feat: Add support for security group referencing

terraform-aws-modules · Dec 27, 2024 · 896ea01 · 896ea01
1 parent 9b7a970
commit 896ea01
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 62 deletions.
diff --git a/README.md b/README.md
@@ -85,28 +85,29 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_amazon_side_asn"></a> [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the TGW is created with the current default Amazon ASN | `string` | `null` | no |
-| <a name="input_create"></a> [create](#input\_create) | Controls if TGW should be created (it affects almost all resources) | `bool` | `true` | no |
+| <a name="input_auto_accept_shared_attachments"></a> [auto\_accept\_shared\_attachments](#input\_auto\_accept\_shared\_attachments) | Whether resource attachment requests are automatically accepted | `bool` | `false` | no |
+| <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (it affects almost all resources) | `bool` | `true` | no |
 | <a name="input_create_flow_log"></a> [create\_flow\_log](#input\_create\_flow\_log) | Whether to create flow log resource(s) | `bool` | `true` | no |
+| <a name="input_default_route_table_association"></a> [default\_route\_table\_association](#input\_default\_route\_table\_association) | Whether resource attachments are automatically associated with the default association route table | `bool` | `false` | no |
+| <a name="input_default_route_table_propagation"></a> [default\_route\_table\_propagation](#input\_default\_route\_table\_propagation) | Whether resource attachments automatically propagate routes to the default propagation route table | `bool` | `false` | no |
 | <a name="input_description"></a> [description](#input\_description) | Description of the EC2 Transit Gateway | `string` | `null` | no |
-| <a name="input_enable_auto_accept_shared_attachments"></a> [enable\_auto\_accept\_shared\_attachments](#input\_enable\_auto\_accept\_shared\_attachments) | Whether resource attachment requests are automatically accepted | `bool` | `false` | no |
-| <a name="input_enable_default_route_table_association"></a> [enable\_default\_route\_table\_association](#input\_enable\_default\_route\_table\_association) | Whether resource attachments are automatically associated with the default association route table | `bool` | `false` | no |
-| <a name="input_enable_default_route_table_propagation"></a> [enable\_default\_route\_table\_propagation](#input\_enable\_default\_route\_table\_propagation) | Whether resource attachments automatically propagate routes to the default propagation route table | `bool` | `false` | no |
-| <a name="input_enable_dns_support"></a> [enable\_dns\_support](#input\_enable\_dns\_support) | Should be true to enable DNS support in the TGW | `bool` | `true` | no |
-| <a name="input_enable_multicast_support"></a> [enable\_multicast\_support](#input\_enable\_multicast\_support) | Whether multicast support is enabled | `bool` | `false` | no |
+| <a name="input_dns_support"></a> [dns\_support](#input\_dns\_support) | Should be true to enable DNS support in the TGW | `bool` | `true` | no |
 | <a name="input_enable_ram_share"></a> [enable\_ram\_share](#input\_enable\_ram\_share) | Whether to share your transit gateway with other accounts | `bool` | `false` | no |
-| <a name="input_enable_vpn_ecmp_support"></a> [enable\_vpn\_ecmp\_support](#input\_enable\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled | `bool` | `true` | no |
 | <a name="input_flow_logs"></a> [flow\_logs](#input\_flow\_logs) | Flow Logs to create for Transit Gateway or attachments | <pre>map(object({<br/>    deliver_cross_account_role = optional(string)<br/>    destination_options = optional(object({<br/>      file_format                = optional(string, "parquet")<br/>      hive_compatible_partitions = optional(bool, false)<br/>      per_hour_partition         = optional(bool, true)<br/>    }))<br/>    iam_role_arn             = optional(string)<br/>    log_destination          = optional(string)<br/>    log_destination_type     = optional(string)<br/>    log_format               = optional(string)<br/>    max_aggregation_interval = optional(number, 30)<br/>    traffic_type             = optional(string, "ALL")<br/>    tags                     = optional(map(string), {})<br/><br/>    enable_transit_gateway = optional(bool, true)<br/>    # The following can be provided when `enable_transit_gateway` is `false`<br/>    vpc_attachment_key     = optional(string)<br/>    peering_attachment_key = optional(string)<br/>  }))</pre> | `{}` | no |
