Feat/networking (#30)

* feat: update tgw variables and vpc-flow log destination condition

* fix: vpc flow-logs encryption by kms key

* fix - tfchecks

* feat: outputs for terraform-aws-control-tower module

* fix - tfchecks

* fix- module name from CT to control_tower

_examples/multi-account/dev/main.tf

@@ -20,7 +20,7 @@ provider "aws" {
   region = local.region
 }
 
-module "CT" {
+module "control_tower" {
   providers = {
     aws = aws.networking
   }
@@ -45,9 +45,9 @@ module "CT" {
   records = var.records
 
   ## TGW-HUB
-  tgw_spoke_enable       = var.tgw_spoke_enable
-  spoke_destination_cidr = var.spoke_destination_cidr
-  transit_gateway_id     = var.transit_gateway_id
-  resource_share_arn     = var.resource_share_arn
+  tgw_spoke_enable             = var.tgw_spoke_enable
+  tgw_spoke_destination_cidr   = var.spoke_destination_cidr
+  tgw_spoke_transit_gateway_id = var.transit_gateway_id
+  tgw_spoke_resource_share_arn = var.resource_share_arn
 
 }

_examples/multi-account/management/main.tf

@@ -4,7 +4,7 @@
 locals {}
 
 module "name" {
-  source = "CT"
+  source = "control_tower"
 
 }
 

_examples/multi-account/networking/main.tf

@@ -20,7 +20,7 @@ provider "aws" {
   region = local.region
 }
 
-module "CT" {
+module "control_tower" {
   providers = {
     aws = aws.networking
   }
@@ -47,9 +47,9 @@ module "CT" {
   records = var.records
 
   ## TGW-HUB
-  tgw_hub_enable             = var.tgw_hub_enable
-  hub_destination_cidr       = var.hub_destination_cidr
-  resource_share_account_ids = var.resource_share_account_ids
+  tgw_hub_enable                     = var.tgw_hub_enable
+  tgw_hub_destination_cidr           = var.hub_destination_cidr
+  tgw_hub_resource_share_account_ids = var.resource_share_account_ids
 
   ## VPN
   vpn_enable     = var.vpn_enable

_examples/multi-account/networking/outputs.tf

@@ -2,16 +2,16 @@
 # Outputs
 # ------------------------------------------------------------------------------
 output "transit_gateway_id" {
-  value       = module.CT.transit_gateway_id
+  value       = module.control_tower.tgw_hub_transit_gateway_id
   description = "The ID of the Transit Gateway."
 }
 
 output "resource_share_arn" {
-  value       = module.CT.resource_share_arn
+  value       = module.control_tower.tgw_hub_resource_share_arn
   description = "The ARN  of the RAM."
 }
 
 output "vpn_id" {
-  value       = module.CT.vpn_id
+  value       = module.control_tower.vpn_id
   description = "The ID of the Client VPN endpoint."
 }

_examples/multi-account/shared/main.tf

@@ -22,7 +22,7 @@ provider "aws" {
   region = local.region
 }
 
-module "CT" {
+module "control_tower" {
   providers = {
     aws = aws.networking
   }
@@ -47,9 +47,9 @@ module "CT" {
   records = var.records
 
   ## TGW-HUB
-  tgw_spoke_enable       = var.tgw_spoke_enable
-  spoke_destination_cidr = var.spoke_destination_cidr
-  transit_gateway_id     = var.transit_gateway_id
-  resource_share_arn     = var.resource_share_arn
+  tgw_spoke_enable             = var.tgw_spoke_enable
+  tgw_spoke_destination_cidr   = var.spoke_destination_cidr
+  tgw_spoke_transit_gateway_id = var.transit_gateway_id
+  tgw_spoke_resource_share_arn = var.resource_share_arn
 
 }

_examples/single-account/main.tf

@@ -20,7 +20,7 @@ provider "aws" {
   region = local.region
 }
 
-module "CT" {
+module "control_tower" {
   providers = {
     aws = aws.networking
   }
@@ -30,7 +30,9 @@ module "CT" {
   region      = local.region
 
