feat: adding the concept of a share network, using by the connentivity module

gambol99 · gambol99 · commit 7f0f19695e2c · 2025-02-08T15:52:58.000Z
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -18,3 +18,27 @@ jobs:
     name: Module Validation
     with:
       working-directory: .
+
+  shared-module-validation:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: Shared Module Validation
+    with:
+      working-directory: modules/shared
+
+  ram-module-validation:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: RAM Module Validation
+    with:
+      working-directory: modules/ram
+
+  ram-principal-associations:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: RAM Principal Associations
+    with:
+      working-directory: modules/ram_associations
+
+  ram-resource-associations:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: RAM Resource Associations
+    with:
+      working-directory: modules/ram_resources
diff --git a/modules/ram/main.tf b/modules/ram/main.tf
@@ -0,0 +1,25 @@
+
+## Provision a RAM resource share
+resource "aws_ram_resource_share" "this" {
+  name                      = var.name
+  tags                      = var.tags
+  allow_external_principals = var.allow_external_principals
+}
+
+## Associate the resources to the resource share 
+module "resource_associations" {
+  source   = "../ram_resources"
+  for_each = { for resource in var.resources : resource.name => resource }
+
+  resource_arn       = each.value.resource_arn
+  resource_share_arn = aws_ram_resource_share.this.arn
+}
+
+## Associate the principals to the resource share 
+module "principal_associations" {
+  source   = "../ram_associations"
+  for_each = toset(var.principals)
+
+  principal          = each.value
+  resource_share_arn = aws_ram_resource_share.this.arn
+}
diff --git a/modules/ram/outputs.tf b/modules/ram/outputs.tf
diff --git a/modules/ram/terarform.tf b/modules/ram/terarform.tf
@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/ram/variables.tf b/modules/ram/variables.tf
@@ -0,0 +1,30 @@
+variable "name" {
+  description = "Name of the resource share"
+  type        = string
+}
+
+variable "allow_external_principals" {
+  description = "Allow external principals to associate with the resource share."
+  type        = bool
+  default     = false
+}
+
+variable "principals" {
+  description = "List of principals to associate with the resource share."
+  type        = list(string)
+  default     = []
+}
+
+variable "resources" {
+  description = "Schema list of resources to associate to the resource share"
+  type = list(object({
+    name         = string
+    resource_arn = string
+  }))
+  default = []
+}
+
+variable "tags" {
+  description = "Map of tags to assign to the resource share"
+  type        = map(string)
+}
diff --git a/modules/ram_associations/main.tf b/modules/ram_associations/main.tf
@@ -0,0 +1,5 @@
+
+resource "aws_ram_principal_association" "this" {
+  principal          = var.principal
+  resource_share_arn = var.resource_share_arn
+}
diff --git a/modules/ram_associations/outputs.tf b/modules/ram_associations/outputs.tf
@@ -0,0 +1,4 @@
+output "principal_association" {
+  description = "Object with the AWS RAM principal association resource"
+  value       = aws_ram_principal_association.this
+}
diff --git a/modules/ram_associations/terarform.tf b/modules/ram_associations/terarform.tf
@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/ram_associations/variables.tf b/modules/ram_associations/variables.tf
@@ -0,0 +1,9 @@
+variable "principal" {
+  description = "The principal to associate with the resource share."
