Add/ignore cidr blocks (#43)

* add logic to loop through a list and remove cidr blocks * add and update tests * fix for output list of string * fix errors uncovered via terratest GH actions * Auto Format * wrap in parentheses * fix additional errors found when running terratest locally * fix typo * correct error in expected output * Auto Format * fix list error Co-authored-by: cloudpossebot <[email protected]>
cloudposse · Nov 2, 2022 · c9316cb · c9316cb
1 parent db47273
commit c9316cb
Show file tree

Hide file tree

Showing 12 changed files with 103 additions and 24 deletions.
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
@@ -17,7 +17,6 @@ version-resolver:
     - 'bugfix'
     - 'bug'
     - 'hotfix'
-    - 'no-release'
   default: 'minor'
 
 categories:

diff --git a/.github/renovate.json b/.github/renovate.json
@@ -4,9 +4,9 @@
     ":preserveSemverRanges"
   ],
   "labels": ["auto-update"],
+  "dependencyDashboardAutoclose": true,
   "enabledManagers": ["terraform"],
   "terraform": {
     "ignorePaths": ["**/context.tf", "examples/**"]
   }
 }
-
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
@@ -10,6 +10,7 @@ jobs:
     steps:
     - name: "Checkout source code at current commit"
       uses: actions/checkout@v2
+      # Leave pinned at 0.7.1 until https://github.com/mszostok/codeowners-validator/issues/173 is resolved
     - uses: mszostok/[email protected]
       if: github.event.pull_request.head.repo.full_name == github.repository
       name: "Full check of CODEOWNERS"

diff --git a/README.md b/README.md
@@ -192,6 +192,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_acceptor_allow_remote_vpc_dns_resolution"></a> [acceptor\_allow\_remote\_vpc\_dns\_resolution](#input\_acceptor\_allow\_remote\_vpc\_dns\_resolution) | Allow acceptor VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requestor VPC | `bool` | `true` | no |
+| <a name="input_acceptor_ignore_cidrs"></a> [acceptor\_ignore\_cidrs](#input\_acceptor\_ignore\_cidrs) | A list of CIDR blocks from the acceptor VPC to ignore | `list(string)` | `[]` | no |
 | <a name="input_acceptor_route_table_tags"></a> [acceptor\_route\_table\_tags](#input\_acceptor\_route\_table\_tags) | Only add peer routes to acceptor VPC route tables matching these tags | `map(string)` | `{}` | no |
 | <a name="input_acceptor_vpc_id"></a> [acceptor\_vpc\_id](#input\_acceptor\_vpc\_id) | Acceptor VPC ID | `string` | `""` | no |
 | <a name="input_acceptor_vpc_tags"></a> [acceptor\_vpc\_tags](#input\_acceptor\_vpc\_tags) | Acceptor VPC tags | `map(string)` | `{}` | no |
@@ -214,6 +215,7 @@ Available targets:
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_requestor_allow_remote_vpc_dns_resolution"></a> [requestor\_allow\_remote\_vpc\_dns\_resolution](#input\_requestor\_allow\_remote\_vpc\_dns\_resolution) | Allow requestor VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the acceptor VPC | `bool` | `true` | no |
+| <a name="input_requestor_ignore_cidrs"></a> [requestor\_ignore\_cidrs](#input\_requestor\_ignore\_cidrs) | A list of CIDR blocks from the requestor VPC to ignore | `list(string)` | `[]` | no |
 | <a name="input_requestor_route_table_tags"></a> [requestor\_route\_table\_tags](#input\_requestor\_route\_table\_tags) | Only add peer routes to requestor VPC route tables matching these tags | `map(string)` | `{}` | no |
 | <a name="input_requestor_vpc_id"></a> [requestor\_vpc\_id](#input\_requestor\_vpc\_id) | Requestor VPC ID | `string` | `""` | no |
 | <a name="input_requestor_vpc_tags"></a> [requestor\_vpc\_tags](#input\_requestor\_vpc\_tags) | Requestor VPC tags | `map(string)` | `{}` | no |
@@ -399,7 +401,7 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
 