-| <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no |
+| <a name="input_multicast_support"></a> [multicast\_support](#input\_multicast\_support) | Whether multicast support is enabled | `bool` | `false` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as the identifier | `string` | `""` | no |
 | <a name="input_peering_attachments"></a> [peering\_attachments](#input\_peering\_attachments) | Map of Transit Gateway peering attachments to create | <pre>map(object({<br/>    peer_account_id         = string<br/>    peer_region             = string<br/>    peer_transit_gateway_id = string<br/>    tags                    = optional(map(string), {})<br/><br/>    accept_peering_attachment = optional(bool, false)<br/>  }))</pre> | `{}` | no |
 | <a name="input_ram_allow_external_principals"></a> [ram\_allow\_external\_principals](#input\_ram\_allow\_external\_principals) | Indicates whether principals outside your organization can be associated with a resource share | `bool` | `false` | no |
 | <a name="input_ram_name"></a> [ram\_name](#input\_ram\_name) | The name of the resource share of TGW | `string` | `""` | no |
 | <a name="input_ram_principals"></a> [ram\_principals](#input\_ram\_principals) | A list of principals to share TGW with. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN | `set(string)` | `[]` | no |
 | <a name="input_ram_tags"></a> [ram\_tags](#input\_ram\_tags) | Additional tags for the RAM | `map(string)` | `{}` | no |
+| <a name="input_security_group_referencing_support"></a> [security\_group\_referencing\_support](#input\_security\_group\_referencing\_support) | Whether security group referencing is enabled | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_tgw_tags"></a> [tgw\_tags](#input\_tgw\_tags) | Additional tags for the TGW | `map(string)` | `{}` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the transit gateway | `map(string)` | `{}` | no |
 | <a name="input_transit_gateway_cidr_blocks"></a> [transit\_gateway\_cidr\_blocks](#input\_transit\_gateway\_cidr\_blocks) | One or more IPv4 or IPv6 CIDR blocks for the transit gateway. Must be a size /24 CIDR block or larger for IPv4, or a size /64 CIDR block or larger for IPv6 | `list(string)` | `[]` | no |
-| <a name="input_vpc_attachments"></a> [vpc\_attachments](#input\_vpc\_attachments) | Map of VPC route table attachments to create | <pre>map(object({<br/>    vpc_id                                          = string<br/>    subnet_ids                                      = list(string)<br/>    dns_support                                     = optional(bool, true)<br/>    ipv6_support                                    = optional(bool, false)<br/>    appliance_mode_support                          = optional(bool, false)<br/>    transit_gateway_default_route_table_association = optional(bool, false)<br/>    transit_gateway_default_route_table_propagation = optional(bool, false)<br/>    tags                                            = optional(map(string), {})<br/><br/>    accept_peering_attachment = optional(bool, false)<br/>  }))</pre> | `{}` | no |
+| <a name="input_vpc_attachments"></a> [vpc\_attachments](#input\_vpc\_attachments) | Map of VPC route table attachments to create | <pre>map(object({<br/>    appliance_mode_support                          = optional(bool, false)<br/>    dns_support                                     = optional(bool, true)<br/>    ipv6_support                                    = optional(bool, false)<br/>    security_group_referencing_support              = optional(bool, false)<br/>    subnet_ids                                      = list(string)<br/>    tags                                            = optional(map(string), {})<br/>    transit_gateway_default_route_table_association = optional(bool, false)<br/>    transit_gateway_default_route_table_propagation = optional(bool, false)<br/>    vpc_id                                          = string<br/><br/>    accept_peering_attachment = optional(bool, false)<br/>  }))</pre> | `{}` | no |
+| <a name="input_vpn_ecmp_support"></a> [vpn\_ecmp\_support](#input\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled | `bool` | `true` | no |
 