+  type        = string
+}
+
+variable "resource_share_arn" {
+  description = "ARN of the resource share"
+  type        = string
+}
diff --git a/modules/ram_resources/main.tf b/modules/ram_resources/main.tf
@@ -0,0 +1,5 @@
+## Associate the principal to the resource share 
+resource "aws_ram_resource_association" "this" {
+  resource_arn       = var.resource_arn
+  resource_share_arn = var.resource_share_arn
+}
diff --git a/modules/ram_resources/outputs.tf b/modules/ram_resources/outputs.tf
@@ -0,0 +1,4 @@
+output "resource_association" {
+  description = "Object with the AWS RAM resource association resource"
+  value       = aws_ram_resource_association.this
+}
diff --git a/modules/ram_resources/terarform.tf b/modules/ram_resources/terarform.tf
@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/ram_resources/variables.tf b/modules/ram_resources/variables.tf
@@ -0,0 +1,9 @@
+variable "resource_arn" {
+  description = "ARN of the resource to associate with the RAM Resource Share"
+  type        = string
+}
+
+variable "resource_share_arn" {
+  description = "ARN of the resource share"
+  type        = string
+}
diff --git a/modules/shared/data.tf b/modules/shared/data.tf
@@ -0,0 +1,3 @@
+# Get the current region
+data "aws_region" "current" {}
+
diff --git a/modules/shared/locals.tf b/modules/shared/locals.tf
@@ -0,0 +1,73 @@
+locals {
+  # Th current region
+  region = data.aws_region.current.name
+  # The id for the transit_gateway_id passed into the module
+  transit_gateway_id = var.enable_transit_gateway ? var.transit_gateway_id : null
+  # Is the routes to propagate down the transit gateway 
+  transit_routes = var.enable_transit_gateway && length(var.transit_gateway_routes) > 0 ? var.transit_gateway_routes : {}
+
+  ## All the subnets except the private and transit gateway 
+  subnets = {
+    for k, v in var.subnets : k => {
+      availability_zones      = v.availability_zones == null ? var.availability_zones : v.availability_zones
+      connect_to_public_natgw = false
+      netmask                 = v.netmask
+      tags                    = merge(var.tags, try(v.tags, {}))
+    } if k != "transit_gateway"
+  }
+
+  # Configuration for the transit subnets 
+  transit_subnet = var.enable_transit_gateway ? {
+    transit_gateway = {
+      connect_to_public_natgw                         = var.enable_transit_gateway_subnet_natgw
+      netmask                                         = 28
+      tags                                            = merge(var.tags, var.transit_subnet_tags)
+      transit_gateway_appliance_mode_support          = var.enable_transit_gateway_appliance_mode ? "enable" : "disable"
+      transit_gateway_default_route_table_association = var.enable_default_route_table_association
+      transit_gateway_default_route_table_propagation = var.enable_default_route_table_propagation
+      transit_gateway_dns_support                     = "enable"
+    }
+  } : null
+
+  # A map of all the subnets we are creating 
+  all_subnets = merge(local.subnets, local.transit_subnet)
+  # A map all the subnets that need to be shared  
+  shared_subnets = {
+    for k, v in var.subnets : k => {
+      principals     = length(v.share.accounts) > 0 ? try(v.share.accounts, []) : try(v.share.organization_units, [])
+      ram_share_name = format("shared-%s-%s", lower(var.name), k)
+      subnet_ids     = [for k, v in module.vpc.private_subnet_attributes_by_az : v.id]
+    } if length(try(v.share.accounts, [])) > 0 || length(try(v.share.organization_units, [])) > 0
+  }
+
+  # A list of all the private subnets cidr blocks
+  private_subnet_cidrs = [for k, x in module.vpc.private_subnet_attributes_by_az : x.cidr_block if startswith(k, "private/")]
+  # A map of private subnet id to cidr block
+  private_subnet_cidr_by_id = { for k, x in module.vpc.private_subnet_attributes_by_az : x.id => x.cidr_block if startswith(k, "private/") }
+  # A map of az to private subnet id 
+  private_subnet_id_by_az = { for k, x in module.vpc.private_subnet_attributes_by_az : trimprefix(k, "private/") => x.id if startswith(k, "private/") }
+  # A map of az to public subnet id 
+  public_subnet_id_by_az = var.public_subnet_netmask > 0 ? { for k, x in module.vpc.public_subnet_attributes_by_az : k => x.id } : {}
+  # A map of public subnet id to cidr block 
+  public_subnet_cidr_by_id = var.public_subnet_netmask > 0 ? { for k, x in module.vpc.public_subnet_attributes_by_az : x.id => x.cidr_block } : {}
+  # public_subnet ranges 
