Resolvers Rules Binding

README.md

@@ -67,8 +67,10 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 
 | Name | Type |
 |------|------|
+| [aws_route53_resolver_rule_association.vpc_associations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
 | [aws_vpc_endpoint.vpe_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route53_resolver_rules.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_resolver_rules) | data source |
 | [aws_vpc_ipam_pool.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_ipam_pool) | data source |
 
 ## Inputs
@@ -83,10 +85,12 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_enable_ipam"></a> [enable\_ipam](#input\_enable\_ipam) | Indicates the cidr block for the network should be assigned from IPAM | `bool` | `true` | no |
 | <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
 | <a name="input_enable_private_endpoints"></a> [enable\_private\_endpoints](#input\_enable\_private\_endpoints) | Indicates the network should provision private endpoints | `list(string)` | `[]` | no |
+| <a name="input_enable_route53_resolver_rules"></a> [enable\_route53\_resolver\_rules](#input\_enable\_route53\_resolver\_rules) | Automatically associates any shared route53 resolver rules with the VPC | `bool` | `true` | no |
 | <a name="input_enable_ssm"></a> [enable\_ssm](#input\_enable\_ssm) | Indicates we should provision SSM private endpoints | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway_appliance_mode"></a> [enable\_transit\_gateway\_appliance\_mode](#input\_enable\_transit\_gateway\_appliance\_mode) | Indicates the network should be connected to a transit gateway in appliance mode | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway_subnet_natgw"></a> [enable\_transit\_gateway\_subnet\_natgw](#input\_enable\_transit\_gateway\_subnet\_natgw) | Indicates if the transit gateway subnets should be connected to a nat gateway | `bool` | `false` | no |
+| <a name="input_exclude_resolver_rules"></a> [exclude\_resolver\_rules](#input\_exclude\_resolver\_rules) | List of resolver rules to exclude from association | `list(string)` | `[]` | no |
 | <a name="input_ipam_pool_id"></a> [ipam\_pool\_id](#input\_ipam\_pool\_id) | An optional pool id to use for IPAM pool to use | `string` | `""` | no |
 | <a name="input_ipam_pool_name"></a> [ipam\_pool\_name](#input\_ipam\_pool\_name) | An optional pool name to use for IPAM pool to use | `string` | `""` | no |
 | <a name="input_nat_gateway_mode"></a> [nat\_gateway\_mode](#input\_nat\_gateway\_mode) | The configuration mode of the NAT gateways | `string` | `"none"` | no |

locals.tf

@@ -71,5 +71,7 @@ locals {
   ssm_endpoints = var.enable_ssm ? ["ssmmessages", "ssm", "ec2messages"] : []
   # enabled_endpotints is a list of all the private endpoints to enable 
   enabled_endpoints = concat(var.enable_private_endpoints, local.ssm_endpoints)
+  ## Build the list of resolver rules to associate with the vpc 
+  resolver_rules = var.enable_route53_resolver_rules ? [for id in data.aws_route53_resolver_rules.current.resolver_rule_ids : id if !contains(var.exclude_resolver_rules, id)] : []
 }
 

main.tf

@@ -1,13 +1,13 @@
-#
-## Provisions a network within an account
-#
-
 # Get the current region 
 data "aws_region" "current" {}
 
-#
+## Find any forwarding rules which have been shared to us 
+data "aws_route53_resolver_rules" "current" {
+  rule_type    = "FORWARD"
+  share_status = "SHARED_WITH_ME"
+}
+
 ## Lookup the IPAM by protocol
-#
 data "aws_vpc_ipam_pool" "current" {
   count = var.enable_ipam ? 1 : 0
 
@@ -30,9 +30,7 @@ data "aws_vpc_ipam_pool" "current" {
   }
 }
 
-#
 ## Provision the VPC for VPN
-#
 module "vpc" {
   source  = "aws-ia/vpc/aws"
   version = "= 4.4.2"
@@ -51,6 +49,15 @@ module "vpc" {
   vpc_ipv4_netmask_length  = var.vpc_netmask
 }
 
+## Associate any resolver rules with the vpc if required 
+resource "aws_route53_resolver_rule_association" "vpc_associations" {
+  for_each = var.enable_route53_resolver_rules ? local.resolver_rules : {}
+
+  resolver_rule_id = each.value
+  vpc_id           = module.vpc.vpc_attributes.id
+}
+
+## Provision the security groups for the private links 
 module "private_links" {
   source  = "terraform-aws-modules/security-group/aws"
   version = "5.1.2"
@@ -64,7 +71,6 @@ module "private_links" {
   vpc_id              = module.vpc.vpc_attributes.id
 }
 
-#
 ## Provision any private endpoints
 resource "aws_vpc_endpoint" "vpe_endpoints" {
   for_each = toset(local.enabled_endpoints)

variables.tf

@@ -16,6 +16,18 @@ variable "enable_ipam" {
   default     = true
 }
 
+variable "enable_route53_resolver_rules" {
+  description = "Automatically associates any shared route53 resolver rules with the VPC"
+  type        = bool
+  default     = true
+}
+
+variable "exclude_resolver_rules" {
+  description = "List of resolver rules to exclude from association"
+  type        = list(string)
+  default     = []
+}
+
 variable "enable_nat_gateway" {
   description = "Indicates the network should provison nat gateways"
   type        = bool