 ## Outputs
 

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -23,10 +23,11 @@ locals {
 module "transit_gateway" {
   source = "../../"
 
-  name                        = local.name
-  description                 = "Example Transit Gateway connecting multiple VPCs"
-  amazon_side_asn             = 64532
-  transit_gateway_cidr_blocks = ["10.99.0.0/24"]
+  name                               = local.name
+  description                        = "Example Transit Gateway connecting multiple VPCs"
+  amazon_side_asn                    = 64532
+  security_group_referencing_support = true
+  transit_gateway_cidr_blocks        = ["10.99.0.0/24"]
 
   # flow_logs = {
   #   tgw = {
@@ -60,14 +61,16 @@ module "transit_gateway" {
 
   vpc_attachments = {
     vpc1 = {
-      vpc_id       = module.vpc1.vpc_id
-      subnet_ids   = module.vpc1.private_subnets
-      ipv6_support = true
+      vpc_id                             = module.vpc1.vpc_id
+      security_group_referencing_support = true
+      subnet_ids                         = module.vpc1.private_subnets
+      ipv6_support                       = true
     }
 
     vpc2 = {
-      vpc_id     = module.vpc2.vpc_id
-      subnet_ids = module.vpc2.private_subnets
+      vpc_id                             = module.vpc2.vpc_id
+      security_group_referencing_support = true
+      subnet_ids                         = module.vpc2.private_subnets
     }
   }
 

diff --git a/main.tf b/main.tf
@@ -13,15 +13,16 @@ locals {
 resource "aws_ec2_transit_gateway" "this" {
   count = var.create ? 1 : 0
 
-  description                     = var.description
-  amazon_side_asn                 = var.amazon_side_asn
-  default_route_table_association = var.enable_default_route_table_association ? "enable" : "disable"
-  default_route_table_propagation = var.enable_default_route_table_propagation ? "enable" : "disable"
-  auto_accept_shared_attachments  = var.enable_auto_accept_shared_attachments ? "enable" : "disable"
-  multicast_support               = var.enable_multicast_support ? "enable" : "disable"
-  vpn_ecmp_support                = var.enable_vpn_ecmp_support ? "enable" : "disable"
-  dns_support                     = var.enable_dns_support ? "enable" : "disable"
-  transit_gateway_cidr_blocks     = var.transit_gateway_cidr_blocks
+  amazon_side_asn                    = var.amazon_side_asn
+  auto_accept_shared_attachments     = var.auto_accept_shared_attachments ? "enable" : "disable"
+  default_route_table_association    = var.default_route_table_association ? "enable" : "disable"
+  default_route_table_propagation    = var.default_route_table_propagation ? "enable" : "disable"
+  description                        = var.description
+  dns_support                        = var.dns_support ? "enable" : "disable"
+  multicast_support                  = var.multicast_support ? "enable" : "disable"
+  security_group_referencing_support = var.security_group_referencing_support ? "enable" : "disable"
+  transit_gateway_cidr_blocks        = var.transit_gateway_cidr_blocks
+  vpn_ecmp_support                   = var.vpn_ecmp_support ? "enable" : "disable"
 
   timeouts {
     create = try(var.timeouts.create, null)
@@ -33,7 +34,7 @@ resource "aws_ec2_transit_gateway" "this" {
 }
 
 resource "aws_ec2_tag" "this" {
-  for_each = { for k, v in local.tgw_tags : k => v if var.create && var.enable_default_route_table_association }
+  for_each = { for k, v in local.tgw_tags : k => v if var.create && var.default_route_table_association }
 
   resource_id = aws_ec2_transit_gateway.this[0].association_default_route_table_id
   key         = each.key
@@ -47,15 +48,15 @@ resource "aws_ec2_tag" "this" {
 resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
   for_each = { for k, v in var.vpc_attachments : k => v if var.create }
 
-  transit_gateway_id = aws_ec2_transit_gateway.this[0].id
-  vpc_id             = each.value.vpc_id
-  subnet_ids         = each.value.subnet_ids
-
+  appliance_mode_support                          = each.value.appliance_mode_support ? "enable" : "disable"
   dns_support                                     = each.value.dns_support ? "enable" : "disable"
   ipv6_support                                    = each.value.ipv6_support ? "enable" : "disable"
-  appliance_mode_support                          = each.value.appliance_mode_support ? "enable" : "disable"
+  security_group_referencing_support              = each.value.security_group_referencing_support ? "enable" : "disable"
+  subnet_ids                                      = each.value.subnet_ids
   transit_gateway_default_route_table_association = each.value.transit_gateway_default_route_table_association
   transit_gateway_default_route_table_propagation = each.value.transit_gateway_default_route_table_propagation
+  transit_gateway_id                              = aws_ec2_transit_gateway.this[0].id
+  vpc_id                                          = each.value.vpc_id
 
