Miguelhar.plat-8802 (#266)

dominodatalab · Sep 12, 2024 · 6482f6b · 6482f6b
1 parent 30000e4
commit 6482f6b
Show file tree

Hide file tree

Showing 12 changed files with 119 additions and 66 deletions.
diff --git a/examples/tfvars/vpn.tfvars b/examples/tfvars/vpn.tfvars
@@ -14,8 +14,18 @@ default_node_groups = {
   }
 }
 
-vpn_connection = {
-  create     = true
-  shared_ip  = "203.0.113.12"
-  cidr_block = "192.168.0.0/16"
+vpn_connections = {
+  create = true
+  connections = [
+    {
+      name        = "vpn_connection_test_1"
+      shared_ip   = "203.0.113.12"
+      cidr_blocks = ["192.168.0.0/16"]
+    },
+    {
+      name        = "vpn_connection_test_2"
+      shared_ip   = "200.0.110.120"
+      cidr_blocks = ["3.4.5.6/16"]
+    }
+  ]
 }
diff --git a/modules/infra/README.md b/modules/infra/README.md
@@ -67,7 +67,7 @@
 | <a name="input_storage"></a> [storage](#input\_storage) | storage = {<br>      filesystem\_type = File system type(netapp\|efs)<br>      efs = {<br>        access\_point\_path = Filesystem path for efs.<br>        backup\_vault = {<br>          create        = Create backup vault for EFS toggle.<br>          force\_destroy = Toggle to allow automatic destruction of all backups when destroying.<br>          backup = {<br>            schedule           = Cron-style schedule for EFS backup vault (default: once a day at 12pm).<br>            cold\_storage\_after = Move backup data to cold storage after this many days.<br>            delete\_after       = Delete backup data after this many days.<br>          }<br>        }<br>      }<br>      netapp = {<br>        deployment\_type = netapp ontap deployment type,('MULTI\_AZ\_1', 'MULTI\_AZ\_2', 'SINGLE\_AZ\_1', 'SINGLE\_AZ\_2')<br>        storage\_capacity = Filesystem Storage capacity<br>        throughput\_capacity = Filesystem throughput capacity<br>        automatic\_backup\_retention\_days = How many days to keep backups<br>        daily\_automatic\_backup\_start\_time = Start time in 'HH:MM' format to initiate backups<br><br>        storage\_capacity\_autosizing = Options for the FXN automatic storage capacity increase, cloudformation template<br>          enabled                     = Enable automatic storage capacity increase.<br>          threshold                  = Used storage capacity threshold.<br>          percent\_capacity\_increase  = The percentage increase in storage capacity when used storage exceeds<br>                                       LowFreeDataStorageCapacityThreshold. Minimum increase is 10 %.<br>          notification\_email\_address = The email address for alarm notification.<br>        }))<br>      }<br>      s3 = {<br>        force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.<br>      }<br>      ecr = {<br>        force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.<br>      }<br>      enable\_remote\_backup = Enable tagging required for cross-account backups<br>      costs\_enabled = Determines whether to provision domino cost related infrastructures, ie, long term storage<br>    }<br>  } | <pre>object({<br>    filesystem_type = optional(string, "efs")<br>    efs = optional(object({<br>      access_point_path = optional(string, "/domino")<br>      backup_vault = optional(object({<br>        create        = optional(bool, true)<br>        force_destroy = optional(bool, true)<br>        backup = optional(object({<br>          schedule           = optional(string, "0 12 * * ? *")<br>          cold_storage_after = optional(number, 35)<br>          delete_after       = optional(number, 125)<br>        }), {})<br>      }), {})<br>    }), {})<br>    netapp = optional(object({<br>      deployment_type                   = optional(string, "SINGLE_AZ_1")<br>      storage_capacity                  = optional(number, 1024)<br>      throughput_capacity               = optional(number, 128)<br>      automatic_backup_retention_days   = optional(number, 90)<br>      daily_automatic_backup_start_time = optional(string, "00:00")<br>      storage_capacity_autosizing = optional(object({<br>        enabled                    = optional(bool, false)<br>        threshold                  = optional(number, 70)<br>        percent_capacity_increase  = optional(number, 30)<br>        notification_email_address = optional(string, "")<br>      }), {})<br>    }), {})<br>    s3 = optional(object({<br>      force_destroy_on_deletion = optional(bool, true)<br>    }), {})<br>    ecr = optional(object({<br>      force_destroy_on_deletion = optional(bool, true)<br>    }), {}),<br>    enable_remote_backup = optional(bool, false)<br>    costs_enabled        = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Deployment tags. | `map(string)` | `{}` | no |
 | <a name="input_use_fips_endpoint"></a> [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no |
-| <a name="input_vpn_connection"></a> [vpn\_connection](#input\_vpn\_connection) | create = Create a VPN connection.<br>    shared\_ip = Customer's shared IP Address.<br>    cidr\_block = CIDR block for the customer's network. | <pre>object({<br>    create     = optional(bool, false)<br>    shared_ip  = optional(string, "")<br>    cidr_block = optional(string, "")<br>  })</pre> | `{}` | no |
+| <a name="input_vpn_connections"></a> [vpn\_connections](#input\_vpn\_connections) | create = Create a VPN connection.<br>    connections = List of VPN connections, each with:<br>      - name: Name for identification (optional).<br>      - shared\_ip: Customer's shared IP Address (optional).<br>      - cidr\_block: CIDR block for the customer's network (optional). | <pre>object({<br>    create = optional(bool, false)<br>    connections = optional(list(object({<br>      name        = optional(string, "")<br>      shared_ip   = optional(string, "")<br>      cidr_blocks = optional(list(string), [])<br>    })), [])<br>  })</pre> | `{}` | no |
 
