Configure additional routes for the subnets

Author: adrianeib

data.tf

@@ -113,6 +113,37 @@ locals {
   # private subnets with cidrs per az if connect_to_public_eigw = true ...  "privatetwo/us-east-1a"
   private_subnet_names_egress_routed = [for subnet in local.private_per_az : subnet if contains(local.private_subnets_egress_routed, split("/", subnet)[0])]
 
+  # Configure additional routes.
+  # List of private subnets with additional routes.
+  private_subnets_routes = [for type in local.private_subnet_names : type if length(lookup(var.subnets[type], "routes", [])) > 0]
+  # List of routes for the private subnets.
+  # The tricky part here is that we have to identify the subnet names where a route
+  # should be added because the subnet name has suffix /az_name e.g. subnet is created for each zone.
+  private_subnets_az_routes = flatten([
+    for subnet_name in local.private_subnets_routes :
+    [
+      for subnet_name_az in local.private_per_az :
+      [
+        for route in var.subnets[subnet_name].routes :
+        merge(route, { "route_table_name" : subnet_name_az })
+      ] if startswith(subnet_name_az, "${subnet_name}/")
+    ]
+  ])
+  # List of routes for the public subnets.
+  # There is just 1 public subnet and route table names are based on AZ names.
+  public_subnet_az_routes = (length(try(var.subnets.public.routes, [])) > 0
+    ? flatten(
+      [
+        for az in local.azs :
+        [
+          for route in var.subnets.public.routes :
+          merge(route, { "route_table_name" : az })
+        ]
+      ]
+    )
+    : []
+  )
+
   # VPC LATTICE ############################################################
   # If var.vpc_lattice is defined (default = {}), the VPC association is created.
   lattice_association = length(keys(var.vpc_lattice)) > 0

main.tf

@@ -210,6 +210,28 @@ resource "aws_route" "public_to_cwan" {
   ]
 }
 
+# Configure routes provided in the input variable `subnets` for the public subnet(s).
+resource "aws_route" "public_routes" {
+  count = length(local.public_subnet_az_routes)
+
+  destination_cidr_block      = lookup(local.public_subnet_az_routes[count.index], "destination_cidr_block", null)
+  destination_prefix_list_id  = lookup(local.public_subnet_az_routes[count.index], "destination_prefix_list_id", null)
+  destination_ipv6_cidr_block = lookup(local.public_subnet_az_routes[count.index], "destination_ipv6_cidr_block", null)
+
+  carrier_gateway_id        = lookup(local.public_subnet_az_routes[count.index], "carrier_gateway_id", null)
+  core_network_arn          = lookup(local.public_subnet_az_routes[count.index], "core_network_arn", null)
+  egress_only_gateway_id    = lookup(local.public_subnet_az_routes[count.index], "egress_only_gateway_id", null)
+  gateway_id                = lookup(local.public_subnet_az_routes[count.index], "gateway_id", null)
+  nat_gateway_id            = lookup(local.public_subnet_az_routes[count.index], "nat_gateway_id", null)
+  local_gateway_id          = lookup(local.public_subnet_az_routes[count.index], "local_gateway_id", null)
+  network_interface_id      = lookup(local.public_subnet_az_routes[count.index], "network_interface_id", null)
+  transit_gateway_id        = lookup(local.public_subnet_az_routes[count.index], "transit_gateway_id", null)
+  vpc_endpoint_id           = lookup(local.public_subnet_az_routes[count.index], "vpc_endpoint_id", null)
+  vpc_peering_connection_id = lookup(local.public_subnet_az_routes[count.index], "vpc_peering_connection_id", null)
+
+  route_table_id = aws_route_table.private[local.public_subnet_az_routes[count.index].route_table_name].id
+}
+
 # Route: IPv6 routes from public subnets to AWS Cloud WAN's core network (if configured in var.core_network_routes)
 resource "aws_route" "ipv6_public_to_cwan" {
   for_each = (contains(local.subnet_keys, "public") && contains(local.ipv6_subnets_cwan_routed, "public") && local.create_cwan_routes) ? toset(local.azs) : toset([])
@@ -290,6 +312,28 @@ resource "aws_route" "private_to_egress_only" {
   egress_only_gateway_id      = aws_egress_only_internet_gateway.eigw[0].id
 }
 
