feat: adding the concept of a share network, using by the connentivity module

gambol99 · gambol99 · commit d2d76e482898 · 2025-02-08T18:10:18.000Z
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -18,3 +18,27 @@ jobs:
     name: Module Validation
     with:
       working-directory: .
+
+  shared-module-validation:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: Shared Module Validation
+    with:
+      working-directory: modules/shared
+
+  ram-module-validation:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: RAM Module Validation
+    with:
+      working-directory: modules/ram
+
+  ram-principal-associations:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: RAM Principal Associations
+    with:
+      working-directory: modules/ram_associations
+
+  ram-resource-associations:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: RAM Resource Associations
+    with:
+      working-directory: modules/ram_resources
diff --git a/modules/ram/main.tf b/modules/ram/main.tf
@@ -0,0 +1,25 @@
+
+## Provision a RAM resource share
+resource "aws_ram_resource_share" "this" {
+  name                      = var.name
+  tags                      = var.tags
+  allow_external_principals = var.allow_external_principals
+}
+
+## Associate the resources to the resource share 
+module "resource_associations" {
+  source   = "../ram_resources"
+  for_each = { for resource in var.resources : resource.name => resource }
+
+  resource_arn       = each.value.resource_arn
+  resource_share_arn = aws_ram_resource_share.this.arn
+}
+
+## Associate the principals to the resource share 
+module "principal_associations" {
+  source   = "../ram_associations"
+  for_each = toset(var.principals)
+
+  principal          = each.value
+  resource_share_arn = aws_ram_resource_share.this.arn
+}
diff --git a/modules/ram/outputs.tf b/modules/ram/outputs.tf
diff --git a/modules/ram/terarform.tf b/modules/ram/terarform.tf
@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/ram/variables.tf b/modules/ram/variables.tf
@@ -0,0 +1,30 @@
+variable "name" {
+  description = "Name of the resource share"
+  type        = string
+}
+
+variable "allow_external_principals" {
+  description = "Allow external principals to associate with the resource share."
+  type        = bool
+  default     = false
+}
+
+variable "principals" {
+  description = "List of principals to associate with the resource share."
+  type        = list(string)
+  default     = []
+}
+
+variable "resources" {
+  description = "Schema list of resources to associate to the resource share"
+  type = list(object({
+    name         = string
+    resource_arn = string
+  }))
+  default = []
+}
+
+variable "tags" {
+  description = "Map of tags to assign to the resource share"
+  type        = map(string)
+}
diff --git a/modules/ram_associations/main.tf b/modules/ram_associations/main.tf
@@ -0,0 +1,5 @@
+
+resource "aws_ram_principal_association" "this" {
+  principal          = var.principal
+  resource_share_arn = var.resource_share_arn
+}
diff --git a/modules/ram_associations/outputs.tf b/modules/ram_associations/outputs.tf
@@ -0,0 +1,4 @@
+output "principal_association" {
+  description = "Object with the AWS RAM principal association resource"
+  value       = aws_ram_principal_association.this
+}
diff --git a/modules/ram_associations/terarform.tf b/modules/ram_associations/terarform.tf
@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/ram_associations/variables.tf b/modules/ram_associations/variables.tf
@@ -0,0 +1,9 @@
+variable "principal" {
+  description = "The principal to associate with the resource share."
+  type        = string
+}
+
+variable "resource_share_arn" {
+  description = "ARN of the resource share"
+  type        = string
+}
diff --git a/modules/ram_resources/main.tf b/modules/ram_resources/main.tf
@@ -0,0 +1,5 @@
+## Associate the principal to the resource share 
+resource "aws_ram_resource_association" "this" {
+  resource_arn       = var.resource_arn
+  resource_share_arn = var.resource_share_arn
+}
diff --git a/modules/ram_resources/outputs.tf b/modules/ram_resources/outputs.tf
@@ -0,0 +1,4 @@
+output "resource_association" {
+  description = "Object with the AWS RAM resource association resource"
+  value       = aws_ram_resource_association.this
+}
diff --git a/modules/ram_resources/terarform.tf b/modules/ram_resources/terarform.tf
@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/ram_resources/variables.tf b/modules/ram_resources/variables.tf
@@ -0,0 +1,9 @@
+variable "resource_arn" {
+  description = "ARN of the resource to associate with the RAM Resource Share"
+  type        = string
+}
+
+variable "resource_share_arn" {
+  description = "ARN of the resource share"
+  type        = string
+}
diff --git a/modules/shared/data.tf b/modules/shared/data.tf
@@ -0,0 +1,3 @@
+# Get the current region
+data "aws_region" "current" {}
+