 ## Outputs
 
@@ -91,5 +91,5 @@
 | <a name="output_ssh_key"></a> [ssh\_key](#output\_ssh\_key) | SSH key path,name. |
 | <a name="output_storage"></a> [storage](#output\_storage) | Storage details. |
 | <a name="output_tags"></a> [tags](#output\_tags) | Deployment tags. |
-| <a name="output_vpn_connection"></a> [vpn\_connection](#output\_vpn\_connection) | VPN connection information |
+| <a name="output_vpn_connections"></a> [vpn\_connections](#output\_vpn\_connections) | VPN connection information |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/infra/main.tf b/modules/infra/main.tf
@@ -67,11 +67,11 @@ module "network" {
 }
 
 module "vpn" {
-  count          = var.vpn_connection.create ? 1 : 0
-  source         = "./submodules/vpn"
-  deploy_id      = var.deploy_id
-  network_info   = module.network.info
-  vpn_connection = var.vpn_connection
+  count           = var.vpn_connections.create ? 1 : 0
+  source          = "./submodules/vpn"
+  deploy_id       = var.deploy_id
+  network_info    = module.network.info
+  vpn_connections = var.vpn_connections.connections
 }
 
 locals {

diff --git a/modules/infra/outputs.tf b/modules/infra/outputs.tf
@@ -88,7 +88,7 @@ output "cost_usage_report" {
   value       = local.cost_usage_report_info
 }
 
