Use a route table with separate (rather than inline) routes

* Allow users to extend the route table using a data reference and adding route resources (e.g. unusual peering setups) * Note: Internally connecting AWS clusters reduces cross-cloud flexibility and inhibits blue-green cluster patterns. It is not recommended
poseidon · Feb 26, 2020 · e7fda2b · e7fda2b
1 parent f4d2606
commit e7fda2b
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 20 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -9,6 +9,7 @@ Notable changes between versions.
 #### AWS
 
 * Fix `worker_node_labels` for setting initial worker node labels on Fedora CoreOS ([#651](https://github.com/poseidon/typhoon/pull/651))
+* Allow VPC route table extension via reference ([])
 
 #### Google Cloud
 

diff --git a/aws/container-linux/kubernetes/network.tf b/aws/container-linux/kubernetes/network.tf
@@ -25,21 +25,23 @@ resource "aws_internet_gateway" "gateway" {
 resource "aws_route_table" "default" {
   vpc_id = aws_vpc.network.id
 
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.gateway.id
-  }
-
-  route {
-    ipv6_cidr_block = "::/0"
-    gateway_id      = aws_internet_gateway.gateway.id
-  }
-
   tags = {
     "Name" = var.cluster_name
   }
 }
 
+resource "aws_route" "egress-ipv4" {
+  route_table_id = aws_route_table.default.id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id = aws_internet_gateway.gateway.id
+}
+
+resource "aws_route" "egress-ipv6" {
+  route_table_id = aws_route_table.default.id
+  destination_ipv6_cidr_block = "::/0"
+  gateway_id = aws_internet_gateway.gateway.id
+}
+
 # Subnets (one per availability zone)
 
 resource "aws_subnet" "public" {

diff --git a/aws/fedora-coreos/kubernetes/network.tf b/aws/fedora-coreos/kubernetes/network.tf
@@ -25,21 +25,23 @@ resource "aws_internet_gateway" "gateway" {
 resource "aws_route_table" "default" {
   vpc_id = aws_vpc.network.id
 
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.gateway.id
-  }
-
-  route {
-    ipv6_cidr_block = "::/0"
-    gateway_id      = aws_internet_gateway.gateway.id
-  }
-
   tags = {
     "Name" = var.cluster_name
   }
 }
 
+resource "aws_route" "egress-ipv4" {
+  route_table_id = aws_route_table.default.id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id = aws_internet_gateway.gateway.id
+}
+
+resource "aws_route" "egress-ipv6" {
+  route_table_id = aws_route_table.default.id
+  destination_ipv6_cidr_block = "::/0"
+  gateway_id = aws_internet_gateway.gateway.id
+}
+
 # Subnets (one per availability zone)
 
 resource "aws_subnet" "public" {

diff --git a/docs/architecture/aws.md b/docs/architecture/aws.md
@@ -79,6 +79,23 @@ resource "aws_security_group_rule" "some-app" {
 }
 ```
 
+## Routes
+
+Add a custom [route](https://www.terraform.io/docs/providers/aws/r/route.html) to the VPC route table.
+
+```tf
+data "aws_route_table" "default" {
+  vpc_id = module.temptest.vpc_id
+  subnet_id = module.tempest.subnet_ids[0]
+}
+
+resource "aws_route" "peering" {
+  route_table_id = data.aws_route_table.default.id
+  destination_cidr_block = "192.168.4.0/24"
+  ...
+}
+```
+
 ## IPv6
 
 AWS Network Load Balancers do not support `dualstack`.