diff --git a/modules/shared/locals.tf b/modules/shared/locals.tf
@@ -0,0 +1,63 @@
+locals {
+  # Th current region
+  region = data.aws_region.current.name
+  # The id for the transit_gateway_id passed into the module
+  transit_gateway_id = var.enable_transit_gateway ? var.transit_gateway_id : null
+  # Is the routes to propagate down the transit gateway
+  transit_routes = var.enable_transit_gateway && length(var.transit_gateway_routes) > 0 ? var.transit_gateway_routes : {}
+
+  ## All the subnets except the private and transit gateway
+  subnets = {
+    for k, v in var.subnets : k => {
+      availability_zones      = v.availability_zones == null ? var.availability_zones : v.availability_zones
+      connect_to_public_natgw = false
+      netmask                 = v.netmask
+      tags                    = merge(var.tags, try(v.tags, {}))
+    } if k != "transit_gateway"
+  }
+
+  # Configuration for the transit subnets
+  transit_subnet = var.enable_transit_gateway ? {
+    transit_gateway = {
+      connect_to_public_natgw                         = var.enable_transit_gateway_subnet_natgw
+      netmask                                         = 28
+      tags                                            = merge(var.tags, var.transit_subnet_tags)
+      transit_gateway_appliance_mode_support          = var.enable_transit_gateway_appliance_mode ? "enable" : "disable"
+      transit_gateway_default_route_table_association = var.enable_default_route_table_association
+      transit_gateway_default_route_table_propagation = var.enable_default_route_table_propagation
+      transit_gateway_dns_support                     = "enable"
+    }
+  } : null
+
+  # A map of all the subnets we are creating
+  all_subnets = merge(local.subnets, local.transit_subnet)
+  # A map all the subnets that need to be shared
+  shared_subnets = {
+    for k, v in var.subnets : k => {
+      principals     = length(v.share.accounts) > 0 ? try(v.share.accounts, []) : try(v.share.organization_units, [])
+      ram_share_name = format("shared-%s-%s", lower(var.name), k)
+      subnet_ids     = [for k, v in module.vpc.private_subnet_attributes_by_az : v.id]
+    } if length(try(v.share.accounts, [])) > 0 || length(try(v.share.organization_units, [])) > 0
+  }
+
+  # A list of all the private subnets cidr blocks
+  private_subnet_cidrs = [for k, x in module.vpc.private_subnet_attributes_by_az : x.cidr_block if startswith(k, "private/")]
+  # A map of private subnet id to cidr block
+  private_subnet_cidr_by_id = { for k, x in module.vpc.private_subnet_attributes_by_az : x.id => x.cidr_block if startswith(k, "private/") }
+  # A map of az to private subnet id
+  private_subnet_id_by_az = { for k, x in module.vpc.private_subnet_attributes_by_az : trimprefix(k, "private/") => x.id if startswith(k, "private/") }
+  # The subnet id for the private subnets
+  private_subnet_ids = [for k, x in module.vpc.private_subnet_attributes_by_az : x.id if startswith(k, "private/")]
+  # The subnet id for the transit subnets
+  transit_subnet_ids = var.enable_transit_gateway ? [for k, x in module.vpc.tgw_subnet_attributes_by_az : x.id] : []
+  # A list of transit route table ids
+  transit_route_table_ids = var.enable_transit_gateway ? [for k, x in module.vpc.rt_attributes_by_type_by_az.transit_gateway : x.id] : []
+  # The routing tables for the private subnets
+  private_route_table_ids = [for k, x in module.vpc.rt_attributes_by_type_by_az.private : x.id]
+  # A map of the route table ids for the transit gateway by az
+  transit_route_table_by_az = var.enable_transit_gateway ? { for k, v in module.vpc.rt_attributes_by_type_by_az.transit_gateway : k => v.id } : {}
+  # A list of the private endpoints to enable ssm
+  ssm_endpoints = var.enable_ssm ? ["ssmmessages", "ssm", "ec2messages"] : []
+  # enabled_endpotints is a list of all the private endpoints to enable
+  enabled_endpoints = concat(var.enable_private_endpoints, local.ssm_endpoints)
+}
diff --git a/modules/shared/main.tf b/modules/shared/main.tf
@@ -0,0 +1,76 @@
+
+## Provision a virtual private cloud
+module "vpc" {
+  source  = "aws-ia/vpc/aws"
+  version = "4.4.3"
+
+  name                     = var.name
+  az_count                 = var.availability_zones
+  cidr_block               = var.vpc_cidr
+  subnets                  = local.all_subnets
+  tags                     = var.tags
+  transit_gateway_id       = local.transit_gateway_id
+  transit_gateway_routes   = local.transit_routes
+  vpc_instance_tenancy     = var.vpc_instance_tenancy
+  vpc_enable_dns_hostnames = true
+  vpc_enable_dns_support   = true
+  vpc_ipv4_ipam_pool_id    = var.ipam_pool_id
+  vpc_ipv4_netmask_length  = var.vpc_netmask
+}
+
+## Provision a AWS RAM share, to distribute the subnets to the accounts
+module "ram_share" {
+  for_each = local.shared_subnets
+  source   = "../ram"
+
+  allow_external_principals = false
+  name                      = each.value.ram_share_name
