Merge pull request #243 from silinternational/develop

Release 12.3.0 - Add Transit Gateway option
silinternational · Feb 27, 2024 · ee8c2f6 · ee8c2f6
2 parents 8af802d + 8eb42c9
commit ee8c2f6
Show file tree

Hide file tree

Showing 30 changed files with 161 additions and 70 deletions.
diff --git a/terraform/000-core/main.tf b/terraform/000-core/main.tf
@@ -2,7 +2,7 @@
  * Create ECS cluster
  */
 module "ecscluster" {
-  source       = "github.com/silinternational/terraform-modules//aws/ecs/cluster?ref=8.6.0"
+  source       = "github.com/silinternational/terraform-modules//aws/ecs/cluster?ref=8.7.0"
   cluster_name = var.cluster_name
 }
 

diff --git a/terraform/010-cluster/README.md b/terraform/010-cluster/README.md
@@ -16,7 +16,6 @@ ssl certificate, core application load balancer, and a CloudWatch log group
  - `app_name` - Name of application, ex: Doorman, IdP, etc.
  - `app_env` - Name of environment, ex: prod, test, etc.
  - `aws_instance` - A map containing keys for `instance_type`, `volume_size`, `instance_count`
- - `aws_region` - A string with region to deploy in, example: `us-east-1`
  - `aws_zones` - A list of availability zones to distribute instances across, example: `["us-east-1a", "us-east-1b", "us-east-1c"]`
  - `cert_domain_name` - Domain name for certificate, example: `*.mydomain.com`
  - `ecs_cluster_name` - ECS cluster name for registering instances
@@ -58,7 +57,6 @@ module "cluster" {
   app_name                = var.app_name
   app_env                 = var.app_env
   aws_instance            = var.aws_instance
-  aws_region              = var.aws_region
   aws_zones               = var.aws_zones
   cert_domain_name        = var.cert_domain_name
   ecs_cluster_name        = data.terraform_remote_state.core.ecs_cluster_name

diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
@@ -2,21 +2,25 @@
  * Create VPC
  */
 module "vpc" {
-  source                     = "github.com/silinternational/terraform-modules//aws/vpc?ref=8.6.0"
-  app_name                   = var.app_name
-  app_env                    = var.app_env
-  aws_zones                  = var.aws_zones
-  create_nat_gateway         = var.create_nat_gateway
-  private_subnet_cidr_blocks = var.private_subnet_cidr_blocks
-  public_subnet_cidr_blocks  = var.public_subnet_cidr_blocks
-  vpc_cidr_block             = var.vpc_cidr_block
+  source                                          = "github.com/silinternational/terraform-modules//aws/vpc?ref=8.7.0"
+  app_name                                        = var.app_name
+  app_env                                         = var.app_env
+  aws_zones                                       = var.aws_zones
+  create_nat_gateway                              = var.create_nat_gateway
+  private_subnet_cidr_blocks                      = var.private_subnet_cidr_blocks
+  public_subnet_cidr_blocks                       = var.public_subnet_cidr_blocks
+  vpc_cidr_block                                  = var.vpc_cidr_block
+  use_transit_gateway                             = var.use_transit_gateway
+  transit_gateway_id                              = var.transit_gateway_id
+  transit_gateway_default_route_table_association = var.transit_gateway_default_route_table_association
+  transit_gateway_default_route_table_propagation = var.transit_gateway_default_route_table_propagation
 }
 
 /*
  * Security group to limit traffic to Cloudflare IPs
  */
 module "cloudflare-sg" {
-  source = "github.com/silinternational/terraform-modules//aws/cloudflare-sg?ref=8.6.0"
+  source = "github.com/silinternational/terraform-modules//aws/cloudflare-sg?ref=8.7.0"
   vpc_id = module.vpc.id
 }
 
