Support lattice-service-network module (#4)

* WIP for lattice-service-network

* Support ram shares and logging for lattice-service-network

* Add exmaple for lattice-service-network

.github/labeler.yaml

@@ -8,6 +8,12 @@
 ":floppy_disk: dx-private-virtual-interface":
 - modules/dx-private-virtual-interface/**/*
 
+":floppy_disk: lattice-service-network":
+- modules/lattice-service-network/**/*
+
+":floppy_disk: lattice-service":
+- modules/lattice-service/**/*
+
 ":floppy_disk: reachability-analyzer-path":
 - modules/reachability-analyzer-path/**/*
 

.github/labels.yaml

@@ -49,6 +49,12 @@
 - color: "fbca04"
   description: "This issue or pull request is related to dx-private-virtual-interface module."
   name: ":floppy_disk: dx-private-virtual-interface"
+- color: "fbca04"
+  description: "This issue or pull request is related to lattice-service-network module."
+  name: ":floppy_disk: lattice-service-network"
+- color: "fbca04"
+  description: "This issue or pull request is related to lattice-service module."
+  name: ":floppy_disk: lattice-service"
 - color: "fbca04"
   description: "This issue or pull request is related to reachability-analyzer-path module."
   name: ":floppy_disk: reachability-analyzer-path"

README.md

@@ -9,6 +9,8 @@ Terraform module which creates VPC Connectivity related resources (VPC Peering,
 - [dx-connection](./modules/dx-connection)
 - [dx-gateway](./modules/dx-gateway)
 - [dx-private-virtual-interface](./modules/dx-private-virtual-interface)
+- [lattice-service-network](./modules/lattice-service-network)
+- [lattice-service](./modules/lattice-service)
 - [reachability-analyzer-path](./modules/reachability-analyzer-path)
 - [vpc-endpoint-service](./modules/vpc-endpoint-service)
 - [vpc-gateway-endpoint](./modules/vpc-gateway-endpoint)
@@ -28,6 +30,10 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
     - Endpoint Service
     - Gateway Endpoint
     - Interface Endpoint
+- **AWS VPC Lattice**
+  - Service Network
+  - Service
+  - Target Group
 - **AWS DX (Direct Connect)**
   - Connection
   - Gateway
@@ -41,6 +47,10 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
 
 ## Examples
 
+### VPC Lattice
+
+- [lattice-service-network-simple](./examples/lattice-service-network-simple)
+
 ### Network Manager
 
 - [reachability-analyzer](./examples/reachability-analyzer)

examples/lattice-service-network-simple/main.tf

@@ -0,0 +1,21 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+
+###################################################
+# Service Network of VPC Lattice
+###################################################
+
+module "service_network" {
+  source = "../../modules/lattice-service-network"
+  # source  = "tedilabs/vpc-connectivity/aws//modules/lattice-service-network"
+  # version = "~> 0.2.0"
+
+  name      = "test"
+  auth_type = "NONE"
+
+  tags = {
+    "project" = "terraform-aws-vpc-connectivity-examples"
+  }
+}

examples/lattice-service-network-simple/outputs.tf

@@ -0,0 +1,4 @@
+output "service_network" {
+  description = "The service network of VPC Lattice."
+  value       = module.service_network
+}

examples/lattice-service-network-simple/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}

modules/lattice-service-network/README.md

@@ -0,0 +1,65 @@
+# lattice-service-network
+
+This module creates following resources.
+
+- `aws_vpclattice_service_network`
+- `aws_vpclattice_auth_policy` (optional)
+- `aws_vpclattice_resource_policy` (optional)
+- `aws_vpclattice_service_network_vpc_association` (optional)
+- `aws_vpclattice_service_network_service_association` (optional)
+- `aws_vpclattice_access_log_subscription` (optional)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.58 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.17.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ec2_network_insights_analysis.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_network_insights_analysis) | resource |
+| [aws_ec2_network_insights_path.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_network_insights_path) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_destination_network"></a> [destination\_network](#input\_destination\_network) | (Required) The configuration of destination network for analysis. `destination_network` as defined below.<br>    (Required) `id` - The ID of resource which is the destination of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, Transit Gateway Attachment, VPC Endpoint Service, VPC Endpoint, VPC Peering Connection or VPN Gateway.<br>    (Optional) `ip_address` - The IP address of the destination resource.<br>    (Optional) `port` - The port number of destination to analyze access to. | <pre>object({<br>    id         = string<br>    ip_address = optional(string)<br>    port       = optional(number)<br>  })</pre> | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the reachability analyzer path. | `string` | n/a | yes |
+| <a name="input_source_network"></a> [source\_network](#input\_source\_network) | (Required) The configuration of source network for analysis. `source_network` as defined below.<br>    (Required) `id` - The ID of resource which is the source of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, Transit Gateway Attachment, VPC Endpoint Service, VPC Endpoint, VPC Peering Connection or VPN Gateway.<br>    (Optional) `ip_address` - The IP address of the source resource. | <pre>object({<br>    id         = string<br>    ip_address = optional(string)<br>  })</pre> | n/a | yes |
+| <a name="input_analyses"></a> [analyses](#input\_analyses) | (Optional) The configuration of analyses to run with the reachability analyzer path. Each block of `analyses` as defined below.<br>    (Required) `name` - A name of the analysis with the reachability analyzer path.<br>    (Optional) `required_intermediate_components` - A list of ARNs for resources the path must traverse. Intermediate components include Load Balancers, NAT Gateways, and Network Firewall, Transit Gateways, Transit Gateway Attachments, VPC Peering Connections. You cannot use security groups, network access control lists, network interfaces, or route tables as intermediate components.<br>    (Optional) `wait_for_completion` - Whether to wait for the analysis status to change to `succeeded` or `failed`. Setting this to `false` will skip the process. Defaults to `true`. | <pre>list(object({<br>    name = string<br><br>    required_intermediate_components = optional(list(string), [])<br>    wait_for_completion              = optional(bool, true)<br>  }))</pre> | `[]` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_protocol"></a> [protocol](#input\_protocol) | (Optional) The protocol to use for analysis. Valid values are `TCP` or `UDP`. | `string` | `"TCP"` | no |
+| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_analyses"></a> [analyses](#output\_analyses) | A list of histories of the analysis with the reachability analyzer path. |
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the reachability analyzer path. |
+| <a name="output_destination_network"></a> [destination\_network](#output\_destination\_network) | The configuration of destination network for analysis. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the reachability analyzer path. |
+| <a name="output_name"></a> [name](#output\_name) | The name of the reachability analyzer path. |
+| <a name="output_protocol"></a> [protocol](#output\_protocol) | The protocol to use for analysis. |
+| <a name="output_source_network"></a> [source\_network](#output\_source\_network) | The configuration of source network for analysis. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/lattice-service-network/logging.tf

