fix: Added support for multi-account deployments (terraform-aws-modules#20)

Author: szpuni

CHANGELOG.md

@@ -5,7 +5,8 @@ All notable changes to this project will be documented in this file.
 <a name="unreleased"></a>
 ## [Unreleased]
 
-
+- Added RAM share accepter
+- fixed error when **create_tgw = false**
 
 <a name="v1.2.0"></a>
 ## [v1.2.0] - 2020-08-17

README.md

@@ -78,20 +78,21 @@ module "vpc" {
 ## Examples
 
 * [Complete example](https://github.com/terraform-aws-modules/terraform-aws-transit-gateway/tree/master/examples/complete) shows TGW in combination with the [VPC module](https://github.com/terraform-aws-modules/terraform-aws-vpc) and [Resource Access Manager (RAM)](https://aws.amazon.com/ram/).
+* [Multi-account example](https://github.com/terraform-aws-modules/terraform-aws-transit-gateway/tree/master/examples/multi-account) shows TGW resources shared with different AWS accounts (via [Resource Access Manager (RAM)](https://aws.amazon.com/ram/)).
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.7, < 0.14 |
-| aws | >= 2.18, < 4.0 |
+| aws | >= 2.24, < 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 2.18, < 4.0 |
+| aws | >= 2.24, < 4.0 |
 
 ## Inputs
 
@@ -109,6 +110,7 @@ module "vpc" {
 | ram\_allow\_external\_principals | Indicates whether principals outside your organization can be associated with a resource share. | `bool` | `false` | no |
 | ram\_name | The name of the resource share of TGW | `string` | `""` | no |
 | ram\_principals | A list of principals to share TGW with. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN | `list(string)` | `[]` | no |
+| ram\_resource\_share\_arn | ARN of RAM resource share | `string` | `""` | no |
 | ram\_tags | Additional tags for the RAM | `map(string)` | `{}` | no |
 | share\_tgw | Whether to share your transit gateway with other accounts | `bool` | `true` | no |
 | tags | A map of tags to add to all resources | `map(string)` | `{}` | no |

examples/multi-account/README.md

@@ -0,0 +1,60 @@
+# Complete AWS Transit Gateway example
+
+Configuration in this directory creates AWS Transit Gateway, attach VPC to it and share it with other AWS principals using [Resource Access Manager (RAM)](https://aws.amazon.com/ram/).
+
+## Notes
+
+There is a famous limitation in Terraform which prevents us from using computed values in `count`. Fot this reason this example is using data-sources to discover already created default VPC and subnets.
+
+In real-world scenario you will have to split creation of VPC (using [terraform-aws-vpc modules](https://github.com/terraform-aws-modules/terraform-aws-vpc)) and creation of TGW resources using this module. 
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+No input.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| this\_ec2\_transit\_gateway\_arn | EC2 Transit Gateway Amazon Resource Name (ARN) |
+| this\_ec2\_transit\_gateway\_association\_default\_route\_table\_id | Identifier of the default association route table |
+| this\_ec2\_transit\_gateway\_id | EC2 Transit Gateway identifier |
+| this\_ec2\_transit\_gateway\_owner\_id | Identifier of the AWS account that owns the EC2 Transit Gateway |
+| this\_ec2\_transit\_gateway\_propagation\_default\_route\_table\_id | Identifier of the default propagation route table |
+| this\_ec2\_transit\_gateway\_route\_ids | List of EC2 Transit Gateway Route Table identifier combined with destination |
+| this\_ec2\_transit\_gateway\_route\_table\_association | Map of EC2 Transit Gateway Route Table Association attributes |
+| this\_ec2\_transit\_gateway\_route\_table\_association\_ids | List of EC2 Transit Gateway Route Table Association identifiers |
+| this\_ec2\_transit\_gateway\_route\_table\_default\_association\_route\_table | Boolean whether this is the default association route table for the EC2 Transit Gateway |
+| this\_ec2\_transit\_gateway\_route\_table\_default\_propagation\_route\_table | Boolean whether this is the default propagation route table for the EC2 Transit Gateway |
+| this\_ec2\_transit\_gateway\_route\_table\_id | EC2 Transit Gateway Route Table identifier |
+| this\_ec2\_transit\_gateway\_route\_table\_propagation | Map of EC2 Transit Gateway Route Table Propagation attributes |
+| this\_ec2\_transit\_gateway\_route\_table\_propagation\_ids | List of EC2 Transit Gateway Route Table Propagation identifiers |
+| this\_ec2\_transit\_gateway\_vpc\_attachment | Map of EC2 Transit Gateway VPC Attachment attributes |
+| this\_ec2\_transit\_gateway\_vpc\_attachment\_ids | List of EC2 Transit Gateway VPC Attachment identifiers |
+| this\_ram\_principal\_association\_id | The Amazon Resource Name (ARN) of the Resource Share and the principal, separated by a comma |
+| this\_ram\_resource\_share\_id | The Amazon Resource Name (ARN) of the resource share |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/multi-account/main.tf

