Merge pull request #3 from lexxnsk/task_2

Task_2 is done

.github/workflows/terraform-deployment.yml

@@ -6,6 +6,8 @@ on:
   pull_request:
   push:
     branches:
+      - task_xxx # Replace with your branch name to test GitHub Actions without pushing to the dev branch
+      - task_2
       - dev
 
 env:

.gitignore

@@ -5,3 +5,6 @@
 
 #Exclude MacOS garbage
 *.DS_Store
+
+#Exclude SSH keys
+*.pem

PR_descriptions/task_2.md

@@ -0,0 +1,134 @@
+# Task 2 - Pull Request description
+1. Task: [CLICK ME](https://github.com/rolling-scopes-school/tasks/blob/master/devops/modules/1_basic-configuration/task_2.md)
+2. Screenshots (if needed): Check ./screenshots/ folder
+3. Code: [CLICK ME](https://github.com/lexxnsk/rsschool-devops-course-tasks/tree/task2)
+4. Done 2024-10-11 11:11 / deadline 2024-10-14 01:59
+5. Score: 100 / 100
+###### Evaluation Criteria (100 points for covering all criteria)
+
+1. **[+] Terraform Code Implementation (50 points)**
+
+   - [+] Terraform code is created to configure the following:
+     - [+] VPC
+     - [+] 2 public subnets in different AZs - ["10.0.0.0/24", "10.0.1.0/24"]
+     - [+] 2 private subnets in different AZs - ["10.0.2.0/24", "10.0.3.0/24"]
+     - [+] Internet Gateway
+     - [+] Routing configuration:
+       - [+] Instances in all subnets can reach each other
+       - [+] Instances in public subnets can reach addresses outside VPC and vice-versa
+```
+Outputs:
+
+aws_region = "eu-central-1"
+bastion_host_private_ip = "10.0.0.209"
+bastion_host_public_ip = "3.123.42.140"
+dummy_host_private_ip = "10.0.2.240"
+dummy_host_public_ip = ""
+private_keyyyyyy = <sensitive>
+amyslivets@MacBook-Air-Alex rsschool-devops-course-tasks %
+amyslivets@MacBook-Air-Alex rsschool-devops-course-tasks %
+amyslivets@MacBook-Air-Alex rsschool-devops-course-tasks % ssh -i my_key.pem [email protected]                              
+Last login: Tue Oct  8 21:12:01 2024 from 178235183183.dynamic-4-waw-k-4-3-0.vectranet.pl
+   ,     #_
+   ~\_  ####_        Amazon Linux 2
+  ~~  \_#####\
+  ~~     \###|       AL2 End of Life is 2025-06-30.
+  ~~       \#/ ___
+   ~~       V~' '->
+    ~~~         /    A newer version of Amazon Linux is available!
+      ~~._.   _/
+         _/ _/       Amazon Linux 2023, GA and supported until 2028-03-15.
+       _/m/'           https://aws.amazon.com/linux/amazon-linux-2023/
+
+[ec2-user@ip-10-0-0-209 ~]$ ifconfig
+eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
+        inet 10.0.0.209  netmask 255.255.255.0  broadcast 10.0.0.255
+        inet6 fe80::98:f7ff:fe09:d861  prefixlen 64  scopeid 0x20<link>
+        ether 02:98:f7:09:d8:61  txqueuelen 1000  (Ethernet)
+        RX packets 96305  bytes 113832720 (108.5 MiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 33186  bytes 3644076 (3.4 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
+        inet 127.0.0.1  netmask 255.0.0.0
+        inet6 ::1  prefixlen 128  scopeid 0x10<host>
+        loop  txqueuelen 1000  (Local Loopback)
+        RX packets 48  bytes 3888 (3.7 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 48  bytes 3888 (3.7 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+[ec2-user@ip-10-0-0-209 ~]$ ping 1.1.1.1
+PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=1.52 ms
+64 bytes from .1.1.1: icmp_seq=2 ttl=57 time=1.19 ms
+^C
+--- 1.1.1.1 ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+rtt min/avg/max/mdev = 1.194/1.359/1.525/0.169 ms
+[ec2-user@ip-10-0-0-209 ~]$ ping 10.0.2.240
+PING 10.0.2.240 (10.0.2.240) 56(84) bytes of data.
+64 bytes from 10.0.2.240: icmp_seq=1 ttl=255 time=1.10 ms
+64 bytes from 10.0.2.240: icmp_seq=2 ttl=255 time=0.801 ms
+^C
+--- 10.0.2.240 ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 3007ms
+rtt min/avg/max/mdev = 0.708/1.102/1.794/0.426 ms
+[ec2-user@ip-10-0-0-209 ~]$
+[ec2-user@ip-10-0-0-209 ~]$
+[ec2-user@ip-10-0-0-209 ~]$ ssh -i my_key.pem [email protected]
+Last login: Tue Oct  8 21:12:03 2024 from 10.0.0.209
+   ,     #_
+   ~\_  ####_        Amazon Linux 2
+  ~~  \_#####\
+  ~~     \###|       AL2 End of Life is 2025-06-30.
+  ~~       \#/ ___
+   ~~       V~' '->
+    ~~~         /    A newer version of Amazon Linux is available!
+      ~~._.   _/
+         _/ _/       Amazon Linux 2023, GA and supported until 2028-03-15.
+       _/m/'           https://aws.amazon.com/linux/amazon-linux-2023/
+
+[ec2-user@ip-10-0-2-240 ~]$ ping 1.1.1.1
+PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=3.15 ms
+64 bytes from 1.1.1.1: icmp_seq=2 ttl=56 time=2.29 ms
+ć64 bytes from 1.1.1.1: icmp_seq=3 ttl=56 time=1.91 ms
+64 bytes from 1.1.1.1: icmp_seq=4 ttl=56 time=1.89 ms
+^C
+--- 1.1.1.1 ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time 3003ms
+rtt min/avg/max/mdev = 1.894/2.315/3.151/0.509 ms
+[ec2-user@ip-10-0-2-240 ~]$ ping 10.0.0.209
+PING 10.0.0.209 (10.0.0.209) 56(84) bytes of data.
+64 bytes from 10.0.0.209: icmp_seq=1 ttl=255 time=0.526 ms
+64 bytes from 10.0.0.209: icmp_seq=2 ttl=255 time=1.26 ms
+^C
+--- 10.0.0.209 ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 1010ms
+rtt min/avg/max/mdev = 0.526/0.893/1.260/0.367 ms
+[ec2-user@ip-10-0-2-240 ~]$ 
+```
+2. **[+] Code Organization (10 points)**
+
+   - [+] Variables are defined in a separate variables file.
+   - [+] Resources are separated into different files for better organization.
+
+3. **[+] Verification (10 points)**
+
+   - [+] Terraform plan is executed successfully.
+   - [+] A resource map screenshot is provided (VPC -> Your VPCs -> your_VPC_name -> Resource map).
+
+4. **[+] Additional Tasks (30 points)**
+   - **[+] Security Groups and Network ACLs (5 points)**
+     - [+] Implement security groups and network ACLs for the VPC and subnets.
+   - **[+] Bastion Host (5 points)**
+     - [+] Create a bastion host for secure access to the private subnets.
+   - **[+] NAT is implemented for private subnets (10 points)**
+     - [+] Orginize NAT for private subnets with simpler or cheaper way
+     - [+] Instances in private subnets should be able to reach addresses outside VPC
+   - **[+] Documentation (5 points)**
+     - Document the infrastructure setup and usage in a README file.
+   - **[+] Submission (5 points)**
+   - [+] A GitHub Actions (GHA) pipeline is set up for the Terraform code: [CLICK ME](https://github.com/lexxnsk/rsschool-devops-course-tasks/actions/workflows/terraform-deployment.yml)