 [![README Footer][readme_footer_img]][readme_footer_link]
 [![Beacon][beacon]][website]
-
+<!-- markdownlint-disable -->
   [logo]: https://cloudposse.com/logo-300x69.svg
   [docs]: https://cpco.io/docs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-vpc-peering&utm_content=docs
   [website]: https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-vpc-peering&utm_content=website
@@ -430,3 +432,4 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
   [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-vpc-peering
   [share_email]: mailto:?subject=terraform-aws-vpc-peering&body=https://github.com/cloudposse/terraform-aws-vpc-peering
   [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-vpc-peering?pixel&cs=github&cm=readme&an=terraform-aws-vpc-peering
+<!-- markdownlint-restore -->
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -36,6 +36,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_acceptor_allow_remote_vpc_dns_resolution"></a> [acceptor\_allow\_remote\_vpc\_dns\_resolution](#input\_acceptor\_allow\_remote\_vpc\_dns\_resolution) | Allow acceptor VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the requestor VPC | `bool` | `true` | no |
+| <a name="input_acceptor_ignore_cidrs"></a> [acceptor\_ignore\_cidrs](#input\_acceptor\_ignore\_cidrs) | A list of CIDR blocks from the acceptor VPC to ignore | `list(string)` | `[]` | no |
 | <a name="input_acceptor_route_table_tags"></a> [acceptor\_route\_table\_tags](#input\_acceptor\_route\_table\_tags) | Only add peer routes to acceptor VPC route tables matching these tags | `map(string)` | `{}` | no |
 | <a name="input_acceptor_vpc_id"></a> [acceptor\_vpc\_id](#input\_acceptor\_vpc\_id) | Acceptor VPC ID | `string` | `""` | no |
 | <a name="input_acceptor_vpc_tags"></a> [acceptor\_vpc\_tags](#input\_acceptor\_vpc\_tags) | Acceptor VPC tags | `map(string)` | `{}` | no |
@@ -58,6 +59,7 @@
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_requestor_allow_remote_vpc_dns_resolution"></a> [requestor\_allow\_remote\_vpc\_dns\_resolution](#input\_requestor\_allow\_remote\_vpc\_dns\_resolution) | Allow requestor VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the acceptor VPC | `bool` | `true` | no |
+| <a name="input_requestor_ignore_cidrs"></a> [requestor\_ignore\_cidrs](#input\_requestor\_ignore\_cidrs) | A list of CIDR blocks from the requestor VPC to ignore | `list(string)` | `[]` | no |
 | <a name="input_requestor_route_table_tags"></a> [requestor\_route\_table\_tags](#input\_requestor\_route\_table\_tags) | Only add peer routes to requestor VPC route tables matching these tags | `map(string)` | `{}` | no |
 | <a name="input_requestor_vpc_id"></a> [requestor\_vpc\_id](#input\_requestor\_vpc\_id) | Requestor VPC ID | `string` | `""` | no |
 | <a name="input_requestor_vpc_tags"></a> [requestor\_vpc\_tags](#input\_requestor\_vpc\_tags) | Requestor VPC tags | `map(string)` | `{}` | no |

diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars
@@ -11,3 +11,5 @@ name = "vpc-peering"
 requestor_vpc_cidr = "172.16.0.0/16"
 
 acceptor_vpc_cidr = "172.32.0.0/16"
+
+requestor_additional_ipv4_cidr_block = "100.64.0.0/16"
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -3,45 +3,70 @@ provider "aws" {
 }
 
 module "requestor_vpc" {
-  source     = "cloudposse/vpc/aws"
-  version    = "0.18.1"
-  attributes = ["requestor"]
-  cidr_block = var.requestor_vpc_cidr
+  source                  = "cloudposse/vpc/aws"
+  version                 = "1.2.0"
+  attributes              = ["requestor"]
+  ipv4_primary_cidr_block = var.requestor_vpc_cidr
+  ipv4_additional_cidr_block_associations = {
+    "${var.requestor_additional_ipv4_cidr_block}" = {
+      ipv4_cidr_block     = var.requestor_additional_ipv4_cidr_block
+      ipv4_ipam_pool_id   = null
+      ipv4_netmask_length = null
+    }
+  }
 
   context = module.this.context
 }
 
 module "requestor_subnets" {
   source               = "cloudposse/dynamic-subnets/aws"
-  version              = "0.33.0"
+  version              = "2.0.4"
   availability_zones   = var.availability_zones
   attributes           = ["requestor"]
   vpc_id               = module.requestor_vpc.vpc_id
-  igw_id               = module.requestor_vpc.igw_id
-  cidr_block           = module.requestor_vpc.vpc_cidr_block
+  igw_id               = [module.requestor_vpc.igw_id]
+  ipv4_cidr_block      = [module.requestor_vpc.vpc_cidr_block]
   nat_gateway_enabled  = false
   nat_instance_enabled = false
 