@@ -0,0 +1,135 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+# This provider is required for attachment only installation in another AWS Account.
+provider "aws" {
+  region = "eu-west-1"
+  alias  = "peer"
+}
+
+// See Notes in README.md for explanation regarding using data-sources and computed values
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnet_ids" "this" {
+  vpc_id = data.aws_vpc.default.id
+}
+
+module "tgw" {
+  source = "../../"
+
+  name            = "my-tgw"
+  description     = "My TGW shared with several other AWS accounts"
+  amazon_side_asn = 64532
+
+  enable_auto_accept_shared_attachments = true // When "true" there is no need for RAM resources if using multiple AWS accounts
+
+  vpc_attachments = {
+    vpc1 = {
+      vpc_id                                          = data.aws_vpc.default.id      # module.vpc1.vpc_id
+      subnet_ids                                      = data.aws_subnet_ids.this.ids # module.vpc1.private_subnets
+      dns_support                                     = true
+      ipv6_support                                    = true
+      transit_gateway_default_route_table_association = false
+      transit_gateway_default_route_table_propagation = false
+      //      transit_gateway_route_table_id = "tgw-rtb-073a181ee589b360f"
+
+      tgw_routes = [
+        {
+          destination_cidr_block = "30.0.0.0/16"
+        },
+        {
+          blackhole              = true
+          destination_cidr_block = "0.0.0.0/0"
+        }
+      ]
+    },
+    vpc2 = {
+      vpc_id     = data.aws_vpc.default.id      # module.vpc2.vpc_id
+      subnet_ids = data.aws_subnet_ids.this.ids # module.vpc2.private_subnets
+
+      tgw_routes = [
+        {
+          destination_cidr_block = "50.0.0.0/16"
+        },
+        {
+          blackhole              = true
+          destination_cidr_block = "10.10.10.10/32"
+        }
+      ]
+    },
+  }
+
+  ram_allow_external_principals = true
+  ram_principals                = [307990089504]
+
+  tags = {
+    Purpose = "tgw-complete-example"
+  }
+}
+
+module "tgw_peer" {
+  # This is optional and connects to another account. Meaning you need to be authenticated with 2 separate AWS Accounts
+  source = "../../"
+
+  providers = {
+    aws = aws.peer
+  }
+
+  name            = "my-tgw-peer"
+  description     = "My TGW shared with several other AWS accounts"
+  amazon_side_asn = 64532
+
+  share_tgw                             = true
+  create_tgw                            = false
+  ram_resource_share_arn                = module.tgw.this_ram_resource_share_id
+  enable_auto_accept_shared_attachments = true // When "true" there is no need for RAM resources if using multiple AWS accounts
+
+  vpc_attachments = {
+    vpc1 = {
+      tgw_id                                          = module.tgw.this_ec2_transit_gateway_id
+      vpc_id                                          = data.aws_vpc.default.id      # module.vpc1.vpc_id
+      subnet_ids                                      = data.aws_subnet_ids.this.ids # module.vpc1.private_subnets
+      dns_support                                     = true
+      ipv6_support                                    = true
+      transit_gateway_default_route_table_association = false
+      transit_gateway_default_route_table_propagation = false
+      //      transit_gateway_route_table_id = "tgw-rtb-073a181ee589b360f"
+
+      tgw_routes = [
+        {
+          destination_cidr_block = "30.0.0.0/16"
+        },
+        {
+          blackhole              = true
+          destination_cidr_block = "0.0.0.0/0"
+        }
+      ]
+    },
+  }
+
+  ram_allow_external_principals = true
+  ram_principals                = [307990089504]
+
+  tags = {
+    Purpose = "tgw-complete-example"
+  }
+}
+
+module "vpc1" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 2.0"
+
+  name = "vpc1"
+
+  cidr = "10.10.0.0/16"
+
+  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
+
+  enable_ipv6                                    = true
+  private_subnet_assign_ipv6_address_on_creation = true
+  private_subnet_ipv6_prefixes                   = [0, 1, 2]
+}

