Hello,
I am looking for the best solution to my problem.
Problem statement:
I am creating an AWS bastion host (accessed through SSM Session Manager, no SSH ingress) in an existing VPC and its subnets. I have organised the Terraform code in the structure below.
.
├── go
├── modules
│ ├── bastion-ec2
│ │ ├── data.tf
│ │ ├── iam.tf
│ │ ├── main.tf
│ │ ├── output.tf
│ │ └── variables.tf
│ └── bastion-vpc
│ ├── main.tf
│ ├── outputs.tf
│ └── variables.tf
├── scripts
│ └── user-data.sh
├── stages
│ ├── 00-bastion-vpc
│ │ ├── apply.plan
│ │ ├── data.tf
│ │ ├── go
│ │ ├── main.tf
│ │ ├── provider.tf
│ │ ├── terraform.tf
│ │ └── variables.tf
│ └── 01-bastion-ec2
│ ├── apply.plan
│ ├── go
│ ├── main.tf
│ ├── provider.tf
│ ├── terraform.tf
│ └── variables.tf
└── vars
├── base.tfvars
├── nonprod.tfvars
└── prod.tfvars
In modules/bastion-vpc/main.tf:
###################################################################
# SSM Messages VPC endpoint
###################################################################
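resource "aws_security_group" "vpc_bastion_host_security_group" {
  #checkov:skip=CKV2_AWS_5:SG is used in VPC Endpoint and will be used by EC2 but not in this module
  name        = "vpc-bastion-host-security-group"
  description = "Security group for bastion host"
  vpc_id      = var.vpc_id

  # No ingress on purpose: the host is reached through SSM Session Manager,
  # which the instance initiates outbound, so nothing needs to connect in.
  #
  # Egress is declared as separate aws_security_group_rule resources below
  # (not inline) so this SG and the endpoint SGs can reference each other
  # without a dependency cycle. Per the aws_security_group docs, Terraform
  # removes AWS's default allow-all egress rule when no egress is declared,
  # so only the rules below apply.
}

# Outbound HTTPS from the bastion to the ssmmessages interface endpoint.
# With type = "egress", source_security_group_id is the *destination* SG.
# This replaces the previous all-ports egress to 0.0.0.0/0 and ::/0, which
# let a compromised bastion reach anything routable from the subnet. If
# scripts/user-data.sh needs package repositories or other services (e.g. an
# S3 endpoint for SSM session logs), add a matching egress rule/endpoint here.
resource "aws_security_group_rule" "vpc_bastion_host_security_group_egress_ssmmessages" {
  security_group_id        = aws_security_group.vpc_bastion_host_security_group.id
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = aws_security_group.vpc_ssmmessages_vpce_security_group.id
  description              = "bastion host egress to ssmmessages vpce"
}

# Outbound HTTPS from the bastion to the ec2messages interface endpoint.
resource "aws_security_group_rule" "vpc_bastion_host_security_group_egress_ec2messages" {
  security_group_id        = aws_security_group.vpc_bastion_host_security_group.id
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = aws_security_group.vpc_ec2messages_vpce_security_group.id
  description              = "bastion host egress to ec2messages vpce"
}

# Outbound HTTPS from the bastion to the ssm interface endpoint.
resource "aws_security_group_rule" "vpc_bastion_host_security_group_egress_ssm" {
  security_group_id        = aws_security_group.vpc_bastion_host_security_group.id
  type                     = "egress"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = aws_security_group.vpc_ssm_vpce_security_group.id
  description              = "bastion host egress to ssm vpce"
}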
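# Interface endpoint for the Session Manager data channel (ssmmessages).
# The original block was missing its closing brace, so the next resource
# was parsed as nested inside this one.
resource "aws_vpc_endpoint" "vpc_ssmmessages_vpce" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.aws_region}.ssmmessages"
  vpc_endpoint_type = "Interface"
  subnet_ids        = var.vpc_private_subnets

  # Private DNS overrides the public ssmmessages name inside the VPC so the
  # agent resolves to the endpoint ENIs; this needs DNS support and DNS
  # hostnames enabled on the VPC (the module takes vpc_enable_dns_* inputs
  # for that — verify they are true).
  private_dns_enabled = true

  # Only the endpoint SG; its ingress rule admits HTTPS from the bastion SG.
  security_group_ids = [aws_security_group.vpc_ssmmessages_vpce_security_group.id]

  tags = {
    Name = "${var.tag_application}-${var.target_environment}-vpc-ssmmessages-vpce"
  }
}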
# Security group attached to the ssmmessages endpoint ENIs. Rules live in
# separate aws_security_group_rule resources; declaring none inline means
# Terraform also drops AWS's default allow-all egress. Security groups are
# stateful, so replies to the permitted HTTPS ingress still flow.
resource "aws_security_group" "vpc_ssmmessages_vpce_security_group" {
  vpc_id      = var.vpc_id
  name        = "vpc-ssmmessages-security-group"
  description = "Security group for SSM Messages VPC endpoint"
}
# Admit HTTPS to the ssmmessages endpoint only from members of the bastion
# SG (no CIDR-based source), so other hosts in the subnets cannot use it.
resource "aws_security_group_rule" "vpc_ssmmessages_vpce_security_group_ingress_rule" {
  type                     = "ingress"
  security_group_id        = aws_security_group.vpc_ssmmessages_vpce_security_group.id
  source_security_group_id = aws_security_group.vpc_bastion_host_security_group.id
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  description              = "vpc ssm messages vpce security group ingress rule"
}
###################################################################
# EC2 Messages VPC endpoint
###################################################################
# Interface endpoint for ec2messages (Run Command / agent control channel),
# placed in the same private subnets as the other SSM endpoints and guarded
# by its own SG. Private DNS requires DNS support/hostnames on the VPC.
resource "aws_vpc_endpoint" "vpc_ec2messages_vpce" {
  service_name        = "com.amazonaws.${var.aws_region}.ec2messages"
  vpc_endpoint_type   = "Interface"
  vpc_id              = var.vpc_id
  subnet_ids          = var.vpc_private_subnets
  private_dns_enabled = true
  security_group_ids  = [aws_security_group.vpc_ec2messages_vpce_security_group.id]

  tags = {
    Name = "${var.tag_application}-${var.target_environment}-vpc-ec2messages-vpce"
  }
}
# Security group for the ec2messages endpoint ENIs. No inline rules: the
# ingress rule is a separate resource, and Terraform removes the AWS default
# allow-all egress when none is declared (stateful replies still pass).
resource "aws_security_group" "vpc_ec2messages_vpce_security_group" {
  vpc_id      = var.vpc_id
  name        = "vpc-ec2messages-security-group"
  description = "Security group for EC2 Messages VPC endpoint"
}
# HTTPS into the ec2messages endpoint, scoped to the bastion SG rather than
# a CIDR so only bastion instances can reach the control channel.
resource "aws_security_group_rule" "vpc_ec2messages_vpce_security_group_ingress_rule" {
  type                     = "ingress"
  security_group_id        = aws_security_group.vpc_ec2messages_vpce_security_group.id
  source_security_group_id = aws_security_group.vpc_bastion_host_security_group.id
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  description              = "vpc ec2 messages vpce security group ingress rule"
}
###################################################################
# SSM VPC endpoint
###################################################################
#
# Interface endpoint for the ssm API itself (agent registration, inventory,
# parameter/document reads). Same subnets and SG pattern as the other two
# endpoints; private DNS needs DNS support/hostnames enabled on the VPC.
resource "aws_vpc_endpoint" "vpc_ssm_vpce" {
  service_name        = "com.amazonaws.${var.aws_region}.ssm"
  vpc_endpoint_type   = "Interface"
  vpc_id              = var.vpc_id
  subnet_ids          = var.vpc_private_subnets
  private_dns_enabled = true
  security_group_ids  = [aws_security_group.vpc_ssm_vpce_security_group.id]

  tags = {
    Name = "${var.tag_application}-${var.target_environment}-vpc-ssm-vpce"
  }
}
# Security group for the ssm endpoint ENIs. Rules are attached via separate
# aws_security_group_rule resources; with no inline rules Terraform drops
# AWS's default allow-all egress, and stateful tracking covers replies.
resource "aws_security_group" "vpc_ssm_vpce_security_group" {
  vpc_id      = var.vpc_id
  name        = "vpc-ssm-security-group"
  description = "Security group for SSM VPC endpoint"
}
# HTTPS into the ssm endpoint from the bastion SG only. Additional consumers
# of the endpoint would get their own rule rather than a widened source.
resource "aws_security_group_rule" "vpc_ssm_vpce_security_group_bastion_host_ingress_rule" {
  type                     = "ingress"
  security_group_id        = aws_security_group.vpc_ssm_vpce_security_group.id
  source_security_group_id = aws_security_group.vpc_bastion_host_security_group.id
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  description              = "vpc ssm vpce security group ingress rule for bastion host"
}
In modules/bastion-vpc/outputs.tf (the tree above names the file outputs.tf):
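# Whole security group object, kept for existing callers. Note that
# aws_instance.vpc_security_group_ids takes a list of ids, so callers
# wrapping this value in a list get an object where an id is expected;
# they should use the _id output below instead.
output "vpc_bastion_host_security_group" {
  value = aws_security_group.vpc_bastion_host_security_group
}

# Security group id only — the form vpc_security_group_ids expects.
output "vpc_bastion_host_security_group_id" {
  value = aws_security_group.vpc_bastion_host_security_group.id
}

# Private subnet ids the SSM endpoints were placed in, re-exported so a
# later stage can put the bastion in the same subnets.
output "vpc_private_subnet_ids" {
  value = var.vpc_private_subnets
}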
In stages/00-bastion-vpc/main.tf
# Stage 00: instantiate the bastion-vpc module (SSM interface endpoints and
# the bastion SG). Region and AZ come from data sources in this stage;
# everything else is driven by the vars/*.tfvars for the target environment.
# NOTE(review): both vpc_id (existing VPC) and vpc_cidr/vpc_enable_* (VPC
# creation settings) are passed — confirm the module really uses both.
module "bastion-vpc" {
  source = "../../modules/bastion-vpc"

  # Identity / tagging
  tag_application    = var.tag_application
  target_environment = var.target_environment

  # Placement
  aws_region             = data.aws_region.current.name
  aws_availability_zones = var.aws_availability_zones
  vpc_azs                = [data.aws_availability_zones.available.names[0]]
  vpc_id                 = var.vpc_id
  vpc_cidr               = var.vpc_cidr
  vpc_private_subnets    = var.vpc_private_subnets

  # VPC feature flags
  vpc_enable_dns_support   = var.vpc_enable_dns_support
  vpc_enable_dns_hostnames = var.vpc_enable_dns_hostnames
  vpc_enable_nat_gateway   = var.vpc_enable_nat_gateway
  vpc_enable_vpn_gateway   = var.vpc_enable_vpn_gateway
}
My requirement: consume the bastion-vpc module's outputs (the private subnet id and the bastion security group) from the EC2 stage.
In stages/01-bastion-ec2/main.tf (the path `module/01-bastion-ec2/main.tf` does not exist in the tree above):
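# Stage 01: build the bastion instance from the reusable EC2 module.
#
# NOTE(review): stage 01 is a separate root module with its own state, so
# `module.bastion-vpc` from stage 00 is not in scope here and the references
# below will not resolve as written. Either read stage 00's outputs through a
# `data "terraform_remote_state"` source (backend settings as in
# stages/00-bastion-vpc/terraform.tf) or pass the subnet and SG ids in as
# stage variables via vars/*.tfvars. Do NOT re-declare module "bastion-vpc"
# in this stage: that would provision a second set of endpoints.
module "bastion-host" {
  # The tree above has the EC2 module at modules/bastion-ec2; "./bastion-host"
  # does not exist there.
  source = "../../modules/bastion-ec2"

  tag_application    = var.tag_application
  target_environment = var.target_environment

  # bastion_private_subnet_id is not among the outputs shown for the
  # bastion-vpc module; it has to be added to modules/bastion-vpc/outputs.tf.
  subnet_id = module.bastion-vpc.bastion_private_subnet_id

  # The output is the whole SG object; the instance argument needs its id.
  bastion_host_security_group_ids = [module.bastion-vpc.vpc_bastion_host_security_group.id]

  instance_type       = var.instance_type
  bastion_host_policy = var.bastion_host_policy
}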
In the EC2 module (labelled stages/01-bastion-ec2/main.tf above, but it references data.aws_ami and the instance profile that live in modules/bastion-ec2/data.tf and iam.tf, so it is presumably modules/bastion-ec2/main.tf):
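# SSM-managed bastion: no public IP and no SSH ingress; operators connect via
# Session Manager through the interface endpoints created in bastion-vpc.
resource "aws_instance" "bastion_host_ec2_instance" {
  ami           = data.aws_ami.amazon-linux-2.id
  instance_type = var.instance_type

  # NOTE(review): the module call passes `subnet_id`, but this resource reads
  # var.vpc_private_subnets[0]; variables.tf and the caller need to agree on
  # one of the two.
  subnet_id = var.vpc_private_subnets[0]

  # Was "" (a string), which is not valid for a list-of-ids argument and
  # would also leave the instance in the VPC default SG. The module call
  # supplies bastion_host_security_group_ids.
  vpc_security_group_ids = var.bastion_host_security_group_ids

  iam_instance_profile = aws_iam_instance_profile.bastion-host-instance-profile.name

  # A bastion in a private subnet never needs a public address; make that
  # explicit rather than inheriting the subnet's auto-assign setting.
  associate_public_ip_address = false

  # Require IMDSv2 so the instance-profile credentials cannot be read with a
  # plain unauthenticated GET (e.g. via SSRF or an unprivileged local process).
  # Amazon Linux 2 and the SSM agent support IMDSv2.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Guard against accidental termination via the API/console.
  disable_api_termination = true

  # Detailed (1-minute) CloudWatch monitoring is off; basic metrics remain.
  monitoring = false

  root_block_device {
    encrypted = true
  }
}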
When I add the module call below to stage 01, Terraform asks me to define all of the module's other variables, but I only want its private subnet ids (and the security group):
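# Syntax fixed: the module label and the source path must be quoted strings.
#
# This is, however, the wrong approach for a separate stage: a module call
# instantiates the module again, so Terraform requires every variable that
# has no default (hence the "looking for other variables" errors) and would
# create a second copy of the endpoints and security group. To reuse stage
# 00's subnet ids and SG, read its outputs via `data "terraform_remote_state"`
# or pass them into stage 01 as variables instead of declaring this block.
module "vpc" {
  source = "../../modules/bastion-vpc"
}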
Could someone please help me?
Regards,
Krishna Mohan