HCCP-138 breaking changes for Peering and TGW attachment

docs/data-sources/aws_network_peering.md

@@ -38,7 +38,6 @@ data "hcp_aws_network_peering" "test" {
 - **expires_at** (String) The time after which the network peering will be considered expired if it hasn't transitioned into `ACCEPTED` or `ACTIVE` state.
 - **organization_id** (String) The ID of the HCP organization where the network peering is located. Always matches the HVN's organization.
 - **peer_account_id** (String) The account ID of the peer VPC in AWS.
-- **peer_vpc_cidr_block** (String) The CIDR range of the peer VPC in AWS.
 - **peer_vpc_id** (String) The ID of the peer VPC in AWS.
 - **peer_vpc_region** (String) The region of the peer VPC in AWS.
 - **project_id** (String) The ID of the HCP project where the network peering is located. Always matches the HVN's project.

docs/data-sources/aws_transit_gateway_attachment.md

@@ -37,7 +37,6 @@ data "hcp_aws_transit_gateway_attachment" "test" {
 ### Read-Only
 
 - **created_at** (String) The time that the transit gateway attachment was created.
-- **destination_cidrs** (List of String) The list of associated CIDR ranges. Traffic from these CIDRs will be allowed for all resources in the HVN. Traffic to these CIDRs will be routed into this transit gateway attachment.
 - **expires_at** (String) The time after which the transit gateway attachment will be considered expired if it hasn't transitioned into `ACCEPTED` or `ACTIVE` state.
 - **organization_id** (String) The ID of the HCP organization where the transit gateway attachment is located. Always matches the HVN's organization.
 - **project_id** (String) The ID of the HCP project where the transit gateway attachment is located. Always matches the HVN's project.

docs/guides/peering.md

@@ -41,12 +41,19 @@ resource "aws_vpc" "peer" {
 
 // Create an HCP network peering to peer your HVN with your AWS VPC.
 resource "hcp_aws_network_peering" "example" {
-  peering_id          = var.peer_id
-  hvn_id              = hcp_hvn.example.hvn_id
-  peer_vpc_id         = aws_vpc.peer.id
-  peer_account_id     = aws_vpc.peer.owner_id
-  peer_vpc_region     = var.region
-  peer_vpc_cidr_block = aws_vpc.peer.cidr_block
+  peering_id      = var.peer_id
+  hvn_id          = hcp_hvn.example.hvn_id
+  peer_vpc_id     = aws_vpc.peer.id
+  peer_account_id = aws_vpc.peer.owner_id
+  peer_vpc_region = var.region
+}
+
+// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block
+resource "hcp_hvn_route" "example" {
+  hvn_link         = hcp_hvn.hvn.self_link
+  hvn_route_id     = var.route_id
+  destination_cidr = aws_vpc.peer.cidr_block
+  target_link      = hcp_aws_network_peering.example.self_link
 }
 
 // Accept the VPC peering within your AWS account.

docs/index.md

@@ -73,12 +73,20 @@ resource "aws_vpc_peering_connection_accepter" "main" {
 }
 
 // Create a network peering between the HVN and the AWS VPC
-resource "hcp_aws_network_peering" "example_peering" {
-  hvn_id              = hcp_hvn.example_hvn.hvn_id
-  peer_vpc_id         = aws_vpc.main.id
-  peer_account_id     = aws_vpc.main.owner_id
-  peer_vpc_region     = data.aws_arn.main.region
-  peer_vpc_cidr_block = aws_vpc.main.cidr_block
+resource "hcp_aws_network_peering" "example" {
+  hvn_id          = hcp_hvn.example_hvn.hvn_id
+  peering_id      = "hcp-tf-example-peering"
+  peer_vpc_id     = aws_vpc.main.id
+  peer_account_id = aws_vpc.main.owner_id
+  peer_vpc_region = data.aws_arn.main.region
+}
+
+// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block
+resource "hcp_hvn_route" "example" {
+  hvn_link         = hcp_hvn.hvn.self_link
+  hvn_route_id     = "hcp-tf-example-hvn-route"
+  destination_cidr = aws_vpc.main.cidr_block
+  target_link      = hcp_aws_network_peering.example.self_link
 }
 