+# Configure routes provided in the input variable `subnets` for the private subnet(s).
+resource "aws_route" "private_routes" {
+  count = length(local.private_subnets_az_routes)
+
+  destination_cidr_block      = lookup(local.private_subnets_az_routes[count.index], "destination_cidr_block", null)
+  destination_prefix_list_id  = lookup(local.private_subnets_az_routes[count.index], "destination_prefix_list_id", null)
+  destination_ipv6_cidr_block = lookup(local.private_subnets_az_routes[count.index], "destination_ipv6_cidr_block", null)
+
+  carrier_gateway_id        = lookup(local.private_subnets_az_routes[count.index], "carrier_gateway_id", null)
+  core_network_arn          = lookup(local.private_subnets_az_routes[count.index], "core_network_arn", null)
+  egress_only_gateway_id    = lookup(local.private_subnets_az_routes[count.index], "egress_only_gateway_id", null)
+  gateway_id                = lookup(local.private_subnets_az_routes[count.index], "gateway_id", null)
+  nat_gateway_id            = lookup(local.private_subnets_az_routes[count.index], "nat_gateway_id", null)
+  local_gateway_id          = lookup(local.private_subnets_az_routes[count.index], "local_gateway_id", null)
+  network_interface_id      = lookup(local.private_subnets_az_routes[count.index], "network_interface_id", null)
+  transit_gateway_id        = lookup(local.private_subnets_az_routes[count.index], "transit_gateway_id", null)
+  vpc_endpoint_id           = lookup(local.private_subnets_az_routes[count.index], "vpc_endpoint_id", null)
+  vpc_peering_connection_id = lookup(local.private_subnets_az_routes[count.index], "vpc_peering_connection_id", null)
+
+  route_table_id = aws_route_table.private[local.private_subnets_az_routes[count.index].route_table_name].id
+}
+
 # Route: IPv4 routes from private subnets to the Transit Gateway (if configured in var.transit_gateway_routes)
 resource "aws_route" "private_to_tgw" {
   for_each = toset(local.private_subnet_key_names_tgw_routed)
@@ -521,4 +565,4 @@ resource "aws_vpclattice_service_network_vpc_association" "vpc_lattice_service_n
     module.tags.tags_aws,
     module.vpc_lattice_tags.tags_aws
   )
-}
+}

variables.tf

@@ -112,6 +112,7 @@ variable "subnets" {
   - `assign_ipv6_cidr` = (Optional|bool) **Cannot set if `ipv6_cidrs` is set.** If true, it will calculate a /64 block from the IPv6 VPC CIDR to set in the subnets.
   - `ipv6_cidrs`       = (Optional|list(string)) **Cannot set if `assign_ipv6_cidr` is set.** List of IPv6 CIDRs to set to subnets. The subnet size must use a /64 prefix length. Count of CIDRs defined must match quantity of azs in `az_count`.
   - `name_prefix`      = (Optional|String) A string prefix to use for the name of your subnet and associated resources. Subnet type key name is used if omitted (aka private, public, transit_gateway). Example `name_prefix = "private"` for `var.subnets.private` is redundant.
+  - `routes`           = (optional|list(map(string)) List of maps, where each map represents an `aws_route` resource. All `aws_route` attributes are supported for both the `destination` and `target` arguments.
   - `tags`             = (Optional|map(string)) Tags to set on the subnet and associated resources.
 
   **Any private subnet type options:**
@@ -161,6 +162,14 @@ variable "subnets" {
       assign_ipv6_cidr = true
       connect_to_eigw  = true
     }
+    # Additional routes
+    private = {
+      netmask                  = 24
+      routes                   = [{
+        destination_cidr_block = "0.0.0.0/0"
+        transit_gateway_id     = "tgw-01238768912345678"
+      }]
+    }
     # Transit gateway subnets (dual-stack)
     transit_gateway = {
       netmask                                         = 24