Added Customer Gateway resource

README.md

@@ -256,6 +256,8 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | bool | `"true"` | no |
 | create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | bool | `"false"` | no |
 | create\_vpc | Controls if VPC should be created (it affects almost all resources) | bool | `"true"` | no |
+| customer\_gateway\_tags | Additional tags for the Customer Gateway | map(string) | `{}` | no |
+| customer\_gateways | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | map(map(any)) | `{}` | no |
 | database\_acl\_tags | Additional tags for the database subnets network ACL | map(string) | `{}` | no |
 | database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool | `"false"` | no |
 | database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
@@ -506,6 +508,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | Name | Description |
 |------|-------------|
 | azs | A list of availability zones specified as argument to this module |
+| cgw\_ids | List of IDs of Customer Gateway |
 | database\_network\_acl\_id | ID of the database network ACL |
 | database\_route\_table\_ids | List of IDs of database route tables |
 | database\_subnet\_arns | List of ARNs of database subnets |
@@ -564,6 +567,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | redshift\_subnets | List of IDs of redshift subnets |
 | redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets |
 | redshift\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC |
+| this\_customer\_gateway | Map of Customer Gateway attributes |
 | vgw\_id | The ID of the VPN Gateway |
 | vpc\_arn | The ARN of the VPC |
 | vpc\_cidr\_block | The CIDR block of the VPC |

examples/complete-vpc/README.md

@@ -21,13 +21,15 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name | Description |
 |------|-------------|
+| cgw\_ids | List of IDs of Customer Gateway |
 | database\_subnets | List of IDs of database subnets |
 | elasticache\_subnets | List of IDs of elasticache subnets |
 | intra\_subnets | List of IDs of intra subnets |
 | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
 | private\_subnets | List of IDs of private subnets |
 | public\_subnets | List of IDs of public subnets |
 | redshift\_subnets | List of IDs of redshift subnets |
+| this\_customer\_gateway | Map of Customer Gateway attributes |
 | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
 | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM |
 | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. |

examples/complete-vpc/main.tf

@@ -33,6 +33,17 @@ module "vpc" {
   enable_nat_gateway = true
   single_nat_gateway = true
 
+  customer_gateways = {
+    IP1 = {
+      bgp_asn    = 65112
+      ip_address = "1.2.3.4"
+    },
+    IP2 = {
+      bgp_asn    = 65112
+      ip_address = "5.6.7.8"
+    }
+  }
+
   enable_vpn_gateway = true
 
   enable_dhcp_options              = true

examples/complete-vpc/outputs.tf

@@ -57,6 +57,17 @@ output "vpc_endpoint_ssm_dns_entry" {
   value       = module.vpc.vpc_endpoint_ssm_dns_entry
 }
 
+# Customer Gateway
+output "cgw_ids" {
+  description = "List of IDs of Customer Gateway"
+  value       = module.vpc.cgw_ids
+}
+
+output "this_customer_gateway" {
+  description = "Map of Customer Gateway attributes"
+  value       = module.vpc.this_customer_gateway
+}
+
 //
 //# VPC endpoints
 //output "vpc_endpoint_ec2_id" {

main.tf

@@ -989,6 +989,25 @@ resource "aws_route_table_association" "public" {
   route_table_id = aws_route_table.public[0].id
 }
 
+####################
+# Customer Gateways
+####################
+resource "aws_customer_gateway" "this" {
+  for_each = var.customer_gateways
+
+  bgp_asn    = each.value["bgp_asn"]
+  ip_address = each.value["ip_address"]
+  type       = "ipsec.1"
+
+  tags = merge(
+    {
+      Name = format("%s-%s", var.name, each.key)
+    },
+    var.tags,
+    var.customer_gateway_tags,
+  )
+}
+
 ##############
 # VPN Gateway
 ##############

outputs.tf

@@ -263,6 +263,16 @@ output "egress_only_internet_gateway_id" {
   value       = concat(aws_egress_only_internet_gateway.this.*.id, [""])[0]
 }
 
+output "cgw_ids" {
+  description = "List of IDs of Customer Gateway"
+  value       = [for k, v in aws_customer_gateway.this : v.id]
+}
+
+output "this_customer_gateway" {
+  description = "Map of Customer Gateway attributes"
+  value       = aws_customer_gateway.this
+}
+
 output "vgw_id" {
   description = "The ID of the VPN Gateway"
   value = concat(

variables.tf

@@ -1305,6 +1305,12 @@ variable "map_public_ip_on_launch" {
   default     = true
 }
 
+variable "customer_gateways" {
+  description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)"
+  type        = map(map(any))
+  default     = {}
+}
+
 variable "enable_vpn_gateway" {
   description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC"
   type        = bool
@@ -1489,6 +1495,12 @@ variable "nat_eip_tags" {
   default     = {}
 }
 
+variable "customer_gateway_tags" {
+  description = "Additional tags for the Customer Gateway"
+  type        = map(string)
+  default     = {}
+}
+
 variable "vpn_gateway_tags" {
   description = "Additional tags for the VPN gateway"
   type        = map(string)

vpc-endpoints.tf

@@ -971,7 +971,7 @@ resource "aws_vpc_endpoint" "efs" {
   count = var.create_vpc && var.enable_efs_endpoint ? 1 : 0
 
   vpc_id            = local.vpc_id
-  service_name      = data.aws_vpc_endpoint_service.efs.service_name
+  service_name      = data.aws_vpc_endpoint_service.efs[0].service_name
   vpc_endpoint_type = "Interface"
 
   security_group_ids  = var.efs_endpoint_security_group_ids
@@ -994,7 +994,7 @@ resource "aws_vpc_endpoint" "cloud_directory" {
   count = var.create_vpc && var.enable_cloud_directory_endpoint ? 1 : 0
 
   vpc_id            = local.vpc_id
-  service_name      = data.aws_vpc_endpoint_service.cloud_directory.service_name
+  service_name      = data.aws_vpc_endpoint_service.cloud_directory[0].service_name
   vpc_endpoint_type = "Interface"
 
   security_group_ids  = var.cloud_directory_endpoint_security_group_ids