@@ -37,7 +41,7 @@ data "aws_ami" "ecs_ami" {
  * Create auto-scaling group
  */
 module "asg" {
-  source                  = "github.com/silinternational/terraform-modules//aws/asg?ref=8.6.0"
+  source                  = "github.com/silinternational/terraform-modules//aws/asg?ref=8.7.0"
   app_name                = var.app_name
   app_env                 = var.app_env
   aws_instance            = var.aws_instance
@@ -61,7 +65,7 @@ data "aws_acm_certificate" "wildcard" {
  * Create application load balancer for public access
  */
 module "alb" {
-  source          = "github.com/silinternational/terraform-modules//aws/alb?ref=8.6.0"
+  source          = "github.com/silinternational/terraform-modules//aws/alb?ref=8.7.0"
   app_name        = var.app_name
   app_env         = var.app_env
   internal        = "false"
@@ -75,7 +79,7 @@ module "alb" {
  * Create application load balancer for internal use
  */
 module "internal_alb" {
-  source          = "github.com/silinternational/terraform-modules//aws/alb?ref=8.6.0"
+  source          = "github.com/silinternational/terraform-modules//aws/alb?ref=8.7.0"
   alb_name        = "alb-${var.app_name}-${var.app_env}-int"
   app_name        = var.app_name
   app_env         = var.app_env

diff --git a/terraform/010-cluster/vars.tf b/terraform/010-cluster/vars.tf
@@ -33,6 +33,12 @@ variable "create_nat_gateway" {
   default     = true
 }
 
+variable "use_transit_gateway" {
+  description = "Set to true to attach a transit gateway to this VPC and route traffic to it. Use in conjunction with transit_gateway_id and create_nat_gateway=false."
+  type        = bool
+  default     = false
+}
+
 variable "ecs_cluster_name" {
   type = string
 }
@@ -68,6 +74,24 @@ variable "tags" {
   default     = {}
 }
 
+variable "transit_gateway_id" {
+  description = "The ID of the transit gateway to attach to when use_transit_gateway = true."
+  type        = string
+  default     = ""
+}
+
+variable "transit_gateway_default_route_table_association" {
+  description = "Whether or not to associate with the default route table of the transit gateway."
+  type        = bool
+  default     = true
+}
+
+variable "transit_gateway_default_route_table_propagation" {
+  description = "Whether or not to send propagation of this route to the default route table of the transit gateway."
+  type        = bool
+  default     = true
+}
+
 variable "vpc_cidr_block" {
   description = "The block of IP addresses (as a CIDR) the VPC should use"
   type        = string

diff --git a/terraform/020-database/main.tf b/terraform/020-database/main.tf
@@ -8,7 +8,7 @@ resource "random_id" "db_root_pass" {
 }
 
 module "rds" {
-  source                  = "github.com/silinternational/terraform-modules//aws/rds/mariadb?ref=8.6.0"
+  source                  = "github.com/silinternational/terraform-modules//aws/rds/mariadb?ref=8.7.0"
   app_name                = var.app_name
   app_env                 = var.app_env
   db_name                 = var.db_name

diff --git a/terraform/022-ecr/main.tf b/terraform/022-ecr/main.tf
@@ -2,7 +2,7 @@
  * id-broker
  */
 module "ecr_idbroker" {
-  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.6.0"
+  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.7.0"
   repo_name             = "${var.idp_name}/id-broker"
   ecsInstanceRole_arn   = var.ecsInstanceRole_arn
   ecsServiceRole_arn    = var.ecsServiceRole_arn
@@ -15,7 +15,7 @@ module "ecr_idbroker" {
  * pw-api
  */
 module "ecr_pwapi" {
-  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.6.0"
+  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.7.0"
   repo_name             = "${var.idp_name}/pw-api"
   ecsInstanceRole_arn   = var.ecsInstanceRole_arn
   ecsServiceRole_arn    = var.ecsServiceRole_arn
@@ -28,7 +28,7 @@ module "ecr_pwapi" {
  * simplesamlphp
  */
 module "ecr_simplesamlphp" {
-  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.6.0"
+  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.7.0"
   repo_name             = "${var.idp_name}/simplesamlphp"
   ecsInstanceRole_arn   = var.ecsInstanceRole_arn
   ecsServiceRole_arn    = var.ecsServiceRole_arn
@@ -41,7 +41,7 @@ module "ecr_simplesamlphp" {
  * id-sync
  */
 module "ecr_idsync" {
-  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.6.0"
+  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.7.0"
   repo_name             = "${var.idp_name}/id-sync"
   ecsInstanceRole_arn   = var.ecsInstanceRole_arn
   ecsServiceRole_arn    = var.ecsServiceRole_arn

