# Resource: awsNetworkmanagerCoreNetworkPolicyAttachment

Provides a Core Network Policy Attachment resource. This attaches a Core Network Policy to an existing Core Network and executes the change set, which deploys the submitted policy globally (sets the policy to `LIVE`).

~> **NOTE on Core Networks and Policy Attachments:** For a given policy attachment, this resource is incompatible with using the `awsNetworkmanagerCoreNetwork` resource `policyDocument` argument. When that argument and this resource are used together, both will attempt to manage the core network's policy document and Terraform will show a permanent difference.

~> **NOTE:** Deleting this resource will not delete the policy currently defined in this resource, nor will it revert the current `LIVE` policy to the previous version.

## Example Usage

### Basic
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// These statements belong inside a cdktf Stack constructor, where `this` is the stack.
const awsNetworkmanagerCoreNetworkExample =
  new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(this, "example", {
    // HCL reference to a global network defined elsewhere in the configuration
    globalNetworkId: "${aws_networkmanager_global_network.example.id}",
  });
const awsNetworkmanagerCoreNetworkPolicyAttachmentExample =
  new aws.networkmanagerCoreNetworkPolicyAttachment.NetworkmanagerCoreNetworkPolicyAttachment(
    this,
    "example_1",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      // Rendered JSON from the core network policy document data source
      policyDocument:
        "${data.aws_networkmanager_core_network_policy_document.example.json}",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkPolicyAttachmentExample.overrideLogicalId(
  "example"
);
```
### With VPC Attachment (Single Region)

The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the `createBasePolicy` argument of the `awsNetworkmanagerCoreNetwork` resource to `true` if your core network does not currently have any `LIVE` policies (e.g. this is the first `terraform apply` with the core network resource), since a `LIVE` policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a `LIVE` policy, you may omit the `createBasePolicy` argument.
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// These statements belong inside a cdktf Stack constructor, where `this` is the stack.
const awsNetworkmanagerGlobalNetworkExample =
  new aws.networkmanagerGlobalNetwork.NetworkmanagerGlobalNetwork(
    this,
    "example",
    {}
  );
const awsNetworkmanagerCoreNetworkExample =
  new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(
    this,
    "example_1",
    {
      // A base policy gives the core network a LIVE policy so VPCs can attach first
      createBasePolicy: true,
      globalNetworkId: awsNetworkmanagerGlobalNetworkExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkExample.overrideLogicalId("example");
const awsNetworkmanagerVpcAttachmentExample =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_2",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      // HCL references to subnets and a VPC defined elsewhere in the configuration
      subnetArns: "${aws_subnet.example[*].arn}",
      vpcArn: "${aws_vpc.example.arn}",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerVpcAttachmentExample.overrideLogicalId("example");
const dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample =
  new aws.dataAwsNetworkmanagerCoreNetworkPolicyDocument.DataAwsNetworkmanagerCoreNetworkPolicyDocument(
    this,
    "example_3",
    {
      coreNetworkConfiguration: [
        {
          asnRanges: ["65022-65534"],
          edgeLocations: [
            {
              location: "us-west-2",
            },
          ],
        },
      ],
      segmentActions: [
        {
          // Static default route whose destination is the VPC attachment created above
          action: "create-route",
          destinationCidrBlocks: ["0.0.0.0/0"],
          destinations: [awsNetworkmanagerVpcAttachmentExample.id],
          segment: "segment",
        },
      ],
      segments: [
        {
          name: "segment",
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.overrideLogicalId(
  "example"
);
const awsNetworkmanagerCoreNetworkPolicyAttachmentExample =
  new aws.networkmanagerCoreNetworkPolicyAttachment.NetworkmanagerCoreNetworkPolicyAttachment(
    this,
    "example_4",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      policyDocument:
        dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.json,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkPolicyAttachmentExample.overrideLogicalId(
  "example"
);
```
### With VPC Attachment (Multi-Region)

The example below illustrates the scenario where your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Set the `createBasePolicy` argument of the `awsNetworkmanagerCoreNetwork` resource to `true` if your core network does not currently have any `LIVE` policies (e.g. this is the first `terraform apply` with the core network resource), since a `LIVE` policy is required before VPCs can be attached to the core network. Otherwise, if your core network already has a `LIVE` policy, you may omit the `createBasePolicy` argument. For multi-region in a core network that does not yet have a `LIVE` policy, pass a list of regions to the `awsNetworkmanagerCoreNetwork` `basePolicyRegions` argument. In the example below, `us-west-2` and `us-east-1` are specified in the base policy.
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// These statements belong inside a cdktf Stack constructor, where `this` is the stack.
const awsNetworkmanagerGlobalNetworkExample =
  new aws.networkmanagerGlobalNetwork.NetworkmanagerGlobalNetwork(
    this,
    "example",
    {}
  );
const awsNetworkmanagerCoreNetworkExample =
  new aws.networkmanagerCoreNetwork.NetworkmanagerCoreNetwork(
    this,
    "example_1",
    {
      // Base policy must list every region a VPC will attach from
      basePolicyRegions: ["us-west-2", "us-east-1"],
      createBasePolicy: true,
      globalNetworkId: awsNetworkmanagerGlobalNetworkExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkExample.overrideLogicalId("example");
const awsNetworkmanagerVpcAttachmentExampleUsEast1 =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_us_east_1",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      // Provider alias for the second region (us-east-1)
      provider: "alternate",
      // HCL references to subnets and a VPC defined elsewhere in the configuration
      subnetArns: "${aws_subnet.example_us_east_1[*].arn}",
      vpcArn: "${aws_vpc.example_us_east_1.arn}",
    }
  );
const awsNetworkmanagerVpcAttachmentExampleUsWest2 =
  new aws.networkmanagerVpcAttachment.NetworkmanagerVpcAttachment(
    this,
    "example_us_west_2",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      subnetArns: "${aws_subnet.example_us_west_2[*].arn}",
      vpcArn: "${aws_vpc.example_us_west_2.arn}",
    }
  );
const dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample =
  new aws.dataAwsNetworkmanagerCoreNetworkPolicyDocument.DataAwsNetworkmanagerCoreNetworkPolicyDocument(
    this,
    "example_4",
    {
      coreNetworkConfiguration: [
        {
          asnRanges: ["65022-65534"],
          edgeLocations: [
            {
              location: "us-west-2",
            },
            {
              location: "us-east-1",
            },
          ],
        },
      ],
      segmentActions: [
        {
          // One static route per regional VPC attachment
          action: "create-route",
          destinationCidrBlocks: ["10.0.0.0/16"],
          destinations: [awsNetworkmanagerVpcAttachmentExampleUsWest2.id],
          segment: "segment",
        },
        {
          action: "create-route",
          destinationCidrBlocks: ["10.1.0.0/16"],
          destinations: [awsNetworkmanagerVpcAttachmentExampleUsEast1.id],
          segment: "segment",
        },
      ],
      segments: [
        {
          name: "segment",
        },
        {
          name: "segment2",
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.overrideLogicalId(
  "example"
);
const awsNetworkmanagerCoreNetworkPolicyAttachmentExample =
  new aws.networkmanagerCoreNetworkPolicyAttachment.NetworkmanagerCoreNetworkPolicyAttachment(
    this,
    "example_5",
    {
      coreNetworkId: awsNetworkmanagerCoreNetworkExample.id,
      policyDocument:
        dataAwsNetworkmanagerCoreNetworkPolicyDocumentExample.json,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsNetworkmanagerCoreNetworkPolicyAttachmentExample.overrideLogicalId(
  "example"
);
```
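Because attaching a policy executes the change set globally and destroying the attachment does not roll the `LIVE` policy back, it is worth linting the rendered policy document before `cdktf deploy`. The block below is an added example, not code from the provider documentation or the AWS provider: a stand-alone TypeScript check that catches the mistakes the single-region and multi-region examples above are exposed to, namely a `create-route` action pointing at an attachment ID the configuration does not create, an action referencing an undefined segment, and a default route (`0.0.0.0/0`) that deserves explicit review. The JSON key names follow the format the policy document data source renders; the sample policy, the placeholder attachment IDs and the lint rules themselves are constructed here for illustration.

```typescript
// Added example (not from the provider docs or the AWS provider): a pre-apply
// lint for a rendered Cloud WAN core network policy document. Key names follow
// the rendered policy format; the sample policy, attachment IDs and the rules
// are constructed for illustration.

export interface SegmentAction {
  action: string;
  segment: string;
  "destination-cidr-blocks"?: string[];
  destinations?: string[];
}

export interface CorePolicy {
  version: string;
  "core-network-configuration": {
    "asn-ranges": string[];
    "edge-locations": { location: string }[];
  };
  segments: { name: string }[];
  "segment-actions"?: SegmentAction[];
}

export interface Finding {
  level: "error" | "warn";
  message: string;
}

// Checks the document against the attachment IDs this configuration actually
// creates, so a stale or mistyped ID is caught before the change set is executed.
export function lintCorePolicy(
  policy: CorePolicy,
  knownAttachmentIds: ReadonlySet<string>,
): Finding[] {
  const findings: Finding[] = [];

  // Segment names must be unique; every action must reference one of them.
  const segmentNames = new Set<string>();
  for (const segment of policy.segments) {
    if (segmentNames.has(segment.name)) {
      findings.push({ level: "error", message: `duplicate segment "${segment.name}"` });
    }
    segmentNames.add(segment.name);
  }

  if (policy["core-network-configuration"]["edge-locations"].length === 0) {
    findings.push({ level: "error", message: "no edge locations defined; a policy needs at least one region" });
  }

  (policy["segment-actions"] ?? []).forEach((action, index) => {
    if (!segmentNames.has(action.segment)) {
      findings.push({ level: "error", message: `segment-action ${index} references undefined segment "${action.segment}"` });
    }
    if (action.action !== "create-route") return;
    for (const destination of action.destinations ?? []) {
      if (!knownAttachmentIds.has(destination)) {
        findings.push({ level: "error", message: `segment-action ${index} routes to unknown attachment "${destination}"` });
      }
    }
    for (const cidr of action["destination-cidr-blocks"] ?? []) {
      if (cidr === "0.0.0.0/0" || cidr === "::/0") {
        findings.push({ level: "warn", message: `segment-action ${index} installs a default route (${cidr}) in segment "${action.segment}"; confirm this is intended` });
      }
    }
  });

  return findings;
}

// Constructed sample: mirrors the multi-region example, plus the single-region
// example's default route and one deliberate mistake (a route to an attachment
// ID the stack does not create). IDs are placeholders, not real attachments.
export const sampleAttachmentIds: ReadonlySet<string> = new Set([
  "attachment-00000000000000aaa", // placeholder: us-west-2 VPC attachment
  "attachment-00000000000000bbb", // placeholder: us-east-1 VPC attachment
]);

export const samplePolicy: CorePolicy = {
  version: "2021.12",
  "core-network-configuration": {
    "asn-ranges": ["65022-65534"],
    "edge-locations": [{ location: "us-west-2" }, { location: "us-east-1" }],
  },
  segments: [{ name: "segment" }, { name: "segment2" }],
  "segment-actions": [
    { action: "create-route", segment: "segment", "destination-cidr-blocks": ["10.0.0.0/16"], destinations: ["attachment-00000000000000aaa"] },
    { action: "create-route", segment: "segment", "destination-cidr-blocks": ["10.1.0.0/16"], destinations: ["attachment-00000000000000ccc"] }, // mistyped ID
    { action: "create-route", segment: "segment", "destination-cidr-blocks": ["0.0.0.0/0"], destinations: ["attachment-00000000000000bbb"] },
  ],
};

export function lintSample(): Finding[] {
  return lintCorePolicy(samplePolicy, sampleAttachmentIds);
}

// Run directly: prints one line per finding; a CI step can gate on any "error".
for (const f of lintSample()) console.log(`${f.level.toUpperCase()}: ${f.message}`);
```

In a real stack the `knownAttachmentIds` set would be built from the `id` attributes of the `NetworkmanagerVpcAttachment` constructs, and the document from the data source's `json` output after synthesis; the rules are deliberately conservative and flag only what the rendered document itself can show.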
## Argument Reference

The following arguments are supported:

* `coreNetworkId` - (Required) The ID of the core network that a policy will be attached to and made `LIVE`.
* `policyDocument` - (Required) Policy document for creating a core network. Note that updating this argument will result in the new policy document version being set as the `LATEST` and `LIVE` policy document. Refer to the Core network policies documentation for more information.

### Timeouts

* `update` - (Default `30m`). If this is the first time attaching a policy to a core network, this timeout value is also used as the `create` timeout value.

## Attributes Reference

In addition to all arguments above, the following attributes are exported:

* `state` - Current state of a core network.

## Import

`awsNetworkmanagerCoreNetworkPolicyAttachment` can be imported using the core network ID, e.g.