Merge pull request terraform-aws-modules#92 from pablo19sc/main

Adding Cloud WAN support
alexohima · Nov 14, 2022 · 079bf31 · 079bf31
2 parents ff4c64f + 85ae4ef
commit 079bf31
Show file tree

Hide file tree

Showing 26 changed files with 805 additions and 28 deletions.
diff --git a/.header.md b/.header.md
@@ -41,7 +41,7 @@ module "vpc" {
 
 ## Reserved Subnet Key Names
 
-There are 2 reserved keys for subnet key names in var.subnets corresponding to types "public" and "transit_gateway". Other custom subnet key names are valid are and those subnets will be private subnets.
+There are 3 reserved keys for subnet key names in var.subnets corresponding to types "public", "transit_gateway", and "core_network" [(an AWS Cloud WAN feature)](https://docs.aws.amazon.com/vpc/latest/cloudwan/cloudwan-networks-working-with.html). Other custom subnet key names are valid are and those subnets will be private subnets.
 
 ```terraform
 transit_gateway_id = <>
@@ -86,6 +86,33 @@ subnets = {
 }
 ```
 
+```terraform
+core_network = {
+  id  = <>
+  arn = <>
+}
+core_network_routes = {
+  workload = "pl-123"
+}
+
+subnets = {
+  workload = {
+    name_prefix = "workload-private"
+    netmask     = 24
+  }
+
+  core_network = {
+    netmask            = 28
+    ipv6_support       = false
+    require_acceptance = true
+    accept_attachment  = true
+
+    tags = {
+      env = "prod"
+    }
+}
+```
+
 ## Updating a VPC with new or removed subnets
 
 If using `netmask` to calculate subnets and you wish to either add or remove subnets (ex: adding / removing an AZ), you may have to change from using `netmask` for some subnets and set to explicit instead. Private subnets are always calculated before public.
@@ -207,6 +234,51 @@ or
 
 `export AWS_DEFAULT_REGION=<>`
 
-## Contributing
+## Error creating routes to Core Network
+
+Error:
+
+> error creating Route in Route Table (rtb-xxx) with destination (YYY): InvalidCoreNetworkArn.NotFound: The core network arn 'arn:aws:networkmanager::XXXX:core-network/core-network-YYYYY' does not exist.
+
+This happens when the Core Network's VPC attachment requires acceptance, so it's not possible to create the routes in the VPC until the attachment is accepted. Check the following:
+
+* If the VPC attachment requires acceptance and you want the module to automatically accept it, configure `require_acceptance` and `accept_attachment` to `true`.
+
+```terraform
+subnets = {
+  core_network = {
+    netmaks            = 28
+    require_acceptance = true
+    accept_attachment  = true
+  }
+}
+```
+
+* If the VPC attachment requires acceptance but you want to accept it outside the module, first configure `require_acceptance` to `true` and `accept_attachment` to `false`.
+
+```terraform
+subnets = {
+  core_network = {
+    netmaks            = 28
+    require_acceptance = true
+    accept_attachment  = true
+  }
+}
+```
+
+After you apply and the attachment is accepted (outside the module), change the subnet configuration with `require_acceptance` to `false`.
+
+```terraform
+subnets = {
+  core_network = {
+    netmaks            = 28
+    require_acceptance = false
+  }
+}
+```
+
+* Alternatively, you can also not configure any subnet route (`var.core_network_routes`) to the Core Network until the attachment gets accepted.
+
+# Contributing
 
 Please see our [developer documentation](https://github.com/aws-ia/terraform-aws-vpc/blob/main/contributing.md) for guidance on contributing to this module
diff --git a/README.md b/README.md
diff --git a/data.tf b/data.tf
@@ -19,7 +19,7 @@ locals {
   # - subnets map contains arbitrary amount of subnet "keys" which are both defined as the subnets type and default name (unless name_prefix is provided).
   # - resource name labels for subnet use the key as  private subnet keys are constructed
 
-  singleton_subnet_types = ["public", "transit_gateway"]
+  singleton_subnet_types = ["public", "transit_gateway", "core_network"]
   private_subnet_names   = setsubtract(local.subnet_keys, local.singleton_subnet_types)
 
   # constructed list of <private_subnet_key>/az
@@ -35,6 +35,14 @@ locals {
   subnets_tgw_routed                  = keys(var.transit_gateway_routes)
   private_subnet_key_names_tgw_routed = [for subnet in local.private_per_az : subnet if contains(local.subnets_tgw_routed, split("/", subnet)[0])]
 
