From 5afc86933b7e3f9359a0b28f82f47312408cacb9 Mon Sep 17 00:00:00 2001 From: Pablo Sanchez Carmona Date: Sat, 4 Mar 2023 16:33:40 +0100 Subject: [PATCH 1/3] adding aws_networkmanager_core_network_policy_attachment resource and base_policy attribute --- .header.md | 69 ++++------------ .terraform-docs.yaml | 3 +- README.md | 78 +++++-------------- UPGRADE-GUIDE-1.0.md | 59 ++++++++++++++ UPGRADE-GUIDE-2.0.md | 15 ++++ examples/base_policy/.header.md | 9 +++ examples/base_policy/.terraform-docs.yaml | 20 +++++ examples/base_policy/README.md | 50 ++++++++++++ examples/base_policy/main.tf | 39 ++++++++++ examples/base_policy/outputs.tf | 13 ++++ examples/base_policy/providers.tf | 15 ++++ examples/base_policy/variables.tf | 15 ++++ examples/basic/.header.md | 2 +- examples/basic/README.md | 10 +-- examples/basic/main.tf | 2 +- examples/basic/providers.tf | 2 +- examples/reference_global_network/.header.md | 3 +- examples/reference_global_network/README.md | 13 ++-- examples/reference_global_network/main.tf | 2 +- .../reference_global_network/providers.tf | 2 +- main.tf | 21 +++-- providers.tf | 2 +- test/example_base_policy_test.go | 17 ++++ variables.tf | 7 +- 24 files changed, 327 insertions(+), 141 deletions(-) create mode 100644 UPGRADE-GUIDE-1.0.md create mode 100644 UPGRADE-GUIDE-2.0.md create mode 100644 examples/base_policy/.header.md create mode 100644 examples/base_policy/.terraform-docs.yaml create mode 100644 examples/base_policy/README.md create mode 100644 examples/base_policy/main.tf create mode 100644 examples/base_policy/outputs.tf create mode 100644 examples/base_policy/providers.tf create mode 100644 examples/base_policy/variables.tf create mode 100644 test/example_base_policy_test.go diff --git a/.header.md b/.header.md index 9eed15b..f27c535 100644 --- a/.header.md +++ b/.header.md 
@@ -8,7 +8,8 @@ The example below builds a Network Manager Global Network and a Cloud WAN Core N ```hcl module "cloudwan" { - source = "aws-ia/cloudwan" + source = "aws-ia/cloudwan/aws" + version = "2.x.x" global_network = { create = true @@ -29,7 +30,8 @@ If you already have a Network Manager Global Network created, you can pass the I ```hcl module "cloudwan" { - source = "aws-ia/cloudwan/aws" + source = "aws-ia/cloudwan/aws" + version = "2.x.x" global_network = { create = false 
@@ -92,62 +94,23 @@ data "aws_networkmanager_core_network_policy_document" "policy" { } ``` -## What if I was using a version 0.x? +## When do I need to create the *base_policy*? -If you are using a version 0.x of this module and want to move to a version 1.x, you will find that we have migrated from using the [AWSCC]() provider to [AWS]() provider for the Global and Core Network resources. If you want to udpate the version without re-creating the resources, you need to proceed as follows: +You will see that one of the attributes of the Core Network is *base_policy_regions*, that it is used in the module to define the *base_policy* and *base_policy_regions* attributes in the `aws_networkmanager_core_network` resource. But... why do we need the *base_policy*? -* First, add in your main.tf (or similar file) a new module definition. In this new definition you need to pass the current Global Network without creating a new one. +First of all, let's start explaining why we use the `aws_networkmanager_core_network_policy_attachment` resource. When adding an inspection layer to AWS Cloud WAN, a static route is needed - from any of the segments pointing to an Inspection VPC. As you need to reference the attachmend ID of the Inspection VPC(s), a circular dependency is created. To avoid this circular dependency, the `aws_networkmanager_core_network_policy_attachment` was created to decouple the creation of the Core Network to the policy document attachment, so when you deploy from scratch your architecture it proceeds as follows: -```hcl -module "cloudwan" { - source = "aws-ia/cloudwan/aws" - version = "0.x" +* Creation of Global Network (if not done already) and Core Network. +* Creation of Core Network attachments. +* Attachment of the policy document - generation of the network. 
- global_network = { - create = true - description = "Global Network - AWS CloudWAN Module" - } - core_network = { - description = "Core Network - AWS CloudWAN Module" - policy_document = data.aws_networkmanager_core_network_policy_document.main.json - } +**Important to note** that to get this behaviour you need to use the `aws_networkmanager_core_network_policy_document` data source. - tags = { - Name = "create-global-network" - } -} +However, there's still one challenge to overcome: you cannot attach resources to the Core Network without an active policy. And it makes sense, as in the policy you indicate the AWS Regions in which you want to create CNEs (Core Network Edges). Without policy, there are no CNEs and it's impossible to attach anything. Here is where *base_policy* is going to help us: a temporal policy document is generated (in the AWS Regions you indicate in *base_policy_regions*) so the attachments can be created before applying the policy document where you reference some of those attachment IDs. -module "new_cloudwan" { - source = "aws-ia/cloudwan/aws" - version = "1.x" +**What happens when adding new attachments to a current Core Network with a live policy?** If any of these attachmens are referenced in the policy document, those are going to be created first and then the policy is going to be updated. The *base_policy* attribute won't do anything, as there's a current live policy - we don't need this temporal policy. - global_network = { - create = false - id = "global-network-XXX" - } - core_network = { - description = "Core Network - AWS CloudWAN Module" - policy_document = data.aws_networkmanager_core_network_policy_document.main.json - } - - tags = { - Name = "create-global-network" - } -} -``` - -* Next, do a Terraform import for the new Global and Core Network resources. 
- -``` -terraform import module.new_cloudwan.aws_networkmanager_global_network.global_network[0] global-network-XXX -terraform import module.new_cloudwan.aws_networkmanager_core_network.core_network core-network-XXX -``` - -* Now you can remove from the Terraform state the old resources - -``` -terraform state rm module.cloudwan.awscc_networkmanager_global_network.global_network[0] -terraform state rm module.new_cloudwan.awscc_networkmanager_core_network.core_network -``` +**What happens when adding new AWS Regions to a current Core Network with a live policy?** The *base_policy* won't help us here, as creating a temporal policy with the new AWS Region will create a network disruption - as we already have a network configuration applied. That's why, when adding new AWS Regions, we need a two-step deployment: -* Finally, you can remove the definition of the old module (the one using version 0.x) from your main.tf file (or similar) \ No newline at end of file +* Step 1: Update and apply the policy document with the new AWS Region(s). +* Step 2: Create the new attachment(s) and update the policy document if any static route is needed. \ No newline at end of file diff --git a/.terraform-docs.yaml b/.terraform-docs.yaml index 1e310cc..3e85c64 100644 --- a/.terraform-docs.yaml +++ b/.terraform-docs.yaml @@ -10,6 +10,7 @@ settings: required: true sensitive: true type: true + lockfile: false sort: enabled: true @@ -17,4 +18,4 @@ sort: output: file: README.md - mode: replace + mode: replace \ No newline at end of file diff --git a/README.md b/README.md index f9335de..a464ad6 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,8 @@ The example below builds a Network Manager Global Network and a Cloud WAN Core N ```hcl module "cloudwan" { - source = "aws-ia/cloudwan" + source = "aws-ia/cloudwan/aws" + version = "2.x.x" global_network = { create = true 
@@ -30,7 +31,8 @@ If you already have a Network Manager Global Network created, you can pass the I ```hcl module "cloudwan" { - source = "aws-ia/cloudwan/aws" + source = "aws-ia/cloudwan/aws" + version = "2.x.x" global_network = { create = false 
@@ -93,78 +95,39 @@ data "aws_networkmanager_core_network_policy_document" "policy" { } ``` -## What if I was using a version 0.x? +## When do I need to create the *base\_policy*? -If you are using a version 0.x of this module and want to move to a version 1.x, you will find that we have migrated from using the [AWSCC]() provider to [AWS]() provider for the Global and Core Network resources. If you want to udpate the version without re-creating the resources, you need to proceed as follows: +You will see that one of the attributes of the Core Network is *base\_policy\_regions*, that it is used in the module to define the *base\_policy* and *base\_policy\_regions* attributes in the `aws_networkmanager_core_network` resource. But... why do we need the *base\_policy*? -* First, add in your main.tf (or similar file) a new module definition. In this new definition you need to pass the current Global Network without creating a new one. +First of all, let's start explaining why we use the `aws_networkmanager_core_network_policy_attachment` resource. When adding an inspection layer to AWS Cloud WAN, a static route is needed - from any of the segments pointing to an Inspection VPC. As you need to reference the attachmend ID of the Inspection VPC(s), a circular dependency is created. To avoid this circular dependency, the `aws_networkmanager_core_network_policy_attachment` was created to decouple the creation of the Core Network to the policy document attachment, so when you deploy from scratch your architecture it proceeds as follows: -```hcl -module "cloudwan" { - source = "aws-ia/cloudwan/aws" - version = "0.x" +* Creation of Global Network (if not done already) and Core Network. +* Creation of Core Network attachments. +* Attachment of the policy document - generation of the network. 
- global_network = { - create = true - description = "Global Network - AWS CloudWAN Module" - } - core_network = { - description = "Core Network - AWS CloudWAN Module" - policy_document = data.aws_networkmanager_core_network_policy_document.main.json - } +**Important to note** that to get this behaviour you need to use the `aws_networkmanager_core_network_policy_document` data source. - tags = { - Name = "create-global-network" - } -} +However, there's still one challenge to overcome: you cannot attach resources to the Core Network without an active policy. And it makes sense, as in the policy you indicate the AWS Regions in which you want to create CNEs (Core Network Edges). Without policy, there are no CNEs and it's impossible to attach anything. Here is where *base\_policy* is going to help us: a temporal policy document is generated (in the AWS Regions you indicate in *base\_policy\_regions*) so the attachments can be created before applying the policy document where you reference some of those attachment IDs. -module "new_cloudwan" { - source = "aws-ia/cloudwan/aws" - version = "1.x" +**What happens when adding new attachments to a current Core Network with a live policy?** If any of these attachmens are referenced in the policy document, those are going to be created first and then the policy is going to be updated. The *base\_policy* attribute won't do anything, as there's a current live policy - we don't need this temporal policy. - global_network = { - create = false - id = "global-network-XXX" - } - core_network = { - description = "Core Network - AWS CloudWAN Module" - policy_document = data.aws_networkmanager_core_network_policy_document.main.json - } - - tags = { - Name = "create-global-network" - } -} -``` - -* Next, do a Terraform import for the new Global and Core Network resources. 
- -``` -terraform import module.new_cloudwan.aws_networkmanager_global_network.global_network[0] global-network-XXX -terraform import module.new_cloudwan.aws_networkmanager_core_network.core_network core-network-XXX -``` - -* Now you can remove from the Terraform state the old resources - -``` -terraform state rm module.cloudwan.awscc_networkmanager_global_network.global_network[0] -terraform state rm module.new_cloudwan.awscc_networkmanager_core_network.core_network -``` +**What happens when adding new AWS Regions to a current Core Network with a live policy?** The *base\_policy* won't help us here, as creating a temporal policy with the new AWS Region will create a network disruption - as we already have a network configuration applied. That's why, when adding new AWS Regions, we need a two-step deployment: -* Finally, you can remove the definition of the old module (the one using version 0.x) from your main.tf file (or similar) +* Step 1: Update and apply the policy document with the new AWS Region(s). +* Step 2: Create the new attachment(s) and update the policy document if any static route is needed. ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3.0 | -| [aws](#requirement\_aws) | >= 4.50.0 | +| [aws](#requirement\_aws) | >= 4.57.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.50.0 | +| [aws](#provider\_aws) | >= 4.57.0 | ## Modules 
@@ -177,15 +140,16 @@ terraform state rm module.new_cloudwan.awscc_networkmanager_core_network.core_ne | Name | Type | |------|------| | [aws_networkmanager_core_network.core_network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkmanager_core_network) | resource | +| [aws_networkmanager_core_network_policy_attachment.policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkmanager_core_network_policy_attachment) | resource | | [aws_networkmanager_global_network.global_network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkmanager_global_network) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [core\_network](#input\_core\_network) | Core Network definition. The following attributes are required:
- `description` = (string) Core Network's description.
- `policy_document` = (any) Core Network's policy in JSON format. It is recommended the use of the [Core Network Document data source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document)
 | 
object({
description = string
policy_document = any
})
| n/a | yes | +| [core\_network](#input\_core\_network) | Core Network definition. The following attributes are required:
- `description` = (string) Core Network's description.
- `policy_document` = (any) Core Network's policy in JSON format. It is recommended the use of the [Core Network Document data source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document)
- `base_policy_regions` = (optional\|list(string)) List of AWS Regions to create the base policy in the Core Network. For more information about the need of the base policy, check the README document.
 | 
object({
description = string
policy_document = any
base_policy_regions = optional(list(string))
})
| n/a | yes | +| [tags](#input\_tags) | Tags to apply to all resources. | `map(string)` | n/a | yes | | [global\_network](#input\_global\_network) | Global Network definition. This variable expects the following attributes:
- `create = (Required|string) Indicating if a Global Network should be created or not. Default to `true`.
- `id` = (Optional|string) ID of a current Global Network created outside the module. Attribute required when `var.create\_global\_network` is **false**.
- `description` = (Optional|string) Description of the new Global Network to create. Attribute required when `var.create\_global\_network` is **true**.
`
 | 
object({
create = bool
id = optional(string)
description = optional(string)
})
|
{
"create": true
}
| no | -| [tags](#input\_tags) | Tags to apply to all resources. | `map(string)` | `{}` | no | ## Outputs diff --git a/UPGRADE-GUIDE-1.0.md b/UPGRADE-GUIDE-1.0.md new file mode 100644 index 0000000..487a92d --- /dev/null +++ b/UPGRADE-GUIDE-1.0.md 
@@ -0,0 +1,59 @@ +# Changes from 0.x to 1.x + +If you are using a version 0.x of this module and want to move to a version 1.x, you will find that we have migrated from using the [AWSCC](https://registry.terraform.io/providers/hashicorp/awscc/latest) provider to [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) provider for the Global and Core Network resources. If you want to udpate the version without re-creating the resources, you need to proceed as follows: + +* First, add in your main.tf (or similar file) a new module definition. In this new definition you need to pass the current Global Network without creating a new one. + +```hcl +module "cloudwan" { + source = "aws-ia/cloudwan/aws" + version = "0.x.x" + + global_network = { + create = true + description = "Global Network - AWS CloudWAN Module" + } + core_network = { + description = "Core Network - AWS CloudWAN Module" + policy_document = data.aws_networkmanager_core_network_policy_document.main.json + } + + tags = { + Name = "create-global-network" + } +} + +module "new_cloudwan" { + source = "aws-ia/cloudwan/aws" + version = "1.x.x" + + global_network = { + create = false + id = "global-network-XXX" + } + core_network = { + description = "Core Network - AWS CloudWAN Module" + policy_document = data.aws_networkmanager_core_network_policy_document.main.json + } + + tags = { + Name = "create-global-network" + } +} +``` + +* Next, do a Terraform import for the new Global and Core Network resources. 
+ +``` +terraform import module.new_cloudwan.aws_networkmanager_global_network.global_network[0] global-network-XXX +terraform import module.new_cloudwan.aws_networkmanager_core_network.core_network core-network-XXX +``` + +* Now you can remove from the Terraform state the old resources + +``` +terraform state rm module.cloudwan.awscc_networkmanager_global_network.global_network[0] +terraform state rm module.new_cloudwan.awscc_networkmanager_core_network.core_network +``` + +* Finally, you can remove the definition of the old module (the one using version 0.x) from your main.tf file (or similar) \ No newline at end of file diff --git a/UPGRADE-GUIDE-2.0.md b/UPGRADE-GUIDE-2.0.md new file mode 100644 index 0000000..8685c20 --- /dev/null +++ b/UPGRADE-GUIDE-2.0.md @@ -0,0 +1,15 @@ +# Changes from 1.x to 2.x + +Changes from version 1 to version 2 of this module are minimal, and **don't entail any downtime**. However, check this guide to understand the new behavior. + +There's a new resource added - `aws_networkmanager_core_network_policy_attachment`- that doesn't create new resources, rather it decouples the creation of the Core Network to the policy document attachment. This is used to avoid circular dependencies when you reference Core Network attachment IDs in the policy document. + +So, if you move from version 1.x.x to 2.x.x and you do a `terraform plan`, you will see 1 new resource to be created. When doing a `terraform apply`, it will generate a new policy version in the Core Network containing the same policy you currently have (unless you apply changes). You won't have any disruption. + +If you want to avoid the creation of this resource and the generation of the new policy version, you can import the resource by doing: + +``` +terraform import module.cloudwan.aws_networkmanager_core_network_policy_attachment.policy_attachment core-network-XXX +``` + +If you do a `terraform plan`, you won't see any changes in the infrastructure. \ No newline at end of file 
diff --git a/examples/base_policy/.header.md b/examples/base_policy/.header.md new file mode 100644 index 0000000..dfabfac --- /dev/null +++ b/examples/base_policy/.header.md @@ -0,0 +1,9 @@ +# AWS Cloud WAN Module - Example with base_policy + +This example creates a Network Manager Global Network and Cloud WAN Core Network from scratch, using the base_policy attribute. + +## Usage + +- Initialize Terraform using `terraform init`. +- Now you can deploy the rest of the infrastructure using `terraform apply`. +- To delete everything, use `terraform destroy`. \ No newline at end of file diff --git a/examples/base_policy/.terraform-docs.yaml b/examples/base_policy/.terraform-docs.yaml new file mode 100644 index 0000000..1e310cc --- /dev/null +++ b/examples/base_policy/.terraform-docs.yaml @@ -0,0 +1,20 @@ +formatter: markdown +header-from: .header.md +settings: + anchor: true + color: true + default: true + escape: true + html: true + indent: 2 + required: true + sensitive: true + type: true + +sort: + enabled: true + by: required + +output: + file: README.md + mode: replace diff --git a/examples/base_policy/README.md b/examples/base_policy/README.md new file mode 100644 index 0000000..2d17959 --- /dev/null +++ b/examples/base_policy/README.md 
@@ -0,0 +1,50 @@ + +# AWS Cloud WAN Module - Example with base\_policy + +This example creates a Network Manager Global Network and Cloud WAN Core Network from scratch, using the base\_policy attribute. + +## Usage + +- Initialize Terraform using `terraform init`. +- Now you can deploy the rest of the infrastructure using `terraform apply`. +- To delete everything, use `terraform destroy`. + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [aws](#requirement\_aws) | >= 4.57.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.57.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [cloud\_wan](#module\_cloud\_wan) | aws-ia/cloudwan/aws | 2.0.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_networkmanager_core_network_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | AWS Region. | `string` | `"eu-west-1"` | no | +| [identifier](#input\_identifier) | Example identifier. | `string` | `"base-policy"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [core\_network\_id](#output\_core\_network\_id) | Core Network ID. | +| [global\_network\_id](#output\_global\_network\_id) | Global Network ID. | + \ No newline at end of file diff --git a/examples/base_policy/main.tf b/examples/base_policy/main.tf new file mode 100644 index 0000000..da83b40 --- /dev/null +++ b/examples/base_policy/main.tf 
@@ -0,0 +1,39 @@ +# --- examples/basic/main.tf --- + +# Calling the CloudWAN Module - we are creating both the Global Network and the Core Network +module "cloud_wan" { + source = "../.." + #source = "aws-ia/cloudwan/aws" + #version = "2.0.0" + + global_network = { + create = true + description = "Global Network - ${var.identifier}" + } + + core_network = { + description = "Core Network - ${var.identifier}" + policy_document = data.aws_networkmanager_core_network_policy_document.policy.json + base_policy_regions = [var.aws_region] + } + + tags = { + Name = var.identifier + } +} + +data "aws_networkmanager_core_network_policy_document" "policy" { + core_network_configuration { + vpn_ecmp_support = false + asn_ranges = ["64515-64520"] + edge_locations { + location = var.aws_region + } + } + + segments { + name = "shared" + description = "SegmentForSharedServices" + require_attachment_acceptance = true + } +} diff --git a/examples/base_policy/outputs.tf b/examples/base_policy/outputs.tf new file mode 100644 index 0000000..4525c3c --- /dev/null +++ b/examples/base_policy/outputs.tf @@ -0,0 +1,13 @@ +# --- examples/basic/outputs.tf --- + +# Global Network ID +output "global_network_id" { + value = module.cloud_wan.global_network.id + description = "Global Network ID." +} + +# Core Network ID +output "core_network_id" { + value = module.cloud_wan.core_network.id + description = "Core Network ID." +} \ No newline at end of file diff --git a/examples/base_policy/providers.tf b/examples/base_policy/providers.tf new file mode 100644 index 0000000..029231e --- /dev/null +++ b/examples/base_policy/providers.tf @@ -0,0 +1,15 @@ +# --- examples/basic/providers.tf --- + +terraform { + required_version = ">= 1.3.0" + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.57.0" + } + } +} + +provider "aws" { + region = var.aws_region +} diff --git a/examples/base_policy/variables.tf b/examples/base_policy/variables.tf new file mode 100644 index 0000000..3131396 
--- /dev/null +++ b/examples/base_policy/variables.tf @@ -0,0 +1,15 @@ +# --- examples/basic/variables.tf --- + +variable "identifier" { + type = string + description = "Example identifier." + + default = "base-policy" +} + +variable "aws_region" { + type = string + description = "AWS Region." + + default = "eu-west-1" +} \ No newline at end of file diff --git a/examples/basic/.header.md b/examples/basic/.header.md index 04619c2..27e263f 100644 --- a/examples/basic/.header.md +++ b/examples/basic/.header.md @@ -1,6 +1,6 @@ # AWS Cloud WAN Module - Example without a Network Manager Global Network created -This example creates a Network Manager Global Network and Cloud WAN Core Network from scratch, using the Terraform AWS Cloud Control Provider. +This example creates a Network Manager Global Network and Cloud WAN Core Network from scratch. ## Usage diff --git a/examples/basic/README.md b/examples/basic/README.md index ec21ff2..8bf63c9 100644 --- a/examples/basic/README.md +++ b/examples/basic/README.md @@ -1,7 +1,7 @@ # AWS Cloud WAN Module - Example without a Network Manager Global Network created -This example creates a Network Manager Global Network and Cloud WAN Core Network from scratch, using the Terraform AWS Cloud Control Provider. +This example creates a Network Manager Global Network and Cloud WAN Core Network from scratch. ## Usage 
@@ -14,26 +14,24 @@ This example creates a Network Manager Global Network and Cloud WAN Core Network | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3.0 | -| [aws](#requirement\_aws) | >= 4.9.0 | -| [awscc](#requirement\_awscc) | >= 0.36.0 | +| [aws](#requirement\_aws) | >= 4.57.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.36.1 | +| [aws](#provider\_aws) | 4.57.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [cloudwan](#module\_cloudwan) | aws-ia/cloudwan/aws | 0.0.7 | +| [cloud\_wan](#module\_cloud\_wan) | aws-ia/cloudwan/aws | 2.0.0 | ## Resources | Name | Type | |------|------| -| [aws_networkmanager_core_network_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document) | data source | | [aws_networkmanager_core_network_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document) | data source | ## Inputs diff --git a/examples/basic/main.tf b/examples/basic/main.tf index d1882a6..eedb8ba 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -3,7 +3,7 @@ # Calling the CloudWAN Module - we are creating both the Global Network and the Core Network module "cloud_wan" { source = "aws-ia/cloudwan/aws" - version = "1.0.0" + version = "2.0.0" global_network = { create = true diff --git a/examples/basic/providers.tf b/examples/basic/providers.tf index b8f2d51..6c79a0c 100644 --- a/examples/basic/providers.tf +++ b/examples/basic/providers.tf @@ -5,7 +5,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.50.0" + version = ">= 4.57.0" } } } diff --git a/examples/reference_global_network/.header.md b/examples/reference_global_network/.header.md index 227b3ff..fd53f2c 100644 --- a/examples/reference_global_network/.header.md 
+++ b/examples/reference_global_network/.header.md @@ -1,10 +1,9 @@ # AWS Cloud WAN Module - Example with a Network Manager Global Network created -This example creates a Cloud WAN Core Network from scratch, using the Terraform AWS Cloud Control Provider. It supposes that a Network Manager Global Network is already created (using the Terraform AWS Provider), so it takes the ID as parameter. +This example creates a Cloud WAN Core Network from scratch. It supposes that a Network Manager Global Network is already created, so it takes the ID as parameter. ## Usage - Initialize Terraform using `terraform init`. -- As the Global Network should be created beforehand, first you need to deploy that resource first: `terraform apply -target=aws_networkmanager_global_network.global_network` - Now you can deploy the rest of the infrastructure using `terraform apply`. - To delete everything, use `terraform destroy`. \ No newline at end of file diff --git a/examples/reference_global_network/README.md b/examples/reference_global_network/README.md index d4abb96..7a3fb39 100644 --- a/examples/reference_global_network/README.md +++ b/examples/reference_global_network/README.md 
@@ -1,12 +1,11 @@ # AWS Cloud WAN Module - Example with a Network Manager Global Network created -This example creates a Cloud WAN Core Network from scratch, using the Terraform AWS Cloud Control Provider. It supposes that a Network Manager Global Network is already created (using the Terraform AWS Provider), so it takes the ID as parameter. +This example creates a Cloud WAN Core Network from scratch. It supposes that a Network Manager Global Network is already created, so it takes the ID as parameter. ## Usage - Initialize Terraform using `terraform init`. -- As the Global Network should be created beforehand, first you need to deploy that resource first: `terraform apply -target=aws_networkmanager_global_network.global_network` - Now you can deploy the rest of the infrastructure using `terraform apply`. - To delete everything, use `terraform destroy`. 
@@ -15,27 +14,25 @@ This example creates a Cloud WAN Core Network from scratch, using the Terraform | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3.0 | -| [aws](#requirement\_aws) | >= 4.9.0 | -| [awscc](#requirement\_awscc) | >= 0.36.0 | +| [aws](#requirement\_aws) | >= 4.57.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.36.1 | -| [awscc](#provider\_awscc) | 0.33.0 | +| [aws](#provider\_aws) | >= 4.57.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [cloudwan](#module\_cloudwan) | aws-ia/cloudwan/aws | 0.0.7 | +| [cloudwan](#module\_cloudwan) | aws-ia/cloudwan/aws | 2.0.0 | ## Resources | Name | Type | |------|------| -| [awscc_networkmanager_global_network.global_network](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/networkmanager_global_network) | resource | +| [aws_networkmanager_global_network.global_network](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkmanager_global_network) | resource | | [aws_networkmanager_core_network_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document) | data source | ## Inputs diff --git a/examples/reference_global_network/main.tf b/examples/reference_global_network/main.tf index 6c5c40e..3ce0924 100644 --- a/examples/reference_global_network/main.tf +++ b/examples/reference_global_network/main.tf @@ -12,7 +12,7 @@ resource "aws_networkmanager_global_network" "global_network" { # AWS Cloud WAN module - creating Core Network module "cloudwan" { source = "aws-ia/cloudwan/aws" - version = "1.0.0" + version = "2.0.0" global_network = { create = false diff --git a/examples/reference_global_network/providers.tf b/examples/reference_global_network/providers.tf index 1452e58..7da022f 100644 --- a/examples/reference_global_network/providers.tf 
+++ b/examples/reference_global_network/providers.tf @@ -5,7 +5,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.50.0" + version = ">= 4.57.0" } } } diff --git a/main.tf b/main.tf index b6cb36c..605636a 100644 --- a/main.tf +++ b/main.tf @@ -9,18 +9,29 @@ resource "aws_networkmanager_global_network" "global_network" { tags = module.tags.tags_aws } +# Local variable to determine if the base_policy has to be created +locals { + create_base_policy = var.core_network.base_policy_regions == null ? false : true +} + # CORE NETWORK resource "aws_networkmanager_core_network" "core_network" { - description = var.core_network.description + description = var.core_network.description global_network_id = var.global_network.create ? aws_networkmanager_global_network.global_network[0].id : var.global_network.id - policy_document = jsonencode(jsondecode(var.core_network.policy_document)) + + create_base_policy = local.create_base_policy + base_policy_regions = var.core_network.base_policy_regions tags = module.tags.tags_aws } -# Sanitizes tags for both aws / awscc providers -# aws tags = module.tags.tags_aws -# awscc tags = module.tags.tags +# CORE NETWORK POLICY ATTACHMENT +resource "aws_networkmanager_core_network_policy_attachment" "policy_attachment" { + core_network_id = aws_networkmanager_core_network.core_network.id + policy_document = var.core_network.policy_document +} + +# Sanitizes tags module "tags" { source = "aws-ia/label/aws" version = "0.0.5" diff --git a/providers.tf b/providers.tf index 5edbb24..735bd02 100644 --- a/providers.tf +++ b/providers.tf @@ -5,7 +5,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.50.0" + version = ">= 4.57.0" } } } \ No newline at end of file diff --git a/test/example_base_policy_test.go b/test/example_base_policy_test.go new file mode 100644 index 0000000..1326cd6 --- /dev/null +++ b/test/example_base_policy_test.go 
@@ -0,0 +1,17 @@ +package test + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" +) + +func TestExamplesBasePolicy(t *testing.T) { + + terraformOptions := &terraform.Options{ + TerraformDir: "../examples/base_policy", + } + + defer terraform.Destroy(t, terraformOptions) + terraform.InitAndApply(t, terraformOptions) +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 1277a70..60de70c 100644 --- a/variables.tf +++ b/variables.tf @@ -38,11 +38,13 @@ variable "core_network" { Core Network definition. The following attributes are required: - `description` = (string) Core Network's description. - `policy_document` = (any) Core Network's policy in JSON format. It is recommended the use of the [Core Network Document data source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/networkmanager_core_network_policy_document) + - `base_policy_regions` = (optional|list(string)) List of AWS Regions to create the base policy in the Core Network. For more information about the need of the base policy, check the README document. ``` EOF type = object({ - description = string - policy_document = any + description = string + policy_document = any + base_policy_regions = optional(list(string)) }) } @@ -50,5 +52,4 @@ EOF variable "tags" { description = "Tags to apply to all resources." type = map(string) - default = {} } From 7bb2e4484a609a515f084ffd08723ebddb509c99 Mon Sep 17 00:00:00 2001 From: Pablo Sanchez Carmona Date: Sat, 4 Mar 2023 16:35:13 +0100 Subject: [PATCH 2/3] minor example change --- examples/base_policy/main.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/examples/base_policy/main.tf b/examples/base_policy/main.tf index da83b40..91ff83d 100644 --- a/examples/base_policy/main.tf +++ b/examples/base_policy/main.tf 
@@ -2,9 +2,8 @@ # Calling the CloudWAN Module - we are creating both the Global Network and the Core Network module "cloud_wan" { - source = "../.." - #source = "aws-ia/cloudwan/aws" - #version = "2.0.0" + source = "aws-ia/cloudwan/aws" + version = "2.0.0" global_network = { create = true From f369ed36cc90aa2dc25151db2235b03884b1d443 Mon Sep 17 00:00:00 2001 From: Pablo Sanchez Carmona Date: Sat, 4 Mar 2023 16:36:02 +0100 Subject: [PATCH 3/3] README update --- .header.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.header.md b/.header.md index f27c535..bcc3586 100644 --- a/.header.md +++ b/.header.md @@ -94,7 +94,7 @@ data "aws_networkmanager_core_network_policy_document" "policy" { } ``` -## When do I need to create the *base_policy*? +## When do I need to create the *base_policy*? You will see that one of the attributes of the Core Network is *base_policy_regions*, that it is used in the module to define the *base_policy* and *base_policy_regions* attributes in the `aws_networkmanager_core_network` resource. But... why do we need the *base_policy*? diff --git a/README.md b/README.md index a464ad6..7a9f9d4 100644 --- a/README.md +++ b/README.md @@ -95,7 +95,7 @@ data "aws_networkmanager_core_network_policy_document" "policy" { } ``` -## When do I need to create the *base\_policy*? +## When do I need to create the *base\_policy*? You will see that one of the attributes of the Core Network is *base\_policy\_regions*, that it is used in the module to define the *base\_policy* and *base\_policy\_regions* attributes in the `aws_networkmanager_core_network` resource. But... why do we need the *base\_policy*?
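Review bot: in the main.tf hunk, `policy_document = var.core_network.policy_document` on the new `aws_networkmanager_core_network_policy_attachment` drops the `jsonencode(jsondecode(...))` round-trip that the removed line on `aws_networkmanager_core_network` applied; that round-trip canonicalised the caller's JSON so whitespace or key-order differences did not surface as a perpetual plan diff, so either keep it on the attachment or state in the commit message why it is no longer needed. Also, `create_base_policy = var.core_network.base_policy_regions == null ? false : true` is just `var.core_network.base_policy_regions != null`, and because an empty list is not null, passing `[]` yields `create_base_policy = true` with no regions; consider `length(coalesce(var.core_network.base_policy_regions, [])) > 0` here, or a `validation` block on the variable that requires at least one region.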
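Review bot: the providers.tf and examples/reference_global_network/providers.tf hunks raise the minimum `aws` provider from `>= 4.50.0` to `>= 4.57.0` without saying why; if the bump is what `aws_networkmanager_core_network_policy_attachment` or the `create_base_policy`/`base_policy_regions` arguments require, record that in the commit message so the constraint is not loosened later by someone tidying up the version pins.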
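Review bot: `TestExamplesBasePolicy` in the new test/example_base_policy_test.go only checks that `terraform.InitAndApply` does not fail; it never reads an output, so a deployment where the base policy was silently not created would still pass. Read at least the core network identifier from the example's outputs with `terraform.Output(t, terraformOptions, "<output name>")` and assert it is non-empty, and add `t.Parallel()` if the other example tests run in parallel. The file is also missing its trailing newline (`\ No newline at end of file`).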
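Review bot: the second hunk in variables.tf removes `default = {}` from `variable "tags"`, which turns `tags` into a required input; every existing caller that did not set `tags` will now fail at plan time. If that is intended as one of the 2.0 breaking changes it should be called out in the commit message and upgrade notes; otherwise restore the default. In the first hunk, the description still opens with "The following attributes are required:" while `base_policy_regions` is documented and typed as `optional(list(string))`; split the list into required and optional attributes, and "the need of the base policy" should read "the need for the base policy".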
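Review bot: in the examples/base_policy/main.tf hunk, switching `source` from `../..` to the registry module `aws-ia/cloudwan/aws` at `version = "2.0.0"` means `TestExamplesBasePolicy`, which applies `../examples/base_policy`, now exercises whatever is published as 2.0.0 rather than the code in this branch, so CI no longer validates the `base_policy_regions` change itself. Keep the local `../..` source for the example the test targets (or point the test at a local-source variant) and move to the registry source only once the release is tagged.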
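Review bot: in both the .header.md and README.md hunks of the third patch, the removed and added `## When do I need to create the *base_policy*?` lines render identically, so the diff shows no visible change (most likely trailing whitespace or a non-ASCII character); the commit message "README update" should say what was actually fixed so a future reader of `git log` does not have to diff bytes. While this paragraph is being touched, "that it is used in the module" in the following context line reads better as "which is used in the module".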