From 5842dca25c8db7221a1640e96fc4769cf5ab2c4f Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Wed, 13 Mar 2024 12:08:34 +0530
Subject: [PATCH 01/10] Add files via upload

Changes made to the files for main.tf , output.tf . variables.tf in calling module & examples.
---
 main.tf | 462 ++++++++++++++++++++-------------------------------
 outputs.tf | 99 +++++------
 providers.tf | 6 +
 variables.tf | 277 ++----------------------------
 4 files changed, 249 insertions(+), 595 deletions(-)
 create mode 100644 providers.tf

diff --git a/main.tf b/main.tf
index d926a5f..a6c799d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,320 +1,220 @@ -locals { - azs = length(var.availability_zones) - public_subnets_native = var.public_subnet_enabled ? length(var.public_subnet_cidrs) > 0 ? var.public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.public_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.intra_subnet_enabled ? length(var.intra_subnet_cidrs) > 0 ? var.intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.intra_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.private_subnet_enabled ? length(var.private_subnet_cidrs) > 0 ? var.private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.private_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) - ] - ] : [] - private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? 
[ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - single_nat_gateway = var.one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.flow_log_enabled == true || var.flow_log_cloudwatch_log_group_skip_destroy == true ? true : false - is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance - nacl_allow_vpc_access_rule = [{ - rule_no = 97 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = var.vpc_cidr - } - - ] - enable_ipv6 = var.ipv6_enabled - ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false - public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - - public_subnet_ipv6_prefixes = var.public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.intra_subnet_enabled ? 
[for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] -} -data "aws_availability_zones" "available" {} -data "aws_ec2_instance_type" "arch" { - instance_type = var.vpn_server_instance_type +resource "aws_eip" "vpn" { + domain = "vpc" + instance = module.vpn_server.id } -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.2.0" - name = format("%s-%s-vpc", var.environment, var.name) - cidr = var.vpc_cidr # CIDR FOR VPC - azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] - use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null - ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.database_subnets) > 1 && var.enable_database_subnet_group ? true : false - intra_subnets = local.intra_subnets - public_subnets = local.public_subnets - private_subnets = local.private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.flow_log_enabled - enable_nat_gateway = length(local.private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.single_nat_gateway - enable_vpn_gateway = false - enable_dns_hostnames = true - flow_log_traffic_type = "ALL" - secondary_cidr_blocks = var.secondry_cidr_enabled ? var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.one_nat_gateway_per_az - map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = "cloud-watch-logs" - manage_default_network_acl = true - default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = true - default_security_group_ingress = [] # Enforcing no rules being present in the default security group. 
- default_security_group_egress = [] - create_database_nat_gateway_route = false - create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.flow_log_enabled - create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn - enable_ipv6 = local.enable_ipv6 - public_subnet_ipv6_native = local.ipv6_only - private_subnet_ipv6_native = local.ipv6_only - database_subnet_ipv6_native = local.ipv6_only - intra_subnet_ipv6_native = local.ipv6_only - #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation - public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation - private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation - database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation - intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation - public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes - private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes - database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes - intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes +module "security_group_vpn" { + source = "terraform-aws-modules/security-group/aws" + version = "5.1.0" + create = true + name = format("%s-%s-%s", var.environment, var.name, "vpn-sg") + description = "vpn server security group" + vpc_id = var.vpc_id + ingress_with_cidr_blocks = [ + { + from_port = 443 + to_port = 443 + protocol = "tcp" + description 
= "Public HTTPS access" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 80 + to_port = 80 + protocol = "tcp" + description = "Public HTTP access" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 10150 + to_port = 10150 + protocol = "udp" + description = "VPN Server Port" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 22 + to_port = 22 + protocol = "tcp" + description = "SSH Port" + cidr_blocks = var.vpc_cidr + } + ] - # TAGS TO BE ASSOCIATED WITH EACH RESOURCE + egress_with_cidr_blocks = [ + { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = "0.0.0.0/0" + }, + ] tags = tomap( { - "Name" = format("%s-%s-vpc", var.environment, var.name) + "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-sg") "Environment" = var.environment }, ) +} - public_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-subnet" - "Subnet-group" = "public" - "kubernetes.io/role/elb" = 1 - }) - - public_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-route-table" - }) - - private_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-subnet" - "Subnet-group" = "private" - "kubernetes.io/role/internal-elb" = 1 - }) - - private_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-route-table" - }) - - database_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-subnet" - "Subnet-group" = "database" - }) - - database_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-route-table" - }) - - intra_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-subnet" - "Subnet-group" = "intra" - }) - - intra_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-route-table" - }) - - igw_tags = tomap({ - "Name" = "${var.environment}-${var.name}-igw" - }) - - nat_gateway_tags = tomap({ - "Name" = "${var.environment}-${var.name}-nat" - }) +data "aws_ami" "ubuntu_20_ami" { + owners = ["099720109477"] + 
most_recent = true - default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) - default_network_acl_tags = { - "Name" = format("%s-%s-nacl", var.environment, var.name) - "Environment" = var.environment + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"] } -} -module "vpn_server" { - count = var.vpn_server_enabled && local.is_supported_arch ? 1 : 0 - depends_on = [module.vpc] - source = "./modules/vpn" - name = var.name - vpc_id = module.vpc.vpc_id - vpc_cidr = var.vpc_cidr - environment = var.environment - vpn_key_pair = var.vpn_key_pair_name - public_subnet = module.vpc.public_subnets[0] - vpn_server_instance_type = var.vpn_server_instance_type -} - -resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - operating_regions { - region_name = var.region + filter { + name = "virtualization-type" + values = ["hvm"] } +} +data "template_file" "pritunl" { + template = file("${path.module}/scripts/pritunl-vpn.sh") } -# IPv4 -resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.create_ipam_pool ? 
1 : 0 - description = "IPv4 pool" - address_family = "ipv4" - ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.region - allocation_default_netmask_length = 16 +data "aws_region" "current" {} +module "vpn_server" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "4.1.4" + name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") + ami = data.aws_ami.ubuntu_20_ami.image_id + instance_type = var.vpn_server_instance_type + subnet_id = var.public_subnet + key_name = var.vpn_key_pair + associate_public_ip_address = true + vpc_security_group_ids = [module.security_group_vpn.security_group_id] + user_data = join("", data.template_file.pritunl[*].rendered) + iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name) + + + root_block_device = [ + { + encrypted = true + volume_type = "gp2" + volume_size = 20 + } + ] + tags = tomap( + { + "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") + "Environment" = var.environment + }, + ) } -resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { - count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr +resource "aws_iam_role" "vpn_role" { + name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceRole") + assume_role_policy = < 0 ? module.vpc.public_subnets : null -} - -output "private_subnets" { - description = "List of IDs of private subnets" - value = length(module.vpc.private_subnets) > 0 ? module.vpc.private_subnets : null -} - -output "database_subnets" { - description = "List of IDs of database subnets" - value = length(module.vpc.database_subnets) > 0 ? module.vpc.database_subnets : null -} - -output "intra_subnets" { - description = "List of IDs of Intra subnets" - value = length(module.vpc.intra_subnets) > 0 ? 
module.vpc.intra_subnets : null - -} - -output "vpn_host_public_ip" { - description = "IP Address of VPN Server" - value = var.vpn_server_enabled ? module.vpn_server[0].vpn_host_public_ip : null -} - -output "vpn_security_group" { - description = "Security Group ID of VPN Server" - value = var.vpn_server_enabled ? module.vpn_server[0].vpn_security_group : null -} - -output "vpc_ipv6_association_id" { - description = "The association ID for the IPv6 CIDR block" - value = module.vpc.vpc_ipv6_association_id -} - -output "ipv6_vpc_cidr_block" { - description = "The IPv6 CIDR block" - value = module.vpc.vpc_ipv6_cidr_block -} - -output "vpc_secondary_cidr_blocks" { - description = "List of secondary CIDR blocks of the VPC" - value = module.vpc.vpc_secondary_cidr_blocks -} +# output "aws_region" { +# description = "AWS Region in which VPC is created" +# value = local.aws_region +# } + +output "vpc_id" { + description = "The ID of the VPC" + value = module.vpc.vpc_id +} + +output "vpc_cidr_block" { + description = "AWS Region" + value = module.vpc.vpc_cidr_block +} + +output "vpc_public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc.vpc_public_subnets +} + +output "vpc_private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc.vpc_private_subnets +} + +output "database_subnets" { + description = "List of IDs of database subnets" + value = module.vpc.database_subnets +} + +output "vpc_intra_subnets" { + description = "List of IDs of Intra subnets" + value = module.vpc.vpc_intra_subnets +} + +output "vpn_host_public_ip" { + description = "IP Adress of VPN Server" + value = module.vpc.vpn_host_public_ip +} + +output "vpn_security_group" { + description = "Security Group ID of VPN Server" + value = module.vpc.vpn_security_group +} diff --git a/providers.tf b/providers.tf new file mode 100644 index 0000000..7a8138f --- /dev/null +++ b/providers.tf 
@@ -0,0 +1,6 @@
+provider "aws" {
+ region = local.aws_region
+ default_tags {
+ tags = local.additional_aws_tags
+ }
+}
diff --git a/variables.tf b/variables.tf
index ca9a7a5..ffbd1cb 100644
--- a/variables.tf
+++ b/variables.tf
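Review bot: `local.aws_region` and `local.additional_aws_tags` are read on the `region` and `tags` lines of this new file, but no `locals` block defines either name in any of the four files this patch touches — the only `locals` block in main.tf is removed by the same commit — so unless they are declared in a file outside the patch, `terraform validate` fails on providers.tf. A `provider "aws"` block with its own region also does not belong in a reusable module: a module that declares a provider cannot be called with `count` or `for_each`, and its resources cannot be cleanly removed from state when the caller drops the module. If the file is meant to stay, take the region from an input variable (the `region` variable this patch deletes from variables.tf would fit, e.g. `region = var.region`) and pass the tag map the same way; otherwise drop the file and let the root configuration own the provider and its `default_tags`.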
@@ -1,81 +1,3 @@ -variable "environment" { - description = "Specify the environment indentifier for the VPC" - type = string - default = "" -} - -variable "name" { - description = "Specify the name of the VPC" - type = string - default = "" - -} - -variable "vpc_cidr" { - description = "The CIDR block of the VPC" - default = "10.0.0.0/16" - type = string -} - -variable "availability_zones" { - description = "Number of Availability Zone to be used by VPC Subnets" - default = [] - type = list(any) -} - -variable "public_subnet_enabled" { - description = "Set true to enable public subnets" - default = false - type = bool -} - -variable "public_subnet_cidrs" { - description = "A list of public subnets CIDR to be created inside the VPC" - default = [] - type = list(any) -} - -variable "private_subnet_enabled" { - description = "Set true to enable private subnets" - default = false - type = bool -} - -variable "private_subnet_cidrs" { - description = "A list of private subnets CIDR to be created inside the VPC" - default = [] - type = list(any) -} - -variable "database_subnet_enabled" { - description = "Set true to enable database subnets" - default = false - type = bool -} - -variable "database_subnet_cidrs" { - description = "Database Tier subnet CIDRs to be created" - default = [] - type = list(any) -} - -variable "intra_subnet_enabled" { - description = "Set true to enable intra subnets" - default = false - type = bool -} - -variable "intra_subnet_cidrs" { - description = "A list of intra subnets CIDR to be created" - default = [] - type = list(any) -} - -variable "vpn_server_enabled" { - description = "Set to true if you want to deploy VPN Gateway resource and attach it to the VPC" - default = false - type = bool -} variable "vpn_server_instance_type" { description = "EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc. " 
@@ -83,201 +5,38 @@ variable "vpn_server_instance_type" { type = string } -variable "vpn_key_pair_name" { - description = "Specify the name of AWS Keypair to be used for VPN Server" +variable "environment" { + description = "Specify the environment indentifier for the VPC" default = "" type = string } -variable "default_network_acl_ingress" { - description = "List of maps of ingress rules to set on the Default Network ACL" - type = list(map(string)) - - default = [ - { - rule_no = 98 - action = "deny" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 99 - action = "deny" - from_port = 3389 - to_port = 3389 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - }, - ] -} - -variable "one_nat_gateway_per_az" { - description = "Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier" - default = false - type = bool -} - -variable "flow_log_enabled" { - description = "Whether or not to enable VPC Flow Logs" - type = bool - default = false -} - -variable "flow_log_cloudwatch_log_group_retention_in_days" { - description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs." - type = number - default = null -} - -variable "flow_log_max_aggregation_interval" { - description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds." - type = number - default = 60 -} - -variable "auto_assign_public_ip" { - description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address." 
- type = bool - default = false -} - - -variable "ipv6_enabled" { - description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block." - type = bool - default = false -} - -variable "private_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - -variable "public_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - - -variable "database_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - - -variable "intra_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - -variable "flow_log_cloudwatch_log_group_kms_key_arn" { - description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs" +variable "name" { + description = "Specify the name of the VPC" + default = "" type = string - default = null } -variable "ipv6_only" { - description = "Enable it for deploying native IPv6 network" - type = bool - default = false -} - -variable "secondary_cidr_blocks" { - description = "List of the secondary CIDR blocks which can be at most 5" - type = list(string) - default = [] -} - -variable "secondry_cidr_enabled" { - description = "Whether enable secondary CIDR with VPC" - default = false - type = bool -} - -variable "enable_database_subnet_group" { - description = "Whether create database subnet groups" - default = false - type = bool -} - -# variable "tags" { -# description = "The Tags attached with the resources" -# default = {} -# type = any -# } - -variable "ipam_pool_id" { - description = "The existing IPAM pool id if any" - default = null +variable "public_subnet" { + description = "The VPC Subnet ID to launch in" + default = "" type = string } -variable "ipam_enabled" { - description = "Whether enable IPAM managed VPC or not" - default = false - type = bool -} - -variable "create_ipam_pool" { - description = "Whether create new IPAM pool" - default = true - type = bool -} - -variable "ipv4_netmask_length" { - description = "The netmask length for IPAM managed VPC" - default = 16 - type = number -} - -variable "region" { - description = "The AWS region name" +variable "vpc_cidr" { + description = "The CIDR block of the Default VPC" + default = "10.0.0.0/16" type = string - default = null } -variable "existing_ipam_managed_cidr" { - description = "The existing IPAM pool CIDR" +variable "vpc_id" { + description = "The ID of the VPC" default = "" type = string } -variable "flow_log_cloudwatch_log_group_skip_destroy" { - 
description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state" - type = bool - default = false -} - -variable "vpc_s3_endpoint_enabled" { - description = "Set to true if you want to enable vpc S3 endpoints" - type = bool - default = false -} - -variable "vpc_ecr_endpoint_enabled" { - description = "Set to true if you want to enable vpc ecr endpoints" - type = bool - default = false -} +variable "vpn_key_pair" { + description = "Specify the name of AWS Keypair to be used for VPN Server" + default = "" + type = string +} \ No newline at end of file From 243d7a5950af6ef90e64af06550d391fb4882df2 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Thu, 14 Mar 2024 13:06:45 +0530 Subject: [PATCH 02/10] Add files via upload Made changes to main.tf & variable.tf for variables. --- main.tf | 458 +++++++++++++++++++++++++++++++-------------------- variables.tf | 335 +++++++++++++++++++++++++++++++++++-- 2 files changed, 597 insertions(+), 196 deletions(-) diff --git a/main.tf b/main.tf index a6c799d..c27bcc3 100644 --- a/main.tf +++ b/main.tf 
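Review bot: The new `vpc_id`, `public_subnet` and `vpn_key_pair` inputs are declared with `default = ""`, so a caller that forgets one of them gets a plan that passes Terraform's own checks and only fails when the AWS API rejects the empty value at apply time (or, for an empty key name, possibly launches the instance with no key pair at all). None of the three is optional for the module as written — main.tf in this patch passes them straight into the security group and the EC2 instance — so dropping the `default` line makes Terraform require them at plan time, e.g. `variable "vpc_id" { description = "The ID of the VPC" type = string }` with the same treatment for the other two. Two smaller points in the same hunk: the added `environment` description still carries the typo `indentifier` (should be `identifier`), and the file now ends without a trailing newline, as the `\ No newline at end of file` marker shows. The `vpn_server_instance_type` block whose `type = string` and `}` lines open this hunk begins in the previous hunk.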
@@ -1,220 +1,316 @@ -resource "aws_eip" "vpn" { - domain = "vpc" - instance = module.vpn_server.id +locals { + azs = length(var.vpc_availability_zones) + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) + ] + ] : [] + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? 
var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true + create_database_subnet_route_table = var.database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance + nacl_allow_vpc_access_rule = [{ + rule_no = 97 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = var.vpc_cidr + } + + ] + enable_ipv6 = var.ipv6_enabled + ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false + public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? 
[for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] +} +data "aws_availability_zones" "available" {} +data "aws_ec2_instance_type" "arch" { + instance_type = var.vpn_server_instance_type } -module "security_group_vpn" { - source = "terraform-aws-modules/security-group/aws" - version = "5.1.0" - create = true - name = format("%s-%s-%s", var.environment, var.name, "vpn-sg") - description = "vpn server security group" - vpc_id = var.vpc_id +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.2.0" + name = format("%s-%s-vpc", var.environment, var.name) + cidr = var.vpc_cidr # CIDR FOR VPC + azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] + use_ipam_pool = var.ipam_enabled ? true : false + ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null + create_database_subnet_group = length(local.database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type + secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az + map_public_ip_on_launch = var.auto_assign_public_ip + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl + default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = [] # Enforcing no rules being present in the default security group. + default_security_group_egress = [] + create_database_nat_gateway_route = var.create_database_nat_gateway_route + create_database_subnet_route_table = local.create_database_subnet_route_table + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled + create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn + enable_ipv6 = local.enable_ipv6 + public_subnet_ipv6_native = local.ipv6_only + private_subnet_ipv6_native = local.ipv6_only + database_subnet_ipv6_native = local.ipv6_only + intra_subnet_ipv6_native = local.ipv6_only + #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation + public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation + private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation + database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation + intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation + 
public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes + private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes + database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes + intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes - ingress_with_cidr_blocks = [ - { - from_port = 443 - to_port = 443 - protocol = "tcp" - description = "Public HTTPS access" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 80 - to_port = 80 - protocol = "tcp" - description = "Public HTTP access" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 10150 - to_port = 10150 - protocol = "udp" - description = "VPN Server Port" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 22 - to_port = 22 - protocol = "tcp" - description = "SSH Port" - cidr_blocks = var.vpc_cidr - } - ] - egress_with_cidr_blocks = [ - { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = "0.0.0.0/0" - }, - ] + # TAGS TO BE ASSOCIATED WITH EACH RESOURCE tags = tomap( { - "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-sg") + "Name" = format("%s-%s-vpc", var.environment, var.name) "Environment" = var.environment }, ) -} -data "aws_ami" "ubuntu_20_ami" { - owners = ["099720109477"] - most_recent = true + public_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-subnet" + "Subnet-group" = "public" + "kubernetes.io/role/elb" = 1 + }) - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"] - } + public_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-route-table" + }) - filter { - name = "virtualization-type" - values = ["hvm"] - } -} + private_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-subnet" + "Subnet-group" = "private" + "kubernetes.io/role/internal-elb" = 1 + }) + private_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-route-table" + }) -data "template_file" "pritunl" { - template = 
file("${path.module}/scripts/pritunl-vpn.sh") -} + database_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-subnet" + "Subnet-group" = "database" + }) -data "aws_region" "current" {} + database_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-route-table" + }) -module "vpn_server" { - source = "terraform-aws-modules/ec2-instance/aws" - version = "4.1.4" - name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") - ami = data.aws_ami.ubuntu_20_ami.image_id - instance_type = var.vpn_server_instance_type - subnet_id = var.public_subnet - key_name = var.vpn_key_pair - associate_public_ip_address = true - vpc_security_group_ids = [module.security_group_vpn.security_group_id] - user_data = join("", data.template_file.pritunl[*].rendered) - iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name) - - - root_block_device = [ - { - encrypted = true - volume_type = "gp2" - volume_size = 20 - } - ] + intra_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-subnet" + "Subnet-group" = "intra" + }) - tags = tomap( - { - "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") - "Environment" = var.environment - }, - ) -} + intra_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-route-table" + }) -resource "aws_iam_role" "vpn_role" { - name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceRole") - assume_role_policy = < Date: Thu, 14 Mar 2024 13:34:30 +0530 Subject: [PATCH 03/10] Add files via upload Changed aws hashicorp version from 4.23 to 5.0.0 --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index dffc488..d8e2113 100644 --- a/versions.tf +++ b/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.23" + version = ">= 5.0.0" } } } 
From bac5267f7ccf9d9dcea78acd8a6b900f0dfce71b Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:26:14 +0530 Subject: [PATCH 04/10] Add files via upload --- main.tf | 402 +++++++++++++-------------------------------------- variables.tf | 70 ++++++--- 2 files changed, 152 insertions(+), 320 deletions(-) diff --git a/main.tf b/main.tf index c27bcc3..81ff109 100644 --- a/main.tf +++ b/main.tf 
@@ -1,316 +1,112 @@ locals { - azs = length(var.vpc_availability_zones) - public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) - ] - ] : [] - vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? 
var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false - is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance - nacl_allow_vpc_access_rule = [{ - rule_no = 97 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = var.vpc_cidr - } - - ] - enable_ipv6 = var.ipv6_enabled - ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false - public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - - public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? 
[for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] -} -data "aws_availability_zones" "available" {} -data "aws_ec2_instance_type" "arch" { - instance_type = var.vpn_server_instance_type -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.2.0" - name = format("%s-%s-vpc", var.environment, var.name) - cidr = var.vpc_cidr # CIDR FOR VPC - azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] - use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null - ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.database_subnets) > 1 && var.database_subnet_group_enabled ? true : false - intra_subnets = local.vpc_intra_subnets - public_subnets = local.vpc_public_subnets - private_subnets = local.vpc_private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.vpc_flow_log_enabled - enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.vpc_single_nat_gateway - enable_vpn_gateway = var.vpn_gateway_enabled - enable_dns_hostnames = var.dns_hostnames_enabled - flow_log_traffic_type = var.vpc_flow_log_traffic_type - secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az - map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = var.vpc_flow_log_destination_type - manage_default_network_acl = var.vpc_manage_default_network_acl - default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = var.manage_vpc_default_security_group - default_security_group_ingress = [] # Enforcing no rules being present in the default security group. - default_security_group_egress = [] - create_database_nat_gateway_route = var.create_database_nat_gateway_route - create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled - create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn - enable_ipv6 = local.enable_ipv6 - public_subnet_ipv6_native = local.ipv6_only - private_subnet_ipv6_native = local.ipv6_only - database_subnet_ipv6_native = local.ipv6_only - intra_subnet_ipv6_native = local.ipv6_only - #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation - public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation - private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation - database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation - intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation - 
public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes - private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes - database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes - intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes - - - # TAGS TO BE ASSOCIATED WITH EACH RESOURCE - - tags = tomap( - { - "Name" = format("%s-%s-vpc", var.environment, var.name) - "Environment" = var.environment - }, - ) - - public_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-subnet" - "Subnet-group" = "public" - "kubernetes.io/role/elb" = 1 - }) - - public_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-route-table" - }) - - private_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-subnet" - "Subnet-group" = "private" - "kubernetes.io/role/internal-elb" = 1 - }) - - private_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-route-table" - }) - - database_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-subnet" - "Subnet-group" = "database" - }) - - database_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-route-table" - }) - - intra_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-subnet" - "Subnet-group" = "intra" - }) - - intra_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-route-table" - }) - - igw_tags = tomap({ - "Name" = "${var.environment}-${var.name}-igw" - }) - - nat_gateway_tags = tomap({ - "Name" = "${var.environment}-${var.name}-nat" - }) - - default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) - default_network_acl_tags = { - "Name" = format("%s-%s-nacl", var.environment, var.name) - "Environment" = var.environment + vpc_name = "vpc-test" + aws_region = "us-east-1" + aws_account_id = "767398031518" + environment = "prod" + kms_user = null + vpc_cidr = "10.10.0.0/16" + vpc_availability_zones = ["us-east-1a", 
"us-east-1b"] + kms_deletion_window_in_days = 7 + enable_key_rotation = false + is_enabled = true + vpc_flow_log_enabled = true + vpn_server_enabled = true + vpc_intra_subnet_enabled = true + vpc_public_subnet_enabled = true + auto_assign_public_ip = true + vpc_private_subnet_enabled = true + vpc_one_nat_gateway_per_az = true + vpc_database_subnet_enabled = true + vpc_s3_endpoint_enabled = true + vpc_ecr_endpoint_enabled = true + vpn_server_instance_type = "t3a.small" + vpc_flow_log_cloudwatch_log_group_skip_destroy = false + current_identity = data.aws_caller_identity.current.arn + multi_region = false + additional_aws_tags = { + Owner = "Organization_Name" + Expires = "Never" + Department = "Engineering" } } -module "vpn_server" { - count = var.vpn_server_enabled && local.is_supported_arch ? 1 : 0 - depends_on = [module.vpc] - source = "./modules/vpn" - name = var.name - vpc_id = module.vpc.vpc_id - vpc_cidr = var.vpc_cidr - environment = var.environment - vpn_key_pair = var.vpn_key_pair_name - public_subnet = module.vpc.public_subnets[0] - vpn_server_instance_type = var.vpn_server_instance_type -} - -resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - operating_regions { - region_name = var.aws_region - } -} +data "aws_caller_identity" "current" {} -# IPv4 -resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - description = "IPv4 pool" - address_family = "ipv4" - ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.aws_region - allocation_default_netmask_length = 16 +module "key_pair_vpn" { + source = "squareops/keypair/aws" + key_name = format("%s-%s-vpn", local.environment, local.vpc_name) + environment = local.environment + ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) } -resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { - count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.create_ipam_pool ? 
aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr -} - -# private links for S3 - -data "aws_route_tables" "aws_private_routes" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [module.vpc] - vpc_id = module.vpc.vpc_id - tags = { - Name = "${var.environment}-${var.name}-private-route-table" - } -} - -resource "aws_vpc_endpoint" "private-s3" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [data.aws_route_tables.aws_private_routes] - vpc_id = module.vpc.vpc_id - service_name = "com.amazonaws.${var.aws_region}.s3" - route_table_ids = data.aws_route_tables.aws_private_routes[0].ids - vpc_endpoint_type = "Gateway" - policy = < Date: Mon, 18 Mar 2024 09:48:15 +0530 Subject: [PATCH 05/10] Update main.tf --- main.tf | 403 ++++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 304 insertions(+), 99 deletions(-) diff --git a/main.tf b/main.tf index 81ff109..c2ed73b 100644 --- a/main.tf +++ b/main.tf 
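Review bot: The example locals in this hunk hard-code a literal account ID, `aws_account_id = "767398031518"`, even though the same hunk declares `data "aws_caller_identity" "current" {}`; deriving it as `aws_account_id = data.aws_caller_identity.current.account_id` keeps the example portable and avoids committing a real account identifier that the KMS principal ARNs (visible as the old side of the following patch) are built from. The same block labels the deployment `environment = "prod"` while setting `enable_key_rotation = false` and `kms_deletion_window_in_days = 7`, which are weak defaults to ship as the reference example; `enable_key_rotation = true` costs nothing here. `auto_assign_public_ip = true` also deserves a one-line comment such as `# every instance launched into a public subnet receives a public IPv4 address` so readers copying the example do not enable it unknowingly. The hunk's tail from `policy = <` onward is truncated in this rendering, so the endpoint policy itself could not be reviewed.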
@@ -1,112 +1,317 @@ locals { - vpc_name = "vpc-test" - aws_region = "us-east-1" - aws_account_id = "767398031518" - environment = "prod" - kms_user = null - vpc_cidr = "10.10.0.0/16" - vpc_availability_zones = ["us-east-1a", "us-east-1b"] - kms_deletion_window_in_days = 7 - enable_key_rotation = false - is_enabled = true - vpc_flow_log_enabled = true - vpn_server_enabled = true - vpc_intra_subnet_enabled = true - vpc_public_subnet_enabled = true - auto_assign_public_ip = true - vpc_private_subnet_enabled = true - vpc_one_nat_gateway_per_az = true - vpc_database_subnet_enabled = true - vpc_s3_endpoint_enabled = true - vpc_ecr_endpoint_enabled = true - vpn_server_instance_type = "t3a.small" - vpc_flow_log_cloudwatch_log_group_skip_destroy = false - current_identity = data.aws_caller_identity.current.arn - multi_region = false - additional_aws_tags = { - Owner = "Organization_Name" - Expires = "Never" - Department = "Engineering" + azs = length(var.vpc_availability_zones) + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? 
[ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) + ] + ] : [] + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? var.vpc_database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true + create_database_subnet_route_table = var.vpc_database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? 
false : true # for VPN Instance + nacl_allow_vpc_access_rule = [{ + rule_no = 97 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = var.vpc_cidr + } + + ] + enable_ipv6 = var.ipv6_enabled + ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false + public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.vpc_database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] +} +data "aws_availability_zones" "available" {} +data "aws_ec2_instance_type" "arch" { + instance_type = var.vpn_server_instance_type +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.2.0" + name = format("%s-%s-vpc", var.environment, var.name) + cidr = var.vpc_cidr # CIDR FOR VPC + azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] + use_ipam_pool = var.ipam_enabled ? true : false + ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? 
aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null + create_database_subnet_group = length(local.generate_subnets.vpc_database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.generate_subnets.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type + secondary_cidr_blocks = var.secondry_cidr_enabled ? var.secondary_cidr_blocks : [] + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az + map_public_ip_on_launch = var.auto_assign_public_ip + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl + default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = var.vpc_default_security_group_ingress # Enforcing no rules being present in the default security group. 
+ default_security_group_egress = vpc_vpc_default_security_group_egress + create_database_nat_gateway_route = var.database_nat_gateway_route_enabled + create_database_subnet_route_table = local.create_database_subnet_route_table + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled + create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.vpc_flow_log_cloudwatch_log_group_kms_key_arn + enable_ipv6 = local.enable_ipv6 + public_subnet_ipv6_native = local.ipv6_only + private_subnet_ipv6_native = local.ipv6_only + database_subnet_ipv6_native = local.ipv6_only + intra_subnet_ipv6_native = local.ipv6_only + #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation + public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation + private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation + database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation + intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation + public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes + private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes + database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes + intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes + + + # TAGS TO BE ASSOCIATED WITH EACH RESOURCE + + tags = tomap( + { + "Name" = format("%s-%s-vpc", var.environment, var.name) + "Environment" = var.environment + }, + ) + + public_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-subnet" + 
"Subnet-group" = "public" + "kubernetes.io/role/elb" = 1 + }) + + public_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-route-table" + }) + + private_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-subnet" + "Subnet-group" = "private" + "kubernetes.io/role/internal-elb" = 1 + }) + + private_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-route-table" + }) + + database_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-subnet" + "Subnet-group" = "database" + }) + + database_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-route-table" + }) + + intra_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-subnet" + "Subnet-group" = "intra" + }) + + intra_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-route-table" + }) + + igw_tags = tomap({ + "Name" = "${var.environment}-${var.name}-igw" + }) + + nat_gateway_tags = tomap({ + "Name" = "${var.environment}-${var.name}-nat" + }) + + default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) + default_network_acl_tags = { + "Name" = format("%s-%s-nacl", var.environment, var.name) + "Environment" = var.environment } } -data "aws_caller_identity" "current" {} +module "vpn_server" { + count = var.vpn_server_enabled && local.is_supported_arch ? 
1 : 0 + depends_on = [module.vpc] + source = "./modules/vpn" + name = var.name + vpc_id = module.vpc.vpc_id + vpc_cidr = var.vpc_cidr + environment = var.environment + vpn_key_pair = var.vpn_server_key_pair_name + public_subnet = module.vpc.public_subnets[0] + vpn_server_instance_type = var.vpn_server_instance_type +} -module "key_pair_vpn" { - source = "squareops/keypair/aws" - key_name = format("%s-%s-vpn", local.environment, local.vpc_name) - environment = local.environment - ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) +resource "aws_vpc_ipam" "ipam" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + operating_regions { + region_name = var.aws_region + } } -module "kms" { - source = "terraform-aws-modules/kms/aws" - - deletion_window_in_days = local.kms_deletion_window_in_days - description = "Symetric Key to Enable Encryption at rest using KMS services." - enable_key_rotation = local.enable_key_rotation - is_enabled = local.is_enabled - key_usage = "ENCRYPT_DECRYPT" - multi_region = local.multi_region - - # Policy - enable_default_policy = true - key_owners = [local.current_identity] - key_administrators = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_service_users = local.kms_user == null ? 
["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_symmetric_encryption_users = [local.current_identity] - key_hmac_users = [local.current_identity] - key_asymmetric_public_encryption_users = [local.current_identity] - key_asymmetric_sign_verify_users = [local.current_identity] - key_statements = [ - { - sid = "AllowCloudWatchLogsEncryption", - effect = "Allow" - actions = [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ] - resources = ["*"] - - principals = [ +# IPv4 +resource "aws_vpc_ipam_pool" "ipam_pool" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + description = "IPv4 pool" + address_family = var.ipam_address_family + ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id + locale = var.aws_region + allocation_default_netmask_length = 16 +} + +resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { + count = var.ipam_enabled ? 1 : 0 + ipam_pool_id = var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id + cidr = var.ipam_pool_enabled ? var.vpc_cidr : var.existing_ipam_managed_cidr +} + +# private links for S3 + +data "aws_route_tables" "aws_private_routes" { + count = var.vpc_s3_endpoint_enabled ? 1 : 0 + depends_on = [module.vpc] + vpc_id = module.vpc.vpc_id + tags = { + Name = "${var.environment}-${var.name}-private-route-table" + } +} + +resource "aws_vpc_endpoint" "private-s3" { + count = var.vpc_s3_endpoint_enabled ? 
1 : 0 + depends_on = [data.aws_route_tables.aws_private_routes] + vpc_id = module.vpc.vpc_id + service_name = "com.amazonaws.${var.aws_region}.s3" + route_table_ids = data.aws_route_tables.aws_private_routes[0].ids + vpc_endpoint_type = var.vpc_endpoint_type_private-s3 + policy = < Date: Mon, 18 Mar 2024 09:48:56 +0530 Subject: [PATCH 06/10] Update variables.tf --- variables.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/variables.tf b/variables.tf index 8fef36c..de0c894 100644 --- a/variables.tf +++ b/variables.tf @@ -364,13 +364,13 @@ variable "vpc_endpoint_type_ecr_api" { default = "Interface" } -variable "vpc_endpoint_type_ecr-dkr" { +variable "vpc_endpoint_type_ecr_dkr" { description = "The type of VPC endpoint for ECR Docker" type = string default = "Interface" } -variable "vpc_endpoint_type_private-s3" { +variable "vpc_endpoint_type_private_s3" { description = "The type of VPC endpoint for ECR Docker" type = string default = "Interface" @@ -380,4 +380,4 @@ variable "ipam_address_family" { description = "The address family for the VPC (ipv4 or ipv6)" type = string default = "ipv4" -} \ No newline at end of file +} From 478b87dbbd131f23e433023007207980d6288567 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:50:28 +0530 Subject: [PATCH 07/10] Update main.tf --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index c2ed73b..b21781d 100644 --- a/main.tf +++ b/main.tf @@ -221,7 +221,7 @@ data "aws_route_tables" "aws_private_routes" { } } -resource "aws_vpc_endpoint" "private-s3" { +resource "aws_vpc_endpoint" "private_s3" { count = var.vpc_s3_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id 
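Review bot: In the `module "vpc"` block, `default_security_group_egress = vpc_vpc_default_security_group_egress` is missing the `var.` prefix, so a bare identifier is not a valid reference and this will not pass `terraform validate`; it should read `default_security_group_egress = var.vpc_default_security_group_egress` (or whatever the egress variable is actually named in variables.tf). The same block reads `local.generate_subnets.vpc_database_subnets` and `local.generate_subnets.vpc_private_subnets`, but no `generate_subnets` local is defined anywhere in this hunk — the locals block defines `database_subnets` and `vpc_private_subnets` — so these should be `length(local.database_subnets) > 1` and `length(local.vpc_private_subnets) > 0`. Now that `default_security_group_ingress` is caller-supplied, the trailing comment `# Enforcing no rules being present in the default security group.` is no longer true; either keep the hard-coded `[]` or add a `validation` block on that variable so the default SG cannot be opened by a caller. The S3 endpoint now takes `vpc_endpoint_type = var.vpc_endpoint_type_private-s3` while still passing `route_table_ids`, which only applies to Gateway endpoints; since that variable appears to default to "Interface" (per the variables.tf hunk further down this page, which also renames it to `vpc_endpoint_type_private_s3`), S3 should stay pinned to `"Gateway"` or the variable validated to that value, and this reference updated to the new name. The hunk's tail from `policy = <` onward is truncated in this rendering, so the endpoint policies could not be reviewed.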
@@ -262,7 +262,7 @@ resource "aws_security_group" "vpc_endpoints" { } # private links for ECR.dkr -resource "aws_vpc_endpoint" "private-ecr-dkr" { +resource "aws_vpc_endpoint" "private-ecr_dkr" { count = var.vpc_ecr_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id @@ -290,7 +290,7 @@ POLICY # private links for ECR.api -resource "aws_vpc_endpoint" "private-ecr-api" { +resource "aws_vpc_endpoint" "private-ecr_api" { count = var.vpc_ecr_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id From 543faae56d3ca4b6c691a98809ce1ce51c542d6c Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:23:02 +0530 Subject: [PATCH 08/10] Modified Example --- main.tf | 414 +++++++++++++++----------------------------------------- 1 file changed, 110 insertions(+), 304 deletions(-) diff --git a/main.tf b/main.tf index b21781d..2f02751 100644 --- a/main.tf +++ b/main.tf 
@@ -1,317 +1,123 @@ locals { - azs = length(var.vpc_availability_zones) - public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) - ] - ] : [] - vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? 
var.vpc_database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.vpc_database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false - is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance - nacl_allow_vpc_access_rule = [{ - rule_no = 97 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = var.vpc_cidr - } - - ] - enable_ipv6 = var.ipv6_enabled - ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false - public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - - public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? 
[for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.vpc_database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] -} -data "aws_availability_zones" "available" {} -data "aws_ec2_instance_type" "arch" { - instance_type = var.vpn_server_instance_type -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.2.0" - name = format("%s-%s-vpc", var.environment, var.name) - cidr = var.vpc_cidr # CIDR FOR VPC - azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] - use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : null - ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.generate_subnets.vpc_database_subnets) > 1 && var.database_subnet_group_enabled ? true : false - intra_subnets = local.vpc_intra_subnets - public_subnets = local.vpc_public_subnets - private_subnets = local.vpc_private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.vpc_flow_log_enabled - enable_nat_gateway = length(local.generate_subnets.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.vpc_single_nat_gateway - enable_vpn_gateway = var.vpn_gateway_enabled - enable_dns_hostnames = var.dns_hostnames_enabled - flow_log_traffic_type = var.vpc_flow_log_traffic_type - secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az - map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = var.vpc_flow_log_destination_type - manage_default_network_acl = var.vpc_manage_default_network_acl - default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = var.manage_vpc_default_security_group - default_security_group_ingress = var.vpc_default_security_group_ingress # Enforcing no rules being present in the default security group. - default_security_group_egress = vpc_vpc_default_security_group_egress - create_database_nat_gateway_route = var.database_nat_gateway_route_enabled - create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled - create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.vpc_flow_log_cloudwatch_log_group_kms_key_arn - enable_ipv6 = local.enable_ipv6 - public_subnet_ipv6_native = local.ipv6_only - private_subnet_ipv6_native = local.ipv6_only - database_subnet_ipv6_native = local.ipv6_only - intra_subnet_ipv6_native = local.ipv6_only - #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation - public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation - private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation - database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation - 
intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation - public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes - private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes - database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes - intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes - - - # TAGS TO BE ASSOCIATED WITH EACH RESOURCE - - tags = tomap( - { - "Name" = format("%s-%s-vpc", var.environment, var.name) - "Environment" = var.environment - }, - ) - - public_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-subnet" - "Subnet-group" = "public" - "kubernetes.io/role/elb" = 1 - }) - - public_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-route-table" - }) - - private_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-subnet" - "Subnet-group" = "private" - "kubernetes.io/role/internal-elb" = 1 - }) - - private_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-route-table" - }) - - database_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-subnet" - "Subnet-group" = "database" - }) - - database_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-route-table" - }) - - intra_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-subnet" - "Subnet-group" = "intra" - }) - - intra_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-route-table" - }) - - igw_tags = tomap({ - "Name" = "${var.environment}-${var.name}-igw" - }) - - nat_gateway_tags = tomap({ - "Name" = "${var.environment}-${var.name}-nat" - }) - - default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) - default_network_acl_tags = { - "Name" = format("%s-%s-nacl", var.environment, var.name) - "Environment" = var.environment - } -} - -module "vpn_server" { - count = var.vpn_server_enabled && local.is_supported_arch ? 
1 : 0 - depends_on = [module.vpc] - source = "./modules/vpn" - name = var.name - vpc_id = module.vpc.vpc_id - vpc_cidr = var.vpc_cidr - environment = var.environment - vpn_key_pair = var.vpn_server_key_pair_name - public_subnet = module.vpc.public_subnets[0] - vpn_server_instance_type = var.vpn_server_instance_type -} - -resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 - operating_regions { - region_name = var.aws_region + vpc_name = "vpc-test" + aws_region = "ap-northeast-1" + aws_account_id = "767398031518" + environment = "prod" + kms_user = null + vpc_cidr = "10.10.0.0/16" + vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1b"] + kms_deletion_window_in_days = 7 + enable_key_rotation = false + is_enabled = true + vpc_flow_log_enabled = true + vpn_server_enabled = false + vpc_intra_subnet_enabled = true + vpc_public_subnet_enabled = true + auto_assign_public_ip = true + vpc_private_subnet_enabled = true + vpc_one_nat_gateway_per_az = true + vpc_database_subnet_enabled = true + vpc_s3_endpoint_enabled = true + vpc_ecr_endpoint_enabled = true + vpn_server_instance_type = "t3a.small" + vpc_flow_log_cloudwatch_log_group_skip_destroy = false + current_identity = data.aws_caller_identity.current.arn + multi_region = false + vpc_public_subnets_counts = 2 + vpc_private_subnets_counts = 2 + vpc_database_subnets_counts = 2 + vpc_intra_subnets_counts = 2 + additional_aws_tags = { + Owner = "Organization_Name" + Expires = "Never" + Department = "Engineering" } } -# IPv4 -resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 - description = "IPv4 pool" - address_family = var.ipam_address_family - ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.aws_region - allocation_default_netmask_length = 16 -} - -resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { - count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.ipam_pool_enabled ? 
aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.ipam_pool_enabled ? var.vpc_cidr : var.existing_ipam_managed_cidr -} - -# private links for S3 - -data "aws_route_tables" "aws_private_routes" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [module.vpc] - vpc_id = module.vpc.vpc_id - tags = { - Name = "${var.environment}-${var.name}-private-route-table" - } -} +data "aws_caller_identity" "current" {} -resource "aws_vpc_endpoint" "private_s3" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [data.aws_route_tables.aws_private_routes] - vpc_id = module.vpc.vpc_id - service_name = "com.amazonaws.${var.aws_region}.s3" - route_table_ids = data.aws_route_tables.aws_private_routes[0].ids - vpc_endpoint_type = var.vpc_endpoint_type_private-s3 - policy = < Date: Mon, 18 Mar 2024 15:10:39 +0530 Subject: [PATCH 09/10] Changes for subnet & security rules 1. Added a logic so that the user can provide number of desired subnets want to create. --- main.tf | 420 +++++++++++++++++++++++++++++++++++++-------------- variables.tf | 63 +++++--- 2 files changed, 348 insertions(+), 135 deletions(-) diff --git a/main.tf b/main.tf index 2f02751..7eb1885 100644 --- a/main.tf +++ b/main.tf 
@@ -1,123 +1,323 @@ locals { - vpc_name = "vpc-test" - aws_region = "ap-northeast-1" - aws_account_id = "767398031518" - environment = "prod" - kms_user = null - vpc_cidr = "10.10.0.0/16" - vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1b"] - kms_deletion_window_in_days = 7 - enable_key_rotation = false - is_enabled = true - vpc_flow_log_enabled = true - vpn_server_enabled = false - vpc_intra_subnet_enabled = true - vpc_public_subnet_enabled = true - auto_assign_public_ip = true - vpc_private_subnet_enabled = true - vpc_one_nat_gateway_per_az = true - vpc_database_subnet_enabled = true - vpc_s3_endpoint_enabled = true - vpc_ecr_endpoint_enabled = true - vpn_server_instance_type = "t3a.small" - vpc_flow_log_cloudwatch_log_group_skip_destroy = false - current_identity = data.aws_caller_identity.current.arn - multi_region = false - vpc_public_subnets_counts = 2 - vpc_private_subnets_counts = 2 - vpc_database_subnets_counts = 2 - vpc_intra_subnets_counts = 2 - additional_aws_tags = { - Owner = "Organization_Name" - Expires = "Never" - Department = "Engineering" + azs = length(var.vpc_availability_zones) + # public subnets cidr + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + + # intra subnets cidr + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? 
var.vpc_intra_subnet_cidrs : [for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + + # private subnets cidr + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(var.vpc_private_subnets_counts * 4, var.vpc_private_subnets_counts * 5) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(var.vpc_private_subnets_counts, var.vpc_private_subnets_counts * 2) : cidrsubnet(cidr_block, 4, netnum) + ] + ] : [] + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + + # database subnets cidr + database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? var.vpc_database_subnet_cidrs : [for netnum in range(var.vpc_database_subnets_counts * 2, var.vpc_database_subnets_counts * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(var.vpc_database_subnets_counts * 2, var.vpc_database_subnets_counts * 3) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? 
false : true + create_database_subnet_route_table = var.vpc_database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance + nacl_allow_vpc_access_rule = [{ + rule_no = 97 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = var.vpc_cidr + } + + ] + enable_ipv6 = var.ipv6_enabled + ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false + public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.vpc_database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? 
[for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] +} +data "aws_availability_zones" "available" {} +data "aws_ec2_instance_type" "arch" { + instance_type = var.vpn_server_instance_type +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.2.0" + name = format("%s-%s-vpc", var.environment, var.name) + cidr = var.vpc_cidr # CIDR FOR VPC + azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] + use_ipam_pool = var.ipam_enabled ? true : false + ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null + create_database_subnet_group = length(local.vpc_database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.vpc_database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type + secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az + map_public_ip_on_launch = var.auto_assign_public_ip + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl + default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = var.vpc_default_security_group_ingress # Enforcing no rules being present in the default security group. + default_security_group_egress = var.vpc_default_security_group_egress + create_database_nat_gateway_route = var.database_nat_gateway_route_enabled + create_database_subnet_route_table = local.create_database_subnet_route_table + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled + create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.vpc_flow_log_cloudwatch_log_group_kms_key_arn + enable_ipv6 = local.enable_ipv6 + public_subnet_ipv6_native = local.ipv6_only + private_subnet_ipv6_native = local.ipv6_only + database_subnet_ipv6_native = local.ipv6_only + intra_subnet_ipv6_native = local.ipv6_only + #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation + public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation + private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation + database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation + 
intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation + public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes + private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes + database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes + intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes + + + # TAGS TO BE ASSOCIATED WITH EACH RESOURCE + + tags = tomap( + { + "Name" = format("%s-%s-vpc", var.environment, var.name) + "Environment" = var.environment + }, + ) + + public_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-subnet" + "Subnet-group" = "public" + "kubernetes.io/role/elb" = 1 + }) + + public_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-route-table" + }) + + private_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-subnet" + "Subnet-group" = "private" + "kubernetes.io/role/internal-elb" = 1 + }) + + private_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-route-table" + }) + + database_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-subnet" + "Subnet-group" = "database" + }) + + database_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-route-table" + }) + + intra_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-subnet" + "Subnet-group" = "intra" + }) + + intra_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-route-table" + }) + + igw_tags = tomap({ + "Name" = "${var.environment}-${var.name}-igw" + }) + + nat_gateway_tags = tomap({ + "Name" = "${var.environment}-${var.name}-nat" + }) + + default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) + default_network_acl_tags = { + "Name" = format("%s-%s-nacl", var.environment, var.name) + "Environment" = var.environment } } -data "aws_caller_identity" "current" {} +module "vpn_server" { + count = 
var.vpn_server_enabled && local.is_supported_arch ? 1 : 0 + depends_on = [module.vpc] + source = "./modules/vpn" + name = var.name + vpc_id = module.vpc.vpc_id + vpc_cidr = var.vpc_cidr + environment = var.environment + vpn_key_pair = var.vpn_server_key_pair_name + public_subnet = module.vpc.public_subnets[0] + vpn_server_instance_type = var.vpn_server_instance_type +} -module "key_pair_vpn" { - source = "squareops/keypair/aws" - key_name = format("%s-%s-vpn", local.environment, local.vpc_name) - environment = local.environment - ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) +resource "aws_vpc_ipam" "ipam" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + operating_regions { + region_name = var.aws_region + } } -module "kms" { - source = "terraform-aws-modules/kms/aws" - - deletion_window_in_days = local.kms_deletion_window_in_days - description = "Symetric Key to Enable Encryption at rest using KMS services." - enable_key_rotation = local.enable_key_rotation - is_enabled = local.is_enabled - key_usage = "ENCRYPT_DECRYPT" - multi_region = local.multi_region - - # Policy - enable_default_policy = true - key_owners = [local.current_identity] - key_administrators = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_service_users = local.kms_user == null ? 
["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_symmetric_encryption_users = [local.current_identity] - key_hmac_users = [local.current_identity] - key_asymmetric_public_encryption_users = [local.current_identity] - key_asymmetric_sign_verify_users = [local.current_identity] - key_statements = [ - { - sid = "AllowCloudWatchLogsEncryption", - effect = "Allow" - actions = [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ] - resources = ["*"] - - principals = [ +# IPv4 +resource "aws_vpc_ipam_pool" "ipam_pool" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + description = "IPv4 pool" + address_family = var.ipam_address_family + ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id + locale = var.aws_region + allocation_default_netmask_length = 16 +} + +resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { + count = var.ipam_enabled ? 1 : 0 + ipam_pool_id = var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id + cidr = var.ipam_pool_enabled ? var.vpc_cidr : var.existing_ipam_managed_cidr +} + +# private links for S3 + +data "aws_route_tables" "aws_private_routes" { + count = var.vpc_s3_endpoint_enabled ? 1 : 0 + depends_on = [module.vpc] + vpc_id = module.vpc.vpc_id + tags = { + Name = "${var.environment}-${var.name}-private-route-table" + } +} + +resource "aws_vpc_endpoint" "private_s3" { + count = var.vpc_s3_endpoint_enabled ? 
1 : 0 + depends_on = [data.aws_route_tables.aws_private_routes] + vpc_id = module.vpc.vpc_id + service_name = "com.amazonaws.${var.aws_region}.s3" + route_table_ids = data.aws_route_tables.aws_private_routes[0].ids + vpc_endpoint_type = var.vpc_endpoint_type_private_s3 + policy = < Date: Mon, 18 Mar 2024 15:11:33 +0530 Subject: [PATCH 10/10] Update main.tf --- examples/complete-vpc-with-vpn/main.tf | 107 ++++++++++++++++--------- 1 file changed, 68 insertions(+), 39 deletions(-) diff --git a/examples/complete-vpc-with-vpn/main.tf b/examples/complete-vpc-with-vpn/main.tf index 1d8798c..dd00290 100644 --- a/examples/complete-vpc-with-vpn/main.tf +++ b/examples/complete-vpc-with-vpn/main.tf 
@@ -1,42 +1,64 @@
 locals {
- name = "vpc"
- region = "ap-south-1"
- environment = "prod"
+ vpc_name = "vpc-test"
+ aws_region = "ap-northeast-1"
+ aws_account_id = "767398031518"
+ environment = "prod"
+ kms_user = null
+ vpc_cidr = "10.10.0.0/16"
+ vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1b"]
+ kms_deletion_window_in_days = 7
+ enable_key_rotation = false
+ is_enabled = true
+ vpc_flow_log_enabled = true
+ vpn_server_enabled = false
+ vpc_intra_subnet_enabled = true
+ vpc_public_subnet_enabled = true
+ auto_assign_public_ip = true
+ vpc_private_subnet_enabled = true
+ vpc_one_nat_gateway_per_az = true
+ vpc_database_subnet_enabled = true
+ vpc_s3_endpoint_enabled = true
+ vpc_ecr_endpoint_enabled = true
+ vpn_server_instance_type = "t3a.small"
+ vpc_flow_log_cloudwatch_log_group_skip_destroy = false
+ current_identity = data.aws_caller_identity.current.arn
+ multi_region = false
+ vpc_public_subnets_counts = 2
+ vpc_private_subnets_counts = 2
+ vpc_database_subnets_counts = 2
+ vpc_intra_subnets_counts = 2
 additional_aws_tags = {
 Owner = "Organization_Name"
 Expires = "Never"
 Department = "Engineering"
 }
- kms_user = null
- vpc_cidr = "10.10.0.0/16"
- current_identity = data.aws_caller_identity.current.arn
 }
 data "aws_caller_identity" "current" {}
 module "key_pair_vpn" {
 source = "squareops/keypair/aws"
- key_name = format("%s-%s-vpn", local.environment, local.name)
+ key_name = format("%s-%s-vpn", local.environment, local.vpc_name)
 environment = local.environment
- ssm_parameter_path = format("%s-%s-vpn", local.environment, local.name)
+ ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name)
 }
 module "kms" {
 source = "terraform-aws-modules/kms/aws"
- deletion_window_in_days = 7
+ deletion_window_in_days = local.kms_deletion_window_in_days
 description = "Symetric Key to Enable Encryption at rest using KMS services."
- enable_key_rotation = false
- is_enabled = true
+ enable_key_rotation = local.enable_key_rotation
+ is_enabled = local.is_enabled
 key_usage = "ENCRYPT_DECRYPT"
- multi_region = false
+ multi_region = local.multi_region
 # Policy
 enable_default_policy = true
 key_owners = [local.current_identity]
- key_administrators = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
- key_users = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
- key_service_users = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+ key_administrators = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+ key_users = local.kms_user == null ?
["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+ key_service_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
 key_symmetric_encryption_users = [local.current_identity]
 key_hmac_users = [local.current_identity]
 key_asymmetric_public_encryption_users = [local.current_identity]
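Review bot: The new local `aws_account_id = "767398031518"` hard-codes one AWS account into a published example and replaces the `data.aws_caller_identity.current.account_id` that the removed lines used, so the service-linked-role ARNs in `key_administrators`, `key_users` and `key_service_users` now name principals in a foreign account for anyone who copies the example; KMS is likely to reject the key policy because those principals do not exist, and if they did exist the key would be administered cross-account. `data "aws_caller_identity" "current"` is still declared in this hunk, so `aws_account_id = data.aws_caller_identity.current.account_id` keeps the new shape without the literal. The example also pins `enable_key_rotation = false` on the key that encrypts the flow-log group; `enable_key_rotation = true` is the expected baseline for a symmetric ENCRYPT_DECRYPT key and changes nothing for callers. The `module "kms"` block continues past the end of this hunk.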
@@ -57,38 +79,45 @@ module "kms" {
 principals = [
 {
 type = "Service"
- identifiers = ["logs.${local.region}.amazonaws.com"]
+ identifiers = ["logs.${local.aws_region}.amazonaws.com"]
 }
 ]
 }
 ]
 # Aliases
- aliases = ["${local.name}-KMS"]
+ aliases = ["${local.vpc_name}-KMS"]
 aliases_use_name_prefix = true
 }
 module "vpc" {
- source = "squareops/vpc/aws"
- name = local.name
- region = local.region
- vpc_cidr = local.vpc_cidr
- environment = local.environment
- flow_log_enabled = true
- vpn_key_pair_name = module.key_pair_vpn.key_pair_name
- availability_zones = ["ap-south-1a", "ap-south-1b"]
- vpn_server_enabled = true
- intra_subnet_enabled = true
- public_subnet_enabled = true
- auto_assign_public_ip = true
- private_subnet_enabled = true
- one_nat_gateway_per_az = true
- database_subnet_enabled = true
- vpn_server_instance_type = "t3a.small"
- vpc_s3_endpoint_enabled = true
- vpc_ecr_endpoint_enabled = true
- flow_log_max_aggregation_interval = 60 # In seconds
- flow_log_cloudwatch_log_group_skip_destroy = true
- flow_log_cloudwatch_log_group_retention_in_days = 90
- flow_log_cloudwatch_log_group_kms_key_arn = module.kms.key_arn #Enter your kms key arn
+ source = "../../"
+ name = local.vpc_name
+ aws_region = local.aws_region
+ vpc_cidr = local.vpc_cidr
+ environment = local.environment
+ vpc_flow_log_enabled = local.vpc_flow_log_enabled
+ vpn_server_key_pair_name = module.key_pair_vpn.key_pair_name
+ vpc_availability_zones = local.vpc_availability_zones
+ vpn_server_enabled = local.vpn_server_enabled
+ vpc_intra_subnet_enabled = local.vpc_intra_subnet_enabled
+ vpc_public_subnet_enabled = local.vpc_public_subnet_enabled
+ auto_assign_public_ip = local.auto_assign_public_ip
+ vpc_private_subnet_enabled = local.vpc_private_subnet_enabled
+ vpc_one_nat_gateway_per_az = local.vpc_one_nat_gateway_per_az
+ vpc_database_subnet_enabled = local.vpc_database_subnet_enabled
+ vpn_server_instance_type = local.vpn_server_instance_type
+ vpc_s3_endpoint_enabled = local.vpc_s3_endpoint_enabled
+ vpc_ecr_endpoint_enabled = local.vpc_ecr_endpoint_enabled
+ vpc_flow_log_max_aggregation_interval = 60 # In seconds
+ vpc_flow_log_cloudwatch_log_group_skip_destroy = local.vpc_flow_log_cloudwatch_log_group_skip_destroy
+ vpc_flow_log_cloudwatch_log_group_retention_in_days = 90
+ vpc_flow_log_cloudwatch_log_group_kms_key_arn = module.kms.key_arn #Enter your kms key arn
+ vpc_public_subnets_counts = local.vpc_public_subnets_counts
+ vpc_private_subnets_counts = local.vpc_private_subnets_counts
+ vpc_database_subnets_counts = local.vpc_database_subnets_counts
+ vpc_intra_subnets_counts = local.vpc_intra_subnets_counts
+ vpc_endpoint_type_private_s3 = "Gateway"
+ vpc_endpoint_type_ecr_dkr = "Interface"
+ vpc_endpoint_type_ecr_api = "Interface"
 }
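Review bot: The trailing comment `#Enter your kms key arn` on the new `vpc_flow_log_cloudwatch_log_group_kms_key_arn` line is misleading, because the value is already wired to `module.kms.key_arn` from the key this example creates; reword it to `# CMK from module "kms" above; substitute an existing key ARN to reuse one`. In the same `module "vpc"` block, `vpc_flow_log_max_aggregation_interval = 60` and `vpc_flow_log_cloudwatch_log_group_retention_in_days = 90` stay as literals while every neighbouring argument was moved to a `local.*`, so `local.vpc_flow_log_max_aggregation_interval` and `local.vpc_flow_log_cloudwatch_log_group_retention_in_days` would keep the example consistent. Flow logging was previously forced on with `flow_log_enabled = true` and is now `local.vpc_flow_log_enabled`, whose value is not in this diff, so it is worth confirming that local defaults to `true` or the example silently loses its flow logs. The `module "vpc"` block opens and closes inside the hunk, `module "kms"` opens before it, and the hunk's trailing context after the closing brace is not visible here.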
