support any number of peered VPCs

.gitignore

@@ -5,4 +5,5 @@ terraform.tfvars
 todos.md
 .DS_Store
 files/user_data_compiled.sh
-tmp/
+tmp/
+temp/

files/vault_credentials_template.sh

@@ -2,5 +2,5 @@
 
 # This grabs the encrypted credentials file and decrypts it.
 
-aws --profile ${AWS_PROFILE} --region ${AWS_REGION} s3 cp s3://${AWS_S3_BUCKET}/vault_creds_encrypted ./tmp/vault_creds_encrypted
-aws --profile ${AWS_PROFILE} --region ${AWS_REGION} kms decrypt --key-id ${AWS_KMS_KEY_ID} --ciphertext-blob fileb://tmp/vault_creds_encrypted --output text --query Plaintext | base64 --decode > ./tmp/vault_creds_decrypted
+aws --profile ${AWS_PROFILE} --region ${AWS_REGION} s3 cp s3://${AWS_S3_BUCKET}/vault_creds_encrypted ./temp/vault_creds_encrypted
+aws --profile ${AWS_PROFILE} --region ${AWS_REGION} kms decrypt --key-id ${AWS_KMS_KEY_ID} --ciphertext-blob fileb://temp/vault_creds_encrypted --output text --query Plaintext | base64 --decode > ./temp/vault_creds_decrypted

outputs.tf

@@ -1,6 +1,6 @@
 # Here for debugging the compiled userdata.sh file.
 resource "local_file" "userdata_compiled" {
-  content = templatefile("${path.module}/files/userdata_template.sh", {
+  content = templatefile("${path.root}/files/userdata_template.sh", {
     VAULT_VERSION = var.vault_version
     VAULT_CLUSTER_NAME = var.main_project_tag
     VAULT_DNS = var.domain_name
@@ -9,18 +9,18 @@ resource "local_file" "userdata_compiled" {
     VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name....
     VAULT_S3_BUCKET_NAME = aws_s3_bucket.vault_data.id
   })
-  filename = "${path.module}/tmp/userdata_compiled.sh"
+  filename = "${path.root}/temp/userdata_compiled.sh"
 }
 
 # Output the vault credentials script
 resource "local_file" "vault_credentials" {
-  content = templatefile("${path.module}/files/vault_credentials_template.sh", {
+  content = templatefile("${path.root}/files/vault_credentials_template.sh", {
     AWS_PROFILE = var.aws_profile
     AWS_REGION = data.aws_region.current.name
     AWS_S3_BUCKET = aws_s3_bucket.vault_data.id
     AWS_KMS_KEY_ID = aws_kms_key.seal.key_id
   })
-  filename = "${path.module}/tmp/vault_credentials.sh"
+  filename = "${path.root}/temp/vault_credentials.sh"
 }
 
 # Load Balancer DNS - You need to CNAME or Alias this.

variables.tf

@@ -174,9 +174,9 @@ variable "private_mode" {
   default = false
 }
 
-## A VPC in the SAME AWS Account AND Region as your Vault deployment.  It MUST have "enable dns hostnames" active AND it cannot use the same CIDR block as the Vault VPC.
-variable "peered_vpc_id" {
-  description = "ID of a VPC that can access the Vault VPC and thus access vault privately."
-  type = string
-  default = ""
+## A VPC in the SAME AWS Account and REGION as your Vault deployment.  The VPCs MUST have "enable dns hostnames" active AND cannot use the same CIDR block as the Vault VPC.
+variable "peered_vpc_ids" {
+  description = "A list of of a VPC IDs that can access the Vault VPC and thus access vault privately."
+  type = list(string)
+  default = []
 }

vpc.tf

@@ -265,20 +265,20 @@ resource "aws_vpc_endpoint" "dynamodb" {
 
 
 # VPC Peering
-## Enabled in Private Mode only.
+## Enabled in Private Mode only.  Allows other VPCs in the same account and region to access your Vault VPC.
 
 ## Data from Peered VPC (AKA the external VPC we're letting in)
 data "aws_vpc" "peered_vpc" {
-  count = var.private_mode ? 1 : 0
+  count = var.private_mode && length(var.peered_vpc_ids) > 0 ? length(var.peered_vpc_ids) : 0
 
-  id = var.peered_vpc_id
+  id = var.peered_vpc_ids[count.index]
 }
 
-## Peering Connection
+## Peering Connections
 resource "aws_vpc_peering_connection" "vault" {
-  count = var.private_mode ? 1 : 0
+  count = var.private_mode && length(var.peered_vpc_ids) > 0 ? length(var.peered_vpc_ids) : 0
 
-  peer_vpc_id = var.peered_vpc_id
+  peer_vpc_id = var.peered_vpc_ids[count.index]
   vpc_id = aws_vpc.vault.id
   auto_accept = true
 
@@ -291,27 +291,28 @@ resource "aws_vpc_peering_connection" "vault" {
   }
 
   tags = merge(
-    { "Name" = "${var.main_project_tag}-vpc-peering-connection"},
+    { "Name" = "${var.main_project_tag}-vpc-peering-connection-${count.index + 1}"},
     { "Project" = var.main_project_tag },
     var.vpc_tags
   )
 }
 
-## Peering Connection for the VAULT Route Table
+## Peering Connection Routes for the VAULT Route Table
 resource "aws_route" "requester_peering_route" {
-  count = var.private_mode ? 1 : 0
+  count = var.private_mode && length(var.peered_vpc_ids) > 0 ? length(var.peered_vpc_ids) : 0
 
   route_table_id = aws_route_table.public.id
-  destination_cidr_block = data.aws_vpc.peered_vpc[0].cidr_block
-  vpc_peering_connection_id = aws_vpc_peering_connection.vault[0].id
+  destination_cidr_block = data.aws_vpc.peered_vpc[count.index].cidr_block
+  vpc_peering_connection_id = aws_vpc_peering_connection.vault[count.index].id
 }
 
-## Peering Connection for the External VPC Route Table to allow Vault Traffic
-## Note: this associates it to the external VPC's MAIN ROUTE TABLE.  If you want it associated to a different route table, you'll have to do so manually.
+## Peering Connection Routes for the External VPC Route Tables to allow Vault Traffic
+## Note: this associates it to the external VPC's MAIN ROUTE TABLE.
+## If you want it associated to a different route table, you'll have to do so manually or set the table you want as the main route table.
 resource "aws_route" "accepter_peering_route" {
-  count = var.private_mode ? 1 : 0
+  count = var.private_mode && length(var.peered_vpc_ids) > 0 ? length(var.peered_vpc_ids) : 0
 
-  route_table_id = data.aws_vpc.peered_vpc[0].main_route_table_id
+  route_table_id = data.aws_vpc.peered_vpc[count.index].main_route_table_id
   destination_cidr_block = aws_vpc.vault.cidr_block
-  vpc_peering_connection_id = aws_vpc_peering_connection.vault[0].id
+  vpc_peering_connection_id = aws_vpc_peering_connection.vault[count.index].id
 }