Improve examples (#19)

* Improve examples

* Fix docs

* Improve CI

* Fix CI

Author: snovikov

.github/workflows/master.yml

@@ -19,10 +19,11 @@ jobs:
 
       - name: "make test"
         run: |
-          make test ARGS="-var aws_account_id_hub=${TF_VAR_aws_account_id_hub} -var aws_account_id_satellite=[${TF_VAR_aws_account_id_satellite}]"
+          make test ARGS="-var role_to_assume_hub=${TF_VAR_role_to_assume} -var aws_account_id_hub=${TF_VAR_aws_account_id_hub} -var role_to_assume_satellite=${TF_VAR_role_to_assume} -var aws_account_id_satellite=[${TF_VAR_aws_account_id_satellite}]"
         env:
           AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          TF_VAR_aws_account_id_hub: ${{ secrets.aws_account_id_hub }}
-          TF_VAR_aws_account_id_satellite: ${{ secrets.aws_account_id_satellite }}
+          TF_VAR_role_to_assume: ${{ secrets.ROLE_TO_ASSUME }}
+          TF_VAR_aws_account_id_hub: ${{ secrets.AWS_ACCOUNT_ID_HUB }}
+          TF_VAR_aws_account_id_satellite: ${{ secrets.AWS_ACCOUNT_ID_SATELLITE }}

.github/workflows/terraform.yml

@@ -40,10 +40,11 @@ jobs:
 
       - name: "make test"
         run: |
-          make test ARGS="-var aws_account_id_hub=${TF_VAR_aws_account_id_hub} -var aws_account_id_satellite=[${TF_VAR_aws_account_id_satellite}]"
+          make test ARGS="-var role_to_assume_hub=${TF_VAR_role_to_assume} -var aws_account_id_hub=${TF_VAR_aws_account_id_hub} -var role_to_assume_satellite=${TF_VAR_role_to_assume} -var aws_account_id_satellite=${TF_VAR_aws_account_id_satellite}"
         env:
           AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          TF_VAR_aws_account_id_hub: ${{ secrets.aws_account_id_hub }}
-          TF_VAR_aws_account_id_satellite: ${{ secrets.aws_account_id_satellite }}
+          TF_VAR_role_to_assume: ${{ secrets.ROLE_TO_ASSUME }}
+          TF_VAR_aws_account_id_hub: ${{ secrets.AWS_ACCOUNT_ID_HUB }}
+          TF_VAR_aws_account_id_satellite: ${{ secrets.AWS_ACCOUNT_ID_SATELLITE }}

Makefile

@@ -104,7 +104,46 @@ test: _pull-tf
 		fi; \
 		echo; \
 		echo "------------------------------------------------------------"; \
-		echo "# Terraform plan"; \
+		echo "# Terraform plan (1/2)"; \
+		echo "------------------------------------------------------------"; \
+		if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
+			plan -target 'module.tgw-satellite.data.aws_route_tables.all' \
+				$(ARGS) \
+				-out=tfplan \
+				; then \
+			echo "OK"; \
+		else \
+			echo "Failed"; \
+			docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ || true; \
+			exit 1; \
+		fi; \
+		echo; \
+		echo "------------------------------------------------------------"; \
+		echo "# Terraform apply (1/2)"; \
+		echo "------------------------------------------------------------"; \
+		if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
+			apply -target 'module.tgw-satellite.data.aws_route_tables.all' \
+				-auto-approve \
+				tfplan \
+				; then \
+			echo "Apply OK"; \
+		else \
+			echo "Apply failed"; \
+			if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
+				destroy \
+					-auto-approve \
+					$(ARGS) \
+					; then \
+				echo "Destroy OK"; \
+				docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" --entrypoint=rm hashicorp/terraform:$(TF_VERSION) -rf .terraform/ terraform.tfstate terraform.tfstate.backup || true; \
+			else \
+				echo "Destroy failed. You should check for dangling resources."; \
+				exit 1; \
+			fi; \
+		fi; \
+		echo; \
+		echo "------------------------------------------------------------"; \
+		echo "# Terraform plan (2/2)"; \
 		echo "------------------------------------------------------------"; \
 		if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
 			plan \
@@ -119,7 +158,7 @@ test: _pull-tf
 		fi; \
 		echo; \
 		echo "------------------------------------------------------------"; \
-		echo "# Terraform apply & destroy"; \
+		echo "# Terraform apply (2/2) & destroy"; \
 		echo "------------------------------------------------------------"; \
 		if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
 			apply \
@@ -154,7 +193,6 @@ test: _pull-tf
 		fi; \
 	)
 
