Resource: awsNetworkmanagerCoreNetwork
Provides a core network resource.
~> NOTE on Core Networks and Policy Attachments: For a given core network, this resource's policyDocument argument is incompatible with using the awsNetworkmanagerCoreNetworkPolicyAttachment resource. When using this resource's policyDocument argument and the awsNetworkmanagerCoreNetworkPolicyAttachment resource, both will attempt to manage the core network's policy document and Terraform will show a permanent difference.
Example Usage
Basic
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(this, "example", {
  globalNetworkId: "${aws_networkmanager_global_network.example.id}",
});
With description
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(this, "example", {
  description: "example",
  globalNetworkId: "${aws_networkmanager_global_network.example.id}",
});
With tags
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(this, "example", {
  globalNetworkId: "${aws_networkmanager_global_network.example.id}",
  tags: {
    hello: "world",
  },
});
With VPC Attachment (Single Region)
The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the createBasePolicy argument to true if your core network does not currently have any live policies (e.g. this is the first terraform apply with the core network resource), since a live policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a live policy, you may exclude the createBasePolicy argument.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsNetworkmanagerGlobalNetworkExample =
  new aws.networkmanagerGlobalNetwork.NetworkmanagerGlobalNetwork(
    this,
    "example",
    {}
  );
const awsNetworkmanagerCoreNetworkExample =
  new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(
    this,
    "example_1",
    {
      createBasePolicy: true,
      globalNetworkId: awsNetworkmanagerGlobalNetworkExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkExample.overrideLogicalId("example");
const awsNetworkmanagerVpcAttachmentExample =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_2",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      subnetArns: "${aws_subnet.example[*].arn}",
      vpcArn: "${aws_vpc.example.arn}",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerVpcAttachmentExample.overrideLogicalId("example");
const dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample =
  new aws.dataAwsNetworkmanagerCoreNetworkPolicyDocument.DataAwsNetworkmanagerCoreNetworkPolicyDocument(
    this,
    "example_3",
    {
      coreNetworkConfiguration: [
        {
          asnRanges: ["65022-65534"],
          edgeLocations: [
            {
              location: "us-west-2",
            },
          ],
        },
      ],
      segmentActions: [
        {
          action: "create-route",
          destinationCidrBlocks: ["0.0.0.0/0"],
          destinations: [awsNetworkmanagerVpcAttachmentExample.id],
          segment: "segment",
        },
      ],
      segments: [
        {
          name: "segment",
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.overrideLogicalId(
  "example"
);
const awsNetworkmanagerCoreNetworkPolicyAttachmentExample =
  new aws.networkmanagerCoreNetworkPolicyAttachment.NetworkmanagerCoreNetworkPolicyAttachment(
    this,
    "example_4",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      policyDocument:
        dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.json,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkPolicyAttachmentExample.overrideLogicalId(
  "example"
);
With VPC Attachment (Multi-Region)
The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the createBasePolicy argument of the awsNetworkmanagerCoreNetwork resource to true if your core network does not currently have any live policies (e.g. this is the first terraform apply with the core network resource), since a live policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a live policy, you may exclude the createBasePolicy argument. For multi-region in a core network that does not yet have a live policy, pass a list of regions to the awsNetworkmanagerCoreNetwork basePolicyRegions argument. In the example below, us-west-2 and us-east-1 are specified in the base policy.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsNetworkmanagerGlobalNetworkExample =
  new aws.networkmanagerGlobalNetwork.NetworkmanagerGlobalNetwork(
    this,
    "example",
    {}
  );
const awsNetworkmanagerCoreNetworkExample =
  new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(
    this,
    "example_1",
    {
      basePolicyRegions: ["us-west-2", "us-east-1"],
      createBasePolicy: true,
      globalNetworkId: awsNetworkmanagerGlobalNetworkExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkExample.overrideLogicalId("example");
const awsNetworkmanagerVpcAttachmentExampleUsEast1 =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_us_east_1",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      provider: "alternate",
      subnetArns: "${aws_subnet.example_us_east_1[*].arn}",
      vpcArn: "${aws_vpc.example_us_east_1.arn}",
    }
  );
const awsNetworkmanagerVpcAttachmentExampleUsWest2 =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_us_west_2",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      subnetArns: "${aws_subnet.example_us_west_2[*].arn}",
      vpcArn: "${aws_vpc.example_us_west_2.arn}",
    }
  );
const dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample =
  new aws.dataAwsNetworkmanagerCoreNetworkPolicyDocument.DataAwsNetworkmanagerCoreNetworkPolicyDocument(
    this,
    "example_4",
    {
      coreNetworkConfiguration: [
        {
          asnRanges: ["65022-65534"],
          edgeLocations: [
            {
              location: "us-west-2",
            },
            {
              location: "us-east-1",
            },
          ],
        },
      ],
      segmentActions: [
        {
          action: "create-route",
          destinationCidrBlocks: ["10.0.0.0/16"],
          destinations: [awsNetworkmanagerVpcAttachmentExampleUsWest2.id],
          segment: "segment",
        },
        {
          action: "create-route",
          destinationCidrBlocks: ["10.1.0.0/16"],
          destinations: [awsNetworkmanagerVpcAttachmentExampleUsEast1.id],
          segment: "segment",
        },
      ],
      segments: [
        {
          name: "segment",
        },
        {
          name: "segment2",
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.overrideLogicalId(
  "example"
);
const awsNetworkmanagerCoreNetworkPolicyAttachmentExample =
  new aws.networkmanagerCoreNetworkPolicyAttachment.NetworkmanagerCoreNetworkPolicyAttachment(
    this,
    "example_5",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      policyDocument:
        dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.json,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkPolicyAttachmentExample.overrideLogicalId(
  "example"
);
Argument Reference
The following arguments are supported:
description - (Optional) Description of the Core Network.
basePolicyRegion - (Optional, Deprecated use the basePolicyRegions argument instead) The base policy created by setting the createBasePolicy argument to true requires a region to be set in the edgeLocations, location key. If basePolicyRegion is not specified, the region used in the base policy defaults to the region specified in the provider block.
basePolicyRegions - (Optional) A list of regions to add to the base policy. The base policy created by setting the createBasePolicy argument to true requires one or more regions to be set in the edgeLocations, location key. If basePolicyRegions is not specified, the region used in the base policy defaults to the region specified in the provider block.
createBasePolicy - (Optional) Specifies whether to create a base policy when a core network is created or updated. A base policy is created and set to live to allow attachments to the core network (e.g. VPC Attachments) before applying a policy document provided using the awsNetworkmanagerCoreNetworkPolicyAttachment resource. This base policy is needed if your core network does not have any live policies (e.g. a core network resource created without the policyDocument argument) and your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Valid values are true or false. Conflicts with policyDocument. An example of this Terraform snippet can be found above for VPC Attachment in a single region and for VPC Attachment multi-region. An example base policy is shown below. This base policy is overridden with the policy that you specify in the awsNetworkmanagerCoreNetworkPolicyAttachment resource.
{
  "version": "2021.12",
  "core-network-configuration": {
    "asn-ranges": [
      "64512-65534"
    ],
    "vpn-ecmp-support": false,
    "edge-locations": [
      {
        "location": "us-east-1"
      }
    ]
  },
  "segments": [
    {
      "name": "segment",
      "description": "base-policy",
      "isolate-attachments": false,
      "require-attachment-acceptance": false
    }
  ]
}
globalNetworkId - (Required) The ID of the global network that a core network will be a part of.
policyDocument - (Optional, Deprecated use the awsNetworkmanagerCoreNetworkPolicyAttachment resource instead) Policy document for creating a core network. Note that updating this argument will result in the new policy document version being set as the latest and live policy document. Refer to the Core network policies documentation for more information. Conflicts with createBasePolicy.
tags - (Optional) Key-value tags for the Core Network. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
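The base policy shown under createBasePolicy sets isolate-attachments and require-attachment-acceptance to false, and the single-region example routes 0.0.0.0/0 to a VPC attachment. The TypeScript below is an added example, not part of the provider documentation: a hypothetical auditCoreNetworkPolicy helper that flags those settings in a policy document JSON before it is attached. It assumes segment-actions and destination-cidr-blocks as the policy JSON key names behind the segmentActions and destinationCidrBlocks arguments.

```typescript
// Added example (not provider code): review a core network policy document.
interface Segment {
  name: string;
  "isolate-attachments"?: boolean;
  "require-attachment-acceptance"?: boolean;
}
interface SegmentAction {
  action: string;
  segment: string;
  "destination-cidr-blocks"?: string[];
}
interface CoreNetworkPolicy {
  segments: Segment[];
  "segment-actions"?: SegmentAction[];
}

// Hypothetical helper. Only explicit values are flagged; omitted keys fall
// back to service defaults, which this example does not model.
function auditCoreNetworkPolicy(policy: CoreNetworkPolicy): string[] {
  const findings: string[] = [];
  for (const seg of policy.segments) {
    if (seg["require-attachment-acceptance"] === false) {
      findings.push(`${seg.name}: attachments are accepted without approval`);
    }
    if (seg["isolate-attachments"] === false) {
      findings.push(`${seg.name}: attachments in the segment can reach each other`);
    }
  }
  for (const act of policy["segment-actions"] ?? []) {
    const cidrs = act["destination-cidr-blocks"] ?? [];
    if (act.action === "create-route" && cidrs.indexOf("0.0.0.0/0") !== -1) {
      findings.push(`${act.segment}: default route points at an attachment`);
    }
  }
  return findings;
}

// The base policy shown on this page, reduced to the fields the audit reads.
const basePolicy: CoreNetworkPolicy = {
  segments: [
    {
      name: "segment",
      "isolate-attachments": false,
      "require-attachment-acceptance": false,
    },
  ],
};

console.log(auditCoreNetworkPolicy(basePolicy));
```

Running the same function over the JSON rendered by the policy document data source before it reaches awsNetworkmanagerCoreNetworkPolicyAttachment shows whether the replacement policy keeps the permissive settings of the base policy.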
Timeouts
create - (Default 30M)
delete - (Default 30M)
update - (Default 30M)
Attributes Reference
In addition to all arguments above, the following attributes are exported:
arn - Core Network Amazon Resource Name (ARN).
createdAt - Timestamp when a core network was created.
edges - One or more blocks detailing the edges within a core network. Detailed below.
id - Core Network ID.
segments - One or more blocks detailing the segments within a core network. Detailed below.
state - Current state of a core network.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
edges
The edges configuration block supports the following arguments:
asn - ASN of a core network edge.
edgeLocation - Region where a core network edge is located.
insideCidrBlocks - Inside IP addresses used for core network edges.
segments
The segments configuration block supports the following arguments:
edgeLocations - Regions where the edges are located.
name - Name of a core network segment.
sharedSegments - Shared segments of a core network.
Import
awsNetworkmanagerCoreNetwork can be imported using the core network ID, e.g.