diff --git a/terraform/031-email-service/README.md b/terraform/031-email-service/README.md
@@ -11,7 +11,6 @@ This module is used to create an ECS service running email-service.
 ## Required Inputs
 
  - `app_env` - Application environment
- - `aws_region` - AWS region
  - `cloudflare_domain` - Top level domain name for use with Cloudflare
  - `cloudwatch_log_group_name` - CloudWatch log group name
  - `db_name` - Name of MySQL database for email-service
@@ -64,7 +63,6 @@ module "email" {
   source                    = "github.com/silinternational/idp-in-a-box//terraform/031-email-service"
   app_env                   = var.app_env
   app_name                  = var.app_name
-  aws_region                = var.aws_region`
   cloudflare_domain         = var.cloudflare_domain
   cloudwatch_log_group_name = var.cloudwatch_log_group_name
   cpu_api                   = var.cpu_api

diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf
@@ -1,3 +1,8 @@
+locals {
+  aws_account = data.aws_caller_identity.this.account_id
+  aws_region  = data.aws_region.current.name
+}
+
 /*
  * Create target group for ALB
  */
@@ -54,7 +59,7 @@ resource "random_id" "access_token_idsync" {
  * Create role for access to SES
  */
 resource "aws_iam_role" "ses" {
-  name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${var.aws_region}"
+  name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${local.aws_region}"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
@@ -100,13 +105,13 @@ resource "aws_iam_role_policy" "ses" {
  * Create ECS services
  */
 locals {
-  subdomain_with_region = "${var.subdomain}-${var.aws_region}"
+  subdomain_with_region = "${var.subdomain}-${local.aws_region}"
 
   task_def_api = templatefile("${path.module}/task-definition-api.json", {
     api_access_keys           = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}"
     app_env                   = var.app_env
     app_name                  = var.app_name
-    aws_region                = var.aws_region
+    aws_region                = local.aws_region
     cloudwatch_log_group_name = var.cloudwatch_log_group_name
     cpu_api                   = var.cpu_api
     db_name                   = var.db_name
@@ -130,7 +135,7 @@ locals {
 }
 
 module "ecsservice_api" {
-  source             = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.6.0"
+  source             = "github.com/silinternational/terraform-modules//aws/ecs/service-only?ref=8.7.0"
   cluster_id         = var.ecs_cluster_id
   service_name       = "${var.idp_name}-${var.app_name}-api"
   service_env        = var.app_env
@@ -148,7 +153,7 @@ locals {
     api_access_keys           = "${random_id.access_token_pwmanager.hex},${random_id.access_token_idbroker.hex},${random_id.access_token_idsync.hex}"
     app_env                   = var.app_env
     app_name                  = var.app_name
-    aws_region                = var.aws_region
+    aws_region                = local.aws_region
     cloudwatch_log_group_name = var.cloudwatch_log_group_name
     cpu_cron                  = var.cpu_cron
     db_name                   = var.db_name
@@ -172,7 +177,7 @@ locals {
 }
 
