chore: adding the initial commit for a scoped network

.github/workflows/release.yml

@@ -0,0 +1,12 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-release.yml@main
+    name: GitHub Release

.github/workflows/terraform.yml

@@ -0,0 +1,16 @@
+---
+name: Terraform
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  module-validation:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: Module Validation
+    with:
+      working-directory: .

.gitignore

@@ -0,0 +1,32 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Other
+.DS_Store
+todo.md
+

README.md

@@ -0,0 +1,58 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.40.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | aws-ia/vpc/aws | = 4.4.2 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_vpc_ipam_pool.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_ipam_pool) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The number of availability zone the network should be deployed into | `number` | `2` | no |
+| <a name="input_enable_ipam"></a> [enable\_ipam](#input\_enable\_ipam) | Indicates the cidr block for the network should be assigned from IPAM | `bool` | `true` | no |
+| <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
+| <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
+| <a name="input_enable_transit_gateway_appliance_mode"></a> [enable\_transit\_gateway\_appliance\_mode](#input\_enable\_transit\_gateway\_appliance\_mode) | Indicates the network should be connected to a transit gateway in appliance mode | `bool` | `false` | no |
+| <a name="input_name"></a> [name](#input\_name) | Is the name of the network to provision | `string` | n/a | yes |
+| <a name="input_nat_gateway_mode"></a> [nat\_gateway\_mode](#input\_nat\_gateway\_mode) | The configuration mode of the NAT gateways | `string` | `"none"` | no |
+| <a name="input_private_subnet_netmask"></a> [private\_subnet\_netmask](#input\_private\_subnet\_netmask) | The netmask for the private subnets | `number` | `17` | no |
+| <a name="input_public_subnet_netmask"></a> [public\_subnet\_netmask](#input\_public\_subnet\_netmask) | The netmask for the public subnets | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes |
+| <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | If enabled, and not lookup is disabled, the transit gateway id to connect to | `string` | `""` | no |
+| <a name="input_transit_gateway_route"></a> [transit\_gateway\_route](#input\_transit\_gateway\_route) | If enabled, and not lookup is disabled, the transit gateway default routes to add | `list(string)` | `[]` | no |
+| <a name="input_vpc_netmask"></a> [vpc\_netmask](#input\_vpc\_netmask) | An optional range assigned to the VPC | `number` | `0` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_nat_public_ips"></a> [nat\_public\_ips](#output\_nat\_public\_ips) | The public IPs of the NAT Gateways |
+| <a name="output_private_route_table_ids"></a> [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | The IDs of the private route tables |
+| <a name="output_private_subnet_ids"></a> [private\_subnet\_ids](#output\_private\_subnet\_ids) | The IDs of the private subnets |
+| <a name="output_private_subnet_netmask"></a> [private\_subnet\_netmask](#output\_private\_subnet\_netmask) | The netmask for the private subnets |
+| <a name="output_public_subnet_ids"></a> [public\_subnet\_ids](#output\_public\_subnet\_ids) | The IDs of the public subnets |
+| <a name="output_public_subnet_netmask"></a> [public\_subnet\_netmask](#output\_public\_subnet\_netmask) | The netmask for the public subnets |
+| <a name="output_transit_gateway_attachment_id"></a> [transit\_gateway\_attachment\_id](#output\_transit\_gateway\_attachment\_id) | The ID of the transit gateway attachment |
+| <a name="output_transit_subnet_ids"></a> [transit\_subnet\_ids](#output\_transit\_subnet\_ids) | The IDs of the transit gateway subnets |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+<!-- END_TF_DOCS -->

