Add manage_transit_gateway role

roles/manage_transit_gateway/README.md

@@ -0,0 +1,99 @@
+manage_transit_gateway
+==================
+
+A role to create/delete a Transit Gateway with VPC/VPN attachments.
+
+Requirements
+------------
+
+AWS User Account with the following permission:
+
+* ec2:CreateTransitGateway
+* ec2:DescribeTransitGateway
+* ec2:DeleteTransitGateway
+* ec2:CreateTransitGatewayVpcAttachment
+* ec2:DescribeTransitGatewayVpcAttachment
+* ec2:DeleteTransitGatewayVpcAttachment
+* ec2:CreateVpnConnection
+* ec2:DescribeVpnConnection
+* ec2:DeleteVpnConnection
+
+Role Variables
+--------------
+
+* **action**: Whether to create or delete the transit gateway. Choices: 'create', 'delete'.
+* **transit_gateway**: A dict of parameters needed to create transit gateway.
+    **asn**: A private Autonomous System Number (ASN) for the Amazon side of a BGP session.
+    **tags**: A dict of tags for the transit gateway.
+    **description**: Description for the transit gateway.
+* **vpc_attachment**: A list of dict of parameters to create vpc attachments.
+    **name**: Name for the VPC attachment.
+    **tags**: A dict of tags for the attachment.
+    **subnets**: A list of subnets to be added to the attachment.
+* **vpn_attachment**: A list of dict of parameters to create vpn attachments.
+    **customer_gateway_id**: Id of the customer gateway.
+
+Dependencies
+------------
+
+- role: [aws_setup_credentials](../aws_setup_credentials/README.md)
+
+Example Playbook
+----------------
+**Create a transit gateway with 2 VPC attachments**
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create transit gateway
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_transit_gateway
+      vars:
+        action: "create"
+        transit_gateway:
+            asn: 4200000000
+            description: "TGW for Cloud team"
+            tags:
+              "team": "cloud"
+        vpc_attachment:
+            - name: "vpc-attachment-001"
+              tags:
+                "team": "cloud"
+              subnets:
+                - "subnet-xxxx001"
+            - name: "vpc-attachment-002"
+              tags:
+                "team": "cloud"
+              subnets:
+                - "subnet-xxxx002"
+
+
+**Create a transit gateway with  VPN attachment**
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create transit gateway
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_transit_gateway
+      vars:
+        action: "create"
+        transit_gateway:
+          asn: 4200000000
+          description: "TGW for Cloud team"
+          tags:
+            "team": "cloud"
+        vpn_attachment:
+          - customer_gateway_id: "cgw-01b56884848a25446"
+
+License
+-------
+
+GNU General Public License v3.0 or later
+
+See [LICENCE](https://github.com/ansible-collections/cloud.aws_ops/blob/main/LICENSE) to see the full text.
+
+Author Information
+------------------
+
+- Ansible Cloud Content Team

roles/manage_transit_gateway/meta/argument_specs.yaml

@@ -0,0 +1,64 @@
+---
+argument_specs:
+  main:
+    short_description: Creation/Deletion of transit gateway with vpc/vpn attachment
+    options:
+      action:
+        description: Action to be done.
+        type: "str"
+        default: "create"
+        choices: ["create", "delete"]
+      transit_gateway:
+        description: Transit Gateway to be created.
+        type: dict
+        required: True
+        options:
+          asn:
+            description:
+              - A private Autonomous System Number (ASN) for the Amazon side of a BGP session.
+              - The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
+            type: int
+          description:
+            description:
+              - The description of the transit gateway.
+            type: str
+          tags:
+            description: A dict of tags for the transit gateway.
+            type: dict
+      vpc_attachment:
+        description: VPC to be attached.
+        type: list
+        elements: dict
+        options:
+          name:
+            description: Name of the attachment.
+            type: str
+          subnets:
+            description: Subnets for the attachment.
+            type: list
+            elements: str
+          tags:
+            description: A dict of tags for the attachment.
+            type: dict
+      vpn_attachment:
+        description: VPC to be attached.
+        type: list
+        elements: dict
+        options:
+          customer_gateway_id:
+            description: id of the customer gateway for the vpn attachment.
+            type: str
+      vpc_route_table:
+        description: Route table entries for the VPC
+        type: list
+        elements: dict
+        options:
+          vpc_id:
+            description: Te VPC id for which the route should be added.
+            type: str
+          cidr_block:
+            description: Destination CIDR block.
+            type: str
+          tags:
+            description: A dict of tags for the route table.
+            type: dict

roles/manage_transit_gateway/meta/main.yaml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: cloud.aws_ops.aws_setup_credentials

