TGW, TGW attachment & Routing extensibility for secure mode

defenseunicorns / delivery-aws-iac

Apache License 2.0

14 stars 5 forks source link

TGW, TGW attachment & Routing extensibility for secure mode #139

Open ntwkninja opened 1 year ago

ntwkninja commented 1 year ago

As a platform engineer / user of secure mode, I would like the ability to place my k8s workloads behind a separate boundary / account.

I would like the following in the VPC module or example.

add VPC private subnet CIDRs to existing TGW peering attachments route table to enable ingress routing
create a TGW attachment & TGW Route Table to attach VPC to existing TGW
add a 0.0.0.0/0 route to a private_subnet that maps to the attached TGW to enable egress routing
add allowed egress routes to VPC TGW Route Table (i.e. 0.0.0.0/0 to remote/peering TGW) to enable egress routing

This feature is needed to place the private eks loadbalancer behind a boundary in a different VPC connected via TGW.

ntwkninja commented 1 year ago

VPC-A, subnet-A and EC2-A are provisioned VPC-B, subnet-B and EC2-B are provisioned TGW-A & TGW-B are provisioned and attached on both sides

I can add a 0.0.0.0/0 route (or a more specific route) to Subnet A or B that maps to a destination of TGW-A / TGW-B I can add a 0.0.0.0/0 route (or a more specific route) to the TGW-A / TGW-B route table that points to the remote TGW

Definition of Done There is an example in this repo that allows EC2-A to talk to EC2-B via a TGW.

done edit: We essentially just want to add logic to our VPC module where we optionally create a TGW and attach another VPC

Question: Can I add routes for subnets with our current VPC module?

RothAndrew commented 1 year ago

I think we should decide which direction we want to go here before starting to execute on it. 3 options were discussed:

Utilize the module from CloudPosse
Utilize the module from terraform-aws-modules
Make our own module

Do we want to vote on it or something? Or just have @ntwkninja make the call?

zack-is-cool commented 1 year ago

^ I vote https://github.com/terraform-aws-modules/terraform-aws-transit-gateway as it looks like the vpc module that we are already using integrates with it nicely.

ntwkninja commented 1 year ago

^ I vote https://github.com/terraform-aws-modules/terraform-aws-transit-gateway as it looks like the vpc module that we are already using integrates with it nicely.

my vote would be to use this as it feels weird to use some cloud posse iac modules and not others; however, I'm not opposed to evaluating previous decisions on this and shaking up a lot of the IaC things