feat: enabled sharing of the ssm parametes

modules/trusted/README.md

@@ -16,11 +16,13 @@
 | <a name="input_enable_dns_support"></a> [enable\_dns\_support](#input\_enable\_dns\_support) | Whether DNS support is enabled. | `bool` | `true` | no |
 | <a name="input_enable_external_principals"></a> [enable\_external\_principals](#input\_enable\_external\_principals) | Whether to enable external principals in the RAM share. | `bool` | `true` | no |
 | <a name="input_enable_multicast_support"></a> [enable\_multicast\_support](#input\_enable\_multicast\_support) | Whether multicast support is enabled. | `bool` | `false` | no |
+| <a name="input_enable_ssm_sharing"></a> [enable\_ssm\_sharing](#input\_enable\_ssm\_sharing) | Whether to create and share the SSM parameter for the transit gateway ID. | `bool` | `false` | no |
 | <a name="input_enable_vpn_ecmp_support"></a> [enable\_vpn\_ecmp\_support](#input\_enable\_vpn\_ecmp\_support) | Whether VPN Equal Cost Multipath Protocol support is enabled. | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the transit gateway to provision. | `string` | `"tgw"` | no |
 | <a name="input_ram_share_name"></a> [ram\_share\_name](#input\_ram\_share\_name) | The name of the RAM share to create for the transit gateway. | `string` | `"tgw-ram-share"` | no |
 | <a name="input_ram_share_principals"></a> [ram\_share\_principals](#input\_ram\_share\_principals) | The list of organizational units or accounts to share the transit gateway with. | `list(string)` | `[]` | no |
 | <a name="input_services"></a> [services](#input\_services) | A collection of features and services associated with this connectivity domain. | <pre>object({<br/><br/>    egress = optional(object({<br/>      network = object({<br/>        # Defines the configuration for an egress network.<br/>        availability_zones = optional(number, 2)<br/>        # The number of availablity zones to use for the egress network. Defaults to 2.<br/>        ipam_pool_id = optional(string, null)<br/>        # The ID of the IPAM pool to use for the egress network. Defaults to null.<br/>        name = optional(string, "egress")<br/>        # The name of the egress network. Defaults to 'egress'.<br/>        private_netmask = optional(number, 28)<br/>        # The netmask to use for the private network. Defaults to 28.<br/>        public_netmask = optional(number, 28)<br/>        # The netmask to use for the public network. Defaults to 28.<br/>        transit_gateway_routes = optional(map(string), {<br/>          private = "10.0.0.0/8"<br/>          public  = "10.0.0.0/8"<br/>        })<br/>        # The transit gateway route tables entries for the egress network.<br/>        vpc_cidr = optional(string, null)<br/>        # The CIDR block to use for the VPC. Defaults to null, required when not using IPAM<br/>        vpc_netmask = optional(string, null)<br/>        # The netmask to use for the VPC. Defaults to null, required when using IPAM<br/>      })<br/>    }), null)<br/><br/>    dns = optional(object({<br/>      # The list of organizational units or accounts to share the domain rule with.<br/>      resolver_name = optional(string, "dns-resolver")<br/><br/>      # Defines the configuration for the endpoints network.<br/>      network = object({<br/>        # Defines the configuration for the endpoints network.<br/>        availability_zones = optional(number, 2)<br/>        # The number of availablity zones to use for the endpoints network. Defaults to 2.<br/>        ipam_pool_id = optional(string, null)<br/>        # The ID of the IPAM pool to use for the endpoints network. Defaults to null.<br/>        name = optional(string, "central-dns")<br/>        # The name of the endpoints network. Defaults to 'endpoints'.<br/>        private_netmask = optional(number, 24)<br/>        # The netmask to use for the private network. Defaults to 24, ensure space for enough aws services.<br/>        vpc_cidr = optional(string, null)<br/>        # The CIDR block to use for the VPC. Defaults to null, required when not using IPAM<br/>        vpc_netmask = optional(string, null)<br/>        # The netmask to use for the VPC. Defaults to null, required when using IPAM<br/>      }),<br/><br/>      domain_rules = optional(list(object({<br/>        ram_share_name = optional(string, "central-dns")<br/>        # The name of the domain rule - this is mapped to the resource share name<br/>        ram_principals = optional(map(string), {})<br/>        # The name of the resolver to use. Defaults to 'dns-resolver'.<br/>        rules = list(object({<br/>          name = string<br/>          # The name of the rule - the ram share name is domain.name + "-" + rule.name<br/>          # The list of domain rules to apply to the domain.<br/>          domain = string<br/>          # The domain to apply the rule to.<br/>          targets = optional(list(string), [])<br/>          # The list of targets to apply the rule to - defaults to local resolver.<br/>        }))<br/>      })), [])<br/>    }), null)<br/>    ## Centralized DNS, used to house central DNS resolvers and rules<br/><br/>    endpoints = optional(object({<br/>      # Defines the configuration for the endpoints network.<br/>      network = object({<br/>        # Defines the configuration for the endpoints network.<br/>        availability_zones = optional(number, 2)<br/>        # The number of availablity zones to use for the endpoints network. Defaults to 2.<br/>        ipam_pool_id = optional(string, null)<br/>        # The ID of the IPAM pool to use for the endpoints network. Defaults to null.<br/>        name = optional(string, "endpoints")<br/>        # The name of the endpoints network. Defaults to 'endpoints'.<br/>        private_netmask = optional(number, 24)<br/>        # The netmask to use for the private network. Defaults to 24, ensure space for enough aws services.<br/>        vpc_cidr = optional(string, null)<br/>        # The CIDR block to use for the VPC. Defaults to null, required when not using IPAM<br/>        vpc_netmask = optional(string, null)<br/>        # The netmask to use for the VPC. Defaults to null, required when using IPAM<br/>      })<br/><br/>      resolver_rules = optional(object({<br/>        # Defines the configuration for the sharing network via AWS RAM<br/>        principals = optional(list(string), [])<br/>        # The list of organizational units or accounts to share the endpoints resolvers rules with. Defaults to an empty list.<br/>      }), null)<br/><br/>      resolver = optional(object({<br/>        enable = optional(bool, false)<br/>        # Whether to enable the resolver. Defaults to false.<br/>      }), null)<br/><br/>      services = optional(map(object({<br/>        # Whether private DNS is enabled. Defaults to true.<br/>        service_type = optional(string, "Interface")<br/>        # The type of service, i.e. Gateway or Interface. Defaults to 'Interface'<br/>        service = string<br/>        # The name of the service i.e. ec2, ec2messages, ssm, ssmmessages, logs, kms, secretsmanager, s3.awsamazon.com<br/>        policy = optional(string, null)<br/>        # An optional IAM policy to use for the endpoint. Defaults to null.<br/>        })), {<br/>        ec2messages = {<br/>          service = "ec2messages"<br/>        },<br/>        ssm = {<br/>          service = "ssm"<br/>        },<br/>        ssmmessages = {<br/>          service = "ssmmessages"<br/>        },<br/>      })<br/>    }), null)<br/>    ## Centralized private endpoints, using route53 resolver rules instead of private hosted zones<br/><br/>    ingress = optional(object({<br/>      # Defines the configuration for the ingress network.<br/>      network = object({<br/>        # Defines the configuration for the ingress network.<br/>        availability_zones = optional(number, 2)<br/>        # The number of availablity zones to use for the ingress network. Defaults to 2.<br/>        ipam_pool_id = optional(string, null)<br/>        # The ID of the IPAM pool to use for the ingress network. Defaults to null.<br/>        name = optional(string, "ingress")<br/>        # The name of the ingress network. Defaults to 'ingress'.<br/>        private_netmask = number<br/>        # The netmask to use for the private network. Required, ensure space for enough aws services.<br/>        public_netmask = number<br/>        # The netmask to use for the public network. Required, ensure space for enough aws services.<br/>        transit_gateway_routes = optional(map(string), {<br/>          private = "10.0.0.0/8"<br/>          public  = "10.0.0.0/8"<br/>        })<br/>        # The transit gateway route tables entries for the ingress network.<br/>        vpc_cidr = optional(string, null)<br/>        # The CIDR block to use for the VPC. Defaults to null, required when not using IPAM<br/>        vpc_netmask = optional(string, null)<br/>        # The netmask to use for the VPC. Defaults to null, required when using IPAM<br/>      })<br/>    }), null)<br/>    ## Centralized ingress network, used to house all the ingress endpoints<br/>  })</pre> | `{}` | no |
+| <a name="input_transit_ssm_parameter_name"></a> [transit\_ssm\_parameter\_name](#input\_transit\_ssm\_parameter\_name) | The name of the SSM parameter to create for the transit gateway ID. | `string` | `"/landing-zone/%s/transit-gateway/id"` | no |
 
