From 5842dca25c8db7221a1640e96fc4769cf5ab2c4f Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Wed, 13 Mar 2024 12:08:34 +0530
Subject: [PATCH 1/7] Add files via upload

Changes made to the files for main.tf , output.tf . variables.tf in calling module & examples.
---
 main.tf | 462 ++++++++++++++++++++------------------------------
 outputs.tf | 99 +++++------
 providers.tf | 6 +
 variables.tf | 277 ++----------------------------
 4 files changed, 249 insertions(+), 595 deletions(-)
 create mode 100644 providers.tf
diff --git a/main.tf b/main.tf
index d926a5f..a6c799d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,320 +1,220 @@ -locals { - azs = length(var.availability_zones) - public_subnets_native = var.public_subnet_enabled ? length(var.public_subnet_cidrs) > 0 ? var.public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.public_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.intra_subnet_enabled ? length(var.intra_subnet_cidrs) > 0 ? var.intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.intra_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.private_subnet_enabled ? length(var.private_subnet_cidrs) > 0 ? var.private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.private_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) - ] - ] : [] - private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? 
[ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - single_nat_gateway = var.one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.flow_log_enabled == true || var.flow_log_cloudwatch_log_group_skip_destroy == true ? true : false - is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance - nacl_allow_vpc_access_rule = [{ - rule_no = 97 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = var.vpc_cidr - } - - ] - enable_ipv6 = var.ipv6_enabled - ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false - public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - - public_subnet_ipv6_prefixes = var.public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.intra_subnet_enabled ? 
[for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] -} -data "aws_availability_zones" "available" {} -data "aws_ec2_instance_type" "arch" { - instance_type = var.vpn_server_instance_type +resource "aws_eip" "vpn" { + domain = "vpc" + instance = module.vpn_server.id } -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.2.0" - name = format("%s-%s-vpc", var.environment, var.name) - cidr = var.vpc_cidr # CIDR FOR VPC - azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] - use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null - ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.database_subnets) > 1 && var.enable_database_subnet_group ? true : false - intra_subnets = local.intra_subnets - public_subnets = local.public_subnets - private_subnets = local.private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.flow_log_enabled - enable_nat_gateway = length(local.private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.single_nat_gateway - enable_vpn_gateway = false - enable_dns_hostnames = true - flow_log_traffic_type = "ALL" - secondary_cidr_blocks = var.secondry_cidr_enabled ? var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.one_nat_gateway_per_az - map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = "cloud-watch-logs" - manage_default_network_acl = true - default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = true - default_security_group_ingress = [] # Enforcing no rules being present in the default security group. 
- default_security_group_egress = [] - create_database_nat_gateway_route = false - create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.flow_log_enabled - create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn - enable_ipv6 = local.enable_ipv6 - public_subnet_ipv6_native = local.ipv6_only - private_subnet_ipv6_native = local.ipv6_only - database_subnet_ipv6_native = local.ipv6_only - intra_subnet_ipv6_native = local.ipv6_only - #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation - public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation - private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation - database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation - intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation - public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes - private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes - database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes - intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes +module "security_group_vpn" { + source = "terraform-aws-modules/security-group/aws" + version = "5.1.0" + create = true + name = format("%s-%s-%s", var.environment, var.name, "vpn-sg") + description = "vpn server security group" + vpc_id = var.vpc_id + ingress_with_cidr_blocks = [ + { + from_port = 443 + to_port = 443 + protocol = "tcp" + description 
= "Public HTTPS access" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 80 + to_port = 80 + protocol = "tcp" + description = "Public HTTP access" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 10150 + to_port = 10150 + protocol = "udp" + description = "VPN Server Port" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 22 + to_port = 22 + protocol = "tcp" + description = "SSH Port" + cidr_blocks = var.vpc_cidr + } + ] - # TAGS TO BE ASSOCIATED WITH EACH RESOURCE + egress_with_cidr_blocks = [ + { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = "0.0.0.0/0" + }, + ] tags = tomap( { - "Name" = format("%s-%s-vpc", var.environment, var.name) + "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-sg") "Environment" = var.environment }, ) +} - public_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-subnet" - "Subnet-group" = "public" - "kubernetes.io/role/elb" = 1 - }) - - public_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-route-table" - }) - - private_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-subnet" - "Subnet-group" = "private" - "kubernetes.io/role/internal-elb" = 1 - }) - - private_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-route-table" - }) - - database_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-subnet" - "Subnet-group" = "database" - }) - - database_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-route-table" - }) - - intra_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-subnet" - "Subnet-group" = "intra" - }) - - intra_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-route-table" - }) - - igw_tags = tomap({ - "Name" = "${var.environment}-${var.name}-igw" - }) - - nat_gateway_tags = tomap({ - "Name" = "${var.environment}-${var.name}-nat" - }) +data "aws_ami" "ubuntu_20_ami" { + owners = ["099720109477"] + 
most_recent = true - default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) - default_network_acl_tags = { - "Name" = format("%s-%s-nacl", var.environment, var.name) - "Environment" = var.environment + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"] } -} -module "vpn_server" { - count = var.vpn_server_enabled && local.is_supported_arch ? 1 : 0 - depends_on = [module.vpc] - source = "./modules/vpn" - name = var.name - vpc_id = module.vpc.vpc_id - vpc_cidr = var.vpc_cidr - environment = var.environment - vpn_key_pair = var.vpn_key_pair_name - public_subnet = module.vpc.public_subnets[0] - vpn_server_instance_type = var.vpn_server_instance_type -} - -resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - operating_regions { - region_name = var.region + filter { + name = "virtualization-type" + values = ["hvm"] } +} +data "template_file" "pritunl" { + template = file("${path.module}/scripts/pritunl-vpn.sh") } -# IPv4 -resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.create_ipam_pool ? 
1 : 0 - description = "IPv4 pool" - address_family = "ipv4" - ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.region - allocation_default_netmask_length = 16 +data "aws_region" "current" {} +module "vpn_server" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "4.1.4" + name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") + ami = data.aws_ami.ubuntu_20_ami.image_id + instance_type = var.vpn_server_instance_type + subnet_id = var.public_subnet + key_name = var.vpn_key_pair + associate_public_ip_address = true + vpc_security_group_ids = [module.security_group_vpn.security_group_id] + user_data = join("", data.template_file.pritunl[*].rendered) + iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name) + + + root_block_device = [ + { + encrypted = true + volume_type = "gp2" + volume_size = 20 + } + ] + tags = tomap( + { + "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") + "Environment" = var.environment + }, + ) } -resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { - count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr +resource "aws_iam_role" "vpn_role" { + name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceRole") + assume_role_policy = < 0 ? module.vpc.public_subnets : null -} - -output "private_subnets" { - description = "List of IDs of private subnets" - value = length(module.vpc.private_subnets) > 0 ? module.vpc.private_subnets : null -} - -output "database_subnets" { - description = "List of IDs of database subnets" - value = length(module.vpc.database_subnets) > 0 ? module.vpc.database_subnets : null -} - -output "intra_subnets" { - description = "List of IDs of Intra subnets" - value = length(module.vpc.intra_subnets) > 0 ? 
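Review bot: In `module "security_group_vpn"` the 443 and 80 ingress rules use a hard-coded `cidr_blocks = "0.0.0.0/0"`, so the endpoints the descriptions call "Public HTTPS/HTTP access" (given the `pritunl-vpn.sh` user data, presumably the Pritunl management console) accept connections from any source, while only the 22 rule is narrowed to `var.vpc_cidr`. The 10150/udp "VPN Server Port" is the only one that necessarily has to be reachable from arbitrary client locations; the two web rules should take their source from an input, e.g. `cidr_blocks = join(",", var.vpn_admin_cidrs)` with a new `vpn_admin_cidrs` list variable, and the 80 rule deserves a comment stating what it is needed for. The AMI data source is named `ubuntu_20_ami` but filters on `ubuntu-*-22.04-amd64-server-*`; one of the two should change so the identifier does not mislead. On this page the text from `assume_role_policy = <` up to the next `>` has been dropped (likely an unescaped heredoc), so the IAM role and instance profile that close this hunk could not be reviewed here.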
module.vpc.intra_subnets : null - -} - -output "vpn_host_public_ip" { - description = "IP Address of VPN Server" - value = var.vpn_server_enabled ? module.vpn_server[0].vpn_host_public_ip : null -} - -output "vpn_security_group" { - description = "Security Group ID of VPN Server" - value = var.vpn_server_enabled ? module.vpn_server[0].vpn_security_group : null -} - -output "vpc_ipv6_association_id" { - description = "The association ID for the IPv6 CIDR block" - value = module.vpc.vpc_ipv6_association_id -} - -output "ipv6_vpc_cidr_block" { - description = "The IPv6 CIDR block" - value = module.vpc.vpc_ipv6_cidr_block -} - -output "vpc_secondary_cidr_blocks" { - description = "List of secondary CIDR blocks of the VPC" - value = module.vpc.vpc_secondary_cidr_blocks -} +# output "aws_region" { +# description = "AWS Region in which VPC is created" +# value = local.aws_region +# } + +output "vpc_id" { + description = "The ID of the VPC" + value = module.vpc.vpc_id +} + +output "vpc_cidr_block" { + description = "AWS Region" + value = module.vpc.vpc_cidr_block +} + +output "vpc_public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc.vpc_public_subnets +} + +output "vpc_private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc.vpc_private_subnets +} + +output "database_subnets" { + description = "List of IDs of database subnets" + value = module.vpc.database_subnets +} + +output "vpc_intra_subnets" { + description = "List of IDs of Intra subnets" + value = module.vpc.vpc_intra_subnets +} + +output "vpn_host_public_ip" { + description = "IP Adress of VPN Server" + value = module.vpc.vpn_host_public_ip +} + +output "vpn_security_group" { + description = "Security Group ID of VPN Server" + value = module.vpc.vpn_security_group +} diff --git a/providers.tf b/providers.tf new file mode 100644 index 0000000..7a8138f --- /dev/null +++ b/providers.tf 
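Review bot: Every new output reads from `module.vpc` (`module.vpc.vpc_public_subnets`, `module.vpc.vpn_host_public_ip`, …), but the main.tf written by this same commit declares only `module "vpn_server"` and `module "security_group_vpn"`, so `terraform validate` should fail on these references unless a `module "vpc"` exists in a file not shown here; this looks like an example's outputs.tf uploaded over the module's own. `output "vpc_cidr_block"` also carries `description = "AWS Region"`, which should read `description = "The CIDR block of the VPC"`, and `vpn_host_public_ip` has "Adress" for "Address". The `diff --git` header for outputs.tf is missing on this page, so the hunk boundary is inferred from where the `output` blocks begin.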
@@ -0,0 +1,6 @@
+provider "aws" {
+ region = local.aws_region
+ default_tags {
+ tags = local.additional_aws_tags
+ }
+}
diff --git a/variables.tf b/variables.tf
index ca9a7a5..ffbd1cb 100644
--- a/variables.tf
+++ b/variables.tf
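Review bot: `local.aws_region` and `local.additional_aws_tags` are not defined in any file in this commit (the new main.tf declares no `locals` block), so the added `provider "aws"` block cannot be evaluated as written. A `provider` block also does not belong in a directory that is consumed as a module — the commit description itself distinguishes the calling module from the examples — because a child module that configures its own provider cannot be called with `count`, `for_each` or `depends_on`, and it pins every caller to a single region. Either drop providers.tf here and leave provider configuration to the example/root configuration, or define the two locals alongside it so the file at least validates.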
@@ -1,81 +1,3 @@
-variable "environment" {
- description = "Specify the environment indentifier for the VPC"
- type = string
- default = ""
-}
-
-variable "name" {
- description = "Specify the name of the VPC"
- type = string
- default = ""
-
-}
-
-variable "vpc_cidr" {
- description = "The CIDR block of the VPC"
- default = "10.0.0.0/16"
- type = string
-}
-
-variable "availability_zones" {
- description = "Number of Availability Zone to be used by VPC Subnets"
- default = []
- type = list(any)
-}
-
-variable "public_subnet_enabled" {
- description = "Set true to enable public subnets"
- default = false
- type = bool
-}
-
-variable "public_subnet_cidrs" {
- description = "A list of public subnets CIDR to be created inside the VPC"
- default = []
- type = list(any)
-}
-
-variable "private_subnet_enabled" {
- description = "Set true to enable private subnets"
- default = false
- type = bool
-}
-
-variable "private_subnet_cidrs" {
- description = "A list of private subnets CIDR to be created inside the VPC"
- default = []
- type = list(any)
-}
-
-variable "database_subnet_enabled" {
- description = "Set true to enable database subnets"
- default = false
- type = bool
-}
-
-variable "database_subnet_cidrs" {
- description = "Database Tier subnet CIDRs to be created"
- default = []
- type = list(any)
-}
-
-variable "intra_subnet_enabled" {
- description = "Set true to enable intra subnets"
- default = false
- type = bool
-}
-
-variable "intra_subnet_cidrs" {
- description = "A list of intra subnets CIDR to be created"
- default = []
- type = list(any)
-}
-
-variable "vpn_server_enabled" {
- description = "Set to true if you want to deploy VPN Gateway resource and attach it to the VPC"
- default = false
- type = bool
-}
 variable "vpn_server_instance_type" {
 description = "EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc. "
@@ -83,201 +5,38 @@ variable "vpn_server_instance_type" { type = string } -variable "vpn_key_pair_name" { - description = "Specify the name of AWS Keypair to be used for VPN Server" +variable "environment" { + description = "Specify the environment indentifier for the VPC" default = "" type = string } -variable "default_network_acl_ingress" { - description = "List of maps of ingress rules to set on the Default Network ACL" - type = list(map(string)) - - default = [ - { - rule_no = 98 - action = "deny" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 99 - action = "deny" - from_port = 3389 - to_port = 3389 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - }, - ] -} - -variable "one_nat_gateway_per_az" { - description = "Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier" - default = false - type = bool -} - -variable "flow_log_enabled" { - description = "Whether or not to enable VPC Flow Logs" - type = bool - default = false -} - -variable "flow_log_cloudwatch_log_group_retention_in_days" { - description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs." - type = number - default = null -} - -variable "flow_log_max_aggregation_interval" { - description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds." - type = number - default = 60 -} - -variable "auto_assign_public_ip" { - description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address." 
- type = bool - default = false -} - - -variable "ipv6_enabled" { - description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block." - type = bool - default = false -} - -variable "private_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - -variable "public_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - - -variable "database_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - - -variable "intra_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - -variable "flow_log_cloudwatch_log_group_kms_key_arn" { - description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs" +variable "name" { + description = "Specify the name of the VPC" + default = "" type = string - default = null } -variable "ipv6_only" { - description = "Enable it for deploying native IPv6 network" - type = bool - default = false -} - -variable "secondary_cidr_blocks" { - description = "List of the secondary CIDR blocks which can be at most 5" - type = list(string) - default = [] -} - -variable "secondry_cidr_enabled" { - description = "Whether enable secondary CIDR with VPC" - default = false - type = bool -} - -variable "enable_database_subnet_group" { - description = "Whether create database subnet groups" - default = false - type = bool -} - -# variable "tags" { -# description = "The Tags attached with the resources" -# default = {} -# type = any -# } - -variable "ipam_pool_id" { - description = "The existing IPAM pool id if any" - default = null +variable "public_subnet" { + description = "The VPC Subnet ID to launch in" + default = "" type = string } -variable "ipam_enabled" { - description = "Whether enable IPAM managed VPC or not" - default = false - type = bool -} - -variable "create_ipam_pool" { - description = "Whether create new IPAM pool" - default = true - type = bool -} - -variable "ipv4_netmask_length" { - description = "The netmask length for IPAM managed VPC" - default = 16 - type = number -} - -variable "region" { - description = "The AWS region name" +variable "vpc_cidr" { + description = "The CIDR block of the Default VPC" + default = "10.0.0.0/16" type = string - default = null } -variable "existing_ipam_managed_cidr" { - description = "The existing IPAM pool CIDR" +variable "vpc_id" { + description = "The ID of the VPC" default = "" type = string } -variable "flow_log_cloudwatch_log_group_skip_destroy" { - 
description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state"
- type = bool
- default = false
-}
-
-variable "vpc_s3_endpoint_enabled" {
- description = "Set to true if you want to enable vpc S3 endpoints"
- type = bool
- default = false
-}
-
-variable "vpc_ecr_endpoint_enabled" {
- description = "Set to true if you want to enable vpc ecr endpoints"
- type = bool
- default = false
-}
+variable "vpn_key_pair" {
+ description = "Specify the name of AWS Keypair to be used for VPN Server"
+ default = ""
+ type = string
+}
\ No newline at end of file
From 243d7a5950af6ef90e64af06550d391fb4882df2 Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Thu, 14 Mar 2024 13:06:45 +0530
Subject: [PATCH 2/7] Add files via upload

Made changes to main.tf & variable.tf for variables.
---
 main.tf | 458 +++++++++++++++++++++++++++++++--------------------
 variables.tf | 335 +++++++++++++++++++++++++++++++++++--
 2 files changed, 597 insertions(+), 196 deletions(-)
diff --git a/main.tf b/main.tf
index a6c799d..c27bcc3 100644
--- a/main.tf
+++ b/main.tf
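Review bot: In the second variables.tf hunk of the first patch, `vpc_id`, `public_subnet` and `vpn_key_pair` are inputs the module cannot work without, yet each is given `default = ""`, so a caller that omits one gets an opaque AWS API error at apply time instead of a plan-time message. Dropping the `default` line makes Terraform require them; if the default must stay, add a `validation` block to each with `condition     = length(var.vpc_id) > 0` and `error_message = "vpc_id must be set."` (and likewise for the other two). The `vpc_cidr` description changed to "The CIDR block of the Default VPC", which reads as the AWS account's default VPC rather than the VPC that `vpc_id` points at; the previous wording "The CIDR block of the VPC" was clearer. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.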
@@ -1,220 +1,316 @@ -resource "aws_eip" "vpn" { - domain = "vpc" - instance = module.vpn_server.id +locals { + azs = length(var.vpc_availability_zones) + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) + ] + ] : [] + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? 
var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true + create_database_subnet_route_table = var.database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance + nacl_allow_vpc_access_rule = [{ + rule_no = 97 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = var.vpc_cidr + } + + ] + enable_ipv6 = var.ipv6_enabled + ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false + public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? 
[for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] +} +data "aws_availability_zones" "available" {} +data "aws_ec2_instance_type" "arch" { + instance_type = var.vpn_server_instance_type } -module "security_group_vpn" { - source = "terraform-aws-modules/security-group/aws" - version = "5.1.0" - create = true - name = format("%s-%s-%s", var.environment, var.name, "vpn-sg") - description = "vpn server security group" - vpc_id = var.vpc_id +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.2.0" + name = format("%s-%s-vpc", var.environment, var.name) + cidr = var.vpc_cidr # CIDR FOR VPC + azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] + use_ipam_pool = var.ipam_enabled ? true : false + ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null + create_database_subnet_group = length(local.database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type + secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az + map_public_ip_on_launch = var.auto_assign_public_ip + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl + default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = [] # Enforcing no rules being present in the default security group. + default_security_group_egress = [] + create_database_nat_gateway_route = var.create_database_nat_gateway_route + create_database_subnet_route_table = local.create_database_subnet_route_table + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled + create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn + enable_ipv6 = local.enable_ipv6 + public_subnet_ipv6_native = local.ipv6_only + private_subnet_ipv6_native = local.ipv6_only + database_subnet_ipv6_native = local.ipv6_only + intra_subnet_ipv6_native = local.ipv6_only + #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation + public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation + private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation + database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation + intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation + 
public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes + private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes + database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes + intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes - ingress_with_cidr_blocks = [ - { - from_port = 443 - to_port = 443 - protocol = "tcp" - description = "Public HTTPS access" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 80 - to_port = 80 - protocol = "tcp" - description = "Public HTTP access" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 10150 - to_port = 10150 - protocol = "udp" - description = "VPN Server Port" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 22 - to_port = 22 - protocol = "tcp" - description = "SSH Port" - cidr_blocks = var.vpc_cidr - } - ] - egress_with_cidr_blocks = [ - { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = "0.0.0.0/0" - }, - ] + # TAGS TO BE ASSOCIATED WITH EACH RESOURCE tags = tomap( { - "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-sg") + "Name" = format("%s-%s-vpc", var.environment, var.name) "Environment" = var.environment }, ) -} -data "aws_ami" "ubuntu_20_ami" { - owners = ["099720109477"] - most_recent = true + public_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-subnet" + "Subnet-group" = "public" + "kubernetes.io/role/elb" = 1 + }) - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"] - } + public_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-route-table" + }) - filter { - name = "virtualization-type" - values = ["hvm"] - } -} + private_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-subnet" + "Subnet-group" = "private" + "kubernetes.io/role/internal-elb" = 1 + }) + private_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-route-table" + }) -data "template_file" "pritunl" { - template = 
file("${path.module}/scripts/pritunl-vpn.sh") -} + database_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-subnet" + "Subnet-group" = "database" + }) -data "aws_region" "current" {} + database_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-route-table" + }) -module "vpn_server" { - source = "terraform-aws-modules/ec2-instance/aws" - version = "4.1.4" - name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") - ami = data.aws_ami.ubuntu_20_ami.image_id - instance_type = var.vpn_server_instance_type - subnet_id = var.public_subnet - key_name = var.vpn_key_pair - associate_public_ip_address = true - vpc_security_group_ids = [module.security_group_vpn.security_group_id] - user_data = join("", data.template_file.pritunl[*].rendered) - iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name) - - - root_block_device = [ - { - encrypted = true - volume_type = "gp2" - volume_size = 20 - } - ] + intra_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-subnet" + "Subnet-group" = "intra" + }) - tags = tomap( - { - "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") - "Environment" = var.environment - }, - ) -} + intra_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-route-table" + }) -resource "aws_iam_role" "vpn_role" { - name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceRole") - assume_role_policy = < Date: Thu, 14 Mar 2024 13:34:30 +0530 Subject: [PATCH 3/7] Add files via upload Changed aws hashicorp version from 4.23 to 5.0.0 --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index dffc488..d8e2113 100644 --- a/versions.tf +++ b/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.23" + version = ">= 5.0.0" } } } From bac5267f7ccf9d9dcea78acd8a6b900f0dfce71b Mon Sep 17 00:00:00 2001 
From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:26:14 +0530 Subject: [PATCH 4/7] Add files via upload --- main.tf | 402 +++++++++++++-------------------------------------- variables.tf | 70 ++++++--- 2 files changed, 152 insertions(+), 320 deletions(-) diff --git a/main.tf b/main.tf index c27bcc3..81ff109 100644 --- a/main.tf +++ b/main.tf 
@@ -1,316 +1,112 @@ locals { - azs = length(var.vpc_availability_zones) - public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) - ] - ] : [] - vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? 
var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false - is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance - nacl_allow_vpc_access_rule = [{ - rule_no = 97 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = var.vpc_cidr - } - - ] - enable_ipv6 = var.ipv6_enabled - ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false - public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - - public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? 
[for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] -} -data "aws_availability_zones" "available" {} -data "aws_ec2_instance_type" "arch" { - instance_type = var.vpn_server_instance_type -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.2.0" - name = format("%s-%s-vpc", var.environment, var.name) - cidr = var.vpc_cidr # CIDR FOR VPC - azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] - use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null - ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.database_subnets) > 1 && var.database_subnet_group_enabled ? true : false - intra_subnets = local.vpc_intra_subnets - public_subnets = local.vpc_public_subnets - private_subnets = local.vpc_private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.vpc_flow_log_enabled - enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.vpc_single_nat_gateway - enable_vpn_gateway = var.vpn_gateway_enabled - enable_dns_hostnames = var.dns_hostnames_enabled - flow_log_traffic_type = var.vpc_flow_log_traffic_type - secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az - map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = var.vpc_flow_log_destination_type - manage_default_network_acl = var.vpc_manage_default_network_acl - default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = var.manage_vpc_default_security_group - default_security_group_ingress = [] # Enforcing no rules being present in the default security group. - default_security_group_egress = [] - create_database_nat_gateway_route = var.create_database_nat_gateway_route - create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled - create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn - enable_ipv6 = local.enable_ipv6 - public_subnet_ipv6_native = local.ipv6_only - private_subnet_ipv6_native = local.ipv6_only - database_subnet_ipv6_native = local.ipv6_only - intra_subnet_ipv6_native = local.ipv6_only - #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation - public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation - private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation - database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation - intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation - 
public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes - private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes - database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes - intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes - - - # TAGS TO BE ASSOCIATED WITH EACH RESOURCE - - tags = tomap( - { - "Name" = format("%s-%s-vpc", var.environment, var.name) - "Environment" = var.environment - }, - ) - - public_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-subnet" - "Subnet-group" = "public" - "kubernetes.io/role/elb" = 1 - }) - - public_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-route-table" - }) - - private_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-subnet" - "Subnet-group" = "private" - "kubernetes.io/role/internal-elb" = 1 - }) - - private_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-route-table" - }) - - database_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-subnet" - "Subnet-group" = "database" - }) - - database_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-route-table" - }) - - intra_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-subnet" - "Subnet-group" = "intra" - }) - - intra_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-route-table" - }) - - igw_tags = tomap({ - "Name" = "${var.environment}-${var.name}-igw" - }) - - nat_gateway_tags = tomap({ - "Name" = "${var.environment}-${var.name}-nat" - }) - - default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) - default_network_acl_tags = { - "Name" = format("%s-%s-nacl", var.environment, var.name) - "Environment" = var.environment + vpc_name = "vpc-test" + aws_region = "us-east-1" + aws_account_id = "767398031518" + environment = "prod" + kms_user = null + vpc_cidr = "10.10.0.0/16" + vpc_availability_zones = ["us-east-1a", 
"us-east-1b"] + kms_deletion_window_in_days = 7 + enable_key_rotation = false + is_enabled = true + vpc_flow_log_enabled = true + vpn_server_enabled = true + vpc_intra_subnet_enabled = true + vpc_public_subnet_enabled = true + auto_assign_public_ip = true + vpc_private_subnet_enabled = true + vpc_one_nat_gateway_per_az = true + vpc_database_subnet_enabled = true + vpc_s3_endpoint_enabled = true + vpc_ecr_endpoint_enabled = true + vpn_server_instance_type = "t3a.small" + vpc_flow_log_cloudwatch_log_group_skip_destroy = false + current_identity = data.aws_caller_identity.current.arn + multi_region = false + additional_aws_tags = { + Owner = "Organization_Name" + Expires = "Never" + Department = "Engineering" } } -module "vpn_server" { - count = var.vpn_server_enabled && local.is_supported_arch ? 1 : 0 - depends_on = [module.vpc] - source = "./modules/vpn" - name = var.name - vpc_id = module.vpc.vpc_id - vpc_cidr = var.vpc_cidr - environment = var.environment - vpn_key_pair = var.vpn_key_pair_name - public_subnet = module.vpc.public_subnets[0] - vpn_server_instance_type = var.vpn_server_instance_type -} - -resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - operating_regions { - region_name = var.aws_region - } -} +data "aws_caller_identity" "current" {} -# IPv4 -resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - description = "IPv4 pool" - address_family = "ipv4" - ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.aws_region - allocation_default_netmask_length = 16 +module "key_pair_vpn" { + source = "squareops/keypair/aws" + key_name = format("%s-%s-vpn", local.environment, local.vpc_name) + environment = local.environment + ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) } -resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { - count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.create_ipam_pool ? 
aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr -} - -# private links for S3 - -data "aws_route_tables" "aws_private_routes" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [module.vpc] - vpc_id = module.vpc.vpc_id - tags = { - Name = "${var.environment}-${var.name}-private-route-table" - } -} - -resource "aws_vpc_endpoint" "private-s3" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [data.aws_route_tables.aws_private_routes] - vpc_id = module.vpc.vpc_id - service_name = "com.amazonaws.${var.aws_region}.s3" - route_table_ids = data.aws_route_tables.aws_private_routes[0].ids - vpc_endpoint_type = "Gateway" - policy = < Date: Mon, 18 Mar 2024 09:48:15 +0530 Subject: [PATCH 5/7] Update main.tf --- main.tf | 403 ++++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 304 insertions(+), 99 deletions(-) diff --git a/main.tf b/main.tf index 81ff109..c2ed73b 100644 --- a/main.tf +++ b/main.tf 
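Review bot: The new side of this hunk replaces the module's computed locals and the whole `module "vpc"` block with what reads as a root/example configuration — a literal `aws_account_id`, a fixed region and `vpc_cidr`, a hard-coded AZ list, `enable_key_rotation = false` and a `module "key_pair_vpn"` call — and the one-line commit message ("Add files via upload") gives no reason, so it looks like an `examples/` file was uploaded over `main.tf`. Even though the following patch in this series restores the module body, the account id and the `kms_user = null` / `enable_key_rotation = false` settings now sit in history, and disabling key rotation is not something a reusable module should ship as a default. If this content is meant to be an example it belongs under `examples/` with those values taken from variables; if `main.tf` is the module, this commit should be dropped from the series rather than reverted by the next one. The hunk's tail (the endpoint policy heredocs) is cut off in this view.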
@@ -1,112 +1,317 @@ locals { - vpc_name = "vpc-test" - aws_region = "us-east-1" - aws_account_id = "767398031518" - environment = "prod" - kms_user = null - vpc_cidr = "10.10.0.0/16" - vpc_availability_zones = ["us-east-1a", "us-east-1b"] - kms_deletion_window_in_days = 7 - enable_key_rotation = false - is_enabled = true - vpc_flow_log_enabled = true - vpn_server_enabled = true - vpc_intra_subnet_enabled = true - vpc_public_subnet_enabled = true - auto_assign_public_ip = true - vpc_private_subnet_enabled = true - vpc_one_nat_gateway_per_az = true - vpc_database_subnet_enabled = true - vpc_s3_endpoint_enabled = true - vpc_ecr_endpoint_enabled = true - vpn_server_instance_type = "t3a.small" - vpc_flow_log_cloudwatch_log_group_skip_destroy = false - current_identity = data.aws_caller_identity.current.arn - multi_region = false - additional_aws_tags = { - Owner = "Organization_Name" - Expires = "Never" - Department = "Engineering" + azs = length(var.vpc_availability_zones) + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? 
[ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) + ] + ] : [] + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? var.vpc_database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true + create_database_subnet_route_table = var.vpc_database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? 
false : true # for VPN Instance + nacl_allow_vpc_access_rule = [{ + rule_no = 97 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = var.vpc_cidr + } + + ] + enable_ipv6 = var.ipv6_enabled + ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false + public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.vpc_database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] +} +data "aws_availability_zones" "available" {} +data "aws_ec2_instance_type" "arch" { + instance_type = var.vpn_server_instance_type +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.2.0" + name = format("%s-%s-vpc", var.environment, var.name) + cidr = var.vpc_cidr # CIDR FOR VPC + azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] + use_ipam_pool = var.ipam_enabled ? true : false + ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? 
aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null + create_database_subnet_group = length(local.generate_subnets.vpc_database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.generate_subnets.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type + secondary_cidr_blocks = var.secondry_cidr_enabled ? var.secondary_cidr_blocks : [] + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az + map_public_ip_on_launch = var.auto_assign_public_ip + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl + default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = var.vpc_default_security_group_ingress # Enforcing no rules being present in the default security group. 
+ default_security_group_egress = vpc_vpc_default_security_group_egress + create_database_nat_gateway_route = var.database_nat_gateway_route_enabled + create_database_subnet_route_table = local.create_database_subnet_route_table + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled + create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.vpc_flow_log_cloudwatch_log_group_kms_key_arn + enable_ipv6 = local.enable_ipv6 + public_subnet_ipv6_native = local.ipv6_only + private_subnet_ipv6_native = local.ipv6_only + database_subnet_ipv6_native = local.ipv6_only + intra_subnet_ipv6_native = local.ipv6_only + #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation + public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation + private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation + database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation + intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation + public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes + private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes + database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes + intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes + + + # TAGS TO BE ASSOCIATED WITH EACH RESOURCE + + tags = tomap( + { + "Name" = format("%s-%s-vpc", var.environment, var.name) + "Environment" = var.environment + }, + ) + + public_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-subnet" + 
"Subnet-group" = "public" + "kubernetes.io/role/elb" = 1 + }) + + public_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-route-table" + }) + + private_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-subnet" + "Subnet-group" = "private" + "kubernetes.io/role/internal-elb" = 1 + }) + + private_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-route-table" + }) + + database_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-subnet" + "Subnet-group" = "database" + }) + + database_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-route-table" + }) + + intra_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-subnet" + "Subnet-group" = "intra" + }) + + intra_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-route-table" + }) + + igw_tags = tomap({ + "Name" = "${var.environment}-${var.name}-igw" + }) + + nat_gateway_tags = tomap({ + "Name" = "${var.environment}-${var.name}-nat" + }) + + default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) + default_network_acl_tags = { + "Name" = format("%s-%s-nacl", var.environment, var.name) + "Environment" = var.environment } } -data "aws_caller_identity" "current" {} +module "vpn_server" { + count = var.vpn_server_enabled && local.is_supported_arch ? 
1 : 0 + depends_on = [module.vpc] + source = "./modules/vpn" + name = var.name + vpc_id = module.vpc.vpc_id + vpc_cidr = var.vpc_cidr + environment = var.environment + vpn_key_pair = var.vpn_server_key_pair_name + public_subnet = module.vpc.public_subnets[0] + vpn_server_instance_type = var.vpn_server_instance_type +} -module "key_pair_vpn" { - source = "squareops/keypair/aws" - key_name = format("%s-%s-vpn", local.environment, local.vpc_name) - environment = local.environment - ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) +resource "aws_vpc_ipam" "ipam" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + operating_regions { + region_name = var.aws_region + } } -module "kms" { - source = "terraform-aws-modules/kms/aws" - - deletion_window_in_days = local.kms_deletion_window_in_days - description = "Symetric Key to Enable Encryption at rest using KMS services." - enable_key_rotation = local.enable_key_rotation - is_enabled = local.is_enabled - key_usage = "ENCRYPT_DECRYPT" - multi_region = local.multi_region - - # Policy - enable_default_policy = true - key_owners = [local.current_identity] - key_administrators = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_service_users = local.kms_user == null ? 
["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_symmetric_encryption_users = [local.current_identity] - key_hmac_users = [local.current_identity] - key_asymmetric_public_encryption_users = [local.current_identity] - key_asymmetric_sign_verify_users = [local.current_identity] - key_statements = [ - { - sid = "AllowCloudWatchLogsEncryption", - effect = "Allow" - actions = [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ] - resources = ["*"] - - principals = [ +# IPv4 +resource "aws_vpc_ipam_pool" "ipam_pool" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + description = "IPv4 pool" + address_family = var.ipam_address_family + ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id + locale = var.aws_region + allocation_default_netmask_length = 16 +} + +resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { + count = var.ipam_enabled ? 1 : 0 + ipam_pool_id = var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id + cidr = var.ipam_pool_enabled ? var.vpc_cidr : var.existing_ipam_managed_cidr +} + +# private links for S3 + +data "aws_route_tables" "aws_private_routes" { + count = var.vpc_s3_endpoint_enabled ? 1 : 0 + depends_on = [module.vpc] + vpc_id = module.vpc.vpc_id + tags = { + Name = "${var.environment}-${var.name}-private-route-table" + } +} + +resource "aws_vpc_endpoint" "private-s3" { + count = var.vpc_s3_endpoint_enabled ? 
1 : 0 + depends_on = [data.aws_route_tables.aws_private_routes] + vpc_id = module.vpc.vpc_id + service_name = "com.amazonaws.${var.aws_region}.s3" + route_table_ids = data.aws_route_tables.aws_private_routes[0].ids + vpc_endpoint_type = var.vpc_endpoint_type_private-s3 + policy = < Date: Mon, 18 Mar 2024 09:48:56 +0530 Subject: [PATCH 6/7] Update variables.tf --- variables.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/variables.tf b/variables.tf index 8fef36c..de0c894 100644 --- a/variables.tf +++ b/variables.tf @@ -364,13 +364,13 @@ variable "vpc_endpoint_type_ecr_api" { default = "Interface" } -variable "vpc_endpoint_type_ecr-dkr" { +variable "vpc_endpoint_type_ecr_dkr" { description = "The type of VPC endpoint for ECR Docker" type = string default = "Interface" } -variable "vpc_endpoint_type_private-s3" { +variable "vpc_endpoint_type_private_s3" { description = "The type of VPC endpoint for ECR Docker" type = string default = "Interface" @@ -380,4 +380,4 @@ variable "ipam_address_family" { description = "The address family for the VPC (ipv4 or ipv6)" type = string default = "ipv4" -} \ No newline at end of file +} From 478b87dbbd131f23e433023007207980d6288567 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:50:28 +0530 Subject: [PATCH 7/7] Update main.tf --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index c2ed73b..b21781d 100644 --- a/main.tf +++ b/main.tf @@ -221,7 +221,7 @@ data "aws_route_tables" "aws_private_routes" { } } -resource "aws_vpc_endpoint" "private-s3" { +resource "aws_vpc_endpoint" "private_s3" { count = var.vpc_s3_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id 
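Review bot: `default_security_group_egress = vpc_vpc_default_security_group_egress` in the `module "vpc"` block is missing the `var.` prefix, so `terraform validate` will reject it; the parallel ingress line suggests it should read `default_security_group_egress = var.vpc_default_security_group_egress`. The two `length(local.generate_subnets.…)` expressions feeding `create_database_subnet_group` and `enable_nat_gateway` reference a local this hunk's `locals` block never defines (it defines `local.database_subnets` and `local.vpc_private_subnets` directly), so they should be `length(local.database_subnets)` and `length(local.vpc_private_subnets)`. Now that `default_security_group_ingress` is driven by `var.vpc_default_security_group_ingress`, the trailing comment "Enforcing no rules being present in the default security group" no longer describes the code; either pin both default-SG rule lists back to `[]` or reword the comment to say the caller supplies them and that the safe value is an empty list. The end of this hunk (the S3/ECR endpoint policy heredocs) is cut off in this view.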
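Review bot: The renamed `vpc_endpoint_type_private_s3` keeps the copy-pasted description "The type of VPC endpoint for ECR Docker"; it should be `description = "The type of VPC endpoint for S3"`. Its `default = "Interface"` also conflicts with how `aws_vpc_endpoint.private_s3` in main.tf consumes it: that resource passes `route_table_ids`, which only applies to Gateway endpoints, and the code this series replaced hard-coded `vpc_endpoint_type = "Gateway"` for S3, so `default = "Gateway"` is the default that matches the resource. Renaming the two variables here does not rename their references in main.tf — the earlier main.tf hunk still writes `vpc_endpoint_type = var.vpc_endpoint_type_private-s3` — and the follow-up "Update main.tf" patch (three resource-name lines) does not appear to touch them, so the module will fail validation with an undeclared-variable error until those references are updated in the same change.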
@@ -262,7 +262,7 @@ resource "aws_security_group" "vpc_endpoints" { } # private links for ECR.dkr -resource "aws_vpc_endpoint" "private-ecr-dkr" { +resource "aws_vpc_endpoint" "private-ecr_dkr" { count = var.vpc_ecr_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id @@ -290,7 +290,7 @@ POLICY # private links for ECR.api -resource "aws_vpc_endpoint" "private-ecr-api" { +resource "aws_vpc_endpoint" "private-ecr_api" { count = var.vpc_ecr_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id
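Review bot: The new names `private-ecr_dkr` and `private-ecr_api` mix a hyphen and an underscore, matching neither the `private_s3` rename in the `@@ -221` hunk nor the original hyphenated names; if the intent is underscore-only resource names, use `private_ecr_dkr` and `private_ecr_api`. Changing a resource address without a `moved` block makes Terraform plan a destroy-and-recreate of each VPC endpoint in any existing state, so each of the three renames should be paired with one, e.g. `moved { from = aws_vpc_endpoint.private-ecr-dkr  to = aws_vpc_endpoint.private_ecr_dkr }`, and likewise for the `@@ -290` (ECR API) and `@@ -221` (S3) hunks.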