diff --git a/IAM.md b/IAM.md
index 89bd61d..b9dbc4e 100644
--- a/IAM.md
+++ b/IAM.md
@@ -27,7 +27,8 @@ The Policy required to deploy this module is:
"ec2:CreateEgressOnlyInternetGateway",
"ec2:CreateFlowLogs",
"ec2:CreateInternetGateway",
- "ec2:CreateKeyPair",
+ "ec2:CreateIpam",
+ "ec2:CreateIpamPool",
"ec2:CreateNatGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
@@ -37,13 +38,15 @@ The Policy required to deploy this module is:
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVPC",
+ "ec2:CreateVpcEndpoint",
"ec2:CreateVpnGateway",
"ec2:DeleteCustomerGateway",
"ec2:DeleteDhcpOptions",
"ec2:DeleteEgressOnlyInternetGateway",
"ec2:DeleteFlowLogs",
"ec2:DeleteInternetGateway",
- "ec2:DeleteKeyPair",
+ "ec2:DeleteIpam",
+ "ec2:DeleteIpamPool",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
@@ -53,22 +56,27 @@ The Policy required to deploy this module is:
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVPC",
+ "ec2:DeleteVpcEndpoints",
"ec2:DeleteVpnGateway",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
"ec2:DescribeCustomerGateways",
"ec2:DescribeDhcpOptions",
"ec2:DescribeEgressOnlyInternetGateways",
"ec2:DescribeFlowLogs",
+ "ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
- "ec2:DescribeKeyPairs",
+ "ec2:DescribeIpamPools",
+ "ec2:DescribeIpams",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
+ "ec2:DescribePrefixLists",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotInstanceRequests",
@@ -76,6 +84,7 @@ The Policy required to deploy this module is:
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
+ "ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcs",
"ec2:DescribeVpnGateways",
"ec2:DetachInternetGateway",
@@ -85,9 +94,13 @@ The Policy required to deploy this module is:
"ec2:DisassociateRouteTable",
"ec2:DisassociateVpcCidrBlock",
"ec2:EnableVgwRoutePropagation",
- "ec2:ImportKeyPair",
+ "ec2:GetIpamPoolCidrs",
"ec2:ModifyInstanceAttribute",
+ "ec2:ModifyIpam",
+ "ec2:ModifyIpamPool",
+ "ec2:ModifyVpcEndpoint",
"ec2:MonitorInstances",
+ "ec2:ProvisionIpamPoolCidr",
"ec2:ReleaseAddress",
"ec2:RequestSpotInstances",
"ec2:RevokeSecurityGroupEgress",
@@ -122,25 +135,35 @@ The Policy required to deploy this module is:
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
+ "iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DetachRolePolicy",
+ "iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
+ "iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:PassRole",
"iam:PutRolePermissionsBoundary",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:TagInstanceProfile",
"iam:TagPolicy",
"iam:TagRole",
- "iam:UntagPolicy"
+ "iam:UntagInstanceProfile",
+ "iam:UntagPolicy",
+ "iam:UpdateRoleDescription"
],
"Resource": [
"*"
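Review bot: The VisualEditor2 statement now grants iam:CreateRole, iam:AttachRolePolicy, iam:CreateInstanceProfile, iam:AddRoleToInstanceProfile and iam:PassRole together on `"Resource": ["*"]`, which lets any holder of this deploy policy create a role with an arbitrary managed policy and hand it to an EC2 instance — an administrator-equivalent path rather than a scoped deploy permission. The only role this module creates follows the `<environment>-<name>-vpnEC2InstanceRole` naming visible in modules/vpn/main.tf, so the write actions can be restricted to `arn:aws:iam::*:role/*-vpnEC2InstanceRole` and `arn:aws:iam::*:instance-profile/*`, and iam:PassRole can carry `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}`. The new iam:CreateServiceLinkedRole should likewise be limited with an `iam:AWSServiceName` condition to the one service this module needs it for (presumably IPAM, given the ec2:CreateIpam additions — confirm).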
@@ -209,13 +232,13 @@ The Policy required to deploy this module is:
"Sid": "VisualEditor7",
"Effect": "Allow",
"Action": [
- "ssm:AddTagsToResource",
- "ssm:DeleteParameter",
- "ssm:DescribeParameters",
+ "ssm:CreateDocument",
+ "ssm:DeleteDocument",
+ "ssm:DescribeDocument",
+ "ssm:DescribeDocumentPermission",
+ "ssm:GetDocument",
"ssm:GetParameter",
- "ssm:GetParameters",
- "ssm:ListTagsForResource",
- "ssm:PutParameter"
+ "ssm:UpdateDocument"
],
"Resource": [
"*"
diff --git a/README.md b/README.md
index f0895b4..1c2fbc7 100644
--- a/README.md
+++ b/README.md
@@ -203,7 +203,7 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
| Name | Source | Version |
|------|--------|---------|
-| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.2.0 |
+| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.9.0 |
| [vpn\_server](#module\_vpn\_server) | ./modules/vpn | n/a |
## Resources
@@ -248,6 +248,7 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
| [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | The netmask length for IPAM managed VPC | `number` | `16` | no |
| [ipv6\_enabled](#input\_ipv6\_enabled) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no |
| [ipv6\_only](#input\_ipv6\_only) | Enable it for deploying native IPv6 network | `bool` | `false` | no |
+| [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of the KMS key to encrypt VPN server EBS volume | `string` | `""` | no |
| [name](#input\_name) | Specify the name of the VPC | `string` | `""` | no |
| [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier | `bool` | `false` | no |
| [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
@@ -280,6 +281,7 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
| [vpc\_ipv6\_association\_id](#output\_vpc\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block |
| [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC |
| [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Address of VPN Server |
+| [vpn\_port\_description](#output\_vpn\_port\_description) | Description of VPN server port |
| [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server |
diff --git a/examples/complete-vpc-with-vpn/README.md b/examples/complete-vpc-with-vpn/README.md
index 62cdb53..1466934 100644
--- a/examples/complete-vpc-with-vpn/README.md
+++ b/examples/complete-vpc-with-vpn/README.md
@@ -33,9 +33,9 @@ No requirements.
| Name | Source | Version |
|------|--------|---------|
-| [key\_pair\_vpn](#module\_key\_pair\_vpn) | squareops/keypair/aws | n/a |
-| [kms](#module\_kms) | terraform-aws-modules/kms/aws | n/a |
-| [vpc](#module\_vpc) | ../../ | n/a |
+| [key\_pair\_vpn](#module\_key\_pair\_vpn) | squareops/keypair/aws | 1.0.2 |
+| [kms](#module\_kms) | terraform-aws-modules/kms/aws | 3.1.0 |
+| [vpc](#module\_vpc) | squareops/vpc/aws | 3.3.5 |
## Resources
diff --git a/examples/complete-vpc-with-vpn/main.tf b/examples/complete-vpc-with-vpn/main.tf
index 0c63112..2f57e93 100644
--- a/examples/complete-vpc-with-vpn/main.tf
+++ b/examples/complete-vpc-with-vpn/main.tf
@@ -1,29 +1,33 @@
locals {
name = "vpc"
- region = "ap-south-1"
+ region = "us-west-1"
environment = "prod"
additional_aws_tags = {
Owner = "Organization_Name"
Expires = "Never"
Department = "Engineering"
}
- kms_user = null
- vpc_cidr = "10.10.0.0/16"
- current_identity = data.aws_caller_identity.current.arn
+ kms_user = null
+ vpc_cidr = "10.10.0.0/16"
+ availability_zones = ["us-west-1a", "us-west-1b"]
+ current_identity = data.aws_caller_identity.current.arn
+ vpn_server_enabled = true // Set to true, enabling the VPN server within the VPC, which will use the provided key pair for securing VPN connections.
}
data "aws_caller_identity" "current" {}
module "key_pair_vpn" {
source = "squareops/keypair/aws"
+ version = "1.0.2"
+ count = local.vpn_server_enabled ? 1 : 0
key_name = format("%s-%s-vpn", local.environment, local.name)
environment = local.environment
ssm_parameter_path = format("%s-%s-vpn", local.environment, local.name)
}
module "kms" {
- source = "terraform-aws-modules/kms/aws"
-
+ source = "terraform-aws-modules/kms/aws"
+ version = "3.1.0"
deletion_window_in_days = 7
description = "Symetric Key to Enable Encryption at rest using KMS services."
enable_key_rotation = false
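Review bot: The comment added on the `vpn_server_enabled` line says the key pair is used "for securing VPN connections", but the key pair is only the SSH `key_name` of the VPN EC2 instance (see modules/vpn/main.tf); Pritunl client tunnels are secured by the server's own certificates, so the comment should read `// Set to true to deploy the Pritunl VPN server; key_pair_vpn is the SSH key pair for that EC2 instance, not the VPN tunnel credential.` In the same example the kms module still sets `enable_key_rotation = false` with `deletion_window_in_days = 7`, and this key now encrypts both the VPN root volume and the flow-log log group in a `prod`-tagged example; `enable_key_rotation = true` is the default worth demonstrating. The kms module block continues below this hunk.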
@@ -70,14 +74,16 @@ module "kms" {
module "vpc" {
source = "squareops/vpc/aws"
+ version = "3.4.1"
name = local.name
region = local.region
vpc_cidr = local.vpc_cidr
environment = local.environment
flow_log_enabled = true
- vpn_key_pair_name = module.key_pair_vpn.key_pair_name
- availability_zones = ["ap-south-1a", "ap-south-1b"]
- vpn_server_enabled = true
+ vpn_key_pair_name = local.vpn_server_enabled ? module.key_pair_vpn[0].key_pair_name : null
+ availability_zones = local.availability_zones
+ vpn_server_enabled = local.vpn_server_enabled
+ kms_key_arn = module.kms.key_arn
intra_subnet_enabled = true
public_subnet_enabled = true
auto_assign_public_ip = true
@@ -91,4 +97,4 @@ module "vpc" {
flow_log_cloudwatch_log_group_skip_destroy = true
flow_log_cloudwatch_log_group_retention_in_days = 90
flow_log_cloudwatch_log_group_kms_key_arn = module.kms.key_arn #Enter your kms key arn
-}
\ No newline at end of file
+}
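Review bot: The vpc module is pinned to `version = "3.4.1"` here while the example README updated in this same commit records squareops/vpc/aws at 3.3.5, so one of the two is stale and the README should be regenerated once the pin is settled. Since the example now passes `kms_key_arn = module.kms.key_arn` for the VPN root volume, the key policy defined earlier in this file (outside the hunk) also has to permit the launching principal and EC2 to use the key for EBS, or the instance will fail to launch; I cannot see the `key_users`/key statements from this hunk, so confirm they cover the EC2 grant path rather than only the flow-log use that existed before.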
diff --git a/examples/complete-vpc-with-vpn/providers.tf b/examples/complete-vpc-with-vpn/providers.tf
index 2d14d27..de9c9d3 100644
--- a/examples/complete-vpc-with-vpn/providers.tf
+++ b/examples/complete-vpc-with-vpn/providers.tf
@@ -4,3 +4,13 @@ provider "aws" {
tags = local.additional_aws_tags
}
}
+
+terraform {
+ required_version = ">= 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "= 5.99.1"
+ }
+ }
+}
diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf
index ba6ee41..a794f62 100644
--- a/examples/simple-vpc/main.tf
+++ b/examples/simple-vpc/main.tf
@@ -7,7 +7,8 @@ locals {
Expires = "Never"
Department = "Engineering"
}
- vpc_cidr = "10.10.0.0/16"
+ vpc_cidr = "10.10.0.0/16"
+ availability_zones = ["us-east-1a", "us-east-1b"]
}
module "vpc" {
@@ -15,7 +16,7 @@ module "vpc" {
name = local.name
vpc_cidr = local.vpc_cidr
environment = local.environment
- availability_zones = ["us-east-1a", "us-east-1b"]
+ availability_zones = local.availability_zones
public_subnet_enabled = true
auto_assign_public_ip = true
}
diff --git a/examples/simple-vpc/providers.tf b/examples/simple-vpc/providers.tf
index 1536871..0345567 100644
--- a/examples/simple-vpc/providers.tf
+++ b/examples/simple-vpc/providers.tf
@@ -4,3 +4,13 @@ provider "aws" {
tags = local.additional_aws_tags
}
}
+
+terraform {
+ required_version = ">= 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "= 5.99.1"
+ }
+ }
+}
diff --git a/examples/vpc-dualstack/main.tf b/examples/vpc-dualstack/main.tf
index ab05c36..4c4aae9 100644
--- a/examples/vpc-dualstack/main.tf
+++ b/examples/vpc-dualstack/main.tf
@@ -7,8 +7,9 @@ locals {
Expires = "Never"
Department = "Engineering"
}
- vpc_cidr = "10.10.0.0/16"
- ipv6_enabled = true
+ vpc_cidr = "10.10.0.0/16"
+ availability_zones = ["us-east-1a", "us-east-1b"]
+ ipv6_enabled = true
}
module "vpc" {
@@ -16,7 +17,7 @@ module "vpc" {
name = local.name
vpc_cidr = local.vpc_cidr
environment = local.environment
- availability_zones = ["us-east-1a", "us-east-1b"]
+ availability_zones = local.availability_zones
public_subnet_enabled = true
private_subnet_enabled = true
intra_subnet_enabled = false
diff --git a/examples/vpc-native-ipv6/main.tf b/examples/vpc-native-ipv6/main.tf
index ad12a2a..1630ab3 100644
--- a/examples/vpc-native-ipv6/main.tf
+++ b/examples/vpc-native-ipv6/main.tf
@@ -7,9 +7,10 @@ locals {
Expires = "Never"
Department = "Engineering"
}
- vpc_cidr = "10.10.0.0/16"
- ipv6_enabled = true
- ipv6_only = true
+ vpc_cidr = "10.10.0.0/16"
+ availability_zones = ["us-east-1a", "us-east-1b"]
+ ipv6_enabled = true
+ ipv6_only = true
}
module "vpc" {
@@ -19,7 +20,7 @@ module "vpc" {
ipv6_only = local.ipv6_only
environment = local.environment
ipv6_enabled = local.ipv6_enabled
- availability_zones = ["us-east-1a", "us-east-1b"]
+ availability_zones = local.availability_zones
public_subnet_enabled = true
private_subnet_enabled = true
intra_subnet_enabled = true
diff --git a/examples/vpc-with-private-subnet/main.tf b/examples/vpc-with-private-subnet/main.tf
index b7fa228..430c99a 100644
--- a/examples/vpc-with-private-subnet/main.tf
+++ b/examples/vpc-with-private-subnet/main.tf
@@ -7,7 +7,8 @@ locals {
Expires = "Never"
Department = "Engineering"
}
- vpc_cidr = "10.10.0.0/16"
+ vpc_cidr = "10.10.0.0/16"
+ availability_zones = ["us-east-1a", "us-east-1b"]
}
module "vpc" {
@@ -15,7 +16,7 @@ module "vpc" {
name = local.name
vpc_cidr = local.vpc_cidr
environment = local.environment
- availability_zones = ["us-east-1a", "us-east-1b"]
+ availability_zones = local.availability_zones
public_subnet_enabled = true
private_subnet_enabled = true
auto_assign_public_ip = true
diff --git a/examples/vpc-with-private-subnet/providers.tf b/examples/vpc-with-private-subnet/providers.tf
index fafeca0..de9c9d3 100644
--- a/examples/vpc-with-private-subnet/providers.tf
+++ b/examples/vpc-with-private-subnet/providers.tf
@@ -3,4 +3,14 @@ provider "aws" {
default_tags {
tags = local.additional_aws_tags
}
-}
+}
+
+terraform {
+ required_version = ">= 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "= 5.99.1"
+ }
+ }
+}
diff --git a/examples/vpc-with-secondary-cidr/main.tf b/examples/vpc-with-secondary-cidr/main.tf
index 19d83cc..834d727 100644
--- a/examples/vpc-with-secondary-cidr/main.tf
+++ b/examples/vpc-with-secondary-cidr/main.tf
@@ -8,6 +8,7 @@ locals {
Department = "Engineering"
}
vpc_cidr = "10.10.0.0/16"
+ availability_zones = ["us-east-1a", "us-east-1b"]
secondry_cidr_enabled = true
secondary_cidr_blocks = ["10.20.0.0/16"]
}
@@ -17,7 +18,7 @@ module "vpc" {
name = local.name
vpc_cidr = local.vpc_cidr
environment = local.environment
- availability_zones = ["us-east-1a", "us-east-1b"]
+ availability_zones = local.availability_zones
public_subnet_enabled = true
private_subnet_enabled = true
auto_assign_public_ip = true
diff --git a/main.tf b/main.tf
index ef6c8f0..3fac233 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,4 @@
+# Declaration of local variables with values that can be passed in the VPC module
locals {
azs = length(var.availability_zones)
public_subnets_native = var.public_subnet_enabled ? length(var.public_subnet_cidrs) > 0 ? var.public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
@@ -54,14 +55,18 @@ locals {
database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : []
intra_subnet_ipv6_prefixes = var.intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : []
}
+
+# Data source for fetching available AWS availability zones
data "aws_availability_zones" "available" {}
+# Data source for fetching information about the VPN sever EC2 instance type
data "aws_ec2_instance_type" "arch" {
instance_type = var.vpn_server_instance_type
}
+# Module block for creating a VPC using terraform-aws-modules/vpc/aws module
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
- version = "5.2.0"
+ version = "5.9.0"
name = format("%s-%s-vpc", var.environment, var.name)
cidr = var.vpc_cidr # CIDR FOR VPC
azs = var.availability_zones
@@ -138,7 +143,7 @@ module "vpc" {
})
private_subnet_tags_per_az = { for az in var.availability_zones : az => {
- "Karpenter" = "${az}"
+ "Karpenter" = "${var.name}-${az}"
} }
private_route_table_tags = tomap({
@@ -178,6 +183,7 @@ module "vpc" {
}
}
+# Module block for creating a VPN server
module "vpn_server" {
count = var.vpn_server_enabled && local.is_supported_arch ? 1 : 0
depends_on = [module.vpc]
@@ -189,8 +195,10 @@ module "vpn_server" {
vpn_key_pair = var.vpn_key_pair_name
public_subnet = module.vpc.public_subnets[0]
vpn_server_instance_type = var.vpn_server_instance_type
+ kms_key_arn = var.kms_key_arn
}
+# Define an AWS VPC IP Address Management (IPAM) resource
resource "aws_vpc_ipam" "ipam" {
count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0
operating_regions {
@@ -200,7 +208,7 @@ resource "aws_vpc_ipam" "ipam" {
}
-# IPv4
+# Define an AWS VPC IP Address Management (IPAM) pool resource
resource "aws_vpc_ipam_pool" "ipam_pool" {
count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0
description = "IPv4 pool"
@@ -208,18 +216,16 @@ resource "aws_vpc_ipam_pool" "ipam_pool" {
ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id
locale = var.region
allocation_default_netmask_length = 16
-
-
}
+# Define an AWS VPC IP Address Management (IPAM) pool CIDR resource
resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" {
count = var.ipam_enabled ? 1 : 0
ipam_pool_id = var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id
cidr = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr
}
-# private links for S3
-
+# Define a data source to fetch AWS Route Tables for private routes
data "aws_route_tables" "aws_private_routes" {
count = var.vpc_s3_endpoint_enabled ? 1 : 0
depends_on = [module.vpc]
@@ -229,6 +235,7 @@ data "aws_route_tables" "aws_private_routes" {
}
}
+# Define an AWS VPC endpoint for S3
resource "aws_vpc_endpoint" "private-s3" {
count = var.vpc_s3_endpoint_enabled ? 1 : 0
depends_on = [data.aws_route_tables.aws_private_routes]
@@ -253,7 +260,7 @@ POLICY
}
}
-# allow 443 to access ecr repo
+# Allow access to ECR repo at port 443
resource "aws_security_group" "vpc_endpoints" {
count = var.vpc_ecr_endpoint_enabled ? 1 : 0
name_prefix = "${var.environment}-vpc-endpoints"
@@ -268,8 +275,8 @@ resource "aws_security_group" "vpc_endpoints" {
cidr_blocks = [var.vpc_cidr]
}
}
-# private links for ECR.dkr
+# private links for ECR.dkr
resource "aws_vpc_endpoint" "private-ecr-dkr" {
count = var.vpc_ecr_endpoint_enabled ? 1 : 0
depends_on = [data.aws_route_tables.aws_private_routes]
diff --git a/modules/vpc_peering/main.tf b/modules/vpc_peering/main.tf
index 533721f..84ad68b 100644
--- a/modules/vpc_peering/main.tf
+++ b/modules/vpc_peering/main.tf
@@ -33,6 +33,7 @@ data "aws_route_tables" "requester" {
provider = aws.peer
}
+# Create a VPC peering connection request
resource "aws_vpc_peering_connection" "this" {
count = var.peering_enabled ? 1 : 0
vpc_id = var.requester_vpc_id
@@ -45,6 +46,7 @@ resource "aws_vpc_peering_connection" "this" {
}
}
+# Allow destination VPC to acess the peering request.
resource "aws_vpc_peering_connection_accepter" "this" {
count = var.peering_enabled ? 1 : 0
depends_on = [aws_vpc_peering_connection.this]
@@ -56,6 +58,7 @@ resource "aws_vpc_peering_connection_accepter" "this" {
}
}
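Review bot: The added comment `# Allow destination VPC to acess the peering request.` has a typo and describes the resource inaccurately — `aws_vpc_peering_connection_accepter` accepts the request on the peer (accepter) side, it does not grant access to anything. Suggest `# Accept the peering request from the accepter (peer) side; requires the aws.peer provider.` if the accepter block below uses that provider, as the requester data source above does.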
+# Define AWS VPC peering connection options
resource "aws_vpc_peering_connection_options" "this" {
count = var.peering_enabled ? 1 : 0
depends_on = [aws_vpc_peering_connection_accepter.this]
diff --git a/modules/vpn/README.md b/modules/vpn/README.md
index bf0d988..6e6dcbb 100644
--- a/modules/vpn/README.md
+++ b/modules/vpn/README.md
@@ -33,8 +33,8 @@ Refer [this](https://pritunl.com/) for more information.
| Name | Source | Version |
|------|--------|---------|
-| [security\_group\_vpn](#module\_security\_group\_vpn) | terraform-aws-modules/security-group/aws | 4.13.0 |
-| [vpn\_server](#module\_vpn\_server) | terraform-aws-modules/ec2-instance/aws | 4.1.4 |
+| [security\_group\_vpn](#module\_security\_group\_vpn) | terraform-aws-modules/security-group/aws | 5.1.2 |
+| [vpn\_server](#module\_vpn\_server) | terraform-aws-modules/ec2-instance/aws | 5.2.1 |
## Resources
@@ -49,7 +49,7 @@ Refer [this](https://pritunl.com/) for more information.
| [aws_ssm_document.ssm_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource |
| [null_resource.delete_secret](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [time_sleep.wait_3_min](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
-| [aws_ami.ubuntu_20_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_ami.ubuntu_22_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_iam_policy.SSMManagedInstanceCore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
| [aws_iam_policy.SecretsManagerReadWrite](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -60,6 +60,7 @@ Refer [this](https://pritunl.com/) for more information.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [environment](#input\_environment) | Specify the environment indentifier for the VPC | `string` | `""` | no |
+| [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of the KMS key to encrypt VPN server EBS volume | `string` | `""` | no |
| [name](#input\_name) | Specify the name of the VPC | `string` | `""` | no |
| [public\_subnet](#input\_public\_subnet) | The VPC Subnet ID to launch in | `string` | `""` | no |
| [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block of the Default VPC | `string` | `"10.0.0.0/16"` | no |
@@ -73,5 +74,6 @@ Refer [this](https://pritunl.com/) for more information.
|------|-------------|
| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
| [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Address of VPN Server |
+| [vpn\_port\_description](#output\_vpn\_port\_description) | Allow traffic from UDP port 10150 in your secutiy group server |
| [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server |
diff --git a/modules/vpn/main.tf b/modules/vpn/main.tf
index 473138e..7027eb0 100644
--- a/modules/vpn/main.tf
+++ b/modules/vpn/main.tf
@@ -1,11 +1,13 @@
+# Allocate an Elastic IP (EIP) in the VPC
resource "aws_eip" "vpn" {
domain = "vpc"
instance = module.vpn_server.id
}
+# Security group created for VPN server EC2 instance
module "security_group_vpn" {
source = "terraform-aws-modules/security-group/aws"
- version = "4.13.0"
+ version = "5.1.2"
create = true
name = format("%s-%s-%s", var.environment, var.name, "vpn-sg")
description = "vpn server security group"
@@ -59,7 +61,8 @@ module "security_group_vpn" {
)
}
-data "aws_ami" "ubuntu_20_ami" {
+# Data block for selecting AMI for VPN server
+data "aws_ami" "ubuntu_22_ami" {
owners = ["099720109477"]
most_recent = true
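Review bot: The data source is renamed from ubuntu_20_ami to ubuntu_22_ami, but the `filter` block that actually selects the image sits below this hunk and is not touched by the diff, so unless it was changed separately the rename is cosmetic and `most_recent = true` keeps returning whatever the old name pattern matches. The filter should name the Jammy image explicitly, e.g. `values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-*-server-*"]` (the wildcard in the architecture position only if the root module's instance-type architecture lookup is meant to drive it — confirm). Because `most_recent = true` lets the resolved AMI drift between applies, the block deserves a comment saying that drift is absorbed by `ignore_ami_changes` on the instance and that OS patching therefore has to happen on the running host.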
@@ -74,18 +77,20 @@ data "aws_ami" "ubuntu_20_ami" {
}
}
-
+# Linux script to install pritunl vpn service.
data "template_file" "pritunl" {
template = file("${path.module}/scripts/pritunl-vpn.sh")
}
+# Get the current AWS Region
data "aws_region" "current" {}
+# Module block for calling AWS module to create a VPN server.
module "vpn_server" {
source = "terraform-aws-modules/ec2-instance/aws"
- version = "4.1.4"
+ version = "5.2.1"
name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance")
- ami = data.aws_ami.ubuntu_20_ami.image_id
+ ami = data.aws_ami.ubuntu_22_ami.image_id
instance_type = var.vpn_server_instance_type
subnet_id = var.public_subnet
key_name = var.vpn_key_pair
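Review bot: `data "template_file" "pritunl"` depends on the hashicorp/template provider, which is archived upstream and is not built for Apple Silicon; this commit already requires Terraform >= 1.0 in the example providers.tf files, so the built-in function covers it: `user_data = templatefile("${path.module}/scripts/pritunl-vpn.sh", {})` and the data block can be dropped. Either way the script is evaluated as a Terraform template, so any shell `${...}` in pritunl-vpn.sh (not in this diff) must be written as `$${...}`; a one-line comment above the user_data assignment saying so would save the next person a confusing plan error. The vpn_server module block continues past the end of this hunk.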
@@ -93,13 +98,15 @@ module "vpn_server" {
vpc_security_group_ids = [module.security_group_vpn.security_group_id]
user_data = join("", data.template_file.pritunl[*].rendered)
iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name)
+ ignore_ami_changes = true
root_block_device = [
{
encrypted = true
- volume_type = "gp2"
+ volume_type = "gp3"
volume_size = 20
+ kms_key_id = var.kms_key_arn
}
]
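Review bot: `kms_key_id = var.kms_key_arn` is passed unconditionally, but the variable's documented default is `""` (modules/vpn/README.md in this diff) and an empty string is not null in Terraform, so a caller that leaves the key unset sends an empty KmsKeyId instead of falling back to the account's default EBS key — presumably rejected at apply time, confirm. Use `kms_key_id = var.kms_key_arn != "" ? var.kms_key_arn : null`, or change the variable's default to `null`. The new `ignore_ami_changes = true` is the right pairing with a `most_recent` AMI lookup, but it should carry a comment such as `# AMI drift never replaces this instance; OS patching must come from unattended-upgrades or a deliberate taint.` so the trade-off is explicit. The root_block_device list and the module block continue outside this hunk.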
@@ -111,6 +118,7 @@ module "vpn_server" {
)
}
+# Define an IAM role for the VPN EC2 instance
resource "aws_iam_role" "vpn_role" {
name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceRole")
assume_role_policy = <