Added example of AWS multi account vpc peering

squareops · Mar 21, 2024 · 1c9109d · 1c9109d
1 parent d41708f
commit 1c9109d
Show file tree

Hide file tree

Showing 6 changed files with 109 additions and 33 deletions.
diff --git a/examples/multi-account-vpc-peering/main.tf b/examples/multi-account-vpc-peering/main.tf
@@ -0,0 +1,25 @@
+locals {
+  accepter_name    = "tenent-peering"
+  accepter_region  = "us-east-1"
+  accepter_vpc_id  = "vpc-07a2c1d0328341493"
+  requester_name   = "management-peering"
+  requester_region = "ap-northeast-1"
+  requester_vpc_id = "vpc-0ce36808b9b133608"
+  additional_tags = {
+    Owner   = "tenent"
+    Tenancy = "dedicated"
+  }
+}
+
+module "vpc_peering" {
+  source                            = "../../modules/vpc_peering"
+  accepter_name                     = local.accepter_name
+  vpc_peering_accepter_vpc_id       = local.accepter_vpc_id
+  vpc_peering_accepter_vpc_region   = local.accepter_region
+  requester_name                    = local.requester_name
+  vpc_peering_requester_vpc_id      = local.requester_vpc_id
+  vpc_peering_requester_vpc_region  = local.requester_region
+  vpc_peering_multi_account_enabled = true
+  vpc_peering_requester_aws_profile = "peer"
+  vpc_peering_accepter_aws_profile  = "accepter"
+}
diff --git a/examples/multi-account-vpc-peering/output.tf b/examples/multi-account-vpc-peering/output.tf
@@ -0,0 +1,9 @@
+output "vpc_peering_connection_id" {
+  description = "Peering connection ID"
+  value       = module.vpc_peering.vpc_peering_connection_id
+}
+
+output "vpc_peering_accept_status" {
+  description = "Accept status for the connection"
+  value       = module.vpc_peering.vpc_peering_accept_status
+}
diff --git a/examples/multi-account-vpc-peering/provider.tf b/examples/multi-account-vpc-peering/provider.tf
@@ -0,0 +1,17 @@
+provider "aws" {
+  alias          = "peer"
+  region         = "ap-northeast-1"
+  aws_account_id = ""
+  default_tags {
+    tags = local.additional_tags
+  }
+}
+
+provider "aws" {
+  alias          = "accepter"
+  region         = "ap-northeast-1"
+  aws_account_id = ""
+  default_tags {
+    tags = local.additional_tags
+  }
+}
diff --git a/modules/vpc_peering/main.tf b/modules/vpc_peering/main.tf
@@ -1,52 +1,59 @@
 locals {
-  requester_route_tables_ids = data.aws_route_tables.requester.ids
-  accepter_route_tables_ids  = data.aws_route_tables.accepter.ids
+  vpc_peering_requester_route_tables_ids = data.aws_route_tables.requester.ids
+  vpc_peering_accepter_route_tables_ids  = data.aws_route_tables.accepter.ids
 }
 
 provider "aws" {
-  alias  = "peer"
-  region = var.requester_vpc_region
+  alias   = "peer"
+  region  = var.vpc_peering_requester_vpc_region
+  profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_requester_aws_profile : "default"
 }
 
 provider "aws" {
-  alias  = "accepter"
-  region = var.accepter_vpc_region
+  alias   = "accepter"
+  region  = var.vpc_peering_accepter_vpc_region
+  profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_aws_profile : "default"
 }
 
 data "aws_vpc" "accepter" {
-  id       = var.accepter_vpc_id
+  id       = var.vpc_peering_accepter_vpc_id
   provider = aws.accepter
 }
 
 data "aws_route_tables" "accepter" {
-  vpc_id   = var.accepter_vpc_id
+  vpc_id   = var.vpc_peering_accepter_vpc_id
   provider = aws.accepter
 }
 
 data "aws_vpc" "requester" {
-  id       = var.requester_vpc_id
+  id       = var.vpc_peering_requester_vpc_id
   provider = aws.peer
 }
 
 data "aws_route_tables" "requester" {
-  vpc_id   = var.requester_vpc_id
+  vpc_id   = var.vpc_peering_requester_vpc_id
   provider = aws.peer
 }
 
