Merge pull request #30 from unifio/wlc-update

Version up
unifio · Mar 8, 2018 · f1eed12 · f1eed12
2 parents 5ced011 + 1788d77
commit f1eed12
Show file tree

Hide file tree

Showing 18 changed files with 564 additions and 424 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,59 @@
+version: 2
+
+jobs:
+  build:
+    working_directory: ~/repo
+
+    docker:
+      - image: unifio/ci:3.0.411-ruby-2.4
+
+    environment:
+      AWS_REGION: 'us-east-2'
+      TF_PLUGIN_CACHE_DIR: "/root/.terraform.d/plugin-cache"
+
+    steps:
+      - checkout
+
+      - run:
+          name: Verify
+          command: bundle exec rake ci
+
+      - run:
+          name: Test DMZ only configuration
+          command: bundle exec rake basic:no-lan:apply
+
+      - run:
+          name: Test defaults
+          command: |
+            bundle exec rake basic:defaults:apply
+            bundle exec rake basic:defaults:destroy
+
+      - run:
+          name: Test some base module options and expand to 3 AZs
+          command: |
+            bundle exec rake basic:base-options:apply
+
+      - run:
+          name: Test VPN gateway attachment
+          command: |
+            bundle exec rake basic:vpg-attach:apply
+            bundle exec rake basic:vpg-attach:destroy
+
+      - run:
+          name: Test more options and overrides
+          command: |
+            bundle exec rake complete:overrides:apply
+
+      - run:
+          name: Test peering connection
+          command: |
+            bundle exec rake complete:peer-vpc:apply
+            bundle exec rake peering:peer-connect:apply
+
+      - run:
+          name: Clean up
+          when: always
+          command: |
+            bundle exec rake peering:destroy || true
+            bundle exec rake complete:destroy
+            bundle exec rake basic:destroy
diff --git a/.env.docker b/.env.docker
@@ -1,7 +1,3 @@
 AWS_REGION=us-east-2
-COVALENCE_PACKER_DIR=./
-COVALENCE_TERRAFORM_DIR=./
 COVALENCE_TEST_ENVS=basic,complete
 CHECKPOINT_DISABLE=1
-GODEBUG=netdns=cgo
-USER=root
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,23 @@
 #### Consider Implementing:
-* ipv6 support
+* full ipv6 support
+* vpc endpoints
+
+## 0.3.4 (March 7, 2018)
+
+#### BACKWARDS INCOMPATIBILITIES / NOTES:
+* Terraform versions earlier than 0.11.0 no longer supported.
+* The following input variable have been changed:
+  * az module
+    * `dmz_cidrs` -> `dmz_cidrs_override`
+    * `lan_cidrs` -> `lan_cidrs_override`
+
+#### IMPROVEMENTS / NEW FEATURES:
+* Added support for the `enable_classiclink_dns_support` parameter on the vpc resource.
+* Added support for the `assign_generated_ipv6_cidr_block` parameter on the vpc resource. Full ipv6 support coming in the next update.
+* Introduced local variables into the `az` module to better document formulation for default options.
+
+#### BUG FIXES:
+* Updated DHCP module outputs to suppress warnings in Terraform 0.11.0+
 
 ## 0.3.3 (November 13, 2017)
 
@@ -22,7 +40,7 @@
 * The following input variable have been changed:
   * az module
     * `stack_item_fullname` now defaults to a value of `VPC Quick Start`
-    * `stack_item_label` now defaults to a value of `exmpl`
+    * `stack_item_label` now defaults to a value of `qckstrt`
 
 ## 0.3.1 (April 23, 2017)
 

diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ This module is well suited to both basic and advanced use cases with very few re
 
 ## Requirements ##
 
-- Terraform 0.8.0 or newer
+- Terraform 0.11.0 or newer
 - AWS provider
 
 ## Quick Start
@@ -16,7 +16,7 @@ The following code will yield a fully functioning VPC environment:
 
 ```js
 module "vpc_base" {
-  source = "github.com/terraform-aws-vpc?ref=master//base"
+  source = "github.com/unifio/terraform-aws-vpc?ref=master//base"
 }
 
 module "az" {
@@ -88,11 +88,11 @@ Name | Type | Required | Description
 