   tags = merge(
     var.tags,

diff --git a/variables.tf b/variables.tf
@@ -1,5 +1,11 @@
+variable "create" {
+  description = "Controls if resources should be created (it affects almost all resources)"
+  type        = bool
+  default     = true
+}
+
 variable "name" {
-  description = "Name to be used on all the resources as identifier"
+  description = "Name to be used on all the resources as the identifier"
   type        = string
   default     = ""
 }
@@ -14,58 +20,52 @@ variable "tags" {
 # Transit Gateway
 ################################################################################
 
-variable "create" {
-  description = "Controls if TGW should be created (it affects almost all resources)"
-  type        = bool
-  default     = true
-}
-
-variable "description" {
-  description = "Description of the EC2 Transit Gateway"
-  type        = string
-  default     = null
-}
-
 variable "amazon_side_asn" {
   description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the TGW is created with the current default Amazon ASN"
   type        = string
   default     = null
 }
 
-variable "enable_default_route_table_association" {
-  description = "Whether resource attachments are automatically associated with the default association route table"
+variable "auto_accept_shared_attachments" {
+  description = "Whether resource attachment requests are automatically accepted"
   type        = bool
   default     = false
 }
 
-variable "enable_default_route_table_propagation" {
-  description = "Whether resource attachments automatically propagate routes to the default propagation route table"
+variable "default_route_table_association" {
+  description = "Whether resource attachments are automatically associated with the default association route table"
   type        = bool
   default     = false
 }
 
-variable "enable_auto_accept_shared_attachments" {
-  description = "Whether resource attachment requests are automatically accepted"
+variable "default_route_table_propagation" {
+  description = "Whether resource attachments automatically propagate routes to the default propagation route table"
   type        = bool
   default     = false
 }
 
-variable "enable_vpn_ecmp_support" {
-  description = "Whether VPN Equal Cost Multipath Protocol support is enabled"
+variable "description" {
+  description = "Description of the EC2 Transit Gateway"
+  type        = string
+  default     = null
+}
+
+variable "dns_support" {
+  description = "Should be true to enable DNS support in the TGW"
   type        = bool
   default     = true
 }
 
-variable "enable_multicast_support" {
+variable "multicast_support" {
   description = "Whether multicast support is enabled"
   type        = bool
   default     = false
 }
 
-variable "enable_dns_support" {
-  description = "Should be true to enable DNS support in the TGW"
+variable "security_group_referencing_support" {
+  description = "Whether security group referencing is enabled"
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "transit_gateway_cidr_blocks" {
@@ -74,6 +74,12 @@ variable "transit_gateway_cidr_blocks" {
   default     = []
 }
 
+variable "vpn_ecmp_support" {
+  description = "Whether VPN Equal Cost Multipath Protocol support is enabled"
+  type        = bool
+  default     = true
+}
+
 variable "timeouts" {
   description = "Create, update, and delete timeout configurations for the transit gateway"
   type        = map(string)
@@ -93,14 +99,15 @@ variable "tgw_tags" {
 variable "vpc_attachments" {
   description = "Map of VPC route table attachments to create"
   type = map(object({
-    vpc_id                                          = string
-    subnet_ids                                      = list(string)
+    appliance_mode_support                          = optional(bool, false)
     dns_support                                     = optional(bool, true)
     ipv6_support                                    = optional(bool, false)
-    appliance_mode_support                          = optional(bool, false)
+    security_group_referencing_support              = optional(bool, false)
+    subnet_ids                                      = list(string)
+    tags                                            = optional(map(string), {})
     transit_gateway_default_route_table_association = optional(bool, false)
     transit_gateway_default_route_table_propagation = optional(bool, false)
-    tags                                            = optional(map(string), {})
+    vpc_id                                          = string
 
     accept_peering_attachment = optional(bool, false)
   }))