+data "aws_caller_identity" "accepter" {
+  provider = aws.accepter
+}
+
 resource "aws_vpc_peering_connection" "this" {
-  count       = var.peering_enabled ? 1 : 0
-  vpc_id      = var.requester_vpc_id
-  peer_vpc_id = var.accepter_vpc_id
-  peer_region = var.accepter_vpc_region
-  auto_accept = false
-  provider    = aws.peer
+  count         = var.vpc_peering_enabled ? 1 : 0
+  vpc_id        = var.vpc_peering_requester_vpc_id
+  peer_vpc_id   = var.vpc_peering_accepter_vpc_id
+  peer_region   = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_vpc_region : null
+  auto_accept   = false
+  peer_owner_id = var.vpc_peering_multi_account_enabled ? data.aws_caller_identity.accepter.id : null
+  provider      = aws.peer
   tags = {
     Name = format("%s-%s-%s", var.requester_name, "to", var.accepter_name)
   }
 }
 
 resource "aws_vpc_peering_connection_accepter" "this" {
-  count                     = var.peering_enabled ? 1 : 0
+  count                     = var.vpc_peering_enabled ? 1 : 0
   depends_on                = [aws_vpc_peering_connection.this]
   provider                  = aws.accepter
   vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id
@@ -57,7 +64,7 @@ resource "aws_vpc_peering_connection_accepter" "this" {
 }
 
 resource "aws_vpc_peering_connection_options" "this" {
-  count                     = var.peering_enabled ? 1 : 0
+  count                     = var.vpc_peering_enabled ? 1 : 0
   depends_on                = [aws_vpc_peering_connection_accepter.this]
   vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id
   accepter {
@@ -70,17 +77,17 @@ resource "aws_vpc_peering_connection_options" "this" {
 ####  route tables ####
 
 resource "aws_route" "requester" {
-  count                     = var.peering_enabled ? length(local.requester_route_tables_ids) : 0
-  route_table_id            = local.requester_route_tables_ids[count.index]
+  count                     = var.vpc_peering_enabled ? length(local.vpc_peering_requester_route_tables_ids) : 0
+  route_table_id            = local.vpc_peering_requester_route_tables_ids[count.index]
   destination_cidr_block    = data.aws_vpc.accepter.cidr_block
-  vpc_peering_connection_id = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null
+  vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null
   provider                  = aws.peer
 }
 
 resource "aws_route" "accepter" {
-  count                     = var.peering_enabled ? length(local.accepter_route_tables_ids) : 0
-  route_table_id            = local.accepter_route_tables_ids[count.index]
+  count                     = var.vpc_peering_enabled ? length(local.vpc_peering_accepter_route_tables_ids) : 0
+  route_table_id            = local.vpc_peering_accepter_route_tables_ids[count.index]
   destination_cidr_block    = data.aws_vpc.requester.cidr_block
-  vpc_peering_connection_id = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null
+  vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null
   provider                  = aws.accepter
-}
+}
diff --git a/modules/vpc_peering/outputs.tf b/modules/vpc_peering/outputs.tf
@@ -1,9 +1,9 @@
 output "vpc_peering_connection_id" {
   description = "Peering connection ID"
-  value       = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null
+  value       = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null
 }
 
 output "vpc_peering_accept_status" {
   description = "Status for the connection"
-  value       = var.peering_enabled ? aws_vpc_peering_connection_accepter.this[0].accept_status : null
-}
+  value       = var.vpc_peering_enabled ? aws_vpc_peering_connection_accepter.this[0].accept_status : null
+}
diff --git a/modules/vpc_peering/variables.tf b/modules/vpc_peering/variables.tf
@@ -1,22 +1,22 @@
-variable "accepter_vpc_id" {
+variable "vpc_peering_accepter_vpc_id" {
   type        = string
   description = "Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection."
   default     = ""
 }
 
-variable "accepter_vpc_region" {
+variable "vpc_peering_accepter_vpc_region" {
   type        = string
   description = "Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection."
   default     = ""
 }
 
-variable "requester_vpc_id" {
+variable "vpc_peering_requester_vpc_id" {
   type        = string
   description = "Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection."
   default     = ""
 }
 
-variable "requester_vpc_region" {
+variable "vpc_peering_requester_vpc_region" {
   type        = string
   description = "Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering."
   default     = ""
@@ -34,8 +34,26 @@ variable "accepter_name" {
   default     = ""
 }
 
-variable "peering_enabled" {
+variable "vpc_peering_enabled" {
   type        = bool
   description = "Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process."
   default     = true
 }
+
+variable "vpc_peering_multi_account_enabled" {
+  type        = bool
+  description = "Set this variable to true if you want to create the VPC peering connection between reagions. Set it to false if you want to skip the creation process."
+  default     = true
+}
+
+variable "vpc_peering_requester_aws_profile" {
+  type        = string
+  description = "Provide the AWS profile where the requester VPC is located."
+  default     = ""
+}
+
+variable "vpc_peering_accepter_aws_profile" {
+  type        = string
+  description = "Provide the AWS profile where the accepter VPC is located."
+  default     = ""
+}