-output "vpn_connection" {
+output "vpn_connections" {
   description = "VPN connection information"
-  value       = var.vpn_connection.create ? module.vpn[0].vpn_connection : null
+  value       = var.vpn_connections.create ? module.vpn[0].vpn_connections : null
 }
diff --git a/modules/infra/submodules/vpn/README.md b/modules/infra/submodules/vpn/README.md
@@ -35,11 +35,11 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_deploy_id"></a> [deploy\_id](#input\_deploy\_id) | Domino Deployment ID | `string` | n/a | yes |
 | <a name="input_network_info"></a> [network\_info](#input\_network\_info) | id = VPC ID.<br>    subnets = {<br>      public = List of public Subnets.<br>      [{<br>        name = Subnet name.<br>        subnet\_id = Subnet ud<br>        az = Subnet availability\_zone<br>        az\_id = Subnet availability\_zone\_id<br>      }]<br>      private = List of private Subnets.<br>      [{<br>        name = Subnet name.<br>        subnet\_id = Subnet ud<br>        az = Subnet availability\_zone<br>        az\_id = Subnet availability\_zone\_id<br>      }]<br>      pod = List of pod Subnets.<br>      [{<br>        name = Subnet name.<br>        subnet\_id = Subnet ud<br>        az = Subnet availability\_zone<br>        az\_id = Subnet availability\_zone\_id<br>      }]<br>    } | <pre>object({<br>    vpc_id = string<br>    route_tables = object({<br>      public  = optional(list(string))<br>      private = optional(list(string))<br>      pod     = optional(list(string))<br>    })<br>    subnets = object({<br>      public = list(object({<br>        name      = string<br>        subnet_id = string<br>        az        = string<br>        az_id     = string<br>      }))<br>      private = list(object({<br>        name      = string<br>        subnet_id = string<br>        az        = string<br>        az_id     = string<br>      }))<br>      pod = list(object({<br>        name      = string<br>        subnet_id = string<br>        az        = string<br>        az_id     = string<br>      }))<br>    })<br>    vpc_cidrs = string<br>  })</pre> | n/a | yes |
-| <a name="input_vpn_connection"></a> [vpn\_connection](#input\_vpn\_connection) | shared\_ip = Customer's shared IP Address.<br>    cidr\_block = CIDR block for the customer's network. | <pre>object({<br>    shared_ip  = string<br>    cidr_block = string<br>  })</pre> | n/a | yes |
+| <a name="input_vpn_connections"></a> [vpn\_connections](#input\_vpn\_connections) | List of VPN connections, each with:<br>    - name: Name for identification<br>    - shared\_ip: Customer's shared IP Address.<br>    - cidr\_block: List of CIDR blocks for the customer's network. | <pre>list(object({<br>    name        = string<br>    shared_ip   = string<br>    cidr_blocks = list(string)<br>  }))</pre> | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_vpn_connection"></a> [vpn\_connection](#output\_vpn\_connection) | VPN connection information |
+| <a name="output_vpn_connections"></a> [vpn\_connections](#output\_vpn\_connections) | List of VPN connections information |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/infra/submodules/vpn/main.tf b/modules/infra/submodules/vpn/main.tf
@@ -1,8 +1,12 @@
-
-
 resource "aws_customer_gateway" "customer_gateway" {
-  ip_address = var.vpn_connection.shared_ip
+  for_each = { for vpn in var.vpn_connections : vpn.name => vpn }
+
+  ip_address = each.value.shared_ip
   type       = "ipsec.1"
+  bgp_asn    = "65000"
+  tags = {
+    Name = each.value.name
+  }
 }
 
 resource "aws_vpn_gateway" "this" {
@@ -18,22 +22,40 @@ resource "aws_vpn_gateway_attachment" "this" {
 }
 
 resource "aws_vpn_connection" "this" {
-  customer_gateway_id = aws_customer_gateway.customer_gateway.id
+  for_each = aws_customer_gateway.customer_gateway
+
+  customer_gateway_id = each.value.id
   vpn_gateway_id      = aws_vpn_gateway.this.id
   type                = "ipsec.1"
-
-  static_routes_only = true
-
+  static_routes_only  = true
   tags = {
-    Name = "${var.deploy_id}-vpn-connection"
+    Name = "${each.key}-vpn-connection"
   }
 }
 
+locals {
+  vpn_cidr_blocks = {
+    for vpn in var.vpn_connections : vpn.name => {
+      cidr_blocks = vpn.cidr_blocks
+      vpn_id      = aws_vpn_connection.this[vpn.name].id
+    }
+  }
+
+  flattened_vpn_cidr_block = merge([
+    for vpn, data in local.vpn_cidr_blocks : {
+      for cidr in data.cidr_blocks : cidr => data.vpn_id
+    }
+  ]...)
+}
+
 resource "aws_vpn_connection_route" "this" {
-  destination_cidr_block = var.vpn_connection.cidr_block
-  vpn_connection_id      = aws_vpn_connection.this.id
+  for_each = local.flattened_vpn_cidr_block
+
+  destination_cidr_block = each.key
+  vpn_connection_id      = each.value
 }
 