 ```js
 module "vpc_base" {
-  source = "github.com/terraform-aws-vpc?ref=master//base"
+  source = "github.com/unifio/terraform-aws-vpc?ref=master//base"
 }
 
 module "dhcp" {
-  source = "github.com/terraform-aws-vpc?ref=master//dhcp"
+  source = "github.com/unifio/terraform-aws-vpc?ref=master//dhcp"
 
   domain_name          = "mydomain.com"
   name_servers         = ["172.16.0.2"]
@@ -128,11 +128,11 @@ Name | Type | Required | Description
 
 ```js
 module "vpc_base" {
-  source = "github.com/terraform-aws-vpc?ref=master//base"
+  source = "github.com/unifio/terraform-aws-vpc?ref=master//base"
 }
 
 module "vpg" {
-  source = "github.com/terraform-aws-vpc?ref=master//vpg"
+  source = "github.com/unifio/terraform-aws-vpc?ref=master//vpg"
 
   stack_item_fullname = "My Stack"
   stack_item_label    = "mystack"
@@ -157,9 +157,9 @@ Name | Type | Required | Description
 --- | --- | --- | ---
 `azs_provisioned` | string | Default: `2` | The number of availability zones to be provisioned. Either this or **azs\_provisioned\_override** must be specified. Auto-provisioning will support up to 4 AZs without the need for overrides.
 `azs_provisioned_override` | list | | List of availability zone letters to be provisioned. Useful in regions where not all AZs are VPC ready. Either this or **azs_provisioned** must be specified.
-`dmz_cidrs` | list | | The CIDR block(s) you want the public subnet(s) to cover.
+`dmz_cidrs_override` | list | | The CIDR block(s) you want the public subnet(s) to cover.
 `enable_dmz_public_ips` | string | | Specify true to indicate that instances launched into the DMZ subnet should be assigned a public IP address.
-`lan_cidrs` | list | | The CIDR block(s) you want the LAN subnet(s) to cover.
+`lan_cidrs_override` | list | | The CIDR block(s) you want the LAN subnet(s) to cover.
 `lans_per_az` | string | Default: `1` | The number of private subnets to be provisioned per AZ. Auto-provisioning will support up to 2 private subnets per AZ without the need for overrides.
 `nat_ami_override` | string | | Custom NAT Amazon Machine Image (AMI).
 `nat_eips_enabled` | string | Default: `false` | Flag for specifying allocation of Elastic IPs to NATs for the purposes of whitelisting. This value is overriden to `true` when utilizing NAT gateways.
@@ -176,7 +176,7 @@ Name | Type | Required | Description
 
 ```js
 module "vpc_base" {
-  source = "github.com/terraform-aws-vpc?ref=master//base"
+  source = "github.com/unifio/terraform-aws-vpc?ref=master//base"
 }
 