roles/manage_transit_gateway/tasks/add_vpc_route_entries.yaml

@@ -0,0 +1,9 @@
+- name: Add route entries.
+  amazon.aws.ec2_vpc_route_table:
+    vpc_id: "{{ item.vpc_id }}"
+    tags: "{{ item.tags }}"
+    purge_routes: False
+    routes:
+      - dest: "{{ item.cidr_block }}"
+        gateway_id: "{{ manage_transit_gateway_tgw_result.transit_gateway.transit_gateway_id }}"
+  register: manage_transit_gateway_route_table

roles/manage_transit_gateway/tasks/create.yaml

@@ -0,0 +1,35 @@
+---
+- name: Run create_tgw_attach_vpc role
+  block:
+    - name: Create  transit gateway
+      community.aws.ec2_transit_gateway:
+        state: present
+        description: "{{ transit_gateway.description }}"
+        asn: "{{ transit_gateway.asn }}"
+        tags: "{{ transit_gateway.tags }}"
+      register: manage_transit_gateway_tgw_result
+
+    - name: Verify that transit gateway has been created/updated
+      ansible.builtin.debug:
+        msg: Transit Gateway successfully created/updated.
+      when: manage_transit_gateway_tgw_result.changed
+
+    - name: Print debug msg
+      ansible.builtin.debug:
+        msg: Transit Gateway '{{ manage_transit_gateway_tgw_result.transit_gateway.transit_gateway_id }}' exists, no updates needed.
+      when: not manage_transit_gateway_tgw_result.changed
+
+    - name: Create VPC attachment
+      when: vars["vpc_attachment"] is defined
+      ansible.builtin.include_tasks: create_vpc_attachment.yaml
+      loop: "{{ vpc_attachment }}"
+
+    - name: Create VPN attachment
+      when: vars["vpn_attachment"] is defined
+      ansible.builtin.include_tasks: create_vpn_attachment.yaml
+      loop: "{{ vpn_attachment }}"
+
+    - name: Create route table entries
+      when: vars["vpc_route_table"] is defined
+      ansible.builtin.include_tasks: add_vpc_route_entries.yaml
+      loop: "{{ vpc_route_table }}"

roles/manage_transit_gateway/tasks/create_vpc_attachment.yaml

@@ -0,0 +1,20 @@
+---
+- name: Create VPC attachment
+  community.aws.ec2_transit_gateway_vpc_attachment:
+    state: present
+    name: "{{ item.name }}"
+    transit_gateway: "{{ manage_transit_gateway_tgw_result.transit_gateway.transit_gateway_id }}"
+    subnets: "{{ item.subnets }}"
+    tags: "{{ item.tags }}"
+    purge_subnets: False
+  register: manage_transit_gateway_tgw_vpc_attachment_result
+
+- name: Verify that the transit gateway vpc attachment has been successfully created.
+  ansible.builtin.debug:
+    msg: Transit gateway VPC attachment {{ item.name }} has been successfully created.
+  when: manage_transit_gateway_tgw_vpc_attachment_result is changed
+
+- name: Print debug message
+  ansible.builtin.debug:
+    msg: Transit gateway VPC attachment {{ item.name }} already exists with the given subnets.
+  when: manage_transit_gateway_tgw_vpc_attachment_result is not changed

roles/manage_transit_gateway/tasks/create_vpn_attachment.yaml

@@ -0,0 +1,17 @@
+---
+- name: Create vpn connection, with customer gateway and transit_gateway
+  community.aws.ec2_vpc_vpn:
+    customer_gateway_id: '{{ item.customer_gateway_id }}'
+    transit_gateway_id: '{{ manage_transit_gateway_tgw_result.transit_gateway.transit_gateway_id }}'
+    state: present
+  register: manage_transit_gateway_tgw_vpn_attachment_result
+
+- name: Verify that the transit gateway vpc attachment has been successfully created.
+  ansible.builtin.debug:
+    msg: Transit gateway VPN attachment has been successfully created.
+  when: manage_transit_gateway_tgw_vpn_attachment_result is changed
+
+- name: Print debug message
+  ansible.builtin.debug:
+    msg: Transit gateway VPN attachment {{ item.name }} already exists.
+  when: manage_transit_gateway_tgw_vpn_attachment_result is not changed