   ## VPC
-  cidr_block = local.cidr_block
+  cidr_block                = local.cidr_block
+  enable_flow_log           = var.enable_flow_log
+  flow_log_destination_type = var.flow_log_destination_type
 
   ## SUBNET
   subnet_type         = var.subnet_type
@@ -47,9 +49,9 @@ module "CT" {
   records = var.records
 
   ## TGW-HUB
-  tgw_hub_enable             = var.tgw_hub_enable
-  hub_destination_cidr       = var.hub_destination_cidr
-  resource_share_account_ids = var.resource_share_account_ids
+  tgw_hub_enable                     = var.tgw_hub_enable
+  tgw_hub_destination_cidr           = var.hub_destination_cidr
+  tgw_hub_resource_share_account_ids = var.resource_share_account_ids
 
   ## VPN
   vpn_enable     = var.vpn_enable

_examples/single-account/outputs.tf

@@ -1,17 +1,17 @@
 # ------------------------------------------------------------------------------
 # Outputs
 # ------------------------------------------------------------------------------
-output "transit_gateway_id" {
-  value       = module.CT.transit_gateway_id
-  description = "The ID of the Transit Gateway."
+output "tgw_hub_transit_gateway_id" {
+  value       = module.control_tower.tgw_hub_transit_gateway_id
+  description = "The ID of the Hub Transit Gateway."
 }
 
-output "resource_share_arn" {
-  value       = module.CT.resource_share_arn
-  description = "The ARN  of the RAM."
+output "tgw_hub_resource_share_arn" {
+  value       = module.control_tower.tgw_hub_resource_share_arn
+  description = "The ARN of the RAM."
 }
 
 output "vpn_id" {
-  value       = module.CT.vpn_id
+  value       = module.control_tower.vpn_id
   description = "The ID of the Client VPN endpoint."
 }

_examples/single-account/terraform.tfvars

@@ -1,3 +1,5 @@
+enable_flow_log            = true
+flow_log_destination_type  = "cloud-watch-logs"
 subnet_type                = "public-private"
 domain                     = "clouddrove.ca"
 records                    = []

_examples/single-account/variables.tf

@@ -2,6 +2,19 @@
 # Variables
 # ------------------------------------------------------------------------------
 
+## VPC
+variable "enable_flow_log" {
+  type        = bool
+  default     = true
+  description = "Enable vpc_flow_log logs."
+}
+
+variable "flow_log_destination_type" {
+  type        = string
+  default     = "s3"
+  description = "Type of flow log destination. Can be `s3` or `cloud-watch-logs`"
+}
+
 ## SUBNET
 variable "subnet_type" {
   type        = string

main.tf

@@ -10,13 +10,14 @@ module "vpc" {
   source  = "clouddrove/vpc/aws"
   version = "2.0.0"
 
-  enable                    = var.vpc_enable
-  name                      = var.name
-  environment               = var.environment
-  cidr_block                = var.cidr_block
-  enable_flow_log           = var.enable_flow_log
-  flow_log_destination_type = var.flow_log_destination_type
-  flow_logs_bucket_name     = "${var.name}-${var.environment}-vpc-logs-bucket"
+  enable                              = var.vpc_enable
+  name                                = var.name
+  environment                         = var.environment
+  cidr_block                          = var.cidr_block
+  enable_flow_log                     = var.enable_flow_log
+  flow_log_destination_type           = var.flow_log_destination_type
+  create_flow_log_cloudwatch_iam_role = var.create_flow_log_cloudwatch_iam_role
+  flow_logs_bucket_name               = var.flow_log_destination_type == "s3" ? "${var.name}-${var.environment}-vpc-logs-bucket" : ""
 }
 