@@ -0,0 +1,48 @@
+###################################################
+# Access Logs for Service Network
+###################################################
+
+resource "aws_vpclattice_access_log_subscription" "cloudwatch" {
+  count = var.logging_to_cloudwatch.enabled ? 1 : 0
+
+  resource_identifier = aws_vpclattice_service_network.this.id
+  destination_arn     = var.logging_to_cloudwatch.log_group
+
+  tags = merge(
+    {
+      "Name" = "${var.name}/cloudwatch"
+    },
+    local.module_tags,
+    var.tags,
+  )
+}
+
+resource "aws_vpclattice_access_log_subscription" "kinesis_data_firehose" {
+  count = var.logging_to_kinesis_data_firehose.enabled ? 1 : 0
+
+  resource_identifier = aws_vpclattice_service_network.this.id
+  destination_arn     = var.logging_to_kinesis_data_firehose.delivery_stream
+
+  tags = merge(
+    {
+      "Name" = "${var.name}/kinesis-data-firehose"
+    },
+    local.module_tags,
+    var.tags,
+  )
+}
+
+resource "aws_vpclattice_access_log_subscription" "s3" {
+  count = var.logging_to_s3.enabled ? 1 : 0
+
+  resource_identifier = aws_vpclattice_service_network.this.id
+  destination_arn     = var.logging_to_s3.bucket
+
+  tags = merge(
+    {
+      "Name" = "${var.name}/s3"
+    },
+    local.module_tags,
+    var.tags,
+  )
+}

modules/lattice-service-network/main.tf

@@ -0,0 +1,84 @@
+locals {
+  metadata = {
+    package = "terraform-aws-vpc-connectivity"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+  module_tags = var.module_tags_enabled ? {
+    "module.terraform.io/package"   = local.metadata.package
+    "module.terraform.io/version"   = local.metadata.version
+    "module.terraform.io/name"      = local.metadata.module
+    "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+    "module.terraform.io/instance"  = local.metadata.name
+  } : {}
+}
+
+
+###################################################
+# Service Network for VPC Lattice
+###################################################
+
+resource "aws_vpclattice_service_network" "this" {
+  name      = var.name
+  auth_type = var.auth_type
+
+  tags = merge(
+    {
+      "Name" = local.metadata.name
+    },
+    local.module_tags,
+    var.tags,
+  )
+}
+
+
+###################################################
+# VPC Associations of Service Network
+###################################################
+
+resource "aws_vpclattice_service_network_vpc_association" "this" {
+  for_each = {
+    for association in var.vpc_associations :
+    association.vpc => association
+  }
+
+  service_network_identifier = aws_vpclattice_service_network.this.id
+
+  vpc_identifier     = each.key
+  security_group_ids = each.value.security_groups
+
+  tags = merge(
+    {
+      "Name" = "${var.name}/${each.key}"
+    },
+    local.module_tags,
+    var.tags,
+    each.value.tags,
+  )
+}
+
+
+###################################################
+# Service Associations of Service Network
+###################################################
+
+resource "aws_vpclattice_service_network_service_association" "this" {
+  for_each = {
+    for association in var.service_associations :
+    association.name => association
+  }
+
+  service_network_identifier = aws_vpclattice_service_network.this.id
+
+  service_identifier = each.value.service
+
+  tags = merge(
+    {
+      "Name" = "${var.name}/${each.key}"
+    },
+    local.module_tags,
+    var.tags,
+    each.value.tags,
+  )
+}