From 060e1dde6475f0df8b2b47f4d04bcb03eba19a62 Mon Sep 17 00:00:00 2001 From: Gary Mclean Date: Wed, 12 Feb 2025 17:39:08 +0000 Subject: [PATCH 1/2] Updated to allow Name tag creation of the BPA Resource --- examples/block-public-access/README.md | 3 +++ examples/block-public-access/main.tf | 2 ++ main.tf | 4 +++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/examples/block-public-access/README.md b/examples/block-public-access/README.md index 21c6bd116..e73cd9dc9 100644 --- a/examples/block-public-access/README.md +++ b/examples/block-public-access/README.md @@ -45,12 +45,14 @@ or at the subnet level e.g.: vpc_block_public_access_exclusions = { exclude_subnet_private1 = { exclude_subnet = true + exclude_name = "private-subnet-1" subnet_type = "private" subnet_index = 1 internet_gateway_exclusion_mode = "allow-egress" } exclude_subnet_private2 = { exclude_subnet = true + exclude_name = "private-subnet-2" subnet_type = "private" subnet_index = 2 internet_gateway_exclusion_mode = "allow-egress" @@ -62,6 +64,7 @@ One of `exclude_vpc` or `exclude_subnet` must be set to true. Value of `subnet_type` can be `public`, `private`, `database`, `redshift`, `elasticache`, `intra` or `custom`. Value of `subnet_index` is the index of the subnet in the corresponding subnet list. Value of `internet_gateway_exclusion_mode` can be `allow-egress` and `allow-bidirectional`. +Value of `exclude_name` is string value of the Name tag for the resource. If omitted, the default name of VPC Name-bpa-exclusion is applied. After deployment, VPC block public access options can be verified with the following command: diff --git a/examples/block-public-access/main.tf b/examples/block-public-access/main.tf index 6957610ee..374d683ba 100644 --- a/examples/block-public-access/main.tf +++ b/examples/block-public-access/main.tf 
@@ -48,12 +48,14 @@ module "vpc" { # vpc_block_public_access_exclusions = { # exclude_subnet_private1 = { # exclude_subnet = true + # exclude_name = "private-subnet-1" # subnet_type = "private" # subnet_index = 1 # internet_gateway_exclusion_mode = "allow-egress" # } # exclude_subnet_private2 = { # exclude_subnet = true + # exclude_name = "private-subnet-2" # subnet_type = "private" # subnet_index = 2 # internet_gateway_exclusion_mode = "allow-egress" diff --git a/main.tf b/main.tf index 82faa7eee..79598e70c 100644 --- a/main.tf +++ b/main.tf @@ -86,7 +86,9 @@ resource "aws_vpc_block_public_access_exclusion" "this" { internet_gateway_exclusion_mode = each.value.internet_gateway_exclusion_mode - tags = var.tags + tags = merge( + { "Name" = try(coalesce(each.value.exclude_name), "${var.name}-bpa-exclusion") }, + var.tags, ) } ################################################################################ From a0fe977523ae7ff9718388177da3e2815fa48113 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 21 Apr 2025 18:46:53 -0500 Subject: [PATCH 2/2] fix: Use generic `tags` to set `Name` or other tag values --- .pre-commit-config.yaml | 2 +- examples/block-public-access/README.md | 11 ++++------- examples/block-public-access/main.tf | 20 -------------------- main.tf | 9 +++++---- 4 files changed, 10 insertions(+), 32 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b348aea04..837f45982 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.2 + rev: v1.99.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/examples/block-public-access/README.md b/examples/block-public-access/README.md index e73cd9dc9..ccfa6137f 100644 --- a/examples/block-public-access/README.md +++ b/examples/block-public-access/README.md 
@@ -30,8 +30,8 @@ Currently only `internet_gateway_block_mode` is supported, for which valid value VPC block public access exclusions can be applied at the VPC level e.g.: -``` -vpc_block_public_access_exclusions = { +```hcl + vpc_block_public_access_exclusions = { exclude_vpc = { exclude_vpc = true internet_gateway_exclusion_mode = "allow-bidirectional" @@ -41,18 +41,16 @@ vpc_block_public_access_exclusions = { or at the subnet level e.g.: -``` -vpc_block_public_access_exclusions = { +```hcl + vpc_block_public_access_exclusions = { exclude_subnet_private1 = { exclude_subnet = true - exclude_name = "private-subnet-1" subnet_type = "private" subnet_index = 1 internet_gateway_exclusion_mode = "allow-egress" } exclude_subnet_private2 = { exclude_subnet = true - exclude_name = "private-subnet-2" subnet_type = "private" subnet_index = 2 internet_gateway_exclusion_mode = "allow-egress" @@ -64,7 +62,6 @@ One of `exclude_vpc` or `exclude_subnet` must be set to true. Value of `subnet_type` can be `public`, `private`, `database`, `redshift`, `elasticache`, `intra` or `custom`. Value of `subnet_index` is the index of the subnet in the corresponding subnet list. Value of `internet_gateway_exclusion_mode` can be `allow-egress` and `allow-bidirectional`. -Value of `exclude_name` is string value of the Name tag for the resource. If omitted, the default name of VPC Name-bpa-exclusion is applied. After deployment, VPC block public access options can be verified with the following command: diff --git a/examples/block-public-access/main.tf b/examples/block-public-access/main.tf index 374d683ba..a76efdff1 100644 --- a/examples/block-public-access/main.tf +++ b/examples/block-public-access/main.tf 
@@ -31,12 +31,10 @@ module "vpc" { azs = local.azs private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] - ### VPC Block Public Access Options vpc_block_public_access_options = { internet_gateway_block_mode = "block-bidirectional" } - ### VPC Block Public Access Exclusion at the VPC level vpc_block_public_access_exclusions = { exclude_vpc = { exclude_vpc = true @@ -44,23 +42,5 @@ module "vpc" { } } - ### VPC Block Public Access Exclusion at the subnet level - # vpc_block_public_access_exclusions = { - # exclude_subnet_private1 = { - # exclude_subnet = true - # exclude_name = "private-subnet-1" - # subnet_type = "private" - # subnet_index = 1 - # internet_gateway_exclusion_mode = "allow-egress" - # } - # exclude_subnet_private2 = { - # exclude_subnet = true - # exclude_name = "private-subnet-2" - # subnet_type = "private" - # subnet_index = 2 - # internet_gateway_exclusion_mode = "allow-egress" - # } - # } - tags = local.tags } diff --git a/main.tf b/main.tf index 79598e70c..618aa2c10 100644 --- a/main.tf +++ b/main.tf @@ -68,9 +68,9 @@ resource "aws_vpc_block_public_access_options" "this" { resource "aws_vpc_block_public_access_exclusion" "this" { for_each = { for k, v in var.vpc_block_public_access_exclusions : k => v if local.create_vpc } - vpc_id = lookup(each.value, "exclude_vpc", false) ? local.vpc_id : null + vpc_id = try(each.value.exclude_vpc, false) ? local.vpc_id : null - subnet_id = lookup(each.value, "exclude_subnet", false) ? lookup( + subnet_id = try(each.value.exclude_subnet, false) ? lookup( { private = aws_subnet.private[*].id, public = aws_subnet.public[*].id, 
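Review bot: The new `try(each.value.exclude_vpc, false)` and `try(each.value.exclude_subnet, false)` expressions still accept an entry that sets both flags, or neither, so the resource would be planned with both `vpc_id` and `subnet_id` populated (or both null), even though the README context in this same patch states that one of `exclude_vpc` or `exclude_subnet` must be set to true; nothing in the change enforces that. A lifecycle precondition would surface this at plan time instead of as a provider error at apply. The `aws_vpc_block_public_access_exclusion` block starts before this hunk and its body continues past it, so the precondition would sit after the `tags` argument outside the hunk; if the variable is declared with a typed object that already constrains this (variables.tf is not in the patch), the check is redundant.
```hcl
resource "aws_vpc_block_public_access_exclusion" "this" {
  # … unchanged: for_each, vpc_id, subnet_id, internet_gateway_exclusion_mode, tags …

  lifecycle {
    precondition {
      condition     = try(each.value.exclude_vpc, false) != try(each.value.exclude_subnet, false)
      error_message = "Exactly one of exclude_vpc or exclude_subnet must be true for each vpc_block_public_access_exclusions entry."
    }
  }
```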
@@ -87,8 +87,9 @@ resource "aws_vpc_block_public_access_exclusion" "this" { internet_gateway_exclusion_mode = each.value.internet_gateway_exclusion_mode tags = merge( - { "Name" = try(coalesce(each.value.exclude_name), "${var.name}-bpa-exclusion") }, - var.tags, ) + var.tags, + try(each.value.tags, {}), + ) } ################################################################################
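Review bot: The per-entry `tags` key read by `try(each.value.tags, {})` is not documented anywhere in this patch: the README hunk removes the `exclude_name` sentence but adds nothing describing how to set `Name` on an exclusion now, so the usage named in the commit title is only discoverable by reading main.tf. Suggest adding a line to the README's value list along the lines of `Value of tags is an optional map of tags applied to the exclusion resource and merged over the module tags; use it to set Name, e.g. tags = { Name = "private-subnet-1" }`. With this merge order a per-entry tag overrides a same-named module tag, which looks intended but is worth stating in that line. If `var.vpc_block_public_access_exclusions` is declared with a typed object (variables.tf is not in the patch), `tags` would presumably also need to be added there as an optional attribute. The resource block starts before this hunk.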