From 1c9109d984c694d8a636dfb6cdfe5dfcee914e01 Mon Sep 17 00:00:00 2001
From: rachit89
Date: Thu, 21 Mar 2024 10:52:37 +0530
Subject: [PATCH] Added example of AWS multi account vpc peering

---
 examples/multi-account-vpc-peering/main.tf | 25 ++++++++
 examples/multi-account-vpc-peering/output.tf | 9 +++
 .../multi-account-vpc-peering/provider.tf | 17 ++++++
 modules/vpc_peering/main.tf | 57 +++++++++++--------
 modules/vpc_peering/outputs.tf | 6 +-
 modules/vpc_peering/variables.tf | 28 +++++++--
 6 files changed, 109 insertions(+), 33 deletions(-)
 create mode 100644 examples/multi-account-vpc-peering/main.tf
 create mode 100644 examples/multi-account-vpc-peering/output.tf
 create mode 100644 examples/multi-account-vpc-peering/provider.tf

diff --git a/examples/multi-account-vpc-peering/main.tf b/examples/multi-account-vpc-peering/main.tf
new file mode 100644
index 0000000..94731b2
--- /dev/null
+++ b/examples/multi-account-vpc-peering/main.tf
@@ -0,0 +1,25 @@
+locals {
+ accepter_name = "tenent-peering"
+ accepter_region = "us-east-1"
+ accepter_vpc_id = "vpc-07a2c1d0328341493"
+ requester_name = "management-peering"
+ requester_region = "ap-northeast-1"
+ requester_vpc_id = "vpc-0ce36808b9b133608"
+ additional_tags = {
+ Owner = "tenent"
+ Tenancy = "dedicated"
+ }
+}
+
+module "vpc_peering" {
+ source = "../../modules/vpc_peering"
+ accepter_name = local.accepter_name
+ vpc_peering_accepter_vpc_id = local.accepter_vpc_id
+ vpc_peering_accepter_vpc_region = local.accepter_region
+ requester_name = local.requester_name
+ vpc_peering_requester_vpc_id = local.requester_vpc_id
+ vpc_peering_requester_vpc_region = local.requester_region
+ vpc_peering_multi_account_enabled = true
+ vpc_peering_requester_aws_profile = "peer"
+ vpc_peering_accepter_aws_profile = "accepter"
+}
\ No newline at end of file
diff --git a/examples/multi-account-vpc-peering/output.tf b/examples/multi-account-vpc-peering/output.tf
new file mode 100644
index 0000000..a4ae83d
--- /dev/null
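Review bot: The new example's locals hard-code two concrete VPC IDs (`vpc-07a2c1d0328341493`, `vpc-0ce36808b9b133608`) together with tenant-specific names, so anyone who copies the example runs against those exact resources and the identifiers leak environment detail into the repository; obvious placeholders such as `accepter_vpc_id = "<ACCEPTER_VPC_ID>"` (or input variables) would be safer. The locals also set `accepter_region = "us-east-1"` while the accepter provider in the sibling provider.tf is pinned to `ap-northeast-1`, so the module's accepter data sources and the example's own provider would target different regions. The module declares its own aliased `aws.peer`/`aws.accepter` providers driven by the `*_aws_profile` inputs, and the example passes no `providers` map, so it is worth a comment above the `module` block saying that credentials come from the named profiles `peer` and `accepter` in the caller's shared config, not from provider.tf.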
+++ b/examples/multi-account-vpc-peering/output.tf
@@ -0,0 +1,9 @@
+output "vpc_peering_connection_id" {
+ description = "Peering connection ID"
+ value = module.vpc_peering.vpc_peering_connection_id
+}
+
+output "vpc_peering_accept_status" {
+ description = "Accept status for the connection"
+ value = module.vpc_peering.vpc_peering_accept_status
+}
diff --git a/examples/multi-account-vpc-peering/provider.tf b/examples/multi-account-vpc-peering/provider.tf
new file mode 100644
index 0000000..aa69792
--- /dev/null
+++ b/examples/multi-account-vpc-peering/provider.tf
@@ -0,0 +1,17 @@
+provider "aws" {
+ alias = "peer"
+ region = "ap-northeast-1"
+ aws_account_id = ""
+ default_tags {
+ tags = local.additional_tags
+ }
+}
+
+provider "aws" {
+ alias = "accepter"
+ region = "ap-northeast-1"
+ aws_account_id = ""
+ default_tags {
+ tags = local.additional_tags
+ }
+}
\ No newline at end of file
diff --git a/modules/vpc_peering/main.tf b/modules/vpc_peering/main.tf
index 533721f..2023b60 100644
--- a/modules/vpc_peering/main.tf
+++ b/modules/vpc_peering/main.tf
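Review bot: `aws_account_id = ""` in both provider blocks of provider.tf is not an argument the AWS provider accepts as far as I can tell, so `terraform validate` on the example is expected to fail on it; if the intent is to pin each provider to the right account, the supported form is `allowed_account_ids = ["<ACCEPTER_ACCOUNT_ID>"]` (and the requester account on the `peer` block), which also guards against accidentally peering from the wrong credentials. Both blocks hard-code `region = "ap-northeast-1"`, which disagrees with `local.accepter_region = "us-east-1"` in main.tf; `region = local.accepter_region` / `region = local.requester_region` would give the example a single source of truth. Since the module configures its own aliased providers from the profile variables and the example passes no `providers` map, these blocks only affect resources declared directly in the example, which is worth stating in a comment so readers do not assume they configure the module.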
@@ -1,52 +1,59 @@
 locals {
- requester_route_tables_ids = data.aws_route_tables.requester.ids
- accepter_route_tables_ids = data.aws_route_tables.accepter.ids
+ vpc_peering_requester_route_tables_ids = data.aws_route_tables.requester.ids
+ vpc_peering_accepter_route_tables_ids = data.aws_route_tables.accepter.ids
 }
 
 provider "aws" {
- alias = "peer"
- region = var.requester_vpc_region
+ alias = "peer"
+ region = var.vpc_peering_requester_vpc_region
+ profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_requester_aws_profile : "default"
 }
 
 provider "aws" {
- alias = "accepter"
- region = var.accepter_vpc_region
+ alias = "accepter"
+ region = var.vpc_peering_accepter_vpc_region
+ profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_aws_profile : "default"
 }
 
 data "aws_vpc" "accepter" {
- id = var.accepter_vpc_id
+ id = var.vpc_peering_accepter_vpc_id
 provider = aws.accepter
 }
 
 data "aws_route_tables" "accepter" {
- vpc_id = var.accepter_vpc_id
+ vpc_id = var.vpc_peering_accepter_vpc_id
 provider = aws.accepter
 }
 
 data "aws_vpc" "requester" {
- id = var.requester_vpc_id
+ id = var.vpc_peering_requester_vpc_id
 provider = aws.peer
 }
 
 data "aws_route_tables" "requester" {
- vpc_id = var.requester_vpc_id
+ vpc_id = var.vpc_peering_requester_vpc_id
 provider = aws.peer
 }
 
+data "aws_caller_identity" "accepter" {
+ provider = aws.accepter
+}
+
 resource "aws_vpc_peering_connection" "this" {
- count = var.peering_enabled ? 1 : 0
- vpc_id = var.requester_vpc_id
- peer_vpc_id = var.accepter_vpc_id
- peer_region = var.accepter_vpc_region
- auto_accept = false
- provider = aws.peer
+ count = var.vpc_peering_enabled ? 1 : 0
+ vpc_id = var.vpc_peering_requester_vpc_id
+ peer_vpc_id = var.vpc_peering_accepter_vpc_id
+ peer_region = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_vpc_region : null
+ auto_accept = false
+ peer_owner_id = var.vpc_peering_multi_account_enabled ? data.aws_caller_identity.accepter.id : null
+ provider = aws.peer
 tags = {
 Name = format("%s-%s-%s", var.requester_name, "to", var.accepter_name)
 }
 }
 
 resource "aws_vpc_peering_connection_accepter" "this" {
- count = var.peering_enabled ? 1 : 0
+ count = var.vpc_peering_enabled ? 1 : 0
 depends_on = [aws_vpc_peering_connection.this]
 provider = aws.accepter
 vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id
@@ -57,7 +64,7 @@ resource "aws_vpc_peering_connection_accepter" "this" {
 }
 
 resource "aws_vpc_peering_connection_options" "this" {
- count = var.peering_enabled ? 1 : 0
+ count = var.vpc_peering_enabled ? 1 : 0
 depends_on = [aws_vpc_peering_connection_accepter.this]
 vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id
 accepter {
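Review bot: `peer_region` in `aws_vpc_peering_connection.this` is now `null` whenever `vpc_peering_multi_account_enabled` is false, yet the accepter side is still looked up and accepted through `aws.accepter` in `var.vpc_peering_accepter_vpc_region`, so a same-account, cross-region peering that the old code handled (it always passed the region) would now be requested as same-region and the accepter step would not find it; keep `peer_region = var.vpc_peering_accepter_vpc_region` unconditionally and gate only `peer_owner_id` on the multi-account flag. The `: "default"` fallback added to both provider blocks also changes credential resolution for existing single-account callers: previously no profile was set and environment or instance credentials applied, whereas naming `"default"` forces a shared-config profile that may not exist in CI, so `: null` preserves the old behaviour. `peer_owner_id` reads `data.aws_caller_identity.accepter.id`; `account_id` is the attribute documented for that purpose and reads more clearly. `aws_vpc_peering_connection_accepter.this` continues past the end of the hunk.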
@@ -70,17 +77,17 @@ resource "aws_vpc_peering_connection_options" "this" { #### route tables #### resource "aws_route" "requester" { - count = var.peering_enabled ? length(local.requester_route_tables_ids) : 0 - route_table_id = local.requester_route_tables_ids[count.index] + count = var.vpc_peering_enabled ? length(local.vpc_peering_requester_route_tables_ids) : 0 + route_table_id = local.vpc_peering_requester_route_tables_ids[count.index] destination_cidr_block = data.aws_vpc.accepter.cidr_block - vpc_peering_connection_id = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null + vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null provider = aws.peer } resource "aws_route" "accepter" { - count = var.peering_enabled ? length(local.accepter_route_tables_ids) : 0 - route_table_id = local.accepter_route_tables_ids[count.index] + count = var.vpc_peering_enabled ? length(local.vpc_peering_accepter_route_tables_ids) : 0 + route_table_id = local.vpc_peering_accepter_route_tables_ids[count.index] destination_cidr_block = data.aws_vpc.requester.cidr_block - vpc_peering_connection_id = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null + vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null provider = aws.accepter -} +} \ No newline at end of file diff --git a/modules/vpc_peering/outputs.tf b/modules/vpc_peering/outputs.tf index 1d8a27a..1381a64 100644 --- a/modules/vpc_peering/outputs.tf +++ b/modules/vpc_peering/outputs.tf 
@@ -1,9 +1,9 @@
 output "vpc_peering_connection_id" {
 description = "Peering connection ID"
- value = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null
+ value = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null
 }
 
 output "vpc_peering_accept_status" {
 description = "Status for the connection"
- value = var.peering_enabled ? aws_vpc_peering_connection_accepter.this[0].accept_status : null
-}
+ value = var.vpc_peering_enabled ? aws_vpc_peering_connection_accepter.this[0].accept_status : null
+}
diff --git a/modules/vpc_peering/variables.tf b/modules/vpc_peering/variables.tf
index 9865a10..12d7b5f 100644
--- a/modules/vpc_peering/variables.tf
+++ b/modules/vpc_peering/variables.tf
@@ -1,22 +1,22 @@
-variable "accepter_vpc_id" {
+variable "vpc_peering_accepter_vpc_id" {
 type = string
 description = "Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection."
 default = ""
 }
 
-variable "accepter_vpc_region" {
+variable "vpc_peering_accepter_vpc_region" {
 type = string
 description = "Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection."
 default = ""
 }
 
-variable "requester_vpc_id" {
+variable "vpc_peering_requester_vpc_id" {
 type = string
 description = "Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection."
 default = ""
 }
 
-variable "requester_vpc_region" {
+variable "vpc_peering_requester_vpc_region" {
 type = string
 description = "Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering."
 default = ""
@@ -34,8 +34,26 @@ variable "accepter_name" {
 default = ""
 }
 
-variable "peering_enabled" {
+variable "vpc_peering_enabled" {
 type = bool
 description = "Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process."
 default = true
 }
+
+variable "vpc_peering_multi_account_enabled" {
+ type = bool
+ description = "Set this variable to true if you want to create the VPC peering connection between reagions. Set it to false if you want to skip the creation process."
+ default = true
+}
+
+variable "vpc_peering_requester_aws_profile" {
+ type = string
+ description = "Provide the AWS profile where the requester VPC is located."
+ default = ""
+}
+
+variable "vpc_peering_accepter_aws_profile" {
+ type = string
+ description = "Provide the AWS profile where the accepter VPC is located."
+ default = ""
+}
\ No newline at end of file
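Review bot: The description of `vpc_peering_multi_account_enabled` says the flag creates the peering "between reagions" and that false "skip[s] the creation process", but what the flag actually does in main.tf is switch both providers to the named `*_aws_profile` values and set the accepter account as `peer_owner_id`; suggest `description = "Set to true when the requester and accepter VPCs are in different AWS accounts. The two *_aws_profile variables are then required and the accepter account ID is used as peer_owner_id."`. With `default = true` here while both profile variables default to `""`, a caller who accepts the defaults ends up with `profile = ""` on both providers; either default the flag to `false` so existing single-account callers keep working, or fail early with a `lifecycle { precondition }` on the peering resource when the flag is set and a profile is empty. The profile descriptions could also state that the value must match a profile name in the operator's shared AWS config, since that is the only place the credentials come from.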