chore: always assume 3 network CIDRr for public and private

Without this we get into problems when we extend/change the network and CIDRs clash
opzkit · Oct 15, 2021 · 55349e1 · 55349e1
1 parent 7688e71
commit 55349e1
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 34 deletions.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -1,9 +1,6 @@
 module "network" {
-  source = "../../"
-  name   = "name"
-  region = "eu-west-1"
-  #  public_subnet_zones  = ["a", "b", "c"]
+  source               = "../../"
+  name                 = "name"
+  region               = "eu-west-1"
   private_subnet_zones = ["a", "b", "c"]
-  public_subnet_cidrs  = ["172.20.32.0/19", "172.20.64.0/19", "172.20.96.0/19"]
-  private_subnet_cidrs = ["173.20.32.0/19", "173.20.64.0/19", "173.20.96.0/19"]
 }
diff --git a/examples/override/main.tf b/examples/override/main.tf
@@ -0,0 +1,7 @@
+module "network" {
+  source               = "../../"
+  name                 = "name"
+  region               = "eu-west-1"
+  public_subnet_cidrs  = { a = "172.20.32.0/19", b = "172.20.64.0/19", c = "172.20.96.0/19" }
+  private_subnet_cidrs = { a = "173.20.32.0/19", b = "173.20.64.0/19", c = "173.20.96.0/19" }
+}
diff --git a/examples/override/provider.tf b/examples/override/provider.tf
@@ -0,0 +1,18 @@
+provider "aws" {
+  skip_requesting_account_id  = true
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  s3_force_path_style         = true
+  region                      = "eu-west-1"
+  access_key                  = "mock_access_key"
+  secret_key                  = "mock_secret_key"
+}
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}
diff --git a/examples/public/main.tf b/examples/public/main.tf
@@ -0,0 +1,6 @@
+module "network" {
+  source              = "../../"
+  name                = "name"
+  region              = "eu-west-1"
+  public_subnet_zones = ["a", "b", "c"]
+}
diff --git a/examples/public/provider.tf b/examples/public/provider.tf
@@ -0,0 +1,18 @@
+provider "aws" {
+  skip_requesting_account_id  = true
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  s3_force_path_style         = true
+  region                      = "eu-west-1"
+  access_key                  = "mock_access_key"
+  secret_key                  = "mock_secret_key"
+}
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}
diff --git a/locals.tf b/locals.tf
@@ -1,17 +1,19 @@
 locals {
   cidrs = cidrsubnets(var.vpc_cidr, 3, 3, 3, 3, 3, 3)
 
-  number_of_private_zones = length(var.private_subnet_zones)
-  create_private_subnets  = local.number_of_private_zones > 0
+  public_zones_to_cidr  = zipmap(["a", "b", "c"], slice(local.cidrs, 0, 3))
+  private_zones_to_cidr = zipmap(["a", "b", "c"], slice(local.cidrs, 3, 6))
 
-  provided_cidrs_from_private_zones = length(var.public_subnet_cidrs) > 0 && length(var.private_subnet_zones) > 0 ? zipmap(var.private_subnet_zones, var.public_subnet_cidrs) : {}
-  provided_cidrs_from_public_zones  = length(var.public_subnet_cidrs) > 0 ? zipmap(var.public_subnet_zones, var.public_subnet_cidrs) : {}
-  provided_cidrs                    = local.create_private_subnets ? local.provided_cidrs_from_private_zones : local.provided_cidrs_from_public_zones
+  // if private zones > public zones
+  // replace with private zones
+  public_zones  = length(var.public_subnet_zones) < length(var.private_subnet_zones) ? var.private_subnet_zones : var.public_subnet_zones
+  private_zones = var.private_subnet_zones
 
-  generated_cidrs_from_private_zones = zipmap(var.private_subnet_zones, slice(local.cidrs, 0, local.number_of_private_zones))
-  generated_cidrs_from_public_zones  = zipmap(var.public_subnet_zones, slice(local.cidrs, 0, length(var.public_subnet_zones)))
-  generated_cidrs                    = local.create_private_subnets ? local.generated_cidrs_from_private_zones : local.generated_cidrs_from_public_zones
+  // if provided zones
+  override = length(var.public_subnet_cidrs) > 0
 