main.tf

@@ -0,0 +1,93 @@
+#
+## Provisions a network within an account
+#
+
+locals {
+  # Is the IPAM pool id
+  ipam_pool_id = var.enable_ipam ? data.aws_vpc_ipam_pool.current[0].id : null
+
+  # The id for the transit_gateway_id passed into the module
+  transit_gateway_id = var.enable_transit_gateway ? var.transit_gateway_id : null
+
+  # Is the routes to propagate down the transit gateway 
+  transit_routes = var.enable_transit_gateway && length(var.transit_gateway_route) > 0 ? {
+    private = var.transit_gateway_route
+  } : null
+
+  # The configuration for the private subnets
+  private_subnet = {
+    private = {
+      connect_to_public_natgw = var.enable_nat_gateway ? true : null
+      netmask                 = var.private_subnet_netmask
+      tags                    = var.tags
+    }
+  }
+
+  # Public subnets are optional
+  public_subnet = length(var.public_subnet_netmask) > 0 ? {
+    public = {
+      connect_to_public_natgw   = var.enable_nat_gateway ? true : null
+      nat_gateway_configuration = var.nat_gateway_mode
+      netmask                   = var.public_subnet_netmask
+      tags                      = var.tags
+    }
+  } : null
+
+
+  # Configuration for the transit subnets 
+  transit_subnet = var.enable_transit_gateway ? {
+    transit_gateway = {
+      connect_to_public_natgw                         = false
+      netmask                                         = 28
+      tags                                            = var.tags
+      transit_gateway_appliance_mode_support          = var.enable_transit_gateway_appliance_mode ? "enable" : "disable"
+      transit_gateway_default_route_table_association = true
+      transit_gateway_default_route_table_propagation = true
+      transit_gateway_dns_support                     = "enable"
+    }
+  } : null
+
+  # The subnet id for the private subnets
+  private_subnet_ids = [for k, x in module.vpc.private_subnet_attributes_by_az : x.id if startswith(k, "private/")]
+  # The subnet id for the public subnets
+  public_subnet_ids = [for k, x in module.vpc.public_subnet_attributes_by_az : x.id]
+  # The subnet id for the transit subnets
+  transit_subnet_ids = [for k, x in module.vpc.tgw_subnet_attributes_by_az : x.id]
+  # The routing tables for the private subnets
+  private_route_table_ids = [for k, x in module.vpc.rt_attributes_by_type_by_az.private : x.id]
+
+  subnets = merge(
+    local.private_subnet,
+    local.public_subnet,
+    local.transit_subnet,
+  )
+}
+
+#
+## Lookup the IPAM by protocol
+#
+data "aws_vpc_ipam_pool" "current" {
+  count = var.enable_ipam ? 1 : 0
+
+  filter {
+    name   = "address-family"
+    values = ["ipv4"]
+  }
+}
+
+#
+## Provision the VPC for VPN
+#
+module "vpc" {
+  source  = "aws-ia/vpc/aws"
+  version = "= 4.4.2"
+
+  name                    = var.name
+  az_count                = var.availability_zones
+  tags                    = var.tags
+  vpc_ipv4_ipam_pool_id   = local.ipam_pool_id
+  vpc_ipv4_netmask_length = var.vpc_netmask
+  transit_gateway_id      = local.transit_gateway_id
+  transit_gateway_routes  = local.transit_routes
+  subnets                 = local.subnets
+}

outputs.tf

@@ -0,0 +1,49 @@
+#
+## Related to the outputs of the module 
+#
+
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc.vpc_attributes.id
+}
+
+output "private_subnet_netmask" {
+  description = "The netmask for the private subnets"
+  value       = var.private_subnet_netmask
+}
+
+output "public_subnet_netmask" {
+  description = "The netmask for the public subnets"
+  value       = var.public_subnet_netmask
+}
+
+output "private_subnet_ids" {
+  description = "The IDs of the private subnets"
+  value       = local.private_subnet_ids
+}
+
+output "public_subnet_ids" {
+  description = "The IDs of the public subnets"
+  value       = local.public_subnet_ids
+}
+
+output "private_route_table_ids" {
+  description = "The IDs of the private route tables"
+  value       = local.private_route_table_ids
+}
+
+output "transit_gateway_attachment_id" {
+  description = "The ID of the transit gateway attachment"
+  value       = var.enable_transit_gateway ? module.vpc.transit_gateway_attachment_id : null
+}
+
+output "transit_subnet_ids" {
+  description = "The IDs of the transit gateway subnets"
+  value       = var.enable_transit_gateway ? local.transit_subnet_ids : null
+}
+
+output "nat_public_ips" {
+  description = "The public IPs of the NAT Gateways"
+  value       = var.enable_nat_gateway ? [] : [for x in module.vpc.nat_gateway_attributes_by_az : x.public_ip]
+}
+