 module "ecsservice_cron" {
-  source             = "github.com/silinternational/terraform-modules//aws/ecs/service-no-alb?ref=8.6.0"
+  source             = "github.com/silinternational/terraform-modules//aws/ecs/service-no-alb?ref=8.7.0"
   cluster_id         = var.ecs_cluster_id
   service_name       = "${var.idp_name}-${var.app_name}-cron"
   service_env        = var.app_env
@@ -195,3 +200,11 @@ resource "cloudflare_record" "emaildns" {
 data "cloudflare_zone" "domain" {
   name = var.cloudflare_domain
 }
+
+/*
+ * AWS data
+ */
+
+data "aws_caller_identity" "this" {}
+
+data "aws_region" "current" {}
diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf
@@ -8,7 +8,9 @@ variable "app_name" {
 }
 
 variable "aws_region" {
-  type = string
+  description = "WARNING: This is not used. The region is more reliably determined from the aws_region data source."
+  type        = string
+  default     = ""
 }
 
 variable "cloudflare_domain" {

diff --git a/terraform/032-db-backup/README.md b/terraform/032-db-backup/README.md
@@ -10,7 +10,6 @@ This module is used to run mysqldump and backup files to S3
 ## Required Inputs
 
  - `app_env` - Application environment
- - `aws_region` - AWS region
  - `cloudwatch_log_group_name` - CloudWatch log group name
  - `docker_image` - The docker image to use for this
  - `ecs_cluster_id` - ID for ECS Cluster
@@ -44,7 +43,6 @@ module "dbbackup" {
   source                    = "github.com/silinternational/idp-in-a-box//terraform/032-db-backup"
   app_env                   = var.app_env
   app_name                  = var.app_name
-  aws_region                = var.aws_region`
   cloudwatch_log_group_name = var.cloudwatch_log_group_name
   cpu                       = var.cpu
   cron_schedule             = var.cron_schedule

diff --git a/terraform/032-db-backup/main.tf b/terraform/032-db-backup/main.tf
@@ -1,3 +1,8 @@
+locals {
+  aws_account = data.aws_caller_identity.this.account_id
+  aws_region  = data.aws_region.current.name
+}
+
 /*
  * Create S3 bucket for storing backups
  */
@@ -82,7 +87,7 @@ locals {
   task_def_backup = templatefile("${path.module}/task-definition.json", {
     app_env                   = var.app_env
     app_name                  = var.app_name
-    aws_region                = var.aws_region
+    aws_region                = local.aws_region
     cloudwatch_log_group_name = var.cloudwatch_log_group_name
     aws_access_key            = aws_iam_access_key.backup.id
     aws_secret_key            = aws_iam_access_key.backup.secret
@@ -183,3 +188,10 @@ resource "aws_cloudwatch_event_target" "backup_event_target" {
   }
 }
 
+/*
+ * AWS data
+ */
+
+data "aws_caller_identity" "this" {}
+
+data "aws_region" "current" {}
diff --git a/terraform/032-db-backup/vars.tf b/terraform/032-db-backup/vars.tf
@@ -8,7 +8,9 @@ variable "app_name" {
 }
 
 variable "aws_region" {
-  type = string
+  description = "This is not used. The region is more reliably determined from the aws_region data source."
+  type        = string
+  default     = ""
 }
 
 variable "backup_user_name" {

diff --git a/terraform/040-id-broker/README.md b/terraform/040-id-broker/README.md
@@ -11,7 +11,6 @@ This module is used to create an ECS service running id-broker.
 
  - `app_env` - Application environment
  - `app_name` - Application name
- - `aws_region` - AWS region
  - `cloudflare_domain` - Top level domain name for use with Cloudflare
  - `cloudwatch_log_group_name` - CloudWatch log group name
  - `db_name` - Name of MySQL database for id-broker
@@ -145,7 +144,6 @@ module "broker" {
   source                           = "github.com/silinternational/idp-in-a-box//terraform/040-id-broker"
   app_env                          = var.app_env
   app_name                         = var.app_name
-  aws_region                       = var.aws_region
   cloudflare_domain                = var.cloudflare_domain
   cloudwatch_log_group_name        = var.cloudwatch_log_group_name
   contingent_user_duration         = var.contingent_user_duration