Allow computed gateway IDs
sdickenson committed Jan 10, 2025
1 parent bdf3d3f commit 0b9b57a
Showing 3 changed files with 14 additions and 4 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -60,6 +60,7 @@ Creates a site-to-site VPN connection intended to terminate to a FortiGate firew
| <a name="input_tunnel2_psk"></a> [tunnel2\_psk](#input\_tunnel2\_psk) | Specify a Tunnel 2 PSK explicitly (optional) | `string` | `""` | no |
| <a name="input_tunnel2_psk_version"></a> [tunnel2\_psk\_version](#input\_tunnel2\_psk\_version) | Version to use for PSK (increment to generate a new PSK) | `number` | `1` | no |
| <a name="input_use_secrets_manager"></a> [use\_secrets\_manager](#input\_use\_secrets\_manager) | Use Secrets Manager to store/manage PSKs | `bool` | `true` | no |
| <a name="input_use_tgw"></a> [use\_tgw](#input\_use\_tgw) | Set to true if attaching the VPN to a Transit Gateway | `bool` | `false` | no |
| <a name="input_vgw_id"></a> [vgw\_id](#input\_vgw\_id) | Virtual Private Gateway to attach VPN to (required if `transit_gateway_id` not set) | `string` | `null` | no |
| <a name="input_wan_interface"></a> [wan\_interface](#input\_wan\_interface) | WAN interface to use in fortigate config template | `string` | `"wan1"` | no |

11 changes: 7 additions & 4 deletions main.tf
@@ -1,10 +1,10 @@
data "aws_vpn_gateway" "this" {
count = var.vgw_id == null ? 0 : 1
count = var.use_tgw ? 0 : 1
id = var.vgw_id
}

data "aws_ec2_transit_gateway" "this" {
count = var.transit_gateway_id == null ? 0 : 1
count = var.use_tgw ? 1 : 0
id = var.transit_gateway_id
}

Expand Down Expand Up @@ -40,8 +40,11 @@ locals {
"Name" = "${var.account_name}<=>${var.customer_name}"
}
)

tgw_id = var.use_tgw ? var.transit_gateway_id : null
tunnel1_psk = var.use_secrets_manager ? module.psk1.secret : var.tunnel1_psk
tunnel2_psk = var.use_secrets_manager ? module.psk2.secret : var.tunnel2_psk
vgw_id = var.use_tgw ? null : var.vgw_id

# compute aws bgp asn
amazon_bgp_asn = try(data.aws_ec2_transit_gateway.this[0].amazon_side_asn, data.aws_vpn_gateway.this[0].amazon_side_asn)
Expand All @@ -57,13 +60,13 @@ resource "aws_customer_gateway" "this" {
resource "aws_vpn_connection" "this" {
customer_gateway_id = aws_customer_gateway.this.id
tags = local.tags_with_name
transit_gateway_id = var.transit_gateway_id
transit_gateway_id = local.tgw_id
tunnel1_inside_cidr = var.tunnel1_inside_cidr
tunnel1_preshared_key = local.tunnel1_psk
tunnel2_inside_cidr = var.tunnel2_inside_cidr
tunnel2_preshared_key = local.tunnel2_psk
type = aws_customer_gateway.this.type
vpn_gateway_id = var.vgw_id
vpn_gateway_id = local.vgw_id
}

resource "local_file" "this" {
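Review bot: `aws_vpn_connection.this` now silently discards `transit_gateway_id` when `use_tgw` is false (and `vgw_id` when it is true) through `local.tgw_id`/`local.vgw_id`, and nothing checks that the ID selected by the switch was actually supplied; a caller who sets `transit_gateway_id` but forgets `use_tgw = true` gets no error from this module and, if `vgw_id` is also set, a VPN attached to the wrong gateway. A `precondition` on the resource turns that into a plan-time failure. Note also that with `use_tgw = false` and `vgw_id = null` the `aws_vpn_gateway` data source is evaluated with `id = null` and no filter, which presumably resolves to whichever single VGW exists in the account rather than failing — worth confirming, since `amazon_bgp_asn` is derived from that lookup. The `vgw_id` README description (`required if transit_gateway_id not set`) and the `transit_gateway_id` variable docs should also state that `use_tgw` now decides which ID is used.
```hcl
resource "aws_vpn_connection" "this" {
  # … unchanged: customer_gateway_id, tags, gateway ids, tunnel settings, type …

  lifecycle {
    precondition {
      condition     = var.use_tgw ? var.transit_gateway_id != null : var.vgw_id != null
      error_message = "Set transit_gateway_id when use_tgw is true, otherwise set vgw_id."
    }
  }
}
```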
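--- a/variables.tf
+++ b/variables.tf
@@ -95,3 +95,9 @@ variable "wan_interface" {
 description = "WAN interface to use in fortigate config template"
 type = string
 }
+
+variable "use_tgw" {
+default = false
+description = "Set to true if attaching the VPN to a Transit Gateway"
+type = bool
+}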
