
Resource: awsNetworkmanagerCoreNetworkPolicyAttachment

Provides a Core Network Policy Attachment resource. This attaches a Core Network Policy to an existing Core Network and executes the resulting change set, which deploys the changes globally according to the submitted policy (i.e. it sets the policy live).

~> NOTE on Core Networks and Policy Attachments: For a given policy attachment, this resource is incompatible with using the awsNetworkmanagerCoreNetwork resource policyDocument argument. When using that argument and this resource, both will attempt to manage the core network's policy document and Terraform will show a permanent difference.

~> NOTE: Deleting this resource does not delete the policy it attached, and it does not revert the current live policy to the previous version.

Example Usage

Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsNetworkmanagerCoreNetworkExample =
  new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(this, "example", {
    globalNetworkId: "${aws_networkmanager_global_network.example.id}",
  });
const awsNetworkmanagerCoreNetworkPolicyAttachmentExample =
  new aws.networkmanagerCoreNetworkPolicyAttachment.NetworkmanagerCoreNetworkPolicyAttachment(
    this,
    "example_1",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      policyDocument:
        "${data.aws_networkmanager_core_network_policy_document.example.json}",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkPolicyAttachmentExample.overrideLogicalId(
  "example"
);

With VPC Attachment (Single Region)

The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the createBasePolicy argument of the awsNetworkmanagerCoreNetwork resource to true if your core network does not currently have any live policies (e.g. this is the first terraform apply with the core network resource), since a live policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a live policy, you may omit the createBasePolicy argument.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsNetworkmanagerGlobalNetworkExample =
  new aws.networkmanagerGlobalNetwork.NetworkmanagerGlobalNetwork(
    this,
    "example",
    {}
  );
const awsNetworkmanagerCoreNetworkExample =
  new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(
    this,
    "example_1",
    {
      createBasePolicy: true,
      globalNetworkId: awsNetworkmanagerGlobalNetworkExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkExample.overrideLogicalId("example");
const awsNetworkmanagerVpcAttachmentExample =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_2",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      subnetArns: "${aws_subnet.example[*].arn}",
      vpcArn: "${aws_vpc.example.arn}",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerVpcAttachmentExample.overrideLogicalId("example");
const dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample =
  new aws.dataAwsNetworkmanagerCoreNetworkPolicyDocument.DataAwsNetworkmanagerCoreNetworkPolicyDocument(
    this,
    "example_3",
    {
      coreNetworkConfiguration: [
        {
          asnRanges: ["65022-65534"],
          edgeLocations: [
            {
              location: "us-west-2",
            },
          ],
        },
      ],
      segmentActions: [
        {
          action: "create-route",
          destinationCidrBlocks: ["0.0.0.0/0"],
          destinations: [awsNetworkmanagerVpcAttachmentExample.id],
          segment: "segment",
        },
      ],
      segments: [
        {
          name: "segment",
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.overrideLogicalId(
  "example"
);
const awsNetworkmanagerCoreNetworkPolicyAttachmentExample =
  new aws.networkmanagerCoreNetworkPolicyAttachment.NetworkmanagerCoreNetworkPolicyAttachment(
    this,
    "example_4",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      policyDocument:
        dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.json,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkPolicyAttachmentExample.overrideLogicalId(
  "example"
);

With VPC Attachment (Multi-Region)

The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the createBasePolicy argument of the awsNetworkmanagerCoreNetwork resource to true if your core network does not currently have any live policies (e.g. this is the first terraform apply with the core network resource), since a live policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a live policy, you may omit the createBasePolicy argument. For a multi-region core network that does not yet have a live policy, pass a list of regions to the awsNetworkmanagerCoreNetwork basePolicyRegions argument. In the example below, us-west-2 and us-east-1 are specified in the base policy.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsNetworkmanagerGlobalNetworkExample =
  new aws.networkmanagerGlobalNetwork.NetworkmanagerGlobalNetwork(
    this,
    "example",
    {}
  );
const awsNetworkmanagerCoreNetworkExample =
  new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(
    this,
    "example_1",
    {
      basePolicyRegions: ["us-west-2", "us-east-1"],
      createBasePolicy: true,
      globalNetworkId: awsNetworkmanagerGlobalNetworkExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkExample.overrideLogicalId("example");
const awsNetworkmanagerVpcAttachmentExampleUsEast1 =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_us_east_1",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      provider: "alternate",
      subnetArns: "${aws_subnet.example_us_east_1[*].arn}",
      vpcArn: "${aws_vpc.example_us_east_1.arn}",
    }
  );
const awsNetworkmanagerVpcAttachmentExampleUsWest2 =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_us_west_2",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      subnetArns: "${aws_subnet.example_us_west_2[*].arn}",
      vpcArn: "${aws_vpc.example_us_west_2.arn}",
    }
  );
const dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample =
  new aws.dataAwsNetworkmanagerCoreNetworkPolicyDocument.DataAwsNetworkmanagerCoreNetworkPolicyDocument(
    this,
    "example_4",
    {
      coreNetworkConfiguration: [
        {
          asnRanges: ["65022-65534"],
          edgeLocations: [
            {
              location: "us-west-2",
            },
            {
              location: "us-east-1",
            },
          ],
        },
      ],
      segmentActions: [
        {
          action: "create-route",
          destinationCidrBlocks: ["10.0.0.0/16"],
          destinations: [awsNetworkmanagerVpcAttachmentExampleUsWest2.id],
          segment: "segment",
        },
        {
          action: "create-route",
          destinationCidrBlocks: ["10.1.0.0/16"],
          destinations: [awsNetworkmanagerVpcAttachmentExampleUsEast1.id],
          segment: "segment",
        },
      ],
      segments: [
        {
          name: "segment",
        },
        {
          name: "segment2",
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.overrideLogicalId(
  "example"
);
const awsNetworkmanagerCoreNetworkPolicyAttachmentExample =
  new aws.networkmanagerCoreNetworkPolicyAttachment.NetworkmanagerCoreNetworkPolicyAttachment(
    this,
    "example_5",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      policyDocument:
        dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.json,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkPolicyAttachmentExample.overrideLogicalId(
  "example"
);
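Because a policy attachment makes the submitted document live globally, it is worth linting the rendered JSON before apply. The following is an added example, not code from the provider docs or the AWS provider: a TypeScript check over the JSON that the policy document data source renders into policyDocument, covering both the single-region and multi-region scenarios above. It assumes the policy document's JSON key names (version, core-network-configuration, segments, segment-actions) and uses a constructed sample with placeholder attachment IDs.

```typescript
// Added example (not from the provider docs): pre-apply lint over the rendered
// core network policy JSON. Key names are assumed to follow the core network
// policy document format; the checks themselves are this example's own.
type Policy = {
  version: string;
  "core-network-configuration": {
    "asn-ranges": string[];
    "edge-locations": { location: string }[];
  };
  segments: { name: string }[];
  "segment-actions"?: { action: string; segment?: string; "destination-cidr-blocks"?: string[]; destinations?: string[] }[];
};

// basePolicyRegions is undefined when the core network already has a live
// policy and createBasePolicy is not used.
function lintCoreNetworkPolicy(doc: Policy, basePolicyRegions?: string[]): string[] {
  const findings: string[] = [];
  const segments = new Set(doc.segments.map((s) => s.name));
  const edges = doc["core-network-configuration"]["edge-locations"].map((e) => e.location);
  // The base policy only creates edges in basePolicyRegions, and a VPC
  // attachment can only be created in a region that already has an edge.
  for (const region of edges) {
    if (basePolicyRegions && basePolicyRegions.indexOf(region) === -1) {
      findings.push(`edge location ${region} is missing from basePolicyRegions`);
    }
  }
  (doc["segment-actions"] || []).forEach((a, i) => {
    if (a.segment && !segments.has(a.segment)) {
      findings.push(`segment-actions[${i}] references undefined segment "${a.segment}"`);
    }
    // A default route sends all of a segment's traffic to one attachment; flag it for review.
    const cidrs = a["destination-cidr-blocks"] || [];
    if (a.action === "create-route" && cidrs.indexOf("0.0.0.0/0") !== -1) {
      findings.push(`segment-actions[${i}] installs a 0.0.0.0/0 route; confirm this is intended`);
    }
  });
  return findings;
}

// Constructed sample mirroring the multi-region example above, with one typo in a segment name.
const samplePolicy: Policy = {
  version: "2021.12",
  "core-network-configuration": {
    "asn-ranges": ["65022-65534"],
    "edge-locations": [{ location: "us-west-2" }, { location: "us-east-1" }],
  },
  segments: [{ name: "segment" }, { name: "segment2" }],
  "segment-actions": [
    { action: "create-route", segment: "segment", "destination-cidr-blocks": ["10.0.0.0/16"], destinations: ["attachment-PLACEHOLDER-west"] },
    { action: "create-route", segment: "segmnet", "destination-cidr-blocks": ["10.1.0.0/16"], destinations: ["attachment-PLACEHOLDER-east"] },
  ],
};
```

Run the lint against the output of the data source (for example by reading the rendered JSON from a plan) and fail the pipeline on any finding before the attachment resource is applied.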

Argument Reference

The following arguments are supported:

  • coreNetworkId - (Required) The ID of the core network that a policy will be attached to and made live.
  • policyDocument - (Required) Policy document for creating a core network. Note that updating this argument will result in the new policy document version being set as the latest and live policy document. Refer to the Core network policies documentation for more information.

Timeouts

Configuration options:

  • update - (Default 30M). If this is the first time attaching a policy to a core network then this timeout value is also used as the create timeout value.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • state - Current state of a core network.

Import

awsNetworkmanagerCoreNetworkPolicyAttachment can be imported using the core network ID, e.g.

$ terraform import aws_networkmanager_core_network_policy_attachment.example core-network-0d47f6t230mz46dy4