Added Customer Gateway resource (#360)

5bd21bdc · Anton Babenko · GitHub · bd51e9f5 · 5bd21bdc · 5bd21bdc
Commit 5bd21bdc authored Nov 27, 2019 by Anton Babenko Committed by GitHub Nov 27, 2019
8 changed files
--- a/README.md
+++ b/README.md
@@ -256,6 +256,8 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | bool | `"true"` | no |
 | create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | bool | `"false"` | no |
 | create\_vpc | Controls if VPC should be created (it affects almost all resources) | bool | `"true"` | no |
+| customer\_gateway\_tags | Additional tags for the Customer Gateway | map(string) | `{}` | no |
+| customer\_gateways | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | map(map(any)) | `{}` | no |
 | database\_acl\_tags | Additional tags for the database subnets network ACL | map(string) | `{}` | no |
 | database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool | `"false"` | no |
 | database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
@@ -506,6 +508,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | Name | Description |
 |------|-------------|
 | azs | A list of availability zones specified as argument to this module |
+| cgw\_ids | List of IDs of Customer Gateway |
 | database\_network\_acl\_id | ID of the database network ACL |
 | database\_route\_table\_ids | List of IDs of database route tables |
 | database\_subnet\_arns | List of ARNs of database subnets |
@@ -564,6 +567,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | redshift\_subnets | List of IDs of redshift subnets |
 | redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets |
 | redshift\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC |
+| this\_customer\_gateway | Map of Customer Gateway attributes |
 | vgw\_id | The ID of the VPN Gateway |
 | vpc\_arn | The ARN of the VPC |
 | vpc\_cidr\_block | The CIDR block of the VPC |

--- a/examples/complete-vpc/README.md
+++ b/examples/complete-vpc/README.md
@@ -21,6 +21,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Description |
 |------|-------------|
+| cgw\_ids | List of IDs of Customer Gateway |
 | database\_subnets | List of IDs of database subnets |
 | elasticache\_subnets | List of IDs of elasticache subnets |
 | intra\_subnets | List of IDs of intra subnets |
@@ -28,6 +29,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | private\_subnets | List of IDs of private subnets |
 | public\_subnets | List of IDs of public subnets |
 | redshift\_subnets | List of IDs of redshift subnets |
+| this\_customer\_gateway | Map of Customer Gateway attributes |
 | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
 | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM |
 | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. |

--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -33,6 +33,17 @@ module "vpc" {
  enable_nat_gateway = true
  single_nat_gateway = true

+  customer_gateways = {
+    IP1 = {
+      bgp_asn    = 65112
+      ip_address = "1.2.3.4"
+    },
+    IP2 = {
+      bgp_asn    = 65112
+      ip_address = "5.6.7.8"
+    }
+  }
+
  enable_vpn_gateway = true

  enable_dhcp_options              = true

--- a/examples/complete-vpc/outputs.tf
+++ b/examples/complete-vpc/outputs.tf
@@ -57,6 +57,17 @@ output "vpc_endpoint_ssm_dns_entry" {
  value       = module.vpc.vpc_endpoint_ssm_dns_entry
 }

+# Customer Gateway
+output "cgw_ids" {
+  description = "List of IDs of Customer Gateway"
+  value       = module.vpc.cgw_ids
+}
+
+output "this_customer_gateway" {
+  description = "Map of Customer Gateway attributes"
+  value       = module.vpc.this_customer_gateway
+}
+
 //
 //# VPC endpoints
 //output "vpc_endpoint_ec2_id" {

--- a/main.tf
+++ b/main.tf
@@ -989,6 +989,25 @@ resource "aws_route_table_association" "public" {
  route_table_id = aws_route_table.public[0].id
 }

+####################
+# Customer Gateways
+####################
+resource "aws_customer_gateway" "this" {
+  for_each = var.customer_gateways
+
+  bgp_asn    = each.value["bgp_asn"]
+  ip_address = each.value["ip_address"]
+  type       = "ipsec.1"
+
+  tags = merge(
+    {
+      Name = format("%s-%s", var.name, each.key)
+    },
+    var.tags,
+    var.customer_gateway_tags,
+  )
+}
+
 ##############
 # VPN Gateway
 ##############

--- a/outputs.tf
+++ b/outputs.tf
@@ -263,6 +263,16 @@ output "egress_only_internet_gateway_id" {
  value       = concat(aws_egress_only_internet_gateway.this.*.id, [""])[0]
 }

+output "cgw_ids" {
+  description = "List of IDs of Customer Gateway"
+  value       = [for k, v in aws_customer_gateway.this : v.id]
+}
+
+output "this_customer_gateway" {
+  description = "Map of Customer Gateway attributes"
+  value       = aws_customer_gateway.this
+}
+
 output "vgw_id" {
  description = "The ID of the VPN Gateway"
  value = concat(

--- a/variables.tf
+++ b/variables.tf
@@ -1305,6 +1305,12 @@ variable "map_public_ip_on_launch" {
  default     = true
 }

+variable "customer_gateways" {
+  description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)"
+  type        = map(map(any))
+  default     = {}
+}
+
 variable "enable_vpn_gateway" {
  description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC"
  type        = bool
@@ -1489,6 +1495,12 @@ variable "nat_eip_tags" {
  default     = {}
 }

+variable "customer_gateway_tags" {
+  description = "Additional tags for the Customer Gateway"
+  type        = map(string)
+  default     = {}
+}
+
 variable "vpn_gateway_tags" {
  description = "Additional tags for the VPN gateway"
  type        = map(string)

--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf
@@ -971,7 +971,7 @@ resource "aws_vpc_endpoint" "efs" {
  count = var.create_vpc && var.enable_efs_endpoint ? 1 : 0

  vpc_id            = local.vpc_id
-  service_name      = data.aws_vpc_endpoint_service.efs.service_name
+  service_name      = data.aws_vpc_endpoint_service.efs[0].service_name
  vpc_endpoint_type = "Interface"

  security_group_ids  = var.efs_endpoint_security_group_ids
@@ -994,7 +994,7 @@ resource "aws_vpc_endpoint" "cloud_directory" {
  count = var.create_vpc && var.enable_cloud_directory_endpoint ? 1 : 0

  vpc_id            = local.vpc_id
-  service_name      = data.aws_vpc_endpoint_service.cloud_directory.service_name
+  service_name      = data.aws_vpc_endpoint_service.cloud_directory[0].service_name
  vpc_endpoint_type = "Interface"

  security_group_ids  = var.cloud_directory_endpoint_security_group_ids