+  # support variables for core_network_routes
+  subnets_cwan_routed                  = keys(var.core_network_routes)
+  private_subnet_key_names_cwan_routes = [for subnet in local.private_per_az : subnet if contains(local.subnets_cwan_routed, split("/", subnet)[0])]
+  require_acceptance                   = try(var.subnets.core_network.require_acceptance, false) # value to default
+  accept_attachment                    = try(var.subnets.core_network.accept_attachment, true)   # value to default
+  create_acceptance                    = (local.require_acceptance == true && local.accept_attachment == true)
+  create_cwan_routes                   = (local.require_acceptance == false) || local.create_acceptance
+
   ##################################################################
   # NAT configurations options, maps user string input to HCL usable values. selected based on nat_gateway_configuration
   # null   = none

diff --git a/examples/cloud_wan/.header.md b/examples/cloud_wan/.header.md
@@ -0,0 +1,10 @@
+# Creating AWS Cloud WAN's VPC attachment
+
+This example shows how you can use this module with `core_network` subnets, and AWS Cloud WAN's VPC attachment. This examples creates the following:
+
+* Global Network and Core Network.
+* Core Network's policy (in `cwan_policy.tf`), creating two segments (prod and nonprod) in two AWS Regions (*us-east-1* and *eu-west-1*). The *prod* segments needs acceptance for the attachments.
+* The VPC module creates the following (in two AWS Regions):
+  * Two sets of subnets (workloads and core_network)
+  * Cloud WAN's VPC attachment - with attachment acceptance for the VPC to associate to the *prod* segment.
+  * Routing to Core Network (0.0.0.0/0) in workload subnets.
diff --git a/examples/cloud_wan/.terraform-docs.yaml b/examples/cloud_wan/.terraform-docs.yaml
@@ -0,0 +1,21 @@
+formatter: markdown
+header-from: .header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+  lockfile: false
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: replace
diff --git a/examples/cloud_wan/README.md b/examples/cloud_wan/README.md
@@ -0,0 +1,57 @@
+<!-- BEGIN_TF_DOCS -->
+# Creating AWS Cloud WAN's VPC attachment
+
+This example shows how you can use this module with `core_network` subnets, and AWS Cloud WAN's VPC attachment. This examples creates the following:
+
+* Global Network and Core Network.
+* Core Network's policy (in `cwan_policy.tf`), creating two segments (prod and nonprod) in two AWS Regions (*us-east-1* and *eu-west-1*). The *prod* segments needs acceptance for the attachments.
+* The VPC module creates the following (in two AWS Regions):
+  * Two sets of subnets (workloads and core\_network)
+  * Cloud WAN's VPC attachment - with attachment acceptance for the VPC to associate to the *prod* segment.
+  * Routing to Core Network (0.0.0.0/0) in workload subnets.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.27.0 |
+| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 0.36.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.27.0 |
+| <a name="provider_awscc.awsccnvirginia"></a> [awscc.awsccnvirginia](#provider\_awscc.awsccnvirginia) | >= 0.36.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_ireland_vpc"></a> [ireland\_vpc](#module\_ireland\_vpc) | aws-ia/vpc/aws | >= 3.0.2 |
+| <a name="module_nvirginia_vpc"></a> [nvirginia\_vpc](#module\_nvirginia\_vpc) | aws-ia/vpc/aws | >= 3.0.2 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [awscc_networkmanager_core_network.core_network](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/networkmanager_core_network) | resource |
+| [awscc_networkmanager_global_network.global_network](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/networkmanager_global_network) | resource |
+| [aws_networkmanager_core_network_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cloud_wan_regions"></a> [cloud\_wan\_regions](#input\_cloud\_wan\_regions) | AWS Regions to create in Cloud WAN's core network. | <pre>object({<br>    nvirginia = string<br>    ireland   = string<br>  })</pre> | <pre>{<br>  "ireland": "eu-west-1",<br>  "nvirginia": "us-east-1"<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_core_network"></a> [core\_network](#output\_core\_network) | Core Network ID. |