+  public_subnet_cidrs = var.public_subnet_netmask > 0 ? [for k, x in module.vpc.public_subnet_attributes_by_az : x.cidr_block] : []
+  # The subnet id for the private subnets
+  private_subnet_ids = [for k, x in module.vpc.private_subnet_attributes_by_az : x.id if startswith(k, "private/")]
+  # The subnet id for the public subnets
+  public_subnet_ids = var.public_subnet_netmask > 0 ? [for k, x in module.vpc.public_subnet_attributes_by_az : x.id] : []
+  # The subnet id for the transit subnets
+  transit_subnet_ids = var.enable_transit_gateway ? [for k, x in module.vpc.tgw_subnet_attributes_by_az : x.id] : []
+  # A list of transit route table ids 
+  transit_route_table_ids = var.enable_transit_gateway ? [for k, x in module.vpc.rt_attributes_by_type_by_az.transit_gateway : x.id] : []
+  # The routing tables for the private subnets
+  private_route_table_ids = [for k, x in module.vpc.rt_attributes_by_type_by_az.private : x.id]
+  # The transgit gateway route table ids 
+  public_route_table_ids = var.public_subnet_netmask > 0 ? [for k, x in module.vpc.rt_attributes_by_type_by_az.public : x.id] : []
+  # A map of the route table ids for the transit gateway by az 
+  transit_route_table_by_az = var.enable_transit_gateway ? { for k, v in module.vpc.rt_attributes_by_type_by_az.transit_gateway : k => v.id } : {}
+  # A list of the private endpoints to enable ssm
+  ssm_endpoints = var.enable_ssm ? ["ssmmessages", "ssm", "ec2messages"] : []
+  # enabled_endpotints is a list of all the private endpoints to enable 
+  enabled_endpoints = concat(var.enable_private_endpoints, local.ssm_endpoints)
+}
diff --git a/modules/shared/main.tf b/modules/shared/main.tf
@@ -0,0 +1,76 @@
+
+## Provision a virtual private cloud
+module "vpc" {
+  source  = "aws-ia/vpc/aws"
+  version = "4.4.3"
+
+  name                     = var.name
+  az_count                 = var.availability_zones
+  cidr_block               = var.vpc_cidr
+  subnets                  = local.all_subnets
+  tags                     = var.tags
+  transit_gateway_id       = local.transit_gateway_id
+  transit_gateway_routes   = local.transit_routes
+  vpc_instance_tenancy     = var.vpc_instance_tenancy
+  vpc_enable_dns_hostnames = true
+  vpc_enable_dns_support   = true
+  vpc_ipv4_ipam_pool_id    = var.ipam_pool_id
+  vpc_ipv4_netmask_length  = var.vpc_netmask
+}
+
+## Provision a AWS RAM share, to distribute the subnets to the accounts
+module "ram_share" {
+  for_each = local.shared_subnets
+  source   = "../ram"
+
+  allow_external_principals = false
+  name                      = each.value.ram_share_name
+  principals                = each.value.principals
+  resources                 = each.value.subnet_ids
+  tags                      = var.tags
+
+  depends_on = [module.vpc]
+}
+
+## Associate any resolver rules with the vpc if required
+resource "aws_route53_resolver_rule_association" "resolver_associations" {
+  for_each = toset(var.associated_resolver_rules)
+
+  resolver_rule_id = each.value
+  vpc_id           = module.vpc.vpc_attributes.id
+}
+
+## Provision the security groups for the private links
+module "private_links" {
+  count   = length(local.enabled_endpoints) > 0 ? 1 : 0
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.3.0"
+
+  description         = "Provides the security groups for the private links access"
+  ingress_rules       = ["https-443-tcp"]
+  ingress_cidr_blocks = local.private_subnet_cidrs
+  name                = "private-links-${var.name}"
+  tags                = var.tags
+  vpc_id              = module.vpc.vpc_attributes.id
+}
+
+## Provision any private endpoints
+resource "aws_vpc_endpoint" "vpe_endpoints" {
+  for_each = toset(local.enabled_endpoints)
+
+  private_dns_enabled = true
+  security_group_ids  = [module.private_links[0].security_group_id]
+  service_name        = "com.amazonaws.${local.region}.${each.value}"
+  subnet_ids          = local.private_subnet_ids
+  tags                = merge(var.tags, { Name = "vpe-${each.value}-${var.name}" })
+  vpc_endpoint_type   = "Interface"
+  vpc_id              = module.vpc.vpc_attributes.id
+}
+
+## Associate the route53 zones with the vpc if required
+resource "aws_route53_zone_association" "vpc_associations" {
+  for_each = toset(var.associated_route53_zones)
+
+  zone_id = each.value
+  vpc_id  = module.vpc.vpc_attributes.id
+}
diff --git a/modules/shared/outputs.tf b/modules/shared/outputs.tf
diff --git a/modules/shared/terraform.tf b/modules/shared/terraform.tf
diff --git a/modules/shared/variables.tf b/modules/shared/variables.tf