 ##----------------------------------------------SUBNETS----------------------------------------------------##
@@ -83,22 +84,22 @@ module "tgw_hub" {
   depends_on                     = [module.vpc, module.subnet]
   name                           = var.name
   environment                    = var.environment
-  tgw_create                     = var.hub_tgw_create
-  auto_accept_shared_attachments = var.hub_auto_accept_shared_attachments
-  description                    = var.description
-  #TGW Share
-  resource_share_enable                    = var.resource_share_enable
-  resource_share_allow_external_principals = var.resource_share_allow_external_principals
-  resource_share_account_ids               = var.resource_share_account_ids
-  # VPC Attachements
+  tgw_create                     = var.tgw_hub_create
+  auto_accept_shared_attachments = var.tgw_hub_auto_accept_shared_attachments
+  description                    = var.tgw_hub_description
+  # -- TGW Share
+  resource_share_enable                    = var.tgw_hub_resource_share_enable
+  resource_share_allow_external_principals = var.tgw_hub_resource_share_allow_external_principals
+  resource_share_account_ids               = var.tgw_hub_resource_share_account_ids
+  # -- VPC Attachements
   vpc_attachments = {
     vpc1 = {
       vpc_id                                          = module.vpc.vpc_id
       subnet_ids                                      = module.subnet.private_subnet_id
-      transit_gateway_default_route_table_association = var.transit_gateway_default_route_table_association
-      transit_gateway_default_route_table_propagation = var.transit_gateway_default_route_table_propagation
+      transit_gateway_default_route_table_association = var.tgw_hub_transit_gateway_default_route_table_association
+      transit_gateway_default_route_table_propagation = var.tgw_hub_transit_gateway_default_route_table_propagation
       vpc_route_table_ids                             = module.subnet.private_route_tables_id
-      destination_cidr                                = var.hub_destination_cidr
+      destination_cidr                                = var.tgw_hub_destination_cidr
     }
   }
 }
@@ -111,21 +112,21 @@ module "tgw_spoke" {
   depends_on  = [module.vpc, module.subnet]
   name        = var.name
   environment = var.environment
-  tgw_create  = var.spoke_tgw_create
-  description = var.description
-  #TGW Share
-  aws_ram_resource_share_accepter = var.aws_ram_resource_share_accepter
-  resource_share_arn              = var.resource_share_arn
-  # VPC Attachements
-  transit_gateway_id = var.transit_gateway_id
+  tgw_create  = var.tgw_spoke_create
+  description = var.tgw_spoke_description
+  # -- TGW Share
+  aws_ram_resource_share_accepter = var.tgw_spoke_aws_ram_resource_share_accepter
+  resource_share_arn              = var.tgw_spoke_resource_share_arn
+  # -- VPC Attachements
+  transit_gateway_id = var.tgw_spoke_transit_gateway_id
   vpc_attachments = {
     vpc1 = {
       vpc_id                                          = module.vpc.vpc_id
       subnet_ids                                      = module.subnet.private_subnet_id
-      transit_gateway_default_route_table_association = var.transit_gateway_default_route_table_association
-      transit_gateway_default_route_table_propagation = var.transit_gateway_default_route_table_propagation
+      transit_gateway_default_route_table_association = var.tgw_spoke_transit_gateway_default_route_table_association
+      transit_gateway_default_route_table_propagation = var.tgw_spoke_transit_gateway_default_route_table_propagation
       vpc_route_table_ids                             = module.subnet.private_route_tables_id
-      destination_cidr                                = var.spoke_destination_cidr
+      destination_cidr                                = var.tgw_spoke_destination_cidr
     }
   }
 }
@@ -159,6 +160,7 @@ module "route53" {
   record_enabled = var.record_enabled
   records        = var.records
   vpc_id         = module.vpc.vpc_id
+  force_destroy  = var.records_force_destroy
 }
 
 #----------------------------------------------VPN----------------------------------------------------##
@@ -167,6 +169,7 @@ module "vpn" {
   version = "1.0.7"
 
   enabled             = var.vpn_enable
+  depends_on          = [module.vpc]
   name                = var.name
   environment         = var.environment
   split_tunnel_enable = var.split_tunnel_enable
@@ -178,5 +181,7 @@ module "vpn" {
   network_cidr        = var.vpn_network_cidr
   organization_name   = var.vpn_organization_name
   dns_names           = [var.domain]
+  authentication_type = var.vpn_authentication_type
   saml_arn            = var.saml_arn
+  self_saml_arn       = var.self_saml_arn
 }