[vpc-peering] Implement cross-account peering (#87)

* Support cross-account peering

* add example

* fmt

* address CR

* Update aws/vpc-peering/variables.tf

Co-Authored-By: osterman <[email protected]>

* Update aws/vpc-peering/variables.tf

Co-Authored-By: osterman <[email protected]>

Author: osterman

aws/backing-services/vpc.tf

@@ -10,6 +10,8 @@ variable "vpc_nat_gateway_enabled" {
   default = "true"
 }
 
+data "aws_region" "current" {}
+
 module "vpc" {
   source     = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.3.3"
   namespace  = "${var.namespace}"
@@ -30,3 +32,13 @@ module "subnets" {
   cidr_block          = "${module.vpc.vpc_cidr_block}"
   nat_gateway_enabled = "${var.vpc_nat_gateway_enabled}"
 }
+
+output "vpc_id" {
+  description = "VPC ID of backing services"
+  value       = "${module.vpc.vpc_id}"
+}
+
+output "region" {
+  description = "AWS region of backing services"
+  value       = "${data.aws_region.current.name}"
+}

aws/vpc-peering/Makefile

@@ -0,0 +1,15 @@
+## Initialize terraform remote state
+init:
+	[ -f .terraform/terraform.tfstate ] || init-terraform
+
+## Clean up the project
+clean:
+	rm -rf .terraform *.tfstate*
+
+## Pass arguments through to terraform which require remote state
+apply console destroy graph plan output providers show: init
+	terraform $@
+
+## Pass arguments through to terraform which do not require remote state
+get fmt validate version:
+	terraform $@

aws/vpc-peering/main.tf

@@ -0,0 +1,80 @@
+terraform {
+  required_version = ">= 0.11.2"
+
+  backend "s3" {}
+}
+
+provider "aws" {
+  assume_role {
+    role_arn = "${var.aws_assume_role_arn}"
+  }
+}
+
+# Fetch the OrganizationAccountAccessRole ARNs from SSM
+module "requester_role_arns" {
+  enabled        = "${var.enabled}"
+  source         = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store?ref=tags/0.1.5"
+  parameter_read = ["/${var.namespace}/${var.requester_account}/organization_account_access_role"]
+}
+
+locals {
+  requester_vpc_tags = "${var.requester_vpc_tags}"
+  requester_region   = "${var.requester_region}"
+  requester_role_arn = "${join("", module.requester_role_arns.values)}"
+}
+
+# Fetch the OrganizationAccountAccessRole ARNs from SSM
+module "accepter_role_arns" {
+  enabled        = "${var.enabled}"
+  source         = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store?ref=tags/0.1.5"
+  parameter_read = ["/${var.namespace}/${var.accepter_account}/organization_account_access_role"]
+}
+
+locals {
+  accepter_vpc_tags = "${var.accepter_vpc_tags}"
+  accepter_region   = "${var.accepter_region}"
+  accepter_role_arn = "${join("", module.accepter_role_arns.values)}"
+}
+
+module "vpc_peering" {
+  source = "git::https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account.git?ref=tags/0.1.0"
+
+  enabled = "${var.enabled}"
+
+  namespace  = "${var.namespace}"
+  stage      = "${var.stage}"
+  name       = "${var.name}"
+  attributes = ["${var.requester_account}", "${var.accepter_account}"]
+
+  auto_accept = true
+
+  # Requester
+  requester_vpc_tags            = "${local.requester_vpc_tags}"
+  requester_region              = "${local.requester_region}"
+  requester_aws_assume_role_arn = "${local.requester_role_arn}"
+
+  # Accepter
+  accepter_vpc_tags            = "${local.accepter_vpc_tags}"
+  accepter_region              = "${local.accepter_region}"
+  accepter_aws_assume_role_arn = "${local.accepter_role_arn}"
+}
+
+output "accepter_accept_status" {
+  description = "Accepter VPC peering connection request status"
+  value       = "${module.vpc_peering.accepter_accept_status}"
+}
+
+output "accepter_connection_id" {
+  description = "Accepter VPC peering connection ID"
+  value       = "${module.vpc_peering.accepter_connection_id}"
+}
+
+output "requester_accept_status" {
+  description = "Requester VPC peering connection request status"
+  value       = "${module.vpc_peering.requester_accept_status}"
+}
+
+output "requester_connection_id" {
+  description = "Requester VPC peering connection ID"
+  value       = "${module.vpc_peering.requester_connection_id}"
+}

aws/vpc-peering/terraform.tfvars.example

@@ -0,0 +1,13 @@
+requester_account = "prod"
+requester_region = "us-west-2"
+
+requester_vpc_tags = {
+  Name = "eg-prod-backing-services"
+}
+
+accepter_account = "data"
+accepter_region = "us-west-2"
+
+accepter_vpc_tags = {
+  Name = "us-west-2.data.example.co"
+}

aws/vpc-peering/variables.tf

@@ -0,0 +1,51 @@
+variable "aws_assume_role_arn" {}
+
+variable "enabled" {
+  type        = "string"
+  description = "Whether to create the resources. Set to `false` to prevent the module from creating any resources"
+  default     = "true"
+}
+
+variable "namespace" {
+  type        = "string"
+  description = "Namespace (e.g. `eg` or `cp`)"
+}
+
+variable "stage" {
+  type        = "string"
+  description = "Stage (e.g. `prod`, `dev`, `staging`)"
+}
+
+variable "name" {
+  type        = "string"
+  description = "Application or solution name (e.g. `app`)"
+  default     = "vpc-peering"
+}
+
+variable "requester_account" {
+  description = "Account name of the requester (e.g. `prod` or `staging`). Used to look up the role ARN from SSM"
+}
+
+variable "requester_region" {
+  decription = "Region of the requester's VPC"
+}
+
+variable "requester_vpc_tags" {
+  type        = "map"
+  description = "Tags to filter for the requester's VPC"
+  default     = {}
+}
+
+variable "accepter_region" {
+  decription = "Region of the accepter's VPC"
+}
+
+variable "accepter_account" {
+  description = "Account name of the accepter (e.g. `prod` or `staging`). Used to look up the role ARN from SSM"
+}
+
+variable "accepter_vpc_tags" {
+  type        = "map"
+  description = "Tags to filter for the accepter's VPC"
+  default     = {}
+}