 module "az" {
@@ -232,7 +232,7 @@ Name | Type | Required | Description
 
 ```js
 module "vpc_peer" {
-  source = "github.com/terraform-aws-vpc?ref=master//peer"
+  source = "github.com/unifio/terraform-aws-vpc?ref=master//peer"
 
   accepter_allow_remote_dns  = "false"
   accepter_owner_id          = "${var.peer_owner_id}"

diff --git a/az/main.tf b/az/main.tf
@@ -2,27 +2,62 @@
 
 ## Set Terraform version constraint
 terraform {
-  required_version = "> 0.8.0"
+  required_version = "> 0.11.0"
 }
 
-## Provisions DMZ resources
+## Variables
+data "aws_region" "current" {}
 
-### Provisions subnets
-data "aws_region" "current" {
-  current = true
+data "aws_availability_zones" "available" {}
+
+locals {
+  # Calculates the number of AZs to be provisioned based on various possible inputs
+  azs_provisioned_count = "${local.azs_provisioned_override_enabled == "true" ? length(var.azs_provisioned_override) : var.azs_provisioned}"
+
+  # Check to see if availability zones are being overridden. Some AWS regions do not support VPC in all AZs and it can vary by account.
+  azs_provisioned_override_enabled = "${length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? "true" : "false"}"
+
+  # Check to see if DMZ CIDRs are being overridden. An empty list causes problems in some of the downstream formualtion.
+  dmz_cidrs_override_enabled = "${length(var.dmz_cidrs_override) > 0 && var.dmz_cidrs_override[0] != "non_empty_list" ? "true" : "false"}"
+
+  # Check to see if elastic IPs are to be provisioned. NAT gateways require EIPs.
+  eips_enabled_check = "${var.nat_eips_enabled == "true" || var.nat_gateways_enabled == "true" ? 1 : 0}"
+
+  # Check to see if private LAN subnets are to be provisioned.
+  lans_enabled_check = "${local.lans_per_az_checked > 0 ? 1 : 0}"
+
+  # Check to see if LAN CIDRs are being overridden. An empty list causes problems in some of the downstream formualtion.
+  lan_cidrs_override_enabled = "${length(var.lan_cidrs_override) > 0 && var.lan_cidrs_override[0] != "non_empty_list" ? "true" : "false"}"
+
+  # Multiplier to be used in downstream calculation based on the number of LAN subnets per AZ.
+  lans_multiplier = "${local.lans_per_az_checked > 0 ? local.lans_per_az_checked : 1}"
+
+  # Handles scenario where an emptry string is passed in for lans_per_az
+  lans_per_az_checked = "${var.lans_per_az != "" ? var.lans_per_az : "1"}"
+
+  # Check to see if NAT gateways are to be provisioned
+  nat_gateways_enabled_check = "${var.nat_gateways_enabled == "true" ? 1 : 0}"
+
+  # Check to see if NAT gateways are NOT to be provisioned
+  nat_gateways_not_enabled_check = "${var.nat_gateways_enabled != "true" ? 1 : 0}"
 }
 
-data "aws_availability_zones" "available" {}
+## Provisions DMZ resources
+
+### Provisions subnets
 
 data "aws_vpc" "base" {
   id = "${var.vpc_id}"
 }
 
 resource "aws_subnet" "dmz" {
-  count = "${length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned}"
+  count = "${local.azs_provisioned_count}"
 
-  availability_zone       = "${length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? "${data.aws_region.current.name}${element(var.azs_provisioned_override,count.index)}" : element(data.aws_availability_zones.available.names,count.index)}"
-  cidr_block              = "${length(var.dmz_cidrs) > 0 && var.dmz_cidrs[0] != "non_empty_list" ? element(var.dmz_cidrs,count.index) : cidrsubnet(data.aws_vpc.base.cidr_block,lookup(var.az_cidrsubnet_newbits, length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned),count.index)}"
+  # Selects the first N number of AZs available for VPC use in the given region, where N is the requested number of AZs to provision. This order can be overidden by passing in an explicit list of AZ letters to be used.
+  availability_zone = "${local.azs_provisioned_override_enabled == "true" ? "${data.aws_region.current.name}${element(var.azs_provisioned_override,count.index)}" : element(data.aws_availability_zones.available.names,count.index)}"
+