+
 locals {
   route_table_ids = concat(var.network_info.route_tables.private, var.network_info.route_tables.pod)
 }

diff --git a/modules/infra/submodules/vpn/outputs.tf b/modules/infra/submodules/vpn/outputs.tf
@@ -1,14 +1,17 @@
-output "vpn_connection" {
-  description = "VPN connection information"
+output "vpn_connections" {
+  description = "List of VPN connections information"
   sensitive   = true
-  value = {
-    ip_sec_tunnel_1 = {
-      address       = aws_vpn_connection.this.tunnel1_address
-      preshared_key = aws_vpn_connection.this.tunnel1_preshared_key
+  value = [
+    for k, v in aws_vpn_connection.this : {
+      name = k
+      ip_sec_tunnel_1 = {
+        address       = v.tunnel1_address
+        preshared_key = v.tunnel1_preshared_key
+      }
+      ip_sec_tunnel_2 = {
+        address       = v.tunnel2_address
+        preshared_key = v.tunnel2_preshared_key
+      }
     }
-    ip_sec_tunnel_2 = {
-      address       = aws_vpn_connection.this.tunnel2_address
-      preshared_key = aws_vpn_connection.this.tunnel2_preshared_key
-    }
-  }
+  ]
 }
diff --git a/modules/infra/submodules/vpn/variables.tf b/modules/infra/submodules/vpn/variables.tf
@@ -8,23 +8,36 @@ variable "deploy_id" {
   }
 }
 
-variable "vpn_connection" {
+variable "vpn_connections" {
   description = <<EOF
-    shared_ip = Customer's shared IP Address.
-    cidr_block = CIDR block for the customer's network.
+    List of VPN connections, each with:
+    - name: Name for identification
+    - shared_ip: Customer's shared IP Address.
+    - cidr_block: List of CIDR blocks for the customer's network.
   EOF
-  type = object({
-    shared_ip  = string
-    cidr_block = string
-  })
+  type = list(object({
+    name        = string
+    shared_ip   = string
+    cidr_blocks = list(string)
+  }))
+
+  validation {
+    condition     = alltrue([for vpn in var.vpn_connections : can(regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$", vpn.shared_ip))])
+    error_message = "Each 'shared_ip' must be a valid IP address."
+  }
+
+  validation {
+    condition     = alltrue([for vpn in var.vpn_connections : alltrue([for cidr in vpn.cidr_blocks : can(cidrhost(cidr, 0))])])
+    error_message = "Each 'cidr_block' must be a valid CIDR block."
+  }
 
   validation {
-    condition     = can(regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$", var.vpn_connection.shared_ip))
-    error_message = "The 'shared_ip' must be a valid IP address."
+    condition     = length(var.vpn_connections) == length(distinct([for vpn in var.vpn_connections : vpn.name]))
+    error_message = "Each connection 'name' must be unique."
   }
   validation {
-    condition     = can(cidrhost(var.vpn_connection.cidr_block, 0))
-    error_message = "The 'cidr_block' must be a valid CIDR block."
+    condition     = length(flatten([for vpn in var.vpn_connections : vpn.cidr_blocks])) == length(distinct(flatten([for vpn in var.vpn_connections : vpn.cidr_blocks])))
+    error_message = "CIDR blocks must be unique."
   }
 }
 

diff --git a/modules/infra/variables.tf b/modules/infra/variables.tf
@@ -452,23 +452,23 @@ variable "use_fips_endpoint" {
   default     = false
 }
 
-variable "vpn_connection" {
+variable "vpn_connections" {
   description = <<EOF
     create = Create a VPN connection.
-    shared_ip = Customer's shared IP Address.
-    cidr_block = CIDR block for the customer's network.
+    connections = List of VPN connections, each with:
+      - name: Name for identification (optional).
+      - shared_ip: Customer's shared IP Address (optional).
+      - cidr_block: CIDR block for the customer's network (optional).
   EOF
 
   type = object({
-    create     = optional(bool, false)
-    shared_ip  = optional(string, "")
-    cidr_block = optional(string, "")
+    create = optional(bool, false)
+    connections = optional(list(object({
+      name        = optional(string, "")
+      shared_ip   = optional(string, "")
+      cidr_blocks = optional(list(string), [])
+    })), [])
   })
 
   default = {}
-
-  validation {
-    condition     = !(var.vpn_connection.create) || (length(var.vpn_connection.shared_ip) >= 7 && length(var.vpn_connection.cidr_block) >= 7)
-    error_message = "When 'create' is true, both 'shared_ip' and 'cidr_block' must be a valid IPv4 IP."
-  }
 }