+  principals                = each.value.principals
+  resources                 = each.value.subnet_ids
+  tags                      = var.tags
+
+  depends_on = [module.vpc]
+}
+
+## Associate any resolver rules with the vpc if required
+resource "aws_route53_resolver_rule_association" "resolver_associations" {
+  for_each = toset(var.associated_resolver_rules)
+
+  resolver_rule_id = each.value
+  vpc_id           = module.vpc.vpc_attributes.id
+}
+
+## Provision the security groups for the private links
+module "private_links" {
+  count   = length(local.enabled_endpoints) > 0 ? 1 : 0
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.3.0"
+
+  description         = "Provides the security groups for the private links access"
+  ingress_rules       = ["https-443-tcp"]
+  ingress_cidr_blocks = local.private_subnet_cidrs
+  name                = "private-links-${var.name}"
+  tags                = var.tags
+  vpc_id              = module.vpc.vpc_attributes.id
+}
+
+## Provision any private endpoints
+resource "aws_vpc_endpoint" "vpe_endpoints" {
+  for_each = toset(local.enabled_endpoints)
+
+  private_dns_enabled = true
+  security_group_ids  = [module.private_links[0].security_group_id]
+  service_name        = "com.amazonaws.${local.region}.${each.value}"
+  subnet_ids          = local.private_subnet_ids
+  tags                = merge(var.tags, { Name = "vpe-${each.value}-${var.name}" })
+  vpc_endpoint_type   = "Interface"
+  vpc_id              = module.vpc.vpc_attributes.id
+}
+
+## Associate the route53 zones with the vpc if required
+resource "aws_route53_zone_association" "vpc_associations" {
+  for_each = toset(var.associated_route53_zones)
+
+  zone_id = each.value
+  vpc_id  = module.vpc.vpc_attributes.id
+}
diff --git a/modules/shared/outputs.tf b/modules/shared/outputs.tf
@@ -0,0 +1,80 @@
+
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc.vpc_attributes.id
+}
+
+output "vpc_cidr" {
+  description = "The CIDR block of the VPC"
+  value       = module.vpc.vpc_attributes.cidr_block
+}
+
+output "vpc_attributes" {
+  description = "The attributes of the VPC (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.vpc_attributes
+}
+
+output "private_subnet_cidrs" {
+  description = "A list of the CIDRs for the private subnets"
+  value       = local.private_subnet_cidrs
+}
+
+output "private_subnet_id_by_az" {
+  description = "A map of availability zone to subnet id of the private subnets i.e. eu-west-2a => subnet_id"
+  value       = local.private_subnet_id_by_az
+}
+
+output "private_subnet_attributes_by_az" {
+  description = "The attributes of the private subnets (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.private_subnet_attributes_by_az
+}
+
+output "transit_subnet_attributes_by_az" {
+  description = "The attributes of the transit gateway subnets (see aws-ia/vpc/aws for details)"
+  value       = var.enable_transit_gateway ? module.vpc.tgw_subnet_attributes_by_az : null
+}
+
+output "natgw_id_per_az" {
+  description = "The IDs of the NAT Gateways (see aws-ia/vpc/aws for details)"
+  value       = var.enable_nat_gateway ? module.vpc.natgw_id_per_az : null
+}
+
+output "rt_attributes_by_type_by_az" {
+  description = "The attributes of the route tables (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.rt_attributes_by_type_by_az
+}
+
+output "private_subnet_ids" {
+  description = "The IDs of the private subnets i.e. [subnet_id, subnet_id]"
+  value       = local.private_subnet_ids
+}
+
+output "transit_subnet_ids" {
+  description = "The IDs of the transit gateway subnets ie. [subnet_id, subnet_id]"
+  value       = var.enable_transit_gateway ? local.transit_subnet_ids : null
+}
+
+output "private_route_table_ids" {
+  description = "The IDs of the private route tables ie. [route_table_id, route_table_id]"
+  value       = local.private_route_table_ids
+}
+
+output "transit_route_table_ids" {
+  description = "The IDs of the transit gateway route tables ie. [route_table_id, route_table_id]"
+  value       = var.enable_transit_gateway ? local.transit_route_table_ids : null
+}
+
+output "transit_route_table_by_az" {
+  description = "A map of availability zone to transit gateway route table ID i.e eu-west-2a => route_table_id"
+  value       = var.enable_transit_gateway ? local.transit_route_table_by_az : null
+}
+
+output "transit_gateway_attachment_id" {
+  description = "The ID of the transit gateway attachment if enabled"
+  value       = var.enable_transit_gateway ? module.vpc.transit_gateway_attachment_id : null
+}
+
+output "nat_public_ips" {
+  description = "The public IPs of the NAT Gateways i.e [public_ip, public_ip]"
+  value       = var.enable_nat_gateway ? [] : [for x in module.vpc.nat_gateway_attributes_by_az : x.public_ip]
+}
diff --git a/modules/shared/terraform.tf b/modules/shared/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/shared/variables.tf b/modules/shared/variables.tf
