From 0f882d24810b92177ce191c6478598c2459d8310 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Thu, 26 Dec 2024 18:07:29 -0600
Subject: [PATCH] feat: Add variable type definitions on object types
---
 README.md | 14 +++++------
 main.tf | 63 +++++++++++++++++++++++-------------------
 variables.tf | 67 ++++++++++++++++++++++++++++++++++++----------------
 3 files changed, 82 insertions(+), 62 deletions(-)
diff --git a/README.md b/README.md
index a7ffe1d..448fb84 100644
--- a/README.md
+++ b/README.md
@@ -84,8 +84,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the TGW is created with the current default Amazon ASN. | `string` | `null` | no |
-| [attachment\_tags](#input\_attachment\_tags) | Additional tags for VPC attachments | `map(string)` | `{}` | no |
+| [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the TGW is created with the current default Amazon ASN | `string` | `null` | no |
 | [create](#input\_create) | Controls if TGW should be created (it affects almost all resources) | `bool` | `true` | no |
 | [create\_flow\_log](#input\_create\_flow\_log) | Whether to create flow log resource(s) | `bool` | `true` | no |
 | [description](#input\_description) | Description of the EC2 Transit Gateway | `string` | `null` | no |
@@ -94,21 +93,20 @@ No modules. | [enable\_default\_route\_table\_propagation](#input\_enable\_default\_route\_table\_propagation) | Whether resource attachments automatically propagate routes to the default propagation route table | `bool` | `false` | no | | [enable\_dns\_support](#input\_enable\_dns\_support) | Should be true to enable DNS support in the TGW | `bool` | `true` | no | | [enable\_multicast\_support](#input\_enable\_multicast\_support) | Whether multicast support is enabled | `bool` | `false` | no | +| [enable\_ram\_share](#input\_enable\_ram\_share) | Whether to share your transit gateway with other accounts | `bool` | `false` | no | | [enable\_vpn\_ecmp\_support](#input\_enable\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled | `bool` | `true` | no | -| [flow\_log\_tags](#input\_flow\_log\_tags) | Additional tags for TGW or attachment flow logs | `map(string)` | `{}` | no | -| [flow\_logs](#input\_flow\_logs) | Flow Logs to create for Transit Gateway or attachments | `any` | `{}` | no | +| [flow\_logs](#input\_flow\_logs) | Flow Logs to create for Transit Gateway or attachments |
map(object({
deliver_cross_account_role = optional(string)
destination_options = optional(object({
file_format = optional(string, "parquet")
hive_compatible_partitions = optional(bool, false)
per_hour_partition = optional(bool, true)
}))
iam_role_arn = optional(string)
log_destination = optional(string)
log_destination_type = optional(string)
log_format = optional(string)
max_aggregation_interval = optional(number, 30)
traffic_type = optional(string, "ALL")
tags = optional(map(string), {})

enable_transit_gateway = optional(bool, true)
# The following can be provided when `enable_transit_gateway` is `false`
vpc_attachment_key = optional(string)
peering_attachment_key = optional(string)
}))
| `{}` | no | | [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no | -| [peering\_attachments](#input\_peering\_attachments) | Map of Transit Gateway peering attachments to create | `any` | `{}` | no | -| [ram\_allow\_external\_principals](#input\_ram\_allow\_external\_principals) | Indicates whether principals outside your organization can be associated with a resource share. | `bool` | `false` | no | +| [peering\_attachments](#input\_peering\_attachments) | Map of Transit Gateway peering attachments to create |
map(object({
peer_account_id = string
peer_region = string
peer_transit_gateway_id = string
tags = optional(map(string), {})

accept_peering_attachment = optional(bool, false)
}))
| `{}` | no | +| [ram\_allow\_external\_principals](#input\_ram\_allow\_external\_principals) | Indicates whether principals outside your organization can be associated with a resource share | `bool` | `false` | no | | [ram\_name](#input\_ram\_name) | The name of the resource share of TGW | `string` | `""` | no | | [ram\_principals](#input\_ram\_principals) | A list of principals to share TGW with. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN | `set(string)` | `[]` | no | | [ram\_tags](#input\_ram\_tags) | Additional tags for the RAM | `map(string)` | `{}` | no | -| [share\_tgw](#input\_share\_tgw) | Whether to share your transit gateway with other accounts | `bool` | `true` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | | [tgw\_tags](#input\_tgw\_tags) | Additional tags for the TGW | `map(string)` | `{}` | no | | [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the transit gateway | `map(string)` | `{}` | no | | [transit\_gateway\_cidr\_blocks](#input\_transit\_gateway\_cidr\_blocks) | One or more IPv4 or IPv6 CIDR blocks for the transit gateway. Must be a size /24 CIDR block or larger for IPv4, or a size /64 CIDR block or larger for IPv6 | `list(string)` | `[]` | no | -| [vpc\_attachments](#input\_vpc\_attachments) | Map of VPC route table attachments to create | `any` | `{}` | no | +| [vpc\_attachments](#input\_vpc\_attachments) | Map of VPC route table attachments to create |
map(object({
vpc_id = string
subnet_ids = list(string)
dns_support = optional(bool, true)
ipv6_support = optional(bool, false)
appliance_mode_support = optional(bool, false)
transit_gateway_default_route_table_association = optional(bool, false)
transit_gateway_default_route_table_propagation = optional(bool, false)
tags = optional(map(string), {})

accept_peering_attachment = optional(bool, false)
}))
| `{}` | no |
 ## Outputs
diff --git a/main.tf b/main.tf
index 2eda8ff..f8fd48e 100644
--- a/main.tf
+++ b/main.tf
@@ -47,36 +47,34 @@ resource "aws_ec2_tag" "this" {
 resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
 for_each = { for k, v in var.vpc_attachments : k => v if var.create }
- transit_gateway_id = var.create ? aws_ec2_transit_gateway.this[0].id : each.value.tgw_id
+ transit_gateway_id = aws_ec2_transit_gateway.this[0].id
 vpc_id = each.value.vpc_id
 subnet_ids = each.value.subnet_ids
- dns_support = try(each.value.dns_support, true) ? "enable" : "disable"
- ipv6_support = try(each.value.ipv6_support, false) ? "enable" : "disable"
- appliance_mode_support = try(each.value.appliance_mode_support, false) ? "enable" : "disable"
- transit_gateway_default_route_table_association = try(each.value.transit_gateway_default_route_table_association, false)
- transit_gateway_default_route_table_propagation = try(each.value.transit_gateway_default_route_table_propagation, false)
+ dns_support = each.value.dns_support ? "enable" : "disable"
+ ipv6_support = each.value.ipv6_support ? "enable" : "disable"
+ appliance_mode_support = each.value.appliance_mode_support ?
"enable" : "disable"
+ transit_gateway_default_route_table_association = each.value.transit_gateway_default_route_table_association
+ transit_gateway_default_route_table_propagation = each.value.transit_gateway_default_route_table_propagation
 tags = merge(
 var.tags,
 { Name = each.key },
- var.attachment_tags,
- try(each.value.tags, {}),
+ each.value.tags,
 )
 }
 resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "this" {
- for_each = { for k, v in var.vpc_attachments : k => v if var.create && try(v.accept_peering_attachment, false) }
+ for_each = { for k, v in var.vpc_attachments : k => v if var.create && v.accept_peering_attachment }
 transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.this[0]
- transit_gateway_default_route_table_association = try(each.value.transit_gateway_default_route_table_association, false)
- transit_gateway_default_route_table_propagation = try(each.value.transit_gateway_default_route_table_propagation, false)
+ transit_gateway_default_route_table_association = each.value.transit_gateway_default_route_table_association
+ transit_gateway_default_route_table_propagation = each.value.transit_gateway_default_route_table_propagation
 tags = merge(
 var.tags,
 { Name = each.key },
- var.attachment_tags,
- try(each.value.tags, {}),
+ each.value.tags,
 )
 }
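Review bot: The accepter's `transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.this[0]` is a context line here, but it indexes a `for_each` resource with `[0]` and omits `.id`, while the peering accepter in the next hunk uses `aws_ec2_transit_gateway_peering_attachment.this[each.key].id`; now that a typed `accept_peering_attachment = true` reaches this resource without a `try()` in front, the line presumably fails the plan and should read `transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.this[each.key].id`. The new `transit_gateway_id = aws_ec2_transit_gateway.this[0].id` also drops the `each.value.tgw_id` fallback, so attachments can only target the gateway this module creates; a one-line comment stating that, e.g. `# Attachments always target the TGW created by this module`, would save the next reader from looking for the old escape hatch. `accept_peering_attachment` is a confusing name for a flag on a VPC attachment object (it drives `aws_ec2_transit_gateway_vpc_attachment_accepter`, not a peering), which the VPC-attachment variable's documentation should at least spell out.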
@@ -89,14 +87,14 @@ resource "aws_ec2_transit_gateway_peering_attachment" "this" {
 peer_account_id = each.value.peer_account_id
 peer_region = each.value.peer_region
- peer_transit_gateway_id = each.value.peer_tgw_id
+ peer_transit_gateway_id = each.value.peer_transit_gateway_id
 transit_gateway_id = aws_ec2_transit_gateway.this[0].id
 tags = var.tags
 }
 resource "aws_ec2_transit_gateway_peering_attachment_accepter" "this" {
- for_each = { for k, v in var.peering_attachments : k => v if var.create && try(v.accept_peering_attachment, false) }
+ for_each = { for k, v in var.peering_attachments : k => v if var.create && v.accept_peering_attachment }
 transit_gateway_attachment_id = aws_ec2_transit_gateway_peering_attachment.this[each.key].id
@@ -112,7 +110,7 @@ locals {
 }
 resource "aws_ram_resource_share" "this" {
- count = var.create && var.share_tgw ? 1 : 0
+ count = var.create && var.enable_ram_share ? 1 : 0
 name = local.ram_name
 allow_external_principals = var.ram_allow_external_principals
@@ -125,14 +123,14 @@ resource "aws_ram_resource_share" "this" {
 }
 resource "aws_ram_resource_association" "this" {
- count = var.create && var.share_tgw ? 1 : 0
+ count = var.create && var.enable_ram_share ? 1 : 0
 resource_arn = aws_ec2_transit_gateway.this[0].arn
 resource_share_arn = aws_ram_resource_share.this[0].id
 }
 resource "aws_ram_principal_association" "this" {
- for_each = { for k, v in var.ram_principals : k => v if var.create && var.share_tgw }
+ for_each = { for k, v in var.ram_principals : k => v if var.create && var.enable_ram_share }
 principal = each.value
 resource_share_arn = aws_ram_resource_share.this[0].arn
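Review bot: `tags = var.tags` on `aws_ec2_transit_gateway_peering_attachment` is left untouched, yet the `peering_attachments` object type this commit adds in `variables.tf` declares `tags = optional(map(string), {})`, so per-attachment tags are accepted by the variable and then silently ignored. Mirror what the VPC attachment does in the previous hunk: `tags = merge(var.tags, { Name = each.key }, each.value.tags)`. The accepter's `for_each` below it still drops the `try()` correctly since `accept_peering_attachment` now has a typed default. The peering attachment resource's opening line is outside this hunk.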
@@ -145,28 +143,27 @@ resource "aws_ram_principal_association" "this" {
 resource "aws_flow_log" "this" {
 for_each = { for k, v in var.flow_logs : k => v if var.create && var.create_flow_log }
- deliver_cross_account_role = try(each.value.deliver_cross_account_role, null)
+ deliver_cross_account_role = each.value.deliver_cross_account_role
 dynamic "destination_options" {
- for_each = try([each.value.destination_options], [])
+ for_each = each.value.destination_options != null ? [each.value.destination_options] : []
 content {
- file_format = try(each.value.file_format, "parquet")
- hive_compatible_partitions = try(each.value.hive_compatible_partitions, false)
- per_hour_partition = try(each.value.per_hour_partition, true)
+ file_format = each.value.file_format
+ hive_compatible_partitions = each.value.hive_compatible_partitions
+ per_hour_partition = each.value.per_hour_partition
 }
 }
- iam_role_arn = try(each.value.iam_role_arn, null)
- log_destination = try(each.value.log_destination, null)
- log_destination_type = try(each.value.log_destination_type, null)
- log_format = try(each.value.log_format, null)
- # When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).
- max_aggregation_interval = max(try(each.value.max_aggregation_interval, 30), 60)
+ iam_role_arn = each.value.iam_role_arn
+ log_destination = each.value.log_destination
+ log_destination_type = each.value.log_destination_type
+ log_format = each.value.log_format
+ max_aggregation_interval = max(each.value.max_aggregation_interval, 60)
- traffic_type = try(each.value.traffic_type, "ALL")
- transit_gateway_id = try(each.value.enable_transit_gateway, true) ? aws_ec2_transit_gateway.this[0].id : null
- transit_gateway_attachment_id = try(each.value.enable_transit_gateway, true) ? null : try(
+ traffic_type = each.value.traffic_type
+ transit_gateway_id = each.value.enable_transit_gateway ?
aws_ec2_transit_gateway.this[0].id : null
+ transit_gateway_attachment_id = each.value.enable_transit_gateway ? null : try(
 aws_ec2_transit_gateway_vpc_attachment.this[each.value.vpc_attachment_key].id,
 aws_ec2_transit_gateway_peering_attachment.this[each.value.peering_attachment_key].id,
 null
@@ -174,6 +171,6 @@ resource "aws_flow_log" "this" {
 tags = merge(
 var.tags,
- var.flow_log_tags,
+ each.value.tags,
 )
 }
diff --git a/variables.tf b/variables.tf
index 936d676..b466d42 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,7 +27,7 @@ variable "description" {
 }
 variable "amazon_side_asn" {
- description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the TGW is created with the current default Amazon ASN."
+ description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the TGW is created with the current default Amazon ASN"
 type = string
 default = null
 }
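Review bot: Inside `dynamic "destination_options"` the new lines read `each.value.file_format`, `each.value.hive_compatible_partitions` and `each.value.per_hour_partition`, but `each.value` there is still the flow-log object from the resource's `for_each`, and the `flow_logs` type this commit adds nests those three attributes under `destination_options`, not at the top level; the old `try()` papered over that lookup failing, whereas the typed object should now make the plan fail with an unsupported-attribute error for any entry that sets `destination_options`. Read them through the block iterator instead: `file_format = destination_options.value.file_format`, `hive_compatible_partitions = destination_options.value.hive_compatible_partitions`, `per_hour_partition = destination_options.value.per_hour_partition`. The removed comment is the only place that explained why `max_aggregation_interval` is clamped with `max(..., 60)`; keep it above the new line, e.g. `# When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).`. The `try(..., null)` on `transit_gateway_attachment_id` means a misspelled `vpc_attachment_key` or `peering_attachment_key` yields a flow log with no target rather than an error, which is worth a comment on that line as well; the `aws_flow_log` body continues past this hunk.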
@@ -92,30 +92,42 @@ variable "tgw_tags" {
 variable "vpc_attachments" {
 description = "Map of VPC route table attachments to create"
- type = any
- default = {}
+ type = map(object({
+ vpc_id = string
+ subnet_ids = list(string)
+ dns_support = optional(bool, true)
+ ipv6_support = optional(bool, false)
+ appliance_mode_support = optional(bool, false)
+ transit_gateway_default_route_table_association = optional(bool, false)
+ transit_gateway_default_route_table_propagation = optional(bool, false)
+ tags = optional(map(string), {})
+
+ accept_peering_attachment = optional(bool, false)
+ }))
+ default = {}
 }
 variable "peering_attachments" {
 description = "Map of Transit Gateway peering attachments to create"
- type = any
- default = {}
-}
+ type = map(object({
+ peer_account_id = string
+ peer_region = string
+ peer_transit_gateway_id = string
+ tags = optional(map(string), {})
-variable "attachment_tags" {
- description = "Additional tags for VPC attachments"
- type = map(string)
- default = {}
+ accept_peering_attachment = optional(bool, false)
+ }))
+ default = {}
 }
 ################################################################################
 # Resource Access Manager
 ################################################################################
-variable "share_tgw" {
+variable "enable_ram_share" {
 description = "Whether to share your transit gateway with other accounts"
 type = bool
- default = true
+ default = false
 }
 variable "ram_name" {
@@ -125,7 +137,7 @@ variable "ram_name" {
 }
 variable "ram_allow_external_principals" {
- description = "Indicates whether principals outside your organization can be associated with a resource share."
+ description = "Indicates whether principals outside your organization can be associated with a resource share"
 type = bool
 default = false
 }
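Review bot: `enable_ram_share` replaces `share_tgw` with its default flipped from `true` to `false`, and neither the description nor the commit message says so; since `aws_ram_resource_share`, `aws_ram_resource_association` and `aws_ram_principal_association` in `main.tf` all key off this variable, an existing user who never set `share_tgw` will have the share and every principal association destroyed on the next apply. Not sharing by default is the safer posture, but the cut-over needs to be explicit: `description = "Whether to share your transit gateway with other accounts via RAM (replaces share_tgw; now defaults to false)"` plus a changelog entry. The new object types also carry no per-attribute documentation; at minimum `accept_peering_attachment` in `vpc_attachments` deserves a comment such as `# Accept the VPC attachment from this account (drives aws_ec2_transit_gateway_vpc_attachment_accepter); not a peering attachment despite the name`. The `tags` attribute added to `peering_attachments` is documented here but, as far as the `main.tf` hunks show, never applied to the peering resource.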
@@ -154,12 +166,25 @@ variable "create_flow_log" {
 variable "flow_logs" {
 description = "Flow Logs to create for Transit Gateway or attachments"
- type = any
- default = {}
-}
-
-variable "flow_log_tags" {
- description = "Additional tags for TGW or attachment flow logs"
- type = map(string)
- default = {}
+ type = map(object({
+ deliver_cross_account_role = optional(string)
+ destination_options = optional(object({
+ file_format = optional(string, "parquet")
+ hive_compatible_partitions = optional(bool, false)
+ per_hour_partition = optional(bool, true)
+ }))
+ iam_role_arn = optional(string)
+ log_destination = optional(string)
+ log_destination_type = optional(string)
+ log_format = optional(string)
+ max_aggregation_interval = optional(number, 30)
+ traffic_type = optional(string, "ALL")
+ tags = optional(map(string), {})
+
+ enable_transit_gateway = optional(bool, true)
+ # The following can be provided when `enable_transit_gateway` is `false`
+ vpc_attachment_key = optional(string)
+ peering_attachment_key = optional(string)
+ }))
+ default = {}
 }
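Review bot: `max_aggregation_interval = optional(number, 30)` advertises a 30-second default, but the `aws_flow_log` hunk in `main.tf` applies `max(each.value.max_aggregation_interval, 60)`, so 30 (or anything below 60) is silently raised to 60 and the declared default never takes effect; set it to `max_aggregation_interval = optional(number, 60) # TGW flow logs require 60; lower values are raised to 60`. The comment on `vpc_attachment_key` / `peering_attachment_key` says they "can be provided" when `enable_transit_gateway` is false, but nothing requires one of them, and `main.tf` falls back to `null` for a missing or misspelled key, producing a flow log with no target instead of a clear error. A validation block on the variable would catch that at plan time.
```hcl
variable "flow_logs" {
  description = "Flow Logs to create for Transit Gateway or attachments"
  # … unchanged: type = map(object({ … })) …
  default = {}

  validation {
    condition = alltrue([
      for k, v in var.flow_logs :
      v.enable_transit_gateway || v.vpc_attachment_key != null || v.peering_attachment_key != null
    ])
    error_message = "When enable_transit_gateway is false, set vpc_attachment_key or peering_attachment_key."
  }
}
```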