README.md

@@ -9,11 +9,19 @@ This repository contains the Terraform configuration files used for provisioning
 ├── screenshots/
 ├── .gitignore
 ├── README.md
+├── ec2.tf
+├── igw.tf
 ├── main.tf
+├── nacl.tf
+├── nat.tf
 ├── outputs.tf
 ├── providers.tf
 ├── resources.tf
+├── route_tables.tf
+├── security_groups.tf
+├── subnets.tf
 ├── variables.tf
+├── vpc.tf
 ```
 
 ### Directory & File Overview
@@ -23,21 +31,37 @@ This repository contains the Terraform configuration files used for provisioning
 - **```PR_descriptions/```**:  
   This directory contains the descriptions for Pull Request.
 - **```screenshots/```**:  
-  This directory contains screenshots that verify the correct configuration of AWS accounts and installed software versions.
+  This directory contains screenshots and texts that verify the correct configuration of AWS accounts and installed software versions.
 - **```.gitignore```**:  
   This file specifies which files or directories should be ignored by Git when tracking changes in a repository.
 - **```README.md```**:  
   This file in GitHub serves as the primary documentation for a repository (you're reading it right now).
+- **```ec2.tf```**:  
+  This file defines resources related to EC2 instances.
+- **```igw.tf```**:  
+  This file defines resources related to the Internet Gateway (IGW).
 - **```main.tf```**:  
   The main configuration file where the core infrastructure is defined. This typically includes high-level resources such as modules, remote backends, and resource declarations.
+- **```nacl.tf```**:  
+  This file defines Network Access Control Lists (NACLs), which act as a firewall for controlling inbound and outbound traffic at the subnet level.
+- **```nat.tf```**:  
+  This file defines resources related to the Network Address Translation (NAT) Gateway.
 - **```outputs.tf```**:  
   This file contains the output definitions for the Terraform resources. Outputs are used to display important information after the Terraform configuration has been applied.
 - **```providers.tf```**:  
   This file specifies the providers required by the project (e.g., AWS, Google Cloud). Providers are responsible for defining resources and interacting with APIs.
 - **```resources.tf```**:  
   This file contains the specific resource declarations that will be managed by Terraform. Resources can include ec2 instances, databases, networking components, IAM roles and more.
+- **```route_tables.tf```**:  
+  This file defines resources related to route tables. Route tables determine how traffic is directed within the VPC.
+- **```security_groups.tf```**:  
+  This file defines Security Groups, which control the inbound and outbound traffic at the instance level.
+- **```subnets.tf```**:  
+  This file defines the subnets in the VPC. 
 - **```variables.tf```**:  
   This file defines the input variables for the Terraform project. This includes variable types, default values, and descriptions, which allow users to customize the deployment.
+- **```vpc.tf```**:  
+  This file defines the Virtual Private Cloud (VPC) and related core networking components, such as the CIDR block, tags, and the overall network structure for resources within the VPC.
 
 ### GitHub variables and GitHub Secrets variables
  1. The IAM role variable ```TERRAFORM_GITHUB_ACTIONS_ROLE_NAME``` and the Terraform version variable ```TERRAFORM_VERSION``` are stored in GitHub Variables. They were created using the following commands:  
@@ -56,22 +80,28 @@ The AWS Account ID variable ```aws_account_id``` should be in lowercase. This is
 
 ---
 
-## How to Use
+## How to Use it manually:
 
 1. **Initialize Terraform:**  
    Before using the configuration, comment terraform backend configuration in ```main.tf``` and initialize Terraform by running:
    ```terraform init```
 2. **Plan and Apply Changes:**  
    Review changes by running:
-   ```terraform plan```  
+   ```terraform plan -var="aws_account_id=XXXXXXXXXXXX"```  
    Apply changes by running:
-   ```terraform apply```
+   ```terraform apply -var="aws_account_id=XXXXXXXXXXXX"```
 3. **Migrate Terraform S3 backend to S3:**  
    Uncomment terraform backend configuration in ```main.tf``` and initialize Terraform by running:  
