Skip to content

Commit

Permalink
docs(netm): core net multi-region vpc att
Browse files Browse the repository at this point in the history
  • Loading branch information
GlennChia committed Feb 24, 2023
1 parent efc3226 commit 087013d
Show file tree
Hide file tree
Showing 2 changed files with 159 additions and 4 deletions.
84 changes: 81 additions & 3 deletions website/docs/r/networkmanager_core_network.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ resource "aws_networkmanager_core_network" "example" {
}
```

### With VPC Attachment
### With VPC Attachment single region

The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the `create_base_policy` argument to `true` if your core network does not currently have any `LIVE` policies (e.g. this is the first `terraform apply` with the core network resource), since a `LIVE` policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a `LIVE` policy, you may exclude the `create_base_policy` argument.

Expand Down Expand Up @@ -92,13 +92,91 @@ resource "aws_networkmanager_vpc_attachment" "example" {
}
```

### With VPC Attachment multi region

The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the `create_base_policy` argument of the [`aws_networkmanager_core_network` resource](/docs/providers/aws/r/networkmanager_core_network.html) to `true` if your core network does not currently have any `LIVE` policies (e.g. this is the first `terraform apply` with the core network resource), since a `LIVE` policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a `LIVE` policy, you may exclude the `create_base_policy` argument. For multi-region in a core network that does not yet have a `LIVE` policy, pass a list of regions to the `aws_networkmanager_core_network` base policy. This is specified using the `aws_networkmanager_core_network` `base_policy_regions` argument. In the example below, `us-west-2` and `us-east-1` are specified in the base policy.

```terraform
resource "aws_networkmanager_global_network" "example" {}
data "aws_networkmanager_core_network_policy_document" "example" {
core_network_configuration {
asn_ranges = ["65022-65534"]
edge_locations {
location = "us-west-2"
}
edge_locations {
location = "us-east-1"
}
}
segments {
name = "segment"
}
segments {
name = "segment2"
}
segment_actions {
action = "create-route"
segment = "segment"
destination_cidr_blocks = [
"10.0.0.0/16"
]
destinations = [
aws_networkmanager_vpc_attachment.example_us_west_2.id,
]
}
segment_actions {
action = "create-route"
segment = "segment"
destination_cidr_blocks = [
"10.1.0.0/16"
]
destinations = [
aws_networkmanager_vpc_attachment.example_us_east_1.id,
]
}
}
resource "aws_networkmanager_core_network" "example" {
global_network_id = aws_networkmanager_global_network.example.id
base_policy_regions = ["us-west-2", "us-east-1"]
create_base_policy = true
}
resource "aws_networkmanager_core_network_policy_attachment" "example" {
core_network_id = aws_networkmanager_core_network.example.id
policy_document = data.aws_networkmanager_core_network_policy_document.example.json
}
resource "aws_networkmanager_vpc_attachment" "example_us_west_2" {
core_network_id = aws_networkmanager_core_network.example.id
subnet_arns = aws_subnet.example_us_west_2[*].arn
vpc_arn = aws_vpc.example_us_west_2.arn
}
resource "aws_networkmanager_vpc_attachment" "example_us_east_1" {
provider = "alternate"
core_network_id = aws_networkmanager_core_network.example.id
subnet_arns = aws_subnet.example_us_east_1[*].arn
vpc_arn = aws_vpc.example_us_east_1.arn
}
```

## Argument Reference

The following arguments are supported:

