From 6c2fbcd8cb8101506b1ff1fcb44c8a9e931d324a Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Wed, 27 Nov 2019 16:25:41 +0100
Subject: [PATCH] Added Customer Gateway resource
---
 README.md | 4 ++++
 examples/complete-vpc/README.md | 2 ++
 examples/complete-vpc/main.tf | 11 +++++++++++
 examples/complete-vpc/outputs.tf | 11 +++++++++++
 main.tf | 19 +++++++++++++++++++
 outputs.tf | 10 ++++++++++
 variables.tf | 12 ++++++++++++
 vpc-endpoints.tf | 4 ++--
 8 files changed, 71 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 737d4b340..957234d89 100644
--- a/README.md
+++ b/README.md
@@ -256,6 +256,8 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | bool | `"true"` | no |
 | create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | bool | `"false"` | no |
 | create\_vpc | Controls if VPC should be created (it affects almost all resources) | bool | `"true"` | no |
+| customer\_gateway\_tags | Additional tags for the Customer Gateway | map(string) | `{}` | no |
+| customer\_gateways | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | map(map(any)) | `{}` | no |
 | database\_acl\_tags | Additional tags for the database subnets network ACL | map(string) | `{}` | no |
 | database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool | `"false"` | no |
 | database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
@@ -506,6 +508,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | Name | Description |
 |------|-------------|
 | azs | A list of availability zones specified as argument to this module |
+| cgw\_ids | List of IDs of Customer Gateway |
 | database\_network\_acl\_id | ID of the database network ACL |
 | database\_route\_table\_ids | List of IDs of database route tables |
 | database\_subnet\_arns | List of ARNs of database subnets |
@@ -564,6 +567,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | redshift\_subnets | List of IDs of redshift subnets |
 | redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets |
 | redshift\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC |
+| this\_customer\_gateway | Map of Customer Gateway attributes |
 | vgw\_id | The ID of the VPN Gateway |
 | vpc\_arn | The ARN of the VPC |
 | vpc\_cidr\_block | The CIDR block of the VPC |
diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md
index 7a0a4a96d..ca3bf98a6 100644
--- a/examples/complete-vpc/README.md
+++ b/examples/complete-vpc/README.md
@@ -21,6 +21,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Description |
 |------|-------------|
+| cgw\_ids | List of IDs of Customer Gateway |
 | database\_subnets | List of IDs of database subnets |
 | elasticache\_subnets | List of IDs of elasticache subnets |
 | intra\_subnets | List of IDs of intra subnets |
@@ -28,6 +29,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | private\_subnets | List of IDs of private subnets |
 | public\_subnets | List of IDs of public subnets |
 | redshift\_subnets | List of IDs of redshift subnets |
+| this\_customer\_gateway | Map of Customer Gateway attributes |
 | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
 | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM |
 | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. |
diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf
index 08336f8a1..e492f5c87 100644
--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -33,6 +33,17 @@ module "vpc" {
 enable_nat_gateway = true
 single_nat_gateway = true
+ customer_gateways = {
+ IP1 = {
+ bgp_asn = 65112
+ ip_address = "1.2.3.4"
+ },
+ IP2 = {
+ bgp_asn = 65112
+ ip_address = "5.6.7.8"
+ }
+ }
+
 enable_vpn_gateway = true
 enable_dhcp_options = true
diff --git a/examples/complete-vpc/outputs.tf b/examples/complete-vpc/outputs.tf
index db1fef127..a0887de5e 100644
--- a/examples/complete-vpc/outputs.tf
+++ b/examples/complete-vpc/outputs.tf
@@ -57,6 +57,17 @@ output "vpc_endpoint_ssm_dns_entry" {
 value = module.vpc.vpc_endpoint_ssm_dns_entry
 }
+# Customer Gateway
+output "cgw_ids" {
+ description = "List of IDs of Customer Gateway"
+ value = module.vpc.cgw_ids
+}
+
+output "this_customer_gateway" {
+ description = "Map of Customer Gateway attributes"
+ value = module.vpc.this_customer_gateway
+}
+
 //
 //# VPC endpoints
 //output "vpc_endpoint_ec2_id" {
diff --git a/main.tf b/main.tf
index a8a693037..d07bb87e1 100644
--- a/main.tf
+++ b/main.tf
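Review bot: The `ip_address` values `1.2.3.4` and `5.6.7.8` in the new `customer_gateways` block of examples/complete-vpc/main.tf are live, publicly routed addresses rather than reserved documentation space, so anyone who applies the example unchanged registers Customer Gateways that point at hosts they do not control. The RFC 5737 TEST-NET ranges make the placeholder intent explicit and avoid that, e.g. `ip_address = "192.0.2.1"` for IP1 and `ip_address = "198.51.100.1"` for IP2. The enclosing `module "vpc"` block starts and ends outside the hunk.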
@@ -989,6 +989,25 @@ resource "aws_route_table_association" "public" {
 route_table_id = aws_route_table.public[0].id
 }
+####################
+# Customer Gateways
+####################
+resource "aws_customer_gateway" "this" {
+ for_each = var.customer_gateways
+
+ bgp_asn = each.value["bgp_asn"]
+ ip_address = each.value["ip_address"]
+ type = "ipsec.1"
+
+ tags = merge(
+ {
+ Name = format("%s-%s", var.name, each.key)
+ },
+ var.tags,
+ var.customer_gateway_tags,
+ )
+}
+
 ##############
 # VPN Gateway
 ##############
diff --git a/outputs.tf b/outputs.tf
index 29427c3c9..946d081e1 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -263,6 +263,16 @@ output "egress_only_internet_gateway_id" {
 value = concat(aws_egress_only_internet_gateway.this.*.id, [""])[0]
 }
+output "cgw_ids" {
+ description = "List of IDs of Customer Gateway"
+ value = [for k, v in aws_customer_gateway.this : v.id]
+}
+
+output "this_customer_gateway" {
+ description = "Map of Customer Gateway attributes"
+ value = aws_customer_gateway.this
+}
+
 output "vgw_id" {
 description = "The ID of the VPN Gateway"
 value = concat(
diff --git a/variables.tf b/variables.tf
index 3f40cf38a..856e2a25c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1305,6 +1305,12 @@ variable "map_public_ip_on_launch" {
 default = true
 }
+variable "customer_gateways" {
+ description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)"
+ type = map(map(any))
+ default = {}
+}
+
 variable "enable_vpn_gateway" {
 description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC"
 type = bool
@@ -1489,6 +1495,12 @@ variable "nat_eip_tags" {
 default = {}
 }
+variable "customer_gateway_tags" {
+ description = "Additional tags for the Customer Gateway"
+ type = map(string)
+ default = {}
+}
+
 variable "vpn_gateway_tags" {
 description = "Additional tags for the VPN gateway"
 type = map(string)
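Review bot: `for_each = var.customer_gateways` in the new `aws_customer_gateway.this` resource in main.tf is not gated on `var.create_vpc`, unlike the sibling resources in this module (the vpc-endpoints.tf hunks in this same patch show the `count = var.create_vpc && ...` pattern), so a caller that sets `create_vpc = false` still gets every gateway created. A Customer Gateway is not attached to a VPC, so this may well be intentional, but then the README row for `create_vpc` ("affects almost all resources") or a comment on the resource should say so explicitly. If it is not intentional, `for_each = var.create_vpc ? var.customer_gateways : {}` keeps the module's existing contract. Either way, a one-line comment above `for_each` such as `# Created independently of create_vpc: a Customer Gateway is not bound to a VPC` would stop the next reader from asking the same question.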
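Review bot: In the new `cgw_ids` output in outputs.tf the key symbol `k` of `[for k, v in aws_customer_gateway.this : v.id]` is never used; a single-symbol `for` over a map already iterates its values, so `value = [for v in aws_customer_gateway.this : v.id]` expresses the same thing without the dead binding. The description `List of IDs of Customer Gateway` would also help callers that index into the list if it stated the ordering, which should follow the keys of `var.customer_gateways` — confirm against Terraform's map iteration order before documenting it.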
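Review bot: `type = map(map(any))` for the new `customer_gateways` variable in variables.tf imposes no schema on the inner map, so a misspelled key (say `ip_addr`) is accepted at the variable boundary and only fails later at `each.value["ip_address"]` in main.tf; and because `map(any)` resolves to one element type per map, the numeric `bgp_asn` is presumably unified with the string `ip_address` and carried as a string — confirm against the provider's handling. An object type pins both the keys and their types at plan time: `type = map(object({ bgp_asn = number, ip_address = string }))`. The description should also mention that the map key becomes the suffix of the gateway's `Name` tag (`format("%s-%s", var.name, each.key)` in the main.tf hunk), since that is the only thing the key is used for. The second hunk in this file (`customer_gateway_tags`) raises nothing.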
diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf
index c8b48256e..01052f204 100644
--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf
@@ -971,7 +971,7 @@ resource "aws_vpc_endpoint" "efs" {
 count = var.create_vpc && var.enable_efs_endpoint ? 1 : 0
 vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.efs.service_name
+ service_name = data.aws_vpc_endpoint_service.efs[0].service_name
 vpc_endpoint_type = "Interface"
 security_group_ids = var.efs_endpoint_security_group_ids
@@ -994,7 +994,7 @@ resource "aws_vpc_endpoint" "cloud_directory" {
 count = var.create_vpc && var.enable_cloud_directory_endpoint ? 1 : 0
 vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.cloud_directory.service_name
+ service_name = data.aws_vpc_endpoint_service.cloud_directory[0].service_name
 vpc_endpoint_type = "Interface"
 security_group_ids = var.cloud_directory_endpoint_security_group_ids