    ```terraform init```
-4. **Plan and Apply Changes:**  
+4. **Plan and Apply Changes:** 
    Review changes by running:
-   ```terraform plan```  
+   ```terraform plan -var="aws_account_id=XXXXXXXXXXXX"```  
    Apply changes by running:
-   ```terraform apply```
-5. **Now you have up and running Terraform using S3 bucket and Dynamo DB as a backend**:  
+   ```terraform apply -var="aws_account_id=XXXXXXXXXXXX"```
+5. **Now you have up and running Terraform using S3 bucket and Dynamo DB as a backend + the all the infrastructure**  
+
+---
+
+## How to Use it automatically:
+1. **GitHub Actions:**  
+   Before committing, check the ```.github/workflows/terraform-deployment.yml``` file and update the branch name to trigger the GitHub workflow automatically.​⬤

ec2.tf

@@ -0,0 +1,37 @@
+# ec2.tf
+
+
+
+# # # # # # # # # # # Task_2 code start # # # # # # # # # #
+
+# Create a Bastion Host instance for secure access to private subnets
+resource "aws_instance" "bastion_host" {
+  ami           = var.ec2_ami_amazon_linux
+  instance_type = "t2.micro"
+  subnet_id     = aws_subnet.public[0].id
+  vpc_security_group_ids = [
+    aws_security_group.allow_ssh.id,
+    aws_security_group.allow_icmp.id
+  ]
+  key_name = aws_key_pair.my_key.key_name
+  tags = {
+    Name = "Bastion Host"
+  }
+}
+
+# Create a Dummy Host instance in Private nerwork to test connection from Bastion host
+resource "aws_instance" "dummy_host" {
+  ami           = var.ec2_ami_amazon_linux
+  instance_type = "t2.micro"
+  subnet_id     = aws_subnet.private[0].id
+  vpc_security_group_ids = [
+    aws_security_group.allow_ssh.id,
+    aws_security_group.allow_icmp.id
+  ]
+  key_name = aws_key_pair.my_key.key_name
+  tags = {
+    Name = "Dummy Host"
+  }
+}
+
+# # # # # # # # # # # Task_2 code end # # # # # # # # # #

igw.tf

@@ -0,0 +1,15 @@
+# igw.tf
+
+
+
+# # # # # # # # # # # Task_2 code start # # # # # # # # # #
+
+# Create Internet Gateway
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.main_vpc.id
+  tags = {
+    Name = "Internet Gateway"
+  }
+}
+
+# # # # # # # # # # # Task_2 code end # # # # # # # # # #

main.tf

@@ -8,4 +8,11 @@ terraform {
     encrypt        = true
     dynamodb_table = "amyslivets.terraform-state-lock-table"
   }
+  required_providers {
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+  required_version = ">= 0.12"
 }

nacl.tf

@@ -0,0 +1,64 @@
+# nacl.tf
+
+
+
+# # # # # # # # # # # Task_2 code start # # # # # # # # # #
+
+# Create a Public Network ACL
+resource "aws_network_acl" "public_acl" {
+  vpc_id = aws_vpc.main_vpc.id
+  tags = {
+    Name = "Public Network ACL"
+  }
+}
+
+# Create Inbound Rule for ICMP traffic for the Public Network ACL
+resource "aws_network_acl_rule" "inbound_rule_icmp" {
+  network_acl_id = aws_network_acl.public_acl.id
+  rule_number    = 101
+  egress         = false
+  protocol       = "icmp"
+  rule_action    = "allow"
+  cidr_block     = "0.0.0.0/0"
+  icmp_type      = -1
+  icmp_code      = -1
+}
+
+# Create Inbound Rule for SSH traffic for the Public Network ACL
+resource "aws_network_acl_rule" "inbound_rule_ssh" {
+  network_acl_id = aws_network_acl.public_acl.id
+  rule_number    = 102
+  egress         = false
+  protocol       = "tcp"
+  rule_action    = "allow"
+  cidr_block     = "0.0.0.0/0"
+  from_port      = 22
+  to_port        = 22
+}
+
+# Create Inbound Rule for ephemeral ports for the Public Network ACL
+# https://alliescomputing.com/knowledge-base/how-to-handle-ephemeral-ports
+resource "aws_network_acl_rule" "inbound_rule_ephemeral" {
+  network_acl_id = aws_network_acl.public_acl.id
+  rule_number    = 103
+  egress         = false
+  protocol       = "tcp"
+  rule_action    = "allow"
+  cidr_block     = "0.0.0.0/0"
+  from_port      = 1024
+  to_port        = 65535
+}
+
+# Create Outbound Rule for the Public Network ACL
+resource "aws_network_acl_rule" "outbound_rule" {
+  network_acl_id = aws_network_acl.public_acl.id
+  rule_number    = 100
+  egress         = true
+  protocol       = "all"
+  rule_action    = "allow"
+  cidr_block     = "0.0.0.0/0"
+  from_port      = 0
+  to_port        = 0
+}
+
+# # # # # # # # # # # Task_2 code end # # # # # # # # # #