+  # Provisions N number of evenly allocated address spaces from the overall VPC CIDR block, where N is the requested number of AZs to provision. Address space per subnet can be overidden by passing in an explicit list of CIDRs to be used.
+  cidr_block              = "${local.dmz_cidrs_override_enabled == "true" ? element(var.dmz_cidrs_override,count.index) : cidrsubnet(data.aws_vpc.base.cidr_block,lookup(var.az_cidrsubnet_newbits, local.azs_provisioned_count),count.index)}"
   map_public_ip_on_launch = "${var.enable_dmz_public_ips}"
   vpc_id                  = "${var.vpc_id}"
 
@@ -35,7 +70,7 @@ resource "aws_subnet" "dmz" {
 
 ### Associates subnet with routing table
 resource "aws_route_table_association" "rta_dmz" {
-  count = "${length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned}"
+  count = "${local.azs_provisioned_count}"
 
   route_table_id = "${var.rt_dmz_id}"
   subnet_id      = "${element(aws_subnet.dmz.*.id,count.index)}"
@@ -72,20 +107,20 @@ data "aws_ami" "nat_ami" {
 }
 
 resource "aws_eip" "eip_nat" {
-  count = "${(length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * signum(length(var.lans_per_az) > 0 ? var.lans_per_az : "1") * signum(var.nat_eips_enabled == "true" || var.nat_gateways_enabled == "true" ? "1" : "0")}"
+  count = "${local.azs_provisioned_count * local.lans_enabled_check * local.eips_enabled_check}"
 
   vpc = true
 }
 
 resource "aws_eip_association" "eip_nat_assoc" {
-  count = "${(length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * signum(length(var.lans_per_az) > 0 ? var.lans_per_az : "1") * signum(var.nat_eips_enabled == "true" && var.nat_gateways_enabled != "true" ? "1" : "0")}"
+  count = "${local.azs_provisioned_count * local.lans_enabled_check * local.eips_enabled_check * local.nat_gateways_not_enabled_check}"
 
   allocation_id = "${element(aws_eip.eip_nat.*.id,count.index)}"
   instance_id   = "${element(aws_instance.nat.*.id,count.index)}"
 }
 
 resource "aws_instance" "nat" {
-  count = "${(length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * signum(length(var.lans_per_az) > 0 ? var.lans_per_az : "1") * signum(var.nat_gateways_enabled != "true" ? "1" : "0")}"
+  count = "${local.azs_provisioned_count * local.lans_enabled_check * local.nat_gateways_not_enabled_check}"
 
   ami                         = "${coalesce(var.nat_ami_override,data.aws_ami.nat_ami.id)}"
   associate_public_ip_address = true
@@ -103,7 +138,7 @@ resource "aws_instance" "nat" {
 }
 
 resource "aws_security_group" "sg_nat" {
-  count = "${(length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * signum(length(var.lans_per_az) > 0 ? var.lans_per_az : "1") * signum(var.nat_gateways_enabled != "true" ? "1" : "0")}"
+  count = "${local.azs_provisioned_count * local.lans_enabled_check * local.nat_gateways_not_enabled_check}"
 
   description = "${var.stack_item_fullname} NAT security group"
   name_prefix = "${var.stack_item_label}-nat-"
@@ -117,7 +152,7 @@ resource "aws_security_group" "sg_nat" {
   }
 
   ingress {
-    cidr_blocks = ["${length(var.lan_cidrs) > 0 && var.lan_cidrs[0] != "non_empty_list" ? element(var.lan_cidrs,count.index) : cidrsubnet(data.aws_vpc.base.cidr_block,lookup(var.az_cidrsubnet_newbits, (length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * (length(var.lans_per_az) > 0 ? var.lans_per_az : "1")),count.index + lookup(var.az_cidrsubnet_offset, length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned))}"]
+    cidr_blocks = ["${local.lan_cidrs_override_enabled == "true" ? element(var.lan_cidrs_override,count.index) : cidrsubnet(data.aws_vpc.base.cidr_block,lookup(var.az_cidrsubnet_newbits, local.azs_provisioned_count * local.lans_multiplier),count.index + lookup(var.az_cidrsubnet_offset, local.azs_provisioned_count))}"]
     from_port   = 0
     protocol    = "-1"
     to_port     = 0
@@ -131,7 +166,7 @@ resource "aws_security_group" "sg_nat" {
 }
 
 resource "aws_nat_gateway" "nat" {
-  count = "${(length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * signum(length(var.lans_per_az) > 0 ? var.lans_per_az : "1") * signum(var.nat_gateways_enabled == "true" ? "1" : "0")}"
