Makes BGP Operational Through Interconnects

Updates modules to solve issues with BGP connections:

* Adds additional useful/necessary grains to cloud init of interconnects
* Adds VPN to commercial TGW
* Enables iBGP between interconnects

base/interconnects/cloud-init.tf

@@ -9,6 +9,10 @@ data "template_file" "cloud-init" {
     fqdn = "interconnect-${count.index}.${var.dns_private["name"]}"
     saltmaster = "salt-master.${ var.dns_public["name"] }"
     environment = var.environment
+    aws_partition = var.aws_partition
+    aws_partition_alias = var.aws_partition_alias
+    interconnect_id = count.index
+    vpc_cidr = var.security_vpc_cidr
   }
 }
 

base/interconnects/cloud-init/cloud-init.tpl

@@ -28,8 +28,12 @@ growpart:
 runcmd:
  - 'echo ${fqdn} > /etc/salt/minion_id'
  - 'echo master: ${saltmaster} > /etc/salt/minion'
- - 'echo grains: > /etc/salt/minion.d/environment.conf'
- - 'echo "  environment: " ${ environment } >> /etc/salt/minion.d/environment.conf'
+ - 'echo grains: > /etc/salt/minion.d/cloud_init_grains.conf'
+ - 'echo "  environment:         " ${ environment }         >> /etc/salt/minion.d/cloud_init_grains.conf'
+ - 'echo "  aws_partition:       " ${ aws_partition }       >> /etc/salt/minion.d/cloud_init_grains.conf'
+ - 'echo "  aws_partition_alias: " ${ aws_partition_alias } >> /etc/salt/minion.d/cloud_init_grains.conf'
+ - 'echo "  interconnect_id:     " ${ interconnect_id }     >> /etc/salt/minion.d/cloud_init_grains.conf'
+ - 'echo "  vpc_cidr:            " ${ vpc_cidr }            >> /etc/salt/minion.d/cloud_init_grains.conf'
  - /bin/systemctl restart salt-minion 
  - /bin/systemctl enable salt-minion
  - /bin/systemctl start amazon-ssm-agent

base/interconnects/security-groups.tf

@@ -15,6 +15,15 @@ resource "aws_security_group_rule" "trusted_ssh" {
   security_group_id = aws_security_group.interconnects_sg.id
 }
 
+resource "aws_security_group_rule" "bgp_ingress" {
+  type              = "ingress"
+  from_port         = 179
+  to_port           = 179
+  protocol          = "tcp"
+  cidr_blocks       = [ var.security_vpc_cidr ]
+  security_group_id = aws_security_group.interconnects_sg.id
+}
+
 resource "aws_security_group_rule" "ipsec_l2tp_ingress" {
   type              = "ingress"
   from_port         = 1701

base/interconnects/vars.tf

@@ -14,7 +14,9 @@ variable "environment" { type        = string }
 variable "trusted_ips" { type = list }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
+variable "aws_partition_alias" { type = string }
 variable "aws_account_id" { type = string }
 variable "default_ami" { type = string }
 variable "dns_public" { type = map }
 variable "dns_private" { type = map }
+variable "security_vpc_cidr" { type = string }

base/transit_gateway_interconnect_vpn/outputs.tf

@@ -5,6 +5,8 @@ output vpn_info {
       for index, connection in aws_vpn_connection.vpn:
       {
         "cgw_public_ip" = var.interconnect_public_ips[index]
+        "cgw_private_ip" = var.interconnect_private_ips[index]
+        "cgw_neighbor_ips" = [ for ip in var.interconnect_private_ips: ip if ip != var.interconnect_private_ips[index] ]
         "vgw_public_ips" = [
             connection.tunnel1_address, 
             connection.tunnel2_address
@@ -35,6 +37,8 @@ output yaml {
         for index, connection in aws_vpn_connection.vpn:
         {
           "cgw_public_ip" = var.interconnect_public_ips[index]
+          "cgw_private_ip" = var.interconnect_private_ips[index]
+          "cgw_neighbor_ips" = [ for ip in var.interconnect_private_ips: ip if ip != var.interconnect_private_ips[index] ]
           "vgw_public_ips" = [
               connection.tunnel1_address, 
               connection.tunnel2_address

base/transit_gateway_interconnect_vpn/vars.tf

@@ -1,4 +1,5 @@
 variable interconnect_public_ips { type = list }
+variable interconnect_private_ips { type = list }
 variable transit_gateway_id { type = string }
 variable interconnects_count { type = number }
 variable interconnect_asn { type = number }