-  public_cidrs  = length(var.public_subnet_cidrs) > 0 ? local.provided_cidrs : local.generated_cidrs
-  private_cidrs = length(var.private_subnet_cidrs) > 0 ? zipmap(var.private_subnet_zones, var.private_subnet_cidrs) : zipmap(var.private_subnet_zones, slice(local.cidrs, length(local.public_cidrs), length(local.public_cidrs) + local.number_of_private_zones))
+  create_private_subnets = length(var.private_subnet_zones) > 0
+
+  public_cidrs  = local.override ? var.public_subnet_cidrs : tomap({ for z in local.public_zones : z => local.public_zones_to_cidr[z] })
+  private_cidrs = local.override ? var.private_subnet_cidrs : tomap({ for z in local.private_zones : z => local.private_zones_to_cidr[z] })
 }
diff --git a/vars.tf b/vars.tf
@@ -22,46 +22,63 @@ variable "public_subnet_zones" {
   type        = list(string)
   default     = ["a", "b", "c"]
   description = "The public subnet group zones. If private_subnet_zones is set the values from that variable will be used instead and these ignored"
-  validation {
-    condition     = length(var.public_subnet_zones) <= 3
-    error_message = "No more than 3 public zones can be provided."
-  }
-  validation {
-    condition     = length(var.public_subnet_zones) > 0
-    error_message = "At least one public zone must be provided."
-  }
+  #  validation {
+  #    condition     = length(var.public_subnet_zones) <= 3
+  #    error_message = "No more than 3 public zones can be provided."
+  #  }
+  #  validation {
+  #    condition     = length(var.public_subnet_zones) > 0
+  #    error_message = "At least one public zone must be provided."
+  #  }
 }
 
 variable "additional_public_subnet_tags" {
-  type        = map(any)
+  type        = map(string)
   default     = {}
   description = "Additional tags for public subnets."
 }
 
 variable "public_subnet_cidrs" {
-  type        = list(string)
-  default     = []
+  type        = map(string)
+  default     = {}
   description = "Override generated CIDRs for public subnets. If specified, this list must match public_subnet_zones."
 }
 
 variable "private_subnet_zones" {
   type        = list(string)
   default     = []
   description = "The private subnet group zones"
-  validation {
-    condition     = length(var.private_subnet_zones) <= 3
-    error_message = "No more than 3 private zones can be provided."
-  }
+  #  validation {
+  #    condition     = length(var.private_subnet_zones) <= 3
+  #    error_message = "No more than 3 private zones can be provided."
+  #  }
 }
 
 variable "additional_private_subnet_tags" {
-  type        = map(any)
+  type        = map(string)
   default     = {}
   description = "Additional tags for private subnets."
 }
 
 variable "private_subnet_cidrs" {
-  type        = list(string)
-  default     = []
+  type        = map(string)
+  default     = {}
   description = "Override generated CIDRs for private subnets. If specified, this list must match private_subnet_zones."
 }
+
+
+resource "null_resource" "private_subnet_zones_check" {
+  count = length(var.private_subnet_zones) > 3 ? "No more than 3 private zones can be provided." : 0
+}
+
+resource "null_resource" "public_subnet_zones_check_0" {
+  count = length(var.private_subnet_zones) > 3 ? "No more than 3 public zones can be provided." : 0
+}
+
+resource "null_resource" "public_subnet_zones_check_1" {
+  count = length(var.public_subnet_zones) < 1 && length(var.public_subnet_cidrs) < 1 ? "At least one public zone (or override) must be provided." : 0
+}
+
+resource "null_resource" "public_peivate_subnet_zones_check" {
+  count = length(var.private_subnet_cidrs) > 0 && (keys(var.private_subnet_cidrs) != keys(var.public_subnet_cidrs)) ? "The same zones must be supplied when overriding CIDRs" : 0
+}