table_propagations = list(string)<br>  }))</pre> | `[]` | no |
+| <a name="input_vpc_attachments"></a> [vpc\_attachments](#input\_vpc\_attachments) | List of VPC attachments to create with the transit gateway | <pre>list(object({<br>    # `name` used as for_each key<br>    name                   = string<br>    subnet_ids             = list(string)<br>    appliance_mode_support = string<br>    dns_support            = string<br>    ipv6_support           = string<br>    tags                   = map(string)<br>    vpc_routes = list(object({<br>      # `name` is used as for_each key<br>      name                        = string<br>      route_table_id              = string<br>      destination_cidr_block      = string<br>      destination_ipv6_cidr_block = string<br>    }))<br>    transit_gateway_default_route_table_association = bool<br>    transit_gateway_default_route_table_propagation = bool<br>    # name from `route_tables` or id of a pre-existing route table<br>    transit_gateway_route_table_association = string<br>    # list of route table names from `route_tables` or ids of pre-existing route tables<br>    transit_gateway_route_table_propagations = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_vpn_ecmp_support"></a> [vpn\_ecmp\_support](#input\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled (valid values: disable, enable) | `string` | `"disable"` | no |
 
 ## Outputs
@@ -77,5 +77,5 @@ This module includes several submodules for different workflows and use cases.
 ## Testing
 
 This module has tests that require multiple providers. In order to simplify the provider config, it
-assumes you have AWS Profiles named `resource-owner` and `resource-member`. These profiles should
+assumes you have AWS Profiles named `aws` and `awsalternate`. These profiles should
 resolve a credential for two different accounts.

main.tf

@@ -46,11 +46,12 @@ module "vpc_attachments" {
   source   = "./modules/vpc-attachment"
   for_each = { for attachment in var.vpc_attachments : attachment.name => attachment }
 
-  subnet_ids         = each.value.subnet_ids
-  transit_gateway_id = aws_ec2_transit_gateway.this.id
-  dns_support        = each.value.dns_support
-  ipv6_support       = each.value.ipv6_support
-  vpc_routes         = each.value.vpc_routes
+  subnet_ids             = each.value.subnet_ids
+  transit_gateway_id     = aws_ec2_transit_gateway.this.id
+  appliance_mode_support = each.value.appliance_mode_support
+  dns_support            = each.value.dns_support
+  ipv6_support           = each.value.ipv6_support
+  vpc_routes             = each.value.vpc_routes
 
   transit_gateway_default_route_table_association = each.value.transit_gateway_default_route_table_association
   transit_gateway_default_route_table_propagation = each.value.transit_gateway_default_route_table_propagation

modules/cross-account-vpc-attachment/README.md

@@ -8,13 +8,13 @@ Terraform module for managing a cross-account Transit Gateway VPC Attachment.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws.owner"></a> [aws.owner](#provider\_aws.owner) | >= 3.0 |
+| <a name="provider_aws.owner"></a> [aws.owner](#provider\_aws.owner) | >= 3.15.0 |
 
 ## Resources
 
@@ -28,6 +28,7 @@ Terraform module for managing a cross-account Transit Gateway VPC Attachment.
 |------|-------------|------|---------|:--------:|
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnets to associate with the VPC attachment | `list(string)` | n/a | yes |
 | <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | ID of the Transit Gateway | `string` | n/a | yes |
+| <a name="input_appliance_mode_support"></a> [appliance\_mode\_support](#input\_appliance\_mode\_support) | Whether Appliance Mode support is enabled. Valid values: disable, enable | `string` | `"disable"` | no |
 | <a name="input_dns_support"></a> [dns\_support](#input\_dns\_support) | Whether DNS support is enabled. Valid values: disable, enable. | `string` | `"enable"` | no |
 | <a name="input_ipv6_support"></a> [ipv6\_support](#input\_ipv6\_support) | Whether IPv6 support is enabled. Valid values: disable, enable | `string` | `"disable"` | no |
 | <a name="input_routes"></a> [routes](#input\_routes) | List of TGW route objects with a target of the VPC attachment in the `aws.owner` account (TGW route tables are *only* in the `aws.owner` account) | <pre>list(object({<br>    # `name` is used as for_each key<br>    name                           = string<br>    destination_cidr_block         = string<br>    transit_gateway_route_table_id = string<br>  }))</pre> | `[]` | no |

modules/cross-account-vpc-attachment/main.tf

@@ -1,13 +1,14 @@
 module "vpc_attachment" {
   source = "../vpc-attachment"
 