 // Create a Consul cluster in the same region and cloud provider as the HVN

docs/resources/aws_network_peering.md

@@ -32,16 +32,23 @@ data "aws_arn" "peer" {
   arn = aws_vpc.peer.arn
 }
 
-resource "hcp_aws_network_peering" "peer" {
-  hvn_id              = hcp_hvn.main.hvn_id
-  peer_vpc_id         = aws_vpc.peer.id
-  peer_account_id     = aws_vpc.peer.owner_id
-  peer_vpc_region     = data.aws_arn.peer.region
-  peer_vpc_cidr_block = aws_vpc.peer.cidr_block
+resource "hcp_aws_network_peering" "dev" {
+  hvn_id          = hcp_hvn.main.hvn_id
+  peering_id      = "dev"
+  peer_vpc_id     = aws_vpc.peer.id
+  peer_account_id = aws_vpc.peer.owner_id
+  peer_vpc_region = data.aws_arn.peer.region
+}
+
+resource "hcp_hvn_route" "main-to-dev" {
+  hvn_link         = hcp_hvn.main.self_link
+  hvn_route_id     = "main-to-dev"
+  destination_cidr = "172.31.0.0/16"
+  target_link      = hcp_aws_network_peering.dev.self_link
 }
 
 resource "aws_vpc_peering_connection_accepter" "peer" {
-  vpc_peering_connection_id = hcp_aws_network_peering.peer.provider_peering_id
+  vpc_peering_connection_id = hcp_aws_network_peering.dev.provider_peering_id
   auto_accept               = true
 }
 ```
@@ -53,14 +60,13 @@ resource "aws_vpc_peering_connection_accepter" "peer" {
 
 - **hvn_id** (String) The ID of the HashiCorp Virtual Network (HVN).
 - **peer_account_id** (String) The account ID of the peer VPC in AWS.
-- **peer_vpc_cidr_block** (String) The CIDR range of the peer VPC in AWS.
 - **peer_vpc_id** (String) The ID of the peer VPC in AWS.
 - **peer_vpc_region** (String) The region of the peer VPC in AWS.
+- **peering_id** (String) The ID of the network peering.
 
 ### Optional
 
 - **id** (String) The ID of this resource.
-- **peering_id** (String) The ID of the network peering.
 - **timeouts** (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
 
 ### Read-Only

docs/resources/aws_transit_gateway_attachment.md

@@ -60,7 +60,13 @@ resource "hcp_aws_transit_gateway_attachment" "example" {
   transit_gateway_attachment_id = "example-tgw-attachment"
   transit_gateway_id            = aws_ec2_transit_gateway.example.id
   resource_share_arn            = aws_ram_resource_share.example.arn
-  destination_cidrs             = [aws_vpc.example.cidr_block]
+}
+
+resource "hcp_hvn_route" "route" {
+  hvn_link         = hcp_hvn.main.self_link
+  hvn_route_id     = "hvn-to-tgw-attachment"
+  destination_cidr = aws_vpc.example.cidr_block
+  target_link      = hcp_aws_transit_gateway_attachment.example.self_link
 }
 
 resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "example" {
@@ -75,7 +81,6 @@ resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "example" {
 
 ### Required
 
-- **destination_cidrs** (List of String) The list of associated CIDR ranges. Traffic from these CIDRs will be allowed for all resources in the HVN. Traffic to these CIDRs will be routed into this transit gateway attachment.
 - **hvn_id** (String) The ID of the HashiCorp Virtual Network (HVN).
 - **resource_share_arn** (String, Sensitive) The Amazon Resource Name (ARN) of the Resource Share that is needed to grant HCP access to the transit gateway in AWS. The Resource Share should be associated with the HCP AWS account principal (see [aws_ram_principal_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association)) and the transit gateway resource (see [aws_ram_resource_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association))
 - **transit_gateway_attachment_id** (String) The user-settable name of the transit gateway attachment in HCP.

examples/guides/peering/main.tf

@@ -23,12 +23,19 @@ resource "aws_vpc" "peer" {
 
 // Create an HCP network peering to peer your HVN with your AWS VPC.
 resource "hcp_aws_network_peering" "example" {
-  peering_id          = var.peer_id
-  hvn_id              = hcp_hvn.example.hvn_id
-  peer_vpc_id         = aws_vpc.peer.id