   context = module.this.context
 }
 
+module "requestor_subnets_additional" {
+  source                 = "cloudposse/dynamic-subnets/aws"
+  version                = "2.0.4"
+  availability_zones     = var.availability_zones
+  attributes             = ["requestor"]
+  vpc_id                 = module.requestor_vpc.vpc_id
+  igw_id                 = [module.requestor_vpc.igw_id]
+  ipv4_cidr_block        = [var.requestor_additional_ipv4_cidr_block]
+  nat_gateway_enabled    = false
+  nat_instance_enabled   = false
+  public_subnets_enabled = false
+
+  context = module.this.context
+
+  # necessary for clean destory, see open issue: https://github.com/hashicorp/terraform-provider-aws/issues/9592
+  depends_on = [module.requestor_vpc]
+}
+
 module "acceptor_vpc" {
-  source     = "cloudposse/vpc/aws"
-  version    = "0.18.1"
-  attributes = ["acceptor"]
-  cidr_block = var.acceptor_vpc_cidr
+  source                  = "cloudposse/vpc/aws"
+  version                 = "1.2.0"
+  attributes              = ["acceptor"]
+  ipv4_primary_cidr_block = var.acceptor_vpc_cidr
 
   context = module.this.context
 }
 
 module "acceptor_subnets" {
   source               = "cloudposse/dynamic-subnets/aws"
-  version              = "0.33.0"
+  version              = "2.0.4"
   availability_zones   = var.availability_zones
   attributes           = ["acceptor"]
   vpc_id               = module.acceptor_vpc.vpc_id
-  igw_id               = module.acceptor_vpc.igw_id
-  cidr_block           = module.acceptor_vpc.vpc_cidr_block
+  igw_id               = [module.acceptor_vpc.igw_id]
+  ipv4_cidr_block      = [module.acceptor_vpc.vpc_cidr_block]
   nat_gateway_enabled  = false
   nat_instance_enabled = false
 
@@ -55,6 +80,7 @@ module "vpc_peering" {
   acceptor_allow_remote_vpc_dns_resolution  = true
   requestor_vpc_id                          = module.requestor_vpc.vpc_id
   acceptor_vpc_id                           = module.acceptor_vpc.vpc_id
+  requestor_ignore_cidrs                    = [var.requestor_additional_ipv4_cidr_block]
   create_timeout                            = "5m"
   update_timeout                            = "5m"
   delete_timeout                            = "10m"

diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -1,6 +1,11 @@
 output "requestor_vpc_cidr" {
   value       = module.requestor_vpc.vpc_cidr_block
-  description = "Requestor VPC ID"
+  description = "Requestor VPC CIDR block"
+}
+
+output "requestor_vpc_additional_cidrs" {
+  value       = module.requestor_vpc.additional_cidr_blocks
+  description = "Requestor VPC additional CIDR block associations"
 }
 
 output "requestor_public_subnet_cidrs" {
@@ -13,6 +18,11 @@ output "requestor_private_subnet_cidrs" {
   description = "Requestor private subnet CIDRs"
 }
 
+output "requestor_additional_subnet_cidrs" {
+  value       = module.requestor_subnets_additional.private_subnet_cidrs
+  description = "Requestor additional subnet CIDRs"
+}
+
 output "acceptor_vpc_cidr" {
   value       = module.acceptor_vpc.vpc_cidr_block
   description = "Acceptor VPC ID"

diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -17,3 +17,8 @@ variable "acceptor_vpc_cidr" {
   type        = string
   description = "Acceptor VPC CIDR"
 }
+
+variable "requestor_additional_ipv4_cidr_block" {
+  description = "An additional IPv4 CIDR block to associate with the VPC"
+  type        = string
+}
diff --git a/main.tf b/main.tf
@@ -48,20 +48,29 @@ data "aws_route_tables" "acceptor" {
   tags   = var.acceptor_route_table_tags
 }
 