-
 # -------------------------------------------------------------------------------------------------
 # Helper Targets
 # -------------------------------------------------------------------------------------------------

examples/hub-and-satellite/README.md

@@ -12,7 +12,7 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_tgw-hub"></a> [tgw-hub](#module\_tgw-hub) | ../../ | n/a |
-| <a name="module_tgw-satellite"></a> [tgw-satellite](#module\_tgw-satellite) | github.com/Flaconi/terraform-aws-transit-gateway-satellite.git | v2.5.0 |
+| <a name="module_tgw-satellite"></a> [tgw-satellite](#module\_tgw-satellite) | github.com/Flaconi/terraform-aws-transit-gateway-satellite.git | v2.6.0 |
 
 ## Resources
 
@@ -24,7 +24,7 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_attachment_subnet_filters"></a> [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached | <pre>list(object({<br>    name   = string<br>    values = list(string)<br>  }))</pre> | n/a | yes |
 | <a name="input_aws_account_id_hub"></a> [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
-| <a name="input_aws_account_id_satellite"></a> [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
+| <a name="input_aws_account_id_satellite"></a> [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | AWS account ID representing the satellites of the TGW | `string` | n/a | yes |
 | <a name="input_description"></a> [description](#input\_description) | Description of the Transit Gateway | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | n/a | yes |
 | <a name="input_role_to_assume_hub"></a> [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |

examples/hub-and-satellite/locals.tf

@@ -9,13 +9,13 @@ module "tgw-hub" {
   description = var.description
 
   aws_account_id_hub       = var.aws_account_id_hub
-  aws_account_id_satellite = var.aws_account_id_satellite
+  aws_account_id_satellite = [var.aws_account_id_satellite]
 
   allow_external_principals = true
 }
 
 module "tgw-satellite" {
-  source = "github.com/Flaconi/terraform-aws-transit-gateway-satellite.git?ref=v2.5.0"
+  source = "github.com/Flaconi/terraform-aws-transit-gateway-satellite.git?ref=v2.6.0"
 
   providers = {
     aws.satellite = aws.satellite
@@ -25,10 +25,7 @@ module "tgw-satellite" {
   satellite_create = var.satellite_create
 
   aws_account_id_hub       = var.aws_account_id_hub
-  aws_account_id_satellite = local.aws_account_id_satellite
-
-  role_to_assume_hub       = var.role_to_assume_hub
-  role_to_assume_satellite = var.role_to_assume_satellite
+  aws_account_id_satellite = var.aws_account_id_satellite
 
   vpc_name_to_attach        = var.vpc_name_to_attach
   attachment_subnet_filters = var.attachment_subnet_filters
@@ -39,4 +36,6 @@ module "tgw-satellite" {
   transit_gateway_route_table_id = module.tgw-hub.transit_gateway_route_table_id
   transit_gateway_id             = module.tgw-hub.transit_gateway_id
   ram_resource_association_id    = module.tgw-hub.ram_resource_association_id
+
+  depends_on = [module.tgw-hub]
 }

examples/hub-and-satellite/main.tf

@@ -2,7 +2,7 @@ provider "aws" {
   alias  = "satellite"
   region = "eu-central-1"
   assume_role {
-    role_arn     = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
+    role_arn     = "arn:aws:iam::${var.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
     session_name = "tf-tgw-module-satellite"
   }
 }

examples/hub-and-satellite/providers.tf

@@ -3,9 +3,6 @@ description = "test-tgw"
 
 satellite_create = true
 
-role_to_assume_hub       = "ASSUME-ENG-CI"
-role_to_assume_satellite = "ASSUME-ENG-CI"
-
 vpc_name_to_attach = "ci-tgw"
 
 satellite_destination_cidr_blocks = ["208.67.222.222/32", "208.67.220.220/32"]

examples/hub-and-satellite/variables.auto.tfvars

@@ -19,16 +19,16 @@ variable "aws_account_id_hub" {
   type        = string
 }
 
-variable "aws_account_id_satellite" {
-  description = "List of AWS account numbers representing the satellites of the TGW"
-  type        = list(string)
-}
-
 variable "role_to_assume_hub" {
   description = "IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB)"
   type        = string
 }
 
+variable "aws_account_id_satellite" {
+  description = "AWS account ID representing the satellites of the TGW"
+  type        = string
+}
+
 variable "role_to_assume_satellite" {
   description = "IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE)"
   type        = string

examples/hub-and-satellite/variables.tf

@@ -22,10 +22,11 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id_hub"></a> [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
-| <a name="input_aws_account_id_satellite"></a> [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
+| <a name="input_aws_account_id_satellite"></a> [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | AWS account ID representing the satellites of the TGW | `string` | n/a | yes |
 | <a name="input_description"></a> [description](#input\_description) | Description of the Transit Gateway | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | n/a | yes |
 | <a name="input_role_to_assume_hub"></a> [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
+| <a name="input_role_to_assume_satellite"></a> [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 
 ## Outputs