examples/multi-account/outputs.tf

@@ -0,0 +1,92 @@
+// aws_ec2_transit_gateway
+output "this_ec2_transit_gateway_arn" {
+  description = "EC2 Transit Gateway Amazon Resource Name (ARN)"
+  value       = module.tgw.this_ec2_transit_gateway_arn
+}
+
+output "this_ec2_transit_gateway_association_default_route_table_id" {
+  description = "Identifier of the default association route table"
+  value       = module.tgw.this_ec2_transit_gateway_association_default_route_table_id
+}
+
+output "this_ec2_transit_gateway_id" {
+  description = "EC2 Transit Gateway identifier"
+  value       = module.tgw.this_ec2_transit_gateway_id
+}
+
+output "this_ec2_transit_gateway_owner_id" {
+  description = "Identifier of the AWS account that owns the EC2 Transit Gateway"
+  value       = module.tgw.this_ec2_transit_gateway_owner_id
+}
+
+output "this_ec2_transit_gateway_propagation_default_route_table_id" {
+  description = "Identifier of the default propagation route table"
+  value       = module.tgw.this_ec2_transit_gateway_propagation_default_route_table_id
+}
+
+output "this_ec2_transit_gateway_route_table_default_association_route_table" {
+  description = "Boolean whether this is the default association route table for the EC2 Transit Gateway"
+  value       = module.tgw.this_ec2_transit_gateway_route_table_default_association_route_table
+}
+
+output "this_ec2_transit_gateway_route_table_default_propagation_route_table" {
+  description = "Boolean whether this is the default propagation route table for the EC2 Transit Gateway"
+  value       = module.tgw.this_ec2_transit_gateway_route_table_default_propagation_route_table
+}
+
+// aws_ec2_transit_gateway_route_table
+output "this_ec2_transit_gateway_route_table_id" {
+  description = "EC2 Transit Gateway Route Table identifier"
+  value       = module.tgw.this_ec2_transit_gateway_route_table_id
+}
+
+// aws_ec2_transit_gateway_route
+output "this_ec2_transit_gateway_route_ids" {
+  description = "List of EC2 Transit Gateway Route Table identifier combined with destination"
+  value       = module.tgw.this_ec2_transit_gateway_route_ids
+}
+
+// aws_ec2_transit_gateway_vpc_attachment
+output "this_ec2_transit_gateway_vpc_attachment_ids" {
+  description = "List of EC2 Transit Gateway VPC Attachment identifiers"
+  value       = module.tgw.this_ec2_transit_gateway_vpc_attachment_ids
+}
+
+output "this_ec2_transit_gateway_vpc_attachment" {
+  description = "Map of EC2 Transit Gateway VPC Attachment attributes"
+  value       = module.tgw.this_ec2_transit_gateway_vpc_attachment
+}
+
+// aws_ec2_transit_gateway_route_table_association
+output "this_ec2_transit_gateway_route_table_association_ids" {
+  description = "List of EC2 Transit Gateway Route Table Association identifiers"
+  value       = module.tgw.this_ec2_transit_gateway_route_table_association_ids
+}
+
+output "this_ec2_transit_gateway_route_table_association" {
+  description = "Map of EC2 Transit Gateway Route Table Association attributes"
+  value       = module.tgw.this_ec2_transit_gateway_route_table_association
+}
+
+// aws_ec2_transit_gateway_route_table_propagation
+output "this_ec2_transit_gateway_route_table_propagation_ids" {
+  description = "List of EC2 Transit Gateway Route Table Propagation identifiers"
+  value       = module.tgw.this_ec2_transit_gateway_route_table_propagation_ids
+}
+
+output "this_ec2_transit_gateway_route_table_propagation" {
+  description = "Map of EC2 Transit Gateway Route Table Propagation attributes"
+  value       = module.tgw.this_ec2_transit_gateway_route_table_propagation
+}
+
+// aws_ram_resource_share
+output "this_ram_resource_share_id" {
+  description = "The Amazon Resource Name (ARN) of the resource share"
+  value       = module.tgw.this_ram_resource_share_id
+}
+
+// aws_ram_principal_association
+output "this_ram_principal_association_id" {
+  description = "The Amazon Resource Name (ARN) of the Resource Share and the principal, separated by a comma"
+  value       = module.tgw.this_ram_principal_association_id
+}

main.tf

@@ -67,7 +67,7 @@ resource "aws_ec2_transit_gateway_route" "this" {
 resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
   for_each = var.vpc_attachments
 
-  transit_gateway_id = lookup(each.value, "tgw_id", aws_ec2_transit_gateway.this[0].id)
+  transit_gateway_id = lookup(each.value, "tgw_id", var.create_tgw ? aws_ec2_transit_gateway.this[0].id : null)
   vpc_id             = each.value["vpc_id"]
   subnet_ids         = each.value["subnet_ids"]
 
@@ -132,3 +132,9 @@ resource "aws_ram_principal_association" "this" {
   principal          = var.ram_principals[count.index]
   resource_share_arn = aws_ram_resource_share.this[0].arn
 }
+
+resource "aws_ram_resource_share_accepter" "this" {
+  count = ! var.create_tgw && var.share_tgw ? 1 : 0
+
+  share_arn = var.ram_resource_share_arn
+}

variables.tf

@@ -121,3 +121,9 @@ variable "ram_principals" {
   type        = list(string)
   default     = []
 }
+
+variable "ram_resource_share_arn" {
+  description = "ARN of RAM resource share"
+  type        = string
+  default     = ""
+}

versions.tf

@@ -2,6 +2,6 @@ terraform {
   required_version = ">= 0.12.7, < 0.14"
 
   required_providers {
-    aws = ">= 2.18, < 4.0"
+    aws = ">= 2.24, < 4.0"
   }
 }