* `description` - (Optional) Description of the Core Network.
* `base_policy_region` - (Optional) The base policy created by setting the `create_base_policy` argument to `true` requires a region to be set in the `edge-locations`, `location` key. If `base_policy_region` is not specified, the region used in the base policy defaults to the region specified in the `provider` block.
* `create_base_policy` - (Optional) Specifies whether to create a base policy when a core network is created or updated. A base policy is created and set to `LIVE` to allow attachments to the core network (e.g. VPC Attachments) before applying a policy document provided using the [`aws_networkmanager_core_network_policy_attachment` resource](/docs/providers/aws/r/networkmanager_core_network_policy_attachment.html). This base policy is needed if your core network does not have any `LIVE` policies (e.g. a core network resource created without the `policy_document` argument) and your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Valid values are `true` or `false`. Conflicts with `policy_document`. An example of this Terraform snippet can be found [above](#with-vpc-attachment). An example of a base policy created is shown below. The region specified in the `location` key can be configured using the `base_policy_region` argument. If `base_policy_region` is not specified, the region defaults to the region specified in the `provider` block. This base policy is overridden with the policy that you specify in the [`aws_networkmanager_core_network_policy_attachment` resource](/docs/providers/aws/r/networkmanager_core_network_policy_attachment.html).
* `base_policy_region` - (Optional, **Deprecated** use the `base_policy_regions` argument) The base policy created by setting the `create_base_policy` argument to `true` requires a region to be set in the `edge-locations`, `location` key. If `base_policy_region` is not specified, the region used in the base policy defaults to the region specified in the `provider` block.
* `base_policy_regions` - (Optional) A list of regions to add to the base policy. The base policy created by setting the `create_base_policy` argument to `true` requires one or more regions to be set in the `edge-locations`, `location` key. If `base_policy_regions` is not specified, the region used in the base policy defaults to the region specified in the `provider` block.
* `create_base_policy` - (Optional) Specifies whether to create a base policy when a core network is created or updated. A base policy is created and set to `LIVE` to allow attachments to the core network (e.g. VPC Attachments) before applying a policy document provided using the [`aws_networkmanager_core_network_policy_attachment` resource](/docs/providers/aws/r/networkmanager_core_network_policy_attachment.html). This base policy is needed if your core network does not have any `LIVE` policies (e.g. a core network resource created without the `policy_document` argument) and your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Valid values are `true` or `false`. Conflicts with `policy_document`. An example of this Terraform snippet can be found above [for VPC Attachment in a single region](#with-vpc-attachment-single-region) and [for VPC Attachment multi-region](#with-vpc-attachment-multi-region). An example of a base policy created is shown below. The region specified in the `location` key can be configured using the `base_policy_region` argument. If `base_policy_region` is not specified, the region defaults to the region specified in the `provider` block. This base policy is overridden with the policy that you specify in the [`aws_networkmanager_core_network_policy_attachment` resource](/docs/providers/aws/r/networkmanager_core_network_policy_attachment.html).

```json
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ resource "aws_networkmanager_core_network_policy_attachment" "example" {
}
```

### With VPC Attachment
### With VPC Attachment single region

The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the `create_base_policy` argument of the [`aws_networkmanager_core_network` resource](/docs/providers/aws/r/networkmanager_core_network.html) to `true` if your core network does not currently have any `LIVE` policies (e.g. this is the first `terraform apply` with the core network resource), since a `LIVE` policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a `LIVE` policy, you may exclude the `create_base_policy` argument.

Expand Down Expand Up @@ -78,6 +78,83 @@ resource "aws_networkmanager_vpc_attachment" "example" {
}
```

### With VPC Attachment multi region

The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the `create_base_policy` argument of the [`aws_networkmanager_core_network` resource](/docs/providers/aws/r/networkmanager_core_network.html) to `true` if your core network does not currently have any `LIVE` policies (e.g. this is the first `terraform apply` with the core network resource), since a `LIVE` policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a `LIVE` policy, you may exclude the `create_base_policy` argument. For multi-region in a core network that does not yet have a `LIVE` policy, pass a list of regions to the `aws_networkmanager_core_network` base policy. This is specified using the `aws_networkmanager_core_network` `base_policy_regions` argument. In the example below, `us-west-2` and `us-east-1` are specified in the base policy.

```terraform
resource "aws_networkmanager_global_network" "example" {}
data "aws_networkmanager_core_network_policy_document" "example" {
core_network_configuration {
asn_ranges = ["65022-65534"]
edge_locations {
location = "us-west-2"
}
edge_locations {
location = "us-east-1"
}
}
segments {
name = "segment"
}
segments {
name = "segment2"
}
segment_actions {
action = "create-route"
segment = "segment"
destination_cidr_blocks = [
"10.0.0.0/16"
]
destinations = [
aws_networkmanager_vpc_attachment.example_us_west_2.id,
]
}
segment_actions {
action = "create-route"
segment = "segment"
destination_cidr_blocks = [
"10.1.0.0/16"
]
destinations = [
aws_networkmanager_vpc_attachment.example_us_east_1.id,
]
}
}
resource "aws_networkmanager_core_network" "example" {
global_network_id = aws_networkmanager_global_network.example.id
base_policy_regions = ["us-west-2", "us-east-1"]
create_base_policy = true
}
resource "aws_networkmanager_core_network_policy_attachment" "example" {
core_network_id = aws_networkmanager_core_network.example.id
policy_document = data.aws_networkmanager_core_network_policy_document.example.json
}
resource "aws_networkmanager_vpc_attachment" "example_us_west_2" {
core_network_id = aws_networkmanager_core_network.example.id
subnet_arns = aws_subnet.example_us_west_2[*].arn
vpc_arn = aws_vpc.example_us_west_2.arn
}
resource "aws_networkmanager_vpc_attachment" "example_us_east_1" {
provider = "alternate"
core_network_id = aws_networkmanager_core_network.example.id
subnet_arns = aws_subnet.example_us_east_1[*].arn
vpc_arn = aws_vpc.example_us_east_1.arn
}
```

## Argument Reference

The following arguments are supported:
Expand Down

0 comments on commit 087013d

Please sign in to comment.