-  subnet_ids         = var.subnet_ids
-  transit_gateway_id = var.transit_gateway_id
-  cross_account      = true
-  dns_support        = var.dns_support
-  ipv6_support       = var.ipv6_support
-  tags               = var.tags
-  vpc_routes         = [for route in var.vpc_routes : route if route.provider == "aws"]
+  subnet_ids             = var.subnet_ids
+  transit_gateway_id     = var.transit_gateway_id
+  cross_account          = true
+  appliance_mode_support = var.appliance_mode_support
+  dns_support            = var.dns_support
+  ipv6_support           = var.ipv6_support
+  tags                   = var.tags
+  vpc_routes             = [for route in var.vpc_routes : route if route.provider == "aws"]
 }
 
 module "vpc_accepter" {

modules/cross-account-vpc-attachment/variables.tf

@@ -8,6 +8,16 @@ variable "transit_gateway_id" {
   type        = string
 }
 
+variable "appliance_mode_support" {
+  description = "Whether Appliance Mode support is enabled. Valid values: disable, enable"
+  type        = string
+  default     = "disable"
+  validation {
+    condition     = contains(["enable", "disable"], var.appliance_mode_support)
+    error_message = "`appliance_mode_support` must be one of: \"enable\", \"disable\"."
+  }
+}
+
 variable "dns_support" {
   description = "Whether DNS support is enabled. Valid values: disable, enable."
   type        = string

modules/cross-account-vpc-attachment/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0"
+      version = ">= 3.15.0"
 
       configuration_aliases = [
         aws.owner

modules/vpc-attachment/README.md

@@ -9,13 +9,13 @@ as well as any Transit Gateway route table association or propagations, and VPC
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.15.0 |
 
 ## Resources
 
@@ -30,6 +30,7 @@ as well as any Transit Gateway route table association or propagations, and VPC
 |------|-------------|------|---------|:--------:|
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnets to associate with the VPC attachment | `list(string)` | n/a | yes |
 | <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | ID of the Transit Gateway | `string` | n/a | yes |
+| <a name="input_appliance_mode_support"></a> [appliance\_mode\_support](#input\_appliance\_mode\_support) | Whether Appliance Mode support is enabled. Valid values: disable, enable | `string` | `"disable"` | no |
 | <a name="input_cross_account"></a> [cross\_account](#input\_cross\_account) | Boolean whether this is a cross-account Transit Gateway shared via Resource Access Manager | `bool` | `false` | no |
 | <a name="input_dns_support"></a> [dns\_support](#input\_dns\_support) | Whether DNS support is enabled. Valid values: disable, enable | `string` | `"enable"` | no |
 | <a name="input_ipv6_support"></a> [ipv6\_support](#input\_ipv6\_support) | Whether IPv6 support is enabled. Valid values: disable, enable | `string` | `"disable"` | no |

modules/vpc-attachment/main.tf

@@ -1,10 +1,11 @@
 resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
-  subnet_ids         = var.subnet_ids
-  transit_gateway_id = var.transit_gateway_id
-  vpc_id             = data.aws_subnet.one.vpc_id
-  dns_support        = var.dns_support
-  ipv6_support       = var.ipv6_support
-  tags               = var.tags
+  subnet_ids             = var.subnet_ids
+  transit_gateway_id     = var.transit_gateway_id
+  vpc_id                 = data.aws_subnet.one.vpc_id
+  appliance_mode_support = var.appliance_mode_support
+  dns_support            = var.dns_support
+  ipv6_support           = var.ipv6_support
+  tags                   = var.tags
 