 ## Outputs
 

modules/trusted/ssm.tf

@@ -0,0 +1,39 @@
+
+## SSM Parameters for VPC and Transit Gateway IDs
+resource "aws_ssm_parameter" "transit_gateway_id" {
+  count = var.enable_ssm_sharing ? 1 : 0
+
+  name        = format("%s/%s/id", var.transit_ssm_parameter_prefix, local.region)
+  description = "Contains the Transit Gateway ID for region ${local.region}"
+  type        = "String"
+  value       = module.tgw.ec2_transit_gateway_id
+  tags        = var.tags
+}
+
+resource "aws_ssm_parameter" "transit_gateway_arn" {
+  count = var.enable_ssm_sharing ? 1 : 0
+
+  name        = format("%s/%s/arn", var.transit_ssm_parameter_prefix, local.region)
+  description = "Contains the Transit Gateway ARN for region ${local.region}"
+  type        = "String"
+  value       = module.tgw.ec2_transit_gateway_arn
+  tags        = var.tags
+}
+
+## Share the SSM Parameter using RAM
+module "transit_gateway_ssm_share" {
+  count   = var.enable_ssm_sharing ? 1 : 0
+  source  = "appvia/ram/aws"
+  version = "0.0.1"
+
+  allow_external_principals = false
+  name                      = format("transit-gateway-ssm-%s", local.region)
+  principals                = var.ram_share_principals
+  tags                      = var.tags
+
+  resource_arns = [
+    aws_ssm_parameter.transit_gateway_arn.arn,
+    aws_ssm_parameter.transit_gateway_id.arn,
+  ]
+}
+

modules/trusted/variables.tf

@@ -200,6 +200,18 @@ variable "enable_vpn_ecmp_support" {
   default     = false
 }
 
+variable "transit_ssm_parameter_prefix" {
+  description = "The name of the SSM parameter to create for the transit gateway ID."
+  type        = string
+  default     = "/landing-zone"
+}
+
+variable "enable_ssm_sharing" {
+  description = "Whether to create and share the SSM parameter for the transit gateway ID."
+  type        = bool
+  default     = false
+}
+
 variable "name" {
   description = "The name of the transit gateway to provision."
   type        = string