roles/manage_transit_gateway/tasks/delete.yaml

@@ -0,0 +1,81 @@
+---
+- name: Run manage_transit_gateway role
+  block:
+    - name: List all the transit gateway attachments
+      community.aws.ec2_transit_gateway_info:
+      register: manage_transit_gateway_info
+
+    - name: Get the transit gateway with the given description
+      ansible.builtin.set_fact:
+        manage_transit_gateway_gw: "{{ item }}"
+      when:
+        - item.description == transit_gateway.description
+        - item.state == "available"
+      loop: "{{ manage_transit_gateway_info.transit_gateways }}"
+
+    - name: Delete the attachment and transit manage_transit_gateway_gw
+      when: manage_transit_gateway_gw is defined
+      block:
+        - name: Describe attachments on a specific VPC
+          community.aws.ec2_transit_gateway_vpc_attachment_info:
+            filters:
+              transit-gateway-id: '{{ manage_transit_gateway_gw.transit_gateway_id }}'
+          register: manage_transit_gateway_info
+
+        - name: Start deletion of all attachments
+          community.aws.ec2_transit_gateway_vpc_attachment:
+            state: absent
+            id: '{{ item.transit_gateway_attachment_id }}'
+            wait: True
+          loop: '{{ manage_transit_gateway_info.attachments }}'
+
+        - name: Check if all the transit gateway attachments have been deleted
+          community.aws.ec2_transit_gateway_vpc_attachment_info:
+            filters:
+              transit-gateway-id: '{{ manage_transit_gateway_gw.transit_gateway_id }}'
+          register: manage_transit_gateway_info
+
+        - name: Check for attachments
+          ansible.builtin.assert:
+            that:
+              - manage_transit_gateway_info.attachments | length == 0
+
+        - name: Check for vpn attachments
+          community.aws.ec2_vpc_vpn_info:
+          register: manage_transit_gateway_vpn_info
+
+        - name: Set fact
+          ansible.builtin.set_fact:
+            manage_transit_gateway_cgw: "{{ item.customer_gateway_id }}"
+          when:
+            - item.transit_gateway_id == manage_transit_gateway_gw.transit_gateway_id
+            - item.state == "available"
+          loop: "{{ manage_transit_gateway_vpn_info.vpn_connections }}"
+
+        - name: Delete vpn connection, with customer gateway and transit_gateway
+          community.aws.ec2_vpc_vpn:
+            customer_gateway_id: '{{ manage_transit_gateway_cgw }}'
+            transit_gateway_id: '{{ manage_transit_gateway_gw.transit_gateway_id }}'
+            state: absent
+            wait_timeout: 600
+          when:
+            - manage_transit_gateway_vpn_info.vpn_connections != []
+            - manage_transit_gateway_cgw is defined
+
+        - name: Check for vpn attachments after deletion
+          community.aws.ec2_vpc_vpn_info:
+          register: manage_transit_gateway_vpn_att_info
+
+        - name: Check for vpn attachments
+          ansible.builtin.assert:
+            that:
+              - item.state == "deleted"
+          when:
+            - item.transit_gateway_id == manage_transit_gateway_gw.transit_gateway_id
+          loop: "{{ manage_transit_gateway_vpn_att_info.vpn_connections }}"
+
+        - name: Delete Transit Gateways
+          community.aws.ec2_transit_gateway:
+            state: absent
+            transit_gateway_id: '{{ manage_transit_gateway_gw.transit_gateway_id }}'
+          ignore_errors: true

roles/manage_transit_gateway/tasks/main.yaml

@@ -0,0 +1,8 @@
+---
+- name: Run manage transit gateway role
+  module_defaults:
+    group/aws: "{{ aws_setup_credentials__output }}"
+
+  block:
+    - name: Include file
+      ansible.builtin.include_tasks: "{{ action }}.yaml"

tests/integration/targets/test_manage_transit_gateway/aliases

@@ -0,0 +1,3 @@
+cloud/aws
+role/manage_transit_gateway
+time=35m

tests/integration/targets/test_manage_transit_gateway/defaults/main.yml

@@ -0,0 +1,13 @@
+cidr_prefix: '10.{{ 255 | random(seed=resource_prefix) }}'
+aws_security_token: '{{ security_token | default(omit) }}'
+tgw_name: '{{ resource_prefix }}'
+vpc_name_a: '{{ resource_prefix }}-1'
+vpc_name_b: '{{ resource_prefix }}-2'
+vpc_cidr_a: '{{ cidr_prefix }}.1.0/24'
+vpc_cidr_b: '{{ cidr_prefix }}.2.0/24'
+
+subnet_cidr_a_1: '{{ cidr_prefix }}.1.0/26'
+subnet_cidr_b_1: '{{ cidr_prefix }}.2.0/26'
+
+subnet_name_a_1: '{{ resource_prefix }}-a-1'
+subnet_name_b_1: '{{ resource_prefix }}-b-1'