+| <a name="output_core_network_vpc_attachments"></a> [core\_network\_vpc\_attachments](#output\_core\_network\_vpc\_attachments) | Core Network VPC attachments. |
+| <a name="output_global_network"></a> [global\_network](#output\_global\_network) | Global Network ID. |
+| <a name="output_vpcs"></a> [vpcs](#output\_vpcs) | VPCs created. |
+<!-- END_TF_DOCS -->
diff --git a/examples/cloud_wan/cwan_policy.tf b/examples/cloud_wan/cwan_policy.tf
@@ -0,0 +1,63 @@
+
+data "aws_networkmanager_core_network_policy_document" "policy" {
+  core_network_configuration {
+    vpn_ecmp_support = true
+    asn_ranges       = ["64515-64520"]
+
+    edge_locations {
+      location = var.cloud_wan_regions.nvirginia
+      asn      = 64515
+    }
+
+    edge_locations {
+      location = var.cloud_wan_regions.ireland
+      asn      = 64516
+    }
+  }
+
+  segments {
+    name                          = "prod"
+    description                   = "Segment for production traffic"
+    require_attachment_acceptance = true
+  }
+
+  segments {
+    name                          = "nonprod"
+    description                   = "Segment for non-production traffic"
+    require_attachment_acceptance = false
+  }
+
+  attachment_policies {
+    rule_number     = 100
+    condition_logic = "or"
+
+    conditions {
+      type     = "tag-value"
+      operator = "equals"
+      key      = "env"
+      value    = "prod"
+    }
+
+    action {
+      association_method = "constant"
+      segment            = "prod"
+    }
+  }
+
+  attachment_policies {
+    rule_number     = 200
+    condition_logic = "or"
+
+    conditions {
+      type     = "tag-value"
+      operator = "equals"
+      key      = "env"
+      value    = "nonprod"
+    }
+
+    action {
+      association_method = "constant"
+      segment            = "nonprod"
+    }
+  }
+}
diff --git a/examples/cloud_wan/main.tf b/examples/cloud_wan/main.tf
@@ -0,0 +1,94 @@
+
+# VPC module (North Virginia)
+module "nvirginia_vpc" {
+  source  = "aws-ia/vpc/aws"
+  version = ">= 3.0.2"
+
+  providers = {
+    aws   = aws.awsnvirginia
+    awscc = awscc.awsccnvirginia
+  }
+
+  name       = "nvirginia-vpc"
+  cidr_block = "10.0.0.0/24"
+  az_count   = 2
+
+  core_network = {
+    id  = awscc_networkmanager_core_network.core_network.core_network_id
+    arn = awscc_networkmanager_core_network.core_network.core_network_arn
+  }
+  core_network_routes = {
+    workload = "0.0.0.0/0"
+  }
+
+  subnets = {
+    workload = { netmask = 28 }
+    core_network = {
+      netmask            = 28
+      ipv6_support       = false
+      require_acceptance = true
+      accept_attachment  = true
+
+      tags = {
+        env = "prod"
+      }
+    }
+  }
+}
+
+# VPC module (Ireland)
+module "ireland_vpc" {
+  source  = "aws-ia/vpc/aws"
+  version = ">= 3.0.2"
+
+  providers = {
+    aws   = aws.awsireland
+    awscc = awscc.awsccireland
+  }
+
+  name       = "ireland-vpc"
+  cidr_block = "10.0.1.0/24"
+  az_count   = 2
+
+  core_network = {
+    id  = awscc_networkmanager_core_network.core_network.core_network_id
+    arn = awscc_networkmanager_core_network.core_network.core_network_arn
+  }
+  core_network_routes = {
+    workload = "0.0.0.0/0"
+  }
+
+  subnets = {
+    workload = { netmask = 28 }
+    core_network = {
+      netmask            = 28
+      ipv6_support       = false
+      require_acceptance = false
+
+      tags = {
+        env = "nonprod"
+      }
+    }
+  }
+}
+
+# Global Network
+resource "awscc_networkmanager_global_network" "global_network" {
+  provider = awscc.awsccnvirginia
+
+  description = "Global Network - VPC module"
+}
+
+# Core Network
+resource "awscc_networkmanager_core_network" "core_network" {
+  provider = awscc.awsccnvirginia
+
+  description       = "Core Network - VPC module"
+  global_network_id = awscc_networkmanager_global_network.global_network.id
+  policy_document   = jsonencode(jsondecode(data.aws_networkmanager_core_network_policy_document.policy.json))
+
+  tags = [{
+    key   = "Name",
+    value = "Core Network - VPC module"
+  }]
+}