-  peer_account_id     = aws_vpc.peer.owner_id
-  peer_vpc_region     = var.region
-  peer_vpc_cidr_block = aws_vpc.peer.cidr_block
+  peering_id      = var.peer_id
+  hvn_id          = hcp_hvn.example.hvn_id
+  peer_vpc_id     = aws_vpc.peer.id
+  peer_account_id = aws_vpc.peer.owner_id
+  peer_vpc_region = var.region
+}
+
+// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block
+resource "hcp_hvn_route" "example" {
+  hvn_link         = hcp_hvn.hvn.self_link
+  hvn_route_id     = var.route_id
+  destination_cidr = aws_vpc.peer.cidr_block
+  target_link      = hcp_aws_network_peering.example.self_link
 }
 
 // Accept the VPC peering within your AWS account.

examples/guides/peering/variables.tf

@@ -17,3 +17,8 @@ variable "peer_id" {
   description = "The ID to use for the HCP network peering."
   type        = string
 }
+
+variable "route_id" {
+  description = "The ID to use for the HCP HVN route."
+  type        = string
+}

examples/provider/provider.tf

@@ -39,12 +39,20 @@ resource "aws_vpc_peering_connection_accepter" "main" {
 }
 
 // Create a network peering between the HVN and the AWS VPC
-resource "hcp_aws_network_peering" "example_peering" {
-  hvn_id              = hcp_hvn.example_hvn.hvn_id
-  peer_vpc_id         = aws_vpc.main.id
-  peer_account_id     = aws_vpc.main.owner_id
-  peer_vpc_region     = data.aws_arn.main.region
-  peer_vpc_cidr_block = aws_vpc.main.cidr_block
+resource "hcp_aws_network_peering" "example" {
+  hvn_id          = hcp_hvn.example_hvn.hvn_id
+  peering_id      = "hcp-tf-example-peering"
+  peer_vpc_id     = aws_vpc.main.id
+  peer_account_id = aws_vpc.main.owner_id
+  peer_vpc_region = data.aws_arn.main.region
+}
+
+// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block
+resource "hcp_hvn_route" "example" {
+  hvn_link         = hcp_hvn.hvn.self_link
+  hvn_route_id     = "hcp-tf-example-hvn-route"
+  destination_cidr = aws_vpc.main.cidr_block
+  target_link      = hcp_aws_network_peering.example.self_link
 }
 
 // Create a Consul cluster in the same region and cloud provider as the HVN

examples/resources/hcp_aws_network_peering/resource.tf

@@ -17,15 +17,22 @@ data "aws_arn" "peer" {
   arn = aws_vpc.peer.arn
 }
 
-resource "hcp_aws_network_peering" "peer" {
-  hvn_id              = hcp_hvn.main.hvn_id
-  peer_vpc_id         = aws_vpc.peer.id
-  peer_account_id     = aws_vpc.peer.owner_id
-  peer_vpc_region     = data.aws_arn.peer.region
-  peer_vpc_cidr_block = aws_vpc.peer.cidr_block
+resource "hcp_aws_network_peering" "dev" {
+  hvn_id          = hcp_hvn.main.hvn_id
+  peering_id      = "dev"
+  peer_vpc_id     = aws_vpc.peer.id
+  peer_account_id = aws_vpc.peer.owner_id
+  peer_vpc_region = data.aws_arn.peer.region
+}
+
+resource "hcp_hvn_route" "main-to-dev" {
+  hvn_link         = hcp_hvn.main.self_link
+  hvn_route_id     = "main-to-dev"
+  destination_cidr = "172.31.0.0/16"
+  target_link      = hcp_aws_network_peering.dev.self_link
 }
 
 resource "aws_vpc_peering_connection_accepter" "peer" {
-  vpc_peering_connection_id = hcp_aws_network_peering.peer.provider_peering_id
+  vpc_peering_connection_id = hcp_aws_network_peering.dev.provider_peering_id
   auto_accept               = true
 }

examples/resources/hcp_aws_transit_gateway_attachment/resource.tf

@@ -44,7 +44,13 @@ resource "hcp_aws_transit_gateway_attachment" "example" {
   transit_gateway_attachment_id = "example-tgw-attachment"
   transit_gateway_id            = aws_ec2_transit_gateway.example.id
   resource_share_arn            = aws_ram_resource_share.example.arn
-  destination_cidrs             = [aws_vpc.example.cidr_block]
+}
+
+resource "hcp_hvn_route" "route" {
+  hvn_link         = hcp_hvn.main.self_link
+  hvn_route_id     = "hvn-to-tgw-attachment"
+  destination_cidr = aws_vpc.example.cidr_block
+  target_link      = hcp_aws_transit_gateway_attachment.example.self_link
 }
 
 resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "example" {

internal/provider/data_source_aws_network_peering.go

@@ -57,11 +57,6 @@ func dataSourceAwsNetworkPeering() *schema.Resource {
 				Type:        schema.TypeString,
 				Computed:    true,
 			},
-			"peer_vpc_cidr_block": {
-				Description: "The CIDR range of the peer VPC in AWS.",
-				Type:        schema.TypeString,
-				Computed:    true,
-			},
 			"provider_peering_id": {
 				Description: "The peering connection ID used by AWS.",
 				Type:        schema.TypeString,

internal/provider/data_source_aws_transit_gateway_attachment.go

@@ -55,14 +55,6 @@ func dataSourceAwsTransitGatewayAttachment() *schema.Resource {
 				Type:        schema.TypeString,
 				Computed:    true,
 			},
-			"destination_cidrs": {
-				Description: "The list of associated CIDR ranges. Traffic from these CIDRs will be allowed for all resources in the HVN. Traffic to these CIDRs will be routed into this transit gateway attachment.",
-				Type:        schema.TypeList,
-				Elem: &schema.Schema{
-					Type: schema.TypeString,
-				},
-				Computed: true,
-			},
 			"provider_transit_gateway_attachment_id": {
 				Description: "The transit gateway attachment ID used by AWS.",
 				Type:        schema.TypeString,

internal/provider/resource_aws_network_peering.go

@@ -12,7 +12,7 @@ import (
 	sharedmodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-shared/v1/models"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+
 	"github.com/hashicorp/terraform-provider-hcp/internal/clients"
 )
 
@@ -45,6 +45,13 @@ func resourceAwsNetworkPeering() *schema.Resource {
 				ForceNew:         true,
 				ValidateDiagFunc: validateSlugID,
 			},
+			"peering_id": {
+				Description:      "The ID of the network peering.",
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				ValidateDiagFunc: validateSlugID,
+			},
 			"peer_account_id": {
 				Description: "The account ID of the peer VPC in AWS.",
 				Type:        schema.TypeString,
@@ -66,22 +73,6 @@ func resourceAwsNetworkPeering() *schema.Resource {
 					return strings.ToLower(old) == strings.ToLower(new)
 				},
 			},
-			"peer_vpc_cidr_block": {
-				Description:  "The CIDR range of the peer VPC in AWS.",
-				Type:         schema.TypeString,
-				Required:     true,
-				ForceNew:     true,
-				ValidateFunc: validation.IsCIDR,
-			},
-			// Optional inputs
-			"peering_id": {
-				Description:      "The ID of the network peering.",
-				Type:             schema.TypeString,
-				Optional:         true,
-				ForceNew:         true,
-				Computed:         true,
-				ValidateDiagFunc: validateSlugID,
-			},
 			// Computed outputs
 			"organization_id": {
 				Description: "The ID of the HCP organization where the network peering is located. Always matches the HVN's organization.",
@@ -125,7 +116,6 @@ func resourceAwsNetworkPeeringCreate(ctx context.Context, d *schema.ResourceData
 	peerAccountID := d.Get("peer_account_id").(string)
 	peerVpcID := d.Get("peer_vpc_id").(string)
 	peerVpcRegion := d.Get("peer_vpc_region").(string)
-	peerVpcCidr := d.Get("peer_vpc_cidr_block").(string)
 
 	loc := &sharedmodels.HashicorpCloudLocationLocation{
 		OrganizationID: client.Config.OrganizationID,
@@ -174,7 +164,6 @@ func resourceAwsNetworkPeeringCreate(ctx context.Context, d *schema.ResourceData
 					AccountID: peerAccountID,
 					VpcID:     peerVpcID,
 					Region:    peerVpcRegion,
-					Cidr:      peerVpcCidr,
 				},
 			},
 		},
@@ -316,9 +305,6 @@ func setPeeringResourceData(d *schema.ResourceData, peering *networkmodels.Hashi
 	if err := d.Set("peer_vpc_region", peering.Target.AwsTarget.Region); err != nil {
 		return err
 	}
-	if err := d.Set("peer_vpc_cidr_block", peering.Target.AwsTarget.Cidr); err != nil {
-		return err
-	}
 	if err := d.Set("organization_id", peering.Hvn.Location.OrganizationID); err != nil {
 		return err
 	}