From 8ba6b246d7080adc302958b76408e0150ffc91a7 Mon Sep 17 00:00:00 2001 From: Giulio Micheloni Date: Sat, 2 Apr 2022 01:21:05 +0100 Subject: [PATCH 1/3] examples: configuration for intra-region Transit Gateway Peering Issue #23828 made me think that the intra-region Peering use-case is not straightforward. Operators might assume they need to configure the Acceptor to the Peering Attachment that Terraform creates. In fact, AWS creates two Peering Attachment resources, one for the Creator side and one for the Acceptor side. So, a Data Source is needed to find the second, Acceptor-side attachment and then use it to configure the Acceptor resource. Closes: #23828 --- .../README.md | 20 ++++ .../main.tf | 110 ++++++++++++++++++ .../terraform.template.tfvars | 5 + .../variables.tf | 3 + 4 files changed, 138 insertions(+) create mode 100644 examples/transit-gateway-intra-region-peering/README.md create mode 100644 examples/transit-gateway-intra-region-peering/main.tf create mode 100644 examples/transit-gateway-intra-region-peering/terraform.template.tfvars create mode 100644 examples/transit-gateway-intra-region-peering/variables.tf diff --git a/examples/transit-gateway-intra-region-peering/README.md b/examples/transit-gateway-intra-region-peering/README.md new file mode 100644 index 00000000000..631d23852cc --- /dev/null +++ b/examples/transit-gateway-intra-region-peering/README.md 
@@ -0,0 +1,20 @@ +# EC2 Transit Gateway intra-region Peering + +This example demonstrates how to create two Transit Gateways in one AWS account and *same* region, attach a VPC each, and then create a Peering Attachment between the two Transit Gateways. + +See [more in the Transit Gateway intra-region Peering documentation](https://aws.amazon.com/it/blogs/networking-and-content-delivery/aws-transit-gateway-now-supports-intra-region-peering/). + +## Running this example + +Either `cp terraform.template.tfvars terraform.tfvars` and modify that new file accordingly or provide variables via CLI: + +```terrform +terraform apply \ + -var="aws_profile=aws-account" \ + -var="aws_region=us-east-1" +``` + +## Prerequisites + +- This example requires one AWS accounts within the same AWS Organizations Organization +- Ensure Resource Access Manager is enabled in your organization. For more information, see the [Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html). \ No newline at end of file diff --git a/examples/transit-gateway-intra-region-peering/main.tf b/examples/transit-gateway-intra-region-peering/main.tf new file mode 100644 index 00000000000..7ee79356456 --- /dev/null +++ b/examples/transit-gateway-intra-region-peering/main.tf 
@@ -0,0 +1,110 @@
+terraform {
+ required_version = ">= 0.14.9"
+}
+
+provider "aws" {
+ region = var.aws_region
+ profile = var.aws_profile
+}
+
+resource "aws_vpc" "example_vpc_1" {
+ cidr_block = "10.1.0.0/16"
+
+ tags = {
+ Name = "terraform-example-vpc-1"
+ }
+}
+
+resource "aws_subnet" "example_subnet_1" {
+ cidr_block = "10.1.0.0/24"
+ vpc_id = aws_vpc.example_vpc_1.id
+
+ tags = {
+ Name = "terraform-example-subnet-1"
+ }
+}
+
+resource "aws_vpc" "example_vpc_2" {
+ cidr_block = "10.2.0.0/16"
+
+ tags = {
+ Name = "terraform-example-vpc-2"
+ }
+}
+
+resource "aws_subnet" "example_subnet_2" {
+ cidr_block = "10.2.0.0/24"
+ vpc_id = aws_vpc.example_vpc_2.id
+
+ tags = {
+ Name = "terraform-example-subnet-2"
+ }
+}
+
+# Create the first Transit Gateway.
+resource "aws_ec2_transit_gateway" "example_tgw_1" {
+ tags = {
+ Name = "terraform-example-tgw-1"
+ }
+}
+
+# Attach the first VPC to the first Transit Gateway.
+resource "aws_ec2_transit_gateway_vpc_attachment" "example_vpc_1_attachment" {
+ subnet_ids = [aws_subnet.example_subnet_1.id]
+ transit_gateway_id = aws_ec2_transit_gateway.example_tgw_1.id
+ vpc_id = aws_vpc.example_vpc_1.id
+
+ tags = {
+ Name = "terraform-example-vpc-attach-1"
+ }
+}
+
+# Create the second Transit Gateway in the same region.
+resource "aws_ec2_transit_gateway" "example_tgw_2" {
+ tags = {
+ Name = "terraform-example-tgw-2"
+ }
+}
+
+# Attach the second VPC to the second Transit Gateway.
+resource "aws_ec2_transit_gateway_vpc_attachment" "example_vpc_2_attachment" {
+ subnet_ids = [aws_subnet.example_subnet_2.id]
+ transit_gateway_id = aws_ec2_transit_gateway.example_tgw_2.id
+ vpc_id = aws_vpc.example_vpc_2.id
+
+ tags = {
+ Name = "terraform-example-vpc-attach-2"
+ }
+}
+
+# Create the intra-region Peering Attachment from Gateway 1 to Gateway 2.
+# Actually, this will create two peerings: one for Gateway 1 (Creator)
+# and one for Gateway 2 (Acceptor).
+resource "aws_ec2_transit_gateway_peering_attachment" "example_source_peering" {
+ peer_region = var.aws_region
+ transit_gateway_id = aws_ec2_transit_gateway.example_tgw_1.id
+ peer_transit_gateway_id = aws_ec2_transit_gateway.example_tgw_2.id
+ tags = {
+ Name = "terraform-example-tgw-peering"
+ Side = "Creator"
+ }
+}
+
+# Transit Gateway 2's peering request needs to be accepted.
