
Creation of 'required_group' Moved to Standard_VPC

Also:
* Fixed issue with ARNs for SNS topic having hard-coded partition.
* Changed misnamed `dns_servers` variable to
  `inbound_resolver_endpoints`
* Added required SG to interconnects.

To be tagged *v0.6.2*
Fred Damstra vor 5 Jahren
Ursprung
Commit
892ce30225

+ 1 - 1
base/account_standards_c2/config_aggregator.tf

@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "config-sns" {
     resources = [ aws_sns_topic.account-alerts.arn ]
     principals {
       type = "AWS"
-      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:aws:iam::${a}:root" ]
+      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
     }
   }
 
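Review bot: `var.aws_partition` is read on the new `identifiers` line but its declaration is not in this hunk, so the module must already declare it or the plan fails; it is also worth deriving the partition from the provider rather than from an input that can drift from the region the provider is configured for, e.g. `data "aws_partition" "current" {}` and `"arn:${data.aws_partition.current.partition}:iam::${a}:root"`. Granting each responsible account's `:root` principal delegates the publish decision to those accounts' own IAM policies, which appears to be the intended design but deserves a comment on the `principals` block so the next reader does not read it as over-broad. The `config-sns` policy document starts outside the hunk.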

+ 0 - 1
base/dns/legacy_dns_entries/vars.tf

@@ -10,7 +10,6 @@ variable legacy_public_dns {
 
 # inherited variables
 variable tags { type = map }
-variable dns_servers { type = list }
 variable dns_info { type = map }
 variable standard_tags { type = map }
 variable aws_account_id { type = string }

+ 2 - 2
base/dns/outbound_dns_resolver/main.tf

@@ -62,7 +62,7 @@ resource "aws_route53_resolver_rule" "private" {
   resolver_endpoint_id = aws_route53_resolver_endpoint.private_resolver.id
 
   dynamic "target_ip" {
-    for_each = var.dns_servers
+    for_each = var.inbound_resolver_endpoints
 
     content {
       ip = target_ip.value
@@ -79,7 +79,7 @@ resource "aws_route53_resolver_rule" "reverse" {
   resolver_endpoint_id = aws_route53_resolver_endpoint.private_resolver.id
 
   dynamic "target_ip" {
-    for_each = var.dns_servers
+    for_each = var.inbound_resolver_endpoints
 
     content {
       ip = target_ip.value

+ 1 - 1
base/dns/outbound_dns_resolver/vars.tf

@@ -15,7 +15,7 @@ variable "additional_vpcs" {
 
 # inherited variables
 variable tags { type = map }
-variable dns_servers { type = list }
+variable inbound_resolver_endpoints { type = list }
 variable dns_info { type = map }
 variable standard_tags { type = map }
 variable aws_account_id { type = string }
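Review bot: `inbound_resolver_endpoints` is declared with the bare `type = list`, which carries no element type, so a malformed entry (a map instead of an address string, say) is only caught when `target_ip.ip` is rendered in `main.tf`; tighten it to `variable "inbound_resolver_endpoints" { type = list(string) description = "IP addresses of the inbound resolver endpoints that the private and reverse rules forward to" }`, split over lines per the file's style. The rename is not applied in `legacy_dns_entries/vars.tf`, where the old `dns_servers` variable is simply dropped, so any caller still passing `dns_servers` to that module will be rejected as an unsupported argument; that is presumably intended but worth a line in the commit message. The neighbouring `type = list` and `type = map` declarations have the same looseness but predate this change.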

+ 8 - 11
base/dns/resolver_instance/main.tf

@@ -2,9 +2,16 @@ locals {
   instance_name = "resolver-${var.aws_partition_alias}"
 }
 
+# Rather than pass in the aws security group, we just look it up. This will
+# probably be useful other places, as well.
+data "aws_security_group" "required" {
+  name   = "required_group"
+  vpc_id = var.vpc_id
+}
+
 resource "aws_network_interface" "instance" {
   subnet_id = var.subnet_id
-  security_groups = [ module.required_security_group.id, aws_security_group.dns_security_group.id ]
+  security_groups = [ data.aws_security_group.required.id, aws_security_group.dns_security_group.id ]
   description = local.instance_name
   tags = merge(var.standard_tags, var.tags, { Name = local.instance_name })
 }
@@ -109,16 +116,6 @@ data "template_cloudinit_config" "cloud-init" {
   #}
 }
 
-module "required_security_group" {
-  source = "../../../submodules/security_group/required_group"
-
-  vpc_id = var.vpc_id
-  cidr_map = var.cidr_map
-  tags = merge(var.standard_tags, var.tags)
-  aws_region = var.aws_region
-  aws_partition = var.aws_partition
-}
-
 resource "aws_security_group" "dns_security_group" {
   name = "dns_security_group"
   description = "DNS Security Group"
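Review bot: The `data "aws_security_group" "required"` lookup at the top of the hunk makes this module depend on a group named `required_group` already existing in `var.vpc_id`, but nothing in the configuration expresses that ordering; if this stack is applied before the one that creates the group, or the name there ever changes, the failure surfaces at refresh time rather than at validation. Record the coupling in the new comment, e.g. `# Looked up by name: the group is created by base/standard_vpc/security-groups.tf, which must be applied first.`, or prefer passing the group id in as an input so the dependency is explicit to Terraform. With the `module "required_security_group"` block removed, `var.cidr_map` may have no remaining reader in this module — worth checking before it is left declared. `data "template_cloudinit_config" "cloud-init"` starts outside the hunk.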

+ 11 - 1
base/interconnects/main.tf

@@ -4,10 +4,20 @@ resource "aws_placement_group" "interconnects" {
   strategy = "spread"
 }
 
+module "required_security_group" {
+  source = "../../submodules/security_group/required_group"
+
+  vpc_id = var.security_vpc
+  cidr_map = var.cidr_map
+  tags = merge(var.standard_tags, var.tags)
+  aws_region = var.aws_region
+  aws_partition = var.aws_partition
+}
+
 resource "aws_network_interface" "interconnects" {
   count = var.interconnects_count
   subnet_id = var.subnet_id_map["untrusted"][count.index % 2]
-  security_groups = [ aws_security_group.interconnects_sg.id ]
+  security_groups = [ module.required_security_group.id, aws_security_group.interconnects_sg.id ]
   source_dest_check = false
   private_ips_count = 0
   description = "XDR Interconnect ${count.index}"
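Review bot: This section instantiates its own `required_security_group` module against `var.security_vpc`, while `base/standard_vpc/security-groups.tf` in the same commit creates one against `module.vpc.vpc_id`; if those resolve to the same VPC, the second group cannot be created because security group names must be unique within a VPC, and even if it could, the two copies would drift apart independently. `resolver_instance/main.tf` in this commit already switched to a name lookup, `data "aws_security_group" "required" { name = "required_group" vpc_id = var.security_vpc }`; using the same lookup here keeps a single source of truth and would make the newly added `cidr_map` input to `interconnects` unnecessary. The `aws_placement_group` resource at the top of the hunk starts outside it.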

+ 1 - 0
base/interconnects/vars.tf

@@ -10,6 +10,7 @@ variable interconnects_count { type = number }
 # Required for DNS module
 variable "dns_info" { type = map }
 
+variable "cidr_map" { type = map }
 variable "instance_termination_protection" { type = bool }
 variable "standard_tags" { type        = map }
 variable "aws_marketplace_ubuntu_owner_id" { type        = string }

+ 10 - 0
base/standard_vpc/security-groups.tf

@@ -87,3 +87,13 @@ module "allow_all_outbound_sg" {
 #  egress_cidr_blocks = [ "0.0.0.0/0" ]
 #  ingress_rules = [ "ssh-tcp", "all-icmp" ]
 #}
+
+module "required_security_group" {
+  source = "../../submodules/security_group/required_group"
+
+  vpc_id = module.vpc.vpc_id
+  cidr_map = var.cidr_map
+  tags = merge(var.standard_tags, var.tags)
+  aws_region = var.aws_region
+  aws_partition = var.aws_partition
+}
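Review bot: The new `module "required_security_group"` block exposes its group only as `module.required_security_group.id` inside `standard_vpc`, and the consumer changed in this commit (`resolver_instance`) locates it by the string name `required_group` instead; add an output such as `output "required_security_group_id" { value = module.required_security_group.id }` so downstream stacks can reference the id directly and Terraform can track the dependency. Whether an outputs file already does this is not visible in the diff. The `cidr_map` argument presumably supplies the CIDR ranges the submodule's ingress rules admit — a one-line comment naming that, e.g. `# cidr_map: source ranges the required_group submodule allows in`, would help since the submodule source is outside this change.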

+ 1 - 0
base/standard_vpc/vars.tf

@@ -16,6 +16,7 @@ variable "tags" {
 
 # Inherited
 variable "dns_info" { type = map }
+variable "cidr_map" { type = map }
 variable "standard_tags" { type = map }
 variable "aws_region" { type = string }
 variable "aws_account_id" { type = string }