Assuming you're using a remote state backend, you can pull in the OPS network stack as a remote state data source and then make changes to its routing tables from whichever ephemeral stack you want it to be able to route to.
Will try and do a minimal example (obviously missing lots of boiler plate):
# my_ops_stack.tf
provider "aws" {
region = "eu-west-1"
}
module "ops_stack" {
source = "/my/modules/ops_stack"
cidr = "10.1.0.0/16"
// other vars probably
}
// the outputs which will be accessible
// via the remote state data source:
output "routing_table_id" {
value = "${module.ops_stack.routing_table_id}"
}
output "vpc_id" {
value = "${module.ops_stack.vpc_id}"
}
output "vpc_cidr" {
value = "10.1.0.0/16"
}
I'll now configure a remote state backend for this stack using terraform cli (this will soon be possible in config):
# Run in the same folder as my_ops_stack.tf
terraform remote config \
-backend=s3 \
-backend-config="bucket=my-state-bucket" \
-backend-config="key=ops-stack/terraform.tfstate" \
-backend-config="region=eu-west-1"
Now the state backend is configured, any changes you apply to the stack will synchronise to that backend:
terraform apply
# the usual stuff... but now synced with s3!
Now, in the template of your new ephemeral stack (dev,prod,qa,stg,uat,cte etc.):
# my_dev_stack.tf
provider "aws" {
region = "eu-west-1"
}
// Pull in your ops stack from the remote backend:
data "terraform_remote_state" "ops_stack" {
backend = "s3"
config {
bucket = "my-state-bucket"
key = "ops-stack/terraform.tfstate"
region = "eu-west-1"
}
}
// Create your dev stack
module "dev_stack" {
source = "/my/modules/dev_stack"
cidr = "10.2.0.0/16"
// The ops_stack vpc id for creating the peering connection:
ops_vpc_id = "${data.terraform_remote_state.ops_stack.vpc_id}"
// Maybe some security group rules you wanna setup
allow_access_from = "${data.terraform_remote_state.ops_stack.vpc_cidr}"
// other vars probably
}
// And use its outputs to add a route to the
// ops vpc routing table from the dev stack!
resource "aws_route" "ops_to_dev" {
route_table_id = "${data.terraform_remote_state.ops_stack.routing_table_id}"
destination_cidr_block = "10.2.0.0/16" // dev_stack's cidr
vpc_peering_connection_id = "${module.dev_stack.vpcx_id}"
}
Once you're done with the ephemeral stack, you can safely destroy it and it will even clean up its route in the ops stack.
Hope this is what you were after!