+# So, we fetch the Peering Attachment that is created for the Gateway 2.
+data "aws_ec2_transit_gateway_peering_attachment" "example_acceptor_peering_data" {
+ depends_on = [aws_ec2_transit_gateway_peering_attachment.example_source_peering]
+ filter {
+ name = "transit-gateway-id"
+ values = [aws_ec2_transit_gateway.example_tgw_2.id]
+ }
+}
+
+# Accept the Attachment Peering request.
+resource "aws_ec2_transit_gateway_peering_attachment_accepter" "example_accpeter" {
+ transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.example_acceptor_peering_data.id
+ tags = {
+ Name = "terraform-example-tgw-peering-accepter"
+ Side = "Acceptor"
+ }
+}
\ No newline at end of file
diff --git a/examples/transit-gateway-intra-region-peering/terraform.template.tfvars b/examples/transit-gateway-intra-region-peering/terraform.template.tfvars
new file mode 100644
index 00000000000..290c2a8fa3f
--- /dev/null
+++ b/examples/transit-gateway-intra-region-peering/terraform.template.tfvars
@@ -0,0 +1,5 @@
+# AWS Profile (type `aws configure`)
+aws_profile = "default"
+
+# AWS Region
+aws_region = "us-east-1"
diff --git a/examples/transit-gateway-intra-region-peering/variables.tf b/examples/transit-gateway-intra-region-peering/variables.tf
new file mode 100644
index 00000000000..018322bac48
--- /dev/null
+++ b/examples/transit-gateway-intra-region-peering/variables.tf
@@ -0,0 +1,3 @@
+variable "aws_profile" {}
+
+variable "aws_region" {}
From 581270c84bc239f8f2c3f204e3e779fc2b07a8cb Mon Sep 17 00:00:00 2001
From: Giulio Micheloni Date: Sat, 2 Apr 2022 11:50:00 +0100 Subject: [PATCH 2/3] intra-region peering example: fix Terraform Core version --- examples/transit-gateway-intra-region-peering/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/transit-gateway-intra-region-peering/main.tf b/examples/transit-gateway-intra-region-peering/main.tf index 7ee79356456..e001954cda3 100644 --- a/examples/transit-gateway-intra-region-peering/main.tf +++ b/examples/transit-gateway-intra-region-peering/main.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.14.9" + required_version = ">= 0.12" } provider "aws" { From 9e769e752f43b6f9274fef80d1932e788c657fd2 Mon Sep 17 00:00:00 2001 From: Giulio Micheloni Date: Sun, 19 Jun 2022 19:20:45 +0100 Subject: [PATCH 3/3] Resolved typos and formatting --- .../transit-gateway-intra-region-peering/README.md | 2 +- examples/transit-gateway-intra-region-peering/main.tf | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/transit-gateway-intra-region-peering/README.md b/examples/transit-gateway-intra-region-peering/README.md index 631d23852cc..ec136b6c9a2 100644 --- a/examples/transit-gateway-intra-region-peering/README.md +++ b/examples/transit-gateway-intra-region-peering/README.md @@ -1,6 +1,6 @@ # EC2 Transit Gateway intra-region Peering -This example demonstrates how to create two Transit Gateways in one AWS account and *same* region, attach a VPC each, and then create a Peering Attachment between the two Transit Gateways. +This example demonstrates how to create two Transit Gateways in one AWS account and the same region, attach a VPC each, and then create a Peering Attachment between the two Transit Gateways. See [more in the Transit Gateway intra-region Peering documentation](https://aws.amazon.com/it/blogs/networking-and-content-delivery/aws-transit-gateway-now-supports-intra-region-peering/). 
diff --git a/examples/transit-gateway-intra-region-peering/main.tf b/examples/transit-gateway-intra-region-peering/main.tf index e001954cda3..4a1ad370b44 100644 --- a/examples/transit-gateway-intra-region-peering/main.tf +++ b/examples/transit-gateway-intra-region-peering/main.tf @@ -78,7 +78,7 @@ resource "aws_ec2_transit_gateway_vpc_attachment" "example_vpc_2_attachment" { } # Create the intra-region Peering Attachment from Gateway 1 to Gateway 2. -# Actually, this will create two peerings: one for Gateway 1 (Creator) +# Actually, this will create two peerings: one for Gateway 1 (Creator) # and one for Gateway 2 (Acceptor). resource "aws_ec2_transit_gateway_peering_attachment" "example_source_peering" { peer_region = var.aws_region @@ -90,9 +90,9 @@ resource "aws_ec2_transit_gateway_peering_attachment" "example_source_peering" { } } -# Transit Gateway 2's peering request needs to be accepted. +# Transit Gateway 2's peering request needs to be accepted. # So, we fetch the Peering Attachment that is created for the Gateway 2. -data "aws_ec2_transit_gateway_peering_attachment" "example_acceptor_peering_data" { +data "aws_ec2_transit_gateway_peering_attachment" "example_accepter_peering_data" { depends_on = [aws_ec2_transit_gateway_peering_attachment.example_source_peering] filter { name = "transit-gateway-id" @@ -101,8 +101,8 @@ data "aws_ec2_transit_gateway_peering_attachment" "example_acceptor_peering_data } # Accept the Attachment Peering request. -resource "aws_ec2_transit_gateway_peering_attachment_accepter" "example_accpeter" { - transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.example_acceptor_peering_data.id +resource "aws_ec2_transit_gateway_peering_attachment_accepter" "example_accepter" { + transit_gateway_attachment_id = data.aws_ec2_transit_gateway_peering_attachment.example_accepter_peering_data.id tags = { Name = "terraform-example-tgw-peering-accepter" Side = "Acceptor"