   # default assocation and propagation values must be:
   #   `true` if transit gateway is owned by another account (shared using RAM)

modules/vpc-attachment/variables.tf

@@ -14,6 +14,16 @@ variable "cross_account" {
   default     = false
 }
 
+variable "appliance_mode_support" {
+  description = "Whether Appliance Mode support is enabled. Valid values: disable, enable"
+  type        = string
+  default     = "disable"
+  validation {
+    condition     = contains(["enable", "disable"], var.appliance_mode_support)
+    error_message = "`appliance_mode_support` must be one of: \"enable\", \"disable\"."
+  }
+}
+
 variable "dns_support" {
   description = "Whether DNS support is enabled. Valid values: disable, enable"
   type        = string

modules/vpc-attachment/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0"
+      version = ">= 3.15.0"
     }
   }
 }

tests/cross-account-vpc-attachment/main.tf

@@ -70,12 +70,13 @@ module "tgw" {
   vpc_attachments = [
     {
       # name used as for_each key
-      name         = "foo-${local.id}"
-      subnet_ids   = module.vpc_owner.private_subnets
-      dns_support  = "enable"
-      ipv6_support = "disable"
-      tags         = {}
-      vpc_routes   = []
+      name                   = "foo-${local.id}"
+      subnet_ids             = module.vpc_owner.private_subnets
+      appliance_mode_support = "disable"
+      dns_support            = "enable"
+      ipv6_support           = "disable"
+      tags                   = {}
+      vpc_routes             = []
 
       transit_gateway_default_route_table_association = true
       transit_gateway_default_route_table_propagation = true
@@ -177,7 +178,7 @@ module "ram_share_accepter" {
 }
 
 module "vpc_member" {
-  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.11.3"
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.13.0"
 
   name            = "tardigrade-tgw-${local.id}"
   cidr            = "10.1.0.0/16"
@@ -186,7 +187,7 @@ module "vpc_member" {
 }
 
 module "vpc_owner" {
-  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.11.3"
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.13.0"
   providers = {
     aws = aws.owner
   }

tests/tgw/main.tf

@@ -88,11 +88,12 @@ locals {
   vpc_attachments = [
     {
       # name used as for_each key
-      name         = "foo-${local.id}"
-      subnet_ids   = module.vpc1.private_subnets
-      dns_support  = "enable"
-      ipv6_support = "disable"
-      tags         = {}
+      name                   = "foo-${local.id}"
+      subnet_ids             = module.vpc1.private_subnets
+      appliance_mode_support = "disable"
+      dns_support            = "enable"
+      ipv6_support           = "disable"
+      tags                   = {}
       vpc_routes = [
         {
           # name used as for_each key
@@ -111,11 +112,12 @@ locals {
       ]
     },
     {
-      name         = "bar-${local.id}"
-      subnet_ids   = module.vpc2.private_subnets
-      dns_support  = "enable"
-      ipv6_support = "disable"
-      tags         = {}
+      name                   = "bar-${local.id}"
+      subnet_ids             = module.vpc2.private_subnets
+      appliance_mode_support = "disable"
+      dns_support            = "enable"
+      ipv6_support           = "disable"
+      tags                   = {}
       vpc_routes = [
         {
           name                        = "route-bar1-${local.id}"
@@ -133,7 +135,7 @@ locals {
 }
 
 module "vpc1" {
-  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.11.3"
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.13.0"
 
   name            = "tardigrade-testing-vpc1-${local.id}"
   cidr            = "10.0.0.0/16"
@@ -142,7 +144,7 @@ module "vpc1" {
 }
 
 module "vpc2" {
-  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.11.3"
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.13.0"
 
   name            = "tardigrade-testing-vpc2-${local.id}"
   cidr            = "10.1.0.0/16"

variables.tf

@@ -96,11 +96,12 @@ variable "vpc_attachments" {
   description = "List of VPC attachments to create with the transit gateway"
   type = list(object({
     # `name` used as for_each key
-    name         = string
-    subnet_ids   = list(string)
-    dns_support  = string
-    ipv6_support = string
-    tags         = map(string)
+    name                   = string
+    subnet_ids             = list(string)
+    appliance_mode_support = string
+    dns_support            = string
+    ipv6_support           = string
+    tags                   = map(string)
     vpc_routes = list(object({
       # `name` is used as for_each key
       name                        = string

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0"
+      version = ">= 3.15.0"
     }
   }
 }