+  count = "${local.azs_provisioned_count * local.lans_enabled_check * local.nat_gateways_enabled_check}"
 
   allocation_id = "${element(aws_eip.eip_nat.*.id,count.index)}"
   subnet_id     = "${element(aws_subnet.dmz.*.id,count.index)}"
@@ -143,11 +178,14 @@ resource "aws_nat_gateway" "nat" {
 
 ### Provisions subnet
 resource "aws_subnet" "lan" {
-  count = "${(length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * (length(var.lans_per_az) > 0 ? var.lans_per_az : "1")}"
+  count = "${local.azs_provisioned_count * local.lans_multiplier}"
+
+  # Selects the first N number of AZs available for VPC use in the given region, where N is the requested number of AZs to provision. This order can be overidden by passing in an explicit list of AZ letters to be used.
+  availability_zone = "${local.azs_provisioned_override_enabled == "true" ? "${data.aws_region.current.name}${element(var.azs_provisioned_override,count.index)}" : element(data.aws_availability_zones.available.names,count.index)}"
 
-  availability_zone = "${length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? "${data.aws_region.current.name}${element(var.azs_provisioned_override,count.index)}" : element(data.aws_availability_zones.available.names,count.index)}"
-  cidr_block        = "${length(var.lan_cidrs) > 0 && var.lan_cidrs[0] != "non_empty_list" ? element(var.lan_cidrs,count.index) : cidrsubnet(data.aws_vpc.base.cidr_block,lookup(var.az_cidrsubnet_newbits, (length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * (length(var.lans_per_az) > 0 ? var.lans_per_az : "1")),count.index + (lookup(var.az_cidrsubnet_offset, length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * (length(var.lans_per_az) > 0 ? var.lans_per_az : "1")))}"
-  vpc_id            = "${var.vpc_id}"
+  # Provisions N number of evenly allocated address spaces from the overall VPC CIDR block, where N is the requested number of AZs to provision multiplied by the number of LAN subnets to provision per AZ. Address space per subnet can be overidden by passing in an explicit list of CIDRs to be used.
+  cidr_block = "${local.lan_cidrs_override_enabled == "true" ? element(var.lan_cidrs_override,count.index) : cidrsubnet(data.aws_vpc.base.cidr_block,lookup(var.az_cidrsubnet_newbits, local.azs_provisioned_count * local.lans_multiplier),count.index + lookup(var.az_cidrsubnet_offset, local.azs_provisioned_count))}"
+  vpc_id     = "${var.vpc_id}"
 
   tags {
     application = "${var.stack_item_fullname}"
@@ -158,7 +196,7 @@ resource "aws_subnet" "lan" {
 
 ### Provisions routing table
 resource "aws_route_table" "rt_lan" {
-  count = "${(length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * (length(var.lans_per_az) > 0 ? var.lans_per_az : "1")}"
+  count = "${local.azs_provisioned_count * local.lans_multiplier}"
 
   propagating_vgws = ["${compact(var.vgw_ids)}"]
   vpc_id           = "${var.vpc_id}"
@@ -172,7 +210,7 @@ resource "aws_route_table" "rt_lan" {
 
 ### Associates subnet with routing table
 resource "aws_route_table_association" "rta_lan" {
-  count = "${(length(var.azs_provisioned_override) > 0 && var.azs_provisioned_override[0] != "non_empty_list" ? length(var.azs_provisioned_override) : var.azs_provisioned) * (length(var.lans_per_az) > 0 ? var.lans_per_az : "1")}"
+  count = "${local.azs_provisioned_count * local.lans_multiplier}"
 
   route_table_id = "${element(aws_route_table.rt_lan.*.id,count.index)}"
   subnet_id      = "${element(aws_subnet.lan.*.id,count.index)}"

diff --git a/az/variables.tf b/az/variables.tf
@@ -52,7 +52,7 @@ variable "azs_provisioned_override" {
   default     = ["non_empty_list"]
 }
 
-variable "dmz_cidrs" {
+variable "dmz_cidrs_override" {
   type        = "list"
   description = "The CIDR block(s) you want the DMZ subnet(s) to cover."
   default     = ["non_empty_list"]
@@ -64,7 +64,7 @@ variable "enable_dmz_public_ips" {
   default     = ""
 }
 
-variable "lan_cidrs" {
+variable "lan_cidrs_override" {
   type        = "list"
   description = "The CIDR block(s) you want the LAN subnet(s) to cover."
   default     = ["non_empty_list"]