+locals {
+  requestor_cidr_blocks = module.this.enabled ? tolist(setsubtract([
+    for k, v in data.aws_vpc.requestor.0.cidr_block_associations : v.cidr_block
+  ], var.requestor_ignore_cidrs)) : []
+  acceptor_cidr_blocks = module.this.enabled ? tolist(setsubtract([
+    for k, v in data.aws_vpc.acceptor.0.cidr_block_associations : v.cidr_block
+  ], var.acceptor_ignore_cidrs)) : []
+}
+
 # Create routes from requestor to acceptor
 resource "aws_route" "requestor" {
-  count                     = module.this.enabled ? length(distinct(sort(data.aws_route_tables.requestor.0.ids))) * length(data.aws_vpc.acceptor.0.cidr_block_associations) : 0
-  route_table_id            = element(distinct(sort(data.aws_route_tables.requestor.0.ids)), ceil(count.index / length(data.aws_vpc.acceptor.0.cidr_block_associations)))
-  destination_cidr_block    = data.aws_vpc.acceptor.0.cidr_block_associations[count.index % length(data.aws_vpc.acceptor.0.cidr_block_associations)]["cidr_block"]
+  count                     = module.this.enabled ? length(distinct(sort(data.aws_route_tables.requestor.0.ids))) * length(local.acceptor_cidr_blocks) : 0
+  route_table_id            = element(distinct(sort(data.aws_route_tables.requestor.0.ids)), ceil(count.index / length(local.acceptor_cidr_blocks)))
+  destination_cidr_block    = local.acceptor_cidr_blocks[count.index % length(local.acceptor_cidr_blocks)]
   vpc_peering_connection_id = join("", aws_vpc_peering_connection.default.*.id)
   depends_on                = [data.aws_route_tables.requestor, aws_vpc_peering_connection.default]
 }
 
 # Create routes from acceptor to requestor
 resource "aws_route" "acceptor" {
-  count                     = module.this.enabled ? length(distinct(sort(data.aws_route_tables.acceptor.0.ids))) * length(data.aws_vpc.requestor.0.cidr_block_associations) : 0
-  route_table_id            = element(distinct(sort(data.aws_route_tables.acceptor.0.ids)), ceil(count.index / length(data.aws_vpc.requestor.0.cidr_block_associations)))
-  destination_cidr_block    = data.aws_vpc.requestor.0.cidr_block_associations[count.index % length(data.aws_vpc.requestor.0.cidr_block_associations)]["cidr_block"]
+  count                     = module.this.enabled ? length(distinct(sort(data.aws_route_tables.acceptor.0.ids))) * length(local.requestor_cidr_blocks) : 0
+  route_table_id            = element(distinct(sort(data.aws_route_tables.acceptor.0.ids)), ceil(count.index / length(local.requestor_cidr_blocks)))
+  destination_cidr_block    = local.requestor_cidr_blocks[count.index % length(local.requestor_cidr_blocks)]
   vpc_peering_connection_id = join("", aws_vpc_peering_connection.default.*.id)
   depends_on                = [data.aws_route_tables.acceptor, aws_vpc_peering_connection.default]
 }
diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go
@@ -51,6 +51,11 @@ func TestExamplesComplete(t *testing.T) {
 	// Verify we're getting back the outputs we expect
 	assert.Equal(t, "172.16.0.0/16", requestorVpcCidr)
 
+	// Run `terraform output` to get the value of an output variable
+	requestorVpcAdditionalCidrs := terraform.OutputList(t, terraformOptions, "requestor_vpc_additional_cidrs")
+	// Verify we're getting back the outputs we expect
+	assert.Equal(t, []string{"100.64.0.0/16"}, requestorVpcAdditionalCidrs)	
+
 	// Run `terraform output` to get the value of an output variable
 	requestorPrivateSubnetCidrs := terraform.OutputList(t, terraformOptions, "requestor_private_subnet_cidrs")
 	// Verify we're getting back the outputs we expect
@@ -61,6 +66,11 @@ func TestExamplesComplete(t *testing.T) {
 	// Verify we're getting back the outputs we expect
 	assert.Equal(t, []string{"172.16.96.0/19", "172.16.128.0/19"}, requestorPublicSubnetCidrs)
 
+	// Run `terraform output` to get the value of an output variable
+	requestorAdditionalSubnetCidrs := terraform.OutputList(t, terraformOptions, "requestor_additional_subnet_cidrs")
+	// Verify we're getting back the outputs we expect
+	assert.Equal(t, []string{"100.64.0.0/18", "100.64.64.0/18"}, requestorAdditionalSubnetCidrs)
+
 	// Run `terraform output` to get the value of an output variable
 	acceptorVpcCidr := terraform.Output(t, terraformOptions, "acceptor_vpc_cidr")
 	// Verify we're getting back the outputs we expect

diff --git a/variables.tf b/variables.tf
@@ -69,3 +69,15 @@ variable "delete_timeout" {
   description = "VPC peering connection delete timeout. For more details, see https://www.terraform.io/docs/configuration/resources.html#operation-timeouts"
   default     = "5m"
 }
+
+variable "requestor_ignore_cidrs" {
+  type        = list(string)
+  description = "A list of CIDR blocks from the requestor VPC to ignore"
+  default     = []
+}
+
+variable "acceptor_ignore_cidrs" {
+  type        = list(string)
+  description = "A list of CIDR blocks from the acceptor VPC to ignore"
+  default     = []
+}