From 5842dca25c8db7221a1640e96fc4769cf5ab2c4f Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Wed, 13 Mar 2024 12:08:34 +0530 Subject: [PATCH 01/41] Add files via upload Changes made to the files for main.tf , output.tf . variables.tf in calling module & examples. --- main.tf | 462 ++++++++++++++++++++------------------------------- outputs.tf | 99 +++++------ providers.tf | 6 + variables.tf | 277 ++---------------------------- 4 files changed, 249 insertions(+), 595 deletions(-) create mode 100644 providers.tf diff --git a/main.tf b/main.tf index d926a5f..a6c799d 100644 --- a/main.tf +++ b/main.tf 
@@ -1,320 +1,220 @@ -locals { - azs = length(var.availability_zones) - public_subnets_native = var.public_subnet_enabled ? length(var.public_subnet_cidrs) > 0 ? var.public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.public_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.intra_subnet_enabled ? length(var.intra_subnet_cidrs) > 0 ? var.intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.intra_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.private_subnet_enabled ? length(var.private_subnet_cidrs) > 0 ? var.private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.private_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) - ] - ] : [] - private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? 
[ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - single_nat_gateway = var.one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.flow_log_enabled == true || var.flow_log_cloudwatch_log_group_skip_destroy == true ? true : false - is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance - nacl_allow_vpc_access_rule = [{ - rule_no = 97 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = var.vpc_cidr - } - - ] - enable_ipv6 = var.ipv6_enabled - ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false - public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - - public_subnet_ipv6_prefixes = var.public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.intra_subnet_enabled ? 
[for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] -} -data "aws_availability_zones" "available" {} -data "aws_ec2_instance_type" "arch" { - instance_type = var.vpn_server_instance_type +resource "aws_eip" "vpn" { + domain = "vpc" + instance = module.vpn_server.id } -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.2.0" - name = format("%s-%s-vpc", var.environment, var.name) - cidr = var.vpc_cidr # CIDR FOR VPC - azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] - use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null - ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.database_subnets) > 1 && var.enable_database_subnet_group ? true : false - intra_subnets = local.intra_subnets - public_subnets = local.public_subnets - private_subnets = local.private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.flow_log_enabled - enable_nat_gateway = length(local.private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.single_nat_gateway - enable_vpn_gateway = false - enable_dns_hostnames = true - flow_log_traffic_type = "ALL" - secondary_cidr_blocks = var.secondry_cidr_enabled ? var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.one_nat_gateway_per_az - map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = "cloud-watch-logs" - manage_default_network_acl = true - default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = true - default_security_group_ingress = [] # Enforcing no rules being present in the default security group. 
- default_security_group_egress = [] - create_database_nat_gateway_route = false - create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.flow_log_enabled - create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn - enable_ipv6 = local.enable_ipv6 - public_subnet_ipv6_native = local.ipv6_only - private_subnet_ipv6_native = local.ipv6_only - database_subnet_ipv6_native = local.ipv6_only - intra_subnet_ipv6_native = local.ipv6_only - #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation - public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation - private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation - database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation - intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation - public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes - private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes - database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes - intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes +module "security_group_vpn" { + source = "terraform-aws-modules/security-group/aws" + version = "5.1.0" + create = true + name = format("%s-%s-%s", var.environment, var.name, "vpn-sg") + description = "vpn server security group" + vpc_id = var.vpc_id + ingress_with_cidr_blocks = [ + { + from_port = 443 + to_port = 443 + protocol = "tcp" + description 
= "Public HTTPS access" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 80 + to_port = 80 + protocol = "tcp" + description = "Public HTTP access" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 10150 + to_port = 10150 + protocol = "udp" + description = "VPN Server Port" + cidr_blocks = "0.0.0.0/0" + }, + { + from_port = 22 + to_port = 22 + protocol = "tcp" + description = "SSH Port" + cidr_blocks = var.vpc_cidr + } + ] - # TAGS TO BE ASSOCIATED WITH EACH RESOURCE + egress_with_cidr_blocks = [ + { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = "0.0.0.0/0" + }, + ] tags = tomap( { - "Name" = format("%s-%s-vpc", var.environment, var.name) + "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-sg") "Environment" = var.environment }, ) +} - public_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-subnet" - "Subnet-group" = "public" - "kubernetes.io/role/elb" = 1 - }) - - public_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-route-table" - }) - - private_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-subnet" - "Subnet-group" = "private" - "kubernetes.io/role/internal-elb" = 1 - }) - - private_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-route-table" - }) - - database_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-subnet" - "Subnet-group" = "database" - }) - - database_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-route-table" - }) - - intra_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-subnet" - "Subnet-group" = "intra" - }) - - intra_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-route-table" - }) - - igw_tags = tomap({ - "Name" = "${var.environment}-${var.name}-igw" - }) - - nat_gateway_tags = tomap({ - "Name" = "${var.environment}-${var.name}-nat" - }) +data "aws_ami" "ubuntu_20_ami" { + owners = ["099720109477"] + 
most_recent = true - default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) - default_network_acl_tags = { - "Name" = format("%s-%s-nacl", var.environment, var.name) - "Environment" = var.environment + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"] } -} -module "vpn_server" { - count = var.vpn_server_enabled && local.is_supported_arch ? 1 : 0 - depends_on = [module.vpc] - source = "./modules/vpn" - name = var.name - vpc_id = module.vpc.vpc_id - vpc_cidr = var.vpc_cidr - environment = var.environment - vpn_key_pair = var.vpn_key_pair_name - public_subnet = module.vpc.public_subnets[0] - vpn_server_instance_type = var.vpn_server_instance_type -} - -resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - operating_regions { - region_name = var.region + filter { + name = "virtualization-type" + values = ["hvm"] } +} +data "template_file" "pritunl" { + template = file("${path.module}/scripts/pritunl-vpn.sh") } -# IPv4 -resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.create_ipam_pool ? 
1 : 0 - description = "IPv4 pool" - address_family = "ipv4" - ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.region - allocation_default_netmask_length = 16 +data "aws_region" "current" {} +module "vpn_server" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "4.1.4" + name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") + ami = data.aws_ami.ubuntu_20_ami.image_id + instance_type = var.vpn_server_instance_type + subnet_id = var.public_subnet + key_name = var.vpn_key_pair + associate_public_ip_address = true + vpc_security_group_ids = [module.security_group_vpn.security_group_id] + user_data = join("", data.template_file.pritunl[*].rendered) + iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name) + + + root_block_device = [ + { + encrypted = true + volume_type = "gp2" + volume_size = 20 + } + ] + tags = tomap( + { + "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") + "Environment" = var.environment + }, + ) } -resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { - count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr +resource "aws_iam_role" "vpn_role" { + name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceRole") + assume_role_policy = < 0 ? module.vpc.public_subnets : null -} - -output "private_subnets" { - description = "List of IDs of private subnets" - value = length(module.vpc.private_subnets) > 0 ? module.vpc.private_subnets : null -} - -output "database_subnets" { - description = "List of IDs of database subnets" - value = length(module.vpc.database_subnets) > 0 ? module.vpc.database_subnets : null -} - -output "intra_subnets" { - description = "List of IDs of Intra subnets" - value = length(module.vpc.intra_subnets) > 0 ? 
module.vpc.intra_subnets : null - -} - -output "vpn_host_public_ip" { - description = "IP Address of VPN Server" - value = var.vpn_server_enabled ? module.vpn_server[0].vpn_host_public_ip : null -} - -output "vpn_security_group" { - description = "Security Group ID of VPN Server" - value = var.vpn_server_enabled ? module.vpn_server[0].vpn_security_group : null -} - -output "vpc_ipv6_association_id" { - description = "The association ID for the IPv6 CIDR block" - value = module.vpc.vpc_ipv6_association_id -} - -output "ipv6_vpc_cidr_block" { - description = "The IPv6 CIDR block" - value = module.vpc.vpc_ipv6_cidr_block -} - -output "vpc_secondary_cidr_blocks" { - description = "List of secondary CIDR blocks of the VPC" - value = module.vpc.vpc_secondary_cidr_blocks -} +# output "aws_region" { +# description = "AWS Region in which VPC is created" +# value = local.aws_region +# } + +output "vpc_id" { + description = "The ID of the VPC" + value = module.vpc.vpc_id +} + +output "vpc_cidr_block" { + description = "AWS Region" + value = module.vpc.vpc_cidr_block +} + +output "vpc_public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc.vpc_public_subnets +} + +output "vpc_private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc.vpc_private_subnets +} + +output "database_subnets" { + description = "List of IDs of database subnets" + value = module.vpc.database_subnets +} + +output "vpc_intra_subnets" { + description = "List of IDs of Intra subnets" + value = module.vpc.vpc_intra_subnets +} + +output "vpn_host_public_ip" { + description = "IP Adress of VPN Server" + value = module.vpc.vpn_host_public_ip +} + +output "vpn_security_group" { + description = "Security Group ID of VPN Server" + value = module.vpc.vpn_security_group +} diff --git a/providers.tf b/providers.tf new file mode 100644 index 0000000..7a8138f --- /dev/null +++ b/providers.tf 
@@ -0,0 +1,6 @@
+provider "aws" {
+ region = local.aws_region
+ default_tags {
+ tags = local.additional_aws_tags
+ }
+}
diff --git a/variables.tf b/variables.tf
index ca9a7a5..ffbd1cb 100644
--- a/variables.tf
+++ b/variables.tf
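Review bot: The new provider block reads `local.aws_region` and `local.additional_aws_tags`, but no locals block in this series defines either name (patch 03 later declares `variable "aws_region"` and `variable "additional_tags"`, which suggests `var.` was intended); unless a locals.tf outside this diff declares them, `terraform validate` fails on an undeclared local. Wiring the block as `region = var.aws_region` and `tags = var.additional_tags` keeps the provider configurable from the same inputs the rest of the module uses. If this file is consumed as a child module, as the commit message's "calling module" wording suggests, a provider block inside it also prevents the caller from using `count`, `for_each` or `depends_on` on the module call; the usual fix is to leave provider configuration to the root module and declare only `required_providers` here.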
@@ -1,81 +1,3 @@ -variable "environment" { - description = "Specify the environment indentifier for the VPC" - type = string - default = "" -} - -variable "name" { - description = "Specify the name of the VPC" - type = string - default = "" - -} - -variable "vpc_cidr" { - description = "The CIDR block of the VPC" - default = "10.0.0.0/16" - type = string -} - -variable "availability_zones" { - description = "Number of Availability Zone to be used by VPC Subnets" - default = [] - type = list(any) -} - -variable "public_subnet_enabled" { - description = "Set true to enable public subnets" - default = false - type = bool -} - -variable "public_subnet_cidrs" { - description = "A list of public subnets CIDR to be created inside the VPC" - default = [] - type = list(any) -} - -variable "private_subnet_enabled" { - description = "Set true to enable private subnets" - default = false - type = bool -} - -variable "private_subnet_cidrs" { - description = "A list of private subnets CIDR to be created inside the VPC" - default = [] - type = list(any) -} - -variable "database_subnet_enabled" { - description = "Set true to enable database subnets" - default = false - type = bool -} - -variable "database_subnet_cidrs" { - description = "Database Tier subnet CIDRs to be created" - default = [] - type = list(any) -} - -variable "intra_subnet_enabled" { - description = "Set true to enable intra subnets" - default = false - type = bool -} - -variable "intra_subnet_cidrs" { - description = "A list of intra subnets CIDR to be created" - default = [] - type = list(any) -} - -variable "vpn_server_enabled" { - description = "Set to true if you want to deploy VPN Gateway resource and attach it to the VPC" - default = false - type = bool -} variable "vpn_server_instance_type" { description = "EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc. " 
@@ -83,201 +5,38 @@ variable "vpn_server_instance_type" { type = string } -variable "vpn_key_pair_name" { - description = "Specify the name of AWS Keypair to be used for VPN Server" +variable "environment" { + description = "Specify the environment indentifier for the VPC" default = "" type = string } -variable "default_network_acl_ingress" { - description = "List of maps of ingress rules to set on the Default Network ACL" - type = list(map(string)) - - default = [ - { - rule_no = 98 - action = "deny" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 99 - action = "deny" - from_port = 3389 - to_port = 3389 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - }, - ] -} - -variable "one_nat_gateway_per_az" { - description = "Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier" - default = false - type = bool -} - -variable "flow_log_enabled" { - description = "Whether or not to enable VPC Flow Logs" - type = bool - default = false -} - -variable "flow_log_cloudwatch_log_group_retention_in_days" { - description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs." - type = number - default = null -} - -variable "flow_log_max_aggregation_interval" { - description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds." - type = number - default = 60 -} - -variable "auto_assign_public_ip" { - description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address." 
- type = bool - default = false -} - - -variable "ipv6_enabled" { - description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block." - type = bool - default = false -} - -variable "private_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - -variable "public_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - - -variable "database_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - - -variable "intra_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool - default = null -} - -variable "flow_log_cloudwatch_log_group_kms_key_arn" { - description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs" +variable "name" { + description = "Specify the name of the VPC" + default = "" type = string - default = null } -variable "ipv6_only" { - description = "Enable it for deploying native IPv6 network" - type = bool - default = false -} - -variable "secondary_cidr_blocks" { - description = "List of the secondary CIDR blocks which can be at most 5" - type = list(string) - default = [] -} - -variable "secondry_cidr_enabled" { - description = "Whether enable secondary CIDR with VPC" - default = false - type = bool -} - -variable "enable_database_subnet_group" { - description = "Whether create database subnet groups" - default = false - type = bool -} - -# variable "tags" { -# description = "The Tags attached with the resources" -# default = {} -# type = any -# } - -variable "ipam_pool_id" { - description = "The existing IPAM pool id if any" - default = null +variable "public_subnet" { + description = "The VPC Subnet ID to launch in" + default = "" type = string } -variable "ipam_enabled" { - description = "Whether enable IPAM managed VPC or not" - default = false - type = bool -} - -variable "create_ipam_pool" { - description = "Whether create new IPAM pool" - default = true - type = bool -} - -variable "ipv4_netmask_length" { - description = "The netmask length for IPAM managed VPC" - default = 16 - type = number -} - -variable "region" { - description = "The AWS region name" +variable "vpc_cidr" { + description = "The CIDR block of the Default VPC" + default = "10.0.0.0/16" type = string - default = null } -variable "existing_ipam_managed_cidr" { - description = "The existing IPAM pool CIDR" +variable "vpc_id" { + description = "The ID of the VPC" default = "" type = string } -variable "flow_log_cloudwatch_log_group_skip_destroy" { - 
description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state" - type = bool - default = false -} - -variable "vpc_s3_endpoint_enabled" { - description = "Set to true if you want to enable vpc S3 endpoints" - type = bool - default = false -} - -variable "vpc_ecr_endpoint_enabled" { - description = "Set to true if you want to enable vpc ecr endpoints" - type = bool - default = false -} +variable "vpn_key_pair" { + description = "Specify the name of AWS Keypair to be used for VPN Server" + default = "" + type = string +} \ No newline at end of file From 243d7a5950af6ef90e64af06550d391fb4882df2 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Thu, 14 Mar 2024 13:06:45 +0530 Subject: [PATCH 02/41] Add files via upload Made changes to main.tf & variable.tf for variables. --- main.tf | 458 +++++++++++++++++++++++++++++++-------------------- variables.tf | 335 +++++++++++++++++++++++++++++++++++-- 2 files changed, 597 insertions(+), 196 deletions(-) diff --git a/main.tf b/main.tf index a6c799d..c27bcc3 100644 --- a/main.tf +++ b/main.tf 
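Review bot: `vpc_id`, `public_subnet` and `vpn_key_pair` are declared with `default = ""`, yet main.tf in this patch passes them straight into the security-group module's `vpc_id` and the instance's `subnet_id` and `key_name`; an omitted input therefore reaches the AWS API as an empty string and surfaces, at best, as an apply-time error rather than a missing-variable error at plan time. Dropping the `default = ""` line from those three blocks makes them required, or, if a default must stay, a `validation` block with `condition = length(var.vpc_id) > 0` gives the same early failure. The added `environment` description also carries the typo "indentifier" (`description = "Specify the environment identifier for the VPC"`), and the file now ends without a trailing newline.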
@@ -1,220 +1,316 @@ -resource "aws_eip" "vpn" { - domain = "vpc" - instance = module.vpn_server.id +locals { + azs = length(var.vpc_availability_zones) + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) + ] + ] : [] + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? 
var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true + create_database_subnet_route_table = var.database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance + nacl_allow_vpc_access_rule = [{ + rule_no = 97 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = var.vpc_cidr + } + + ] + enable_ipv6 = var.ipv6_enabled + ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false + public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? 
[for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] +} +data "aws_availability_zones" "available" {} +data "aws_ec2_instance_type" "arch" { + instance_type = var.vpn_server_instance_type } -module "security_group_vpn" { - source = "terraform-aws-modules/security-group/aws" - version = "5.1.0" - create = true - name = format("%s-%s-%s", var.environment, var.name, "vpn-sg") - description = "vpn server security group" - vpc_id = var.vpc_id +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.2.0" + name = format("%s-%s-vpc", var.environment, var.name) + cidr = var.vpc_cidr # CIDR FOR VPC + azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] + use_ipam_pool = var.ipam_enabled ? true : false + ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null + create_database_subnet_group = length(local.database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type + secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az + map_public_ip_on_launch = var.auto_assign_public_ip + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl + default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = [] # Enforcing no rules being present in the default security group. + default_security_group_egress = [] + create_database_nat_gateway_route = var.create_database_nat_gateway_route + create_database_subnet_route_table = local.create_database_subnet_route_table + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled + create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn + enable_ipv6 = local.enable_ipv6 + public_subnet_ipv6_native = local.ipv6_only + private_subnet_ipv6_native = local.ipv6_only + database_subnet_ipv6_native = local.ipv6_only + intra_subnet_ipv6_native = local.ipv6_only + #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation + public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation + private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation + database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation + intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation + 
public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes + private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes + database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes + intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes - ingress_with_cidr_blocks = [ - { - from_port = 443 - to_port = 443 - protocol = "tcp" - description = "Public HTTPS access" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 80 - to_port = 80 - protocol = "tcp" - description = "Public HTTP access" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 10150 - to_port = 10150 - protocol = "udp" - description = "VPN Server Port" - cidr_blocks = "0.0.0.0/0" - }, - { - from_port = 22 - to_port = 22 - protocol = "tcp" - description = "SSH Port" - cidr_blocks = var.vpc_cidr - } - ] - egress_with_cidr_blocks = [ - { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = "0.0.0.0/0" - }, - ] + # TAGS TO BE ASSOCIATED WITH EACH RESOURCE tags = tomap( { - "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-sg") + "Name" = format("%s-%s-vpc", var.environment, var.name) "Environment" = var.environment }, ) -} -data "aws_ami" "ubuntu_20_ami" { - owners = ["099720109477"] - most_recent = true + public_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-subnet" + "Subnet-group" = "public" + "kubernetes.io/role/elb" = 1 + }) - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"] - } + public_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-route-table" + }) - filter { - name = "virtualization-type" - values = ["hvm"] - } -} + private_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-subnet" + "Subnet-group" = "private" + "kubernetes.io/role/internal-elb" = 1 + }) + private_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-route-table" + }) -data "template_file" "pritunl" { - template = 
file("${path.module}/scripts/pritunl-vpn.sh") -} + database_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-subnet" + "Subnet-group" = "database" + }) -data "aws_region" "current" {} + database_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-route-table" + }) -module "vpn_server" { - source = "terraform-aws-modules/ec2-instance/aws" - version = "4.1.4" - name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") - ami = data.aws_ami.ubuntu_20_ami.image_id - instance_type = var.vpn_server_instance_type - subnet_id = var.public_subnet - key_name = var.vpn_key_pair - associate_public_ip_address = true - vpc_security_group_ids = [module.security_group_vpn.security_group_id] - user_data = join("", data.template_file.pritunl[*].rendered) - iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name) - - - root_block_device = [ - { - encrypted = true - volume_type = "gp2" - volume_size = 20 - } - ] + intra_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-subnet" + "Subnet-group" = "intra" + }) - tags = tomap( - { - "Name" = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") - "Environment" = var.environment - }, - ) -} + intra_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-route-table" + }) -resource "aws_iam_role" "vpn_role" { - name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceRole") - assume_role_policy = < Date: Thu, 14 Mar 2024 13:11:53 +0530 Subject: [PATCH 03/41] Add files via upload --- variables.tf | 116 +++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 90 insertions(+), 26 deletions(-) diff --git a/variables.tf b/variables.tf index ca9a7a5..eebb9c5 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,3 +1,25 @@ +variable "additional_tags" { + description = "Additional tags to be applied to AWS resources" + type = map(string) + default = { + Owner = "organization_name" + Expires = "Never" + Department = "Engineering" + } +} + +variable "aws_region" { + description = "Name of the AWS region where VPC is to be created." + default = "" + type = string +} + +variable "aws_account_id" { + description = "Account ID of the AWS Account." + default = "1234567890" + type = string +} + variable "environment" { description = "Specify the environment indentifier for the VPC" type = string @@ -17,31 +39,31 @@ variable "vpc_cidr" { type = string } -variable "availability_zones" { - description = "Number of Availability Zone to be used by VPC Subnets" +variable "vpc_availability_zones" { + description = "Number of Availability Zone to be used by VPC Subnets." default = [] type = list(any) } -variable "public_subnet_enabled" { +variable "vpc_public_subnet_enabled" { description = "Set true to enable public subnets" default = false type = bool } -variable "public_subnet_cidrs" { +variable "vpc_public_subnet_cidrs" { description = "A list of public subnets CIDR to be created inside the VPC" default = [] type = list(any) } -variable "private_subnet_enabled" { +variable "vpc_private_subnet_enabled" { description = "Set true to enable private subnets" default = false type = bool } -variable "private_subnet_cidrs" { +variable "vpc_private_subnet_cidrs" { description = "A list of private subnets CIDR to be created inside the VPC" default = [] type = list(any) @@ -59,13 +81,13 @@ variable "database_subnet_cidrs" { type = list(any) } -variable "intra_subnet_enabled" { +variable "vpc_intra_subnet_enabled" { description = "Set true to enable intra subnets" default = false type = bool } -variable "intra_subnet_cidrs" { +variable "vpc_intra_subnet_cidrs" { description = "A list of intra subnets CIDR to be created" default = [] type = list(any) 
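Review bot: The new `aws_account_id` variable ships with `default = "1234567890"`, a 10-digit placeholder that is not a valid 12-digit account ID yet will be silently accepted and interpolated into any ARN or policy built from it when a caller forgets to set it; the same hunk gives `aws_region` a default of `""`, whereas the `region` variable this patch removes in the `@@ -252,19 +268,13 @@` hunk defaulted to `null`, and main.tf in the later patches on this page builds `"com.amazonaws.${var.aws_region}.s3"` from it, which would become `com.amazonaws..s3`. Both should default to `null` so a missing value fails at plan time instead of producing a bogus identifier, and the account ID deserves a `validation` block; `additional_tags` likewise ought to default to `{}` rather than the `organization_name`/`Engineering` sample tags, which would be stamped onto every resource of callers that do not override it.
```terraform
variable "aws_account_id" {
  description = "Account ID of the AWS Account."
  type        = string
  default     = null
  validation {
    condition     = var.aws_account_id == null || can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}
# … unchanged: additional_tags, aws_region (with default = null), environment …
```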
@@ -129,25 +151,25 @@ variable "default_network_acl_ingress" { ] } -variable "one_nat_gateway_per_az" { +variable "vpc_one_nat_gateway_per_az" { description = "Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier" default = false type = bool } -variable "flow_log_enabled" { +variable "vpc_flow_log_enabled" { description = "Whether or not to enable VPC Flow Logs" type = bool default = false } -variable "flow_log_cloudwatch_log_group_retention_in_days" { +variable "vpc_flow_log_cloudwatch_log_group_retention_in_days" { description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs." type = number default = null } -variable "flow_log_max_aggregation_interval" { +variable "vpc_flow_log_max_aggregation_interval" { description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds." type = number default = 60 @@ -216,18 +238,12 @@ variable "secondry_cidr_enabled" { type = bool } -variable "enable_database_subnet_group" { +variable "database_subnet_group_enabled" { description = "Whether create database subnet groups" default = false type = bool } -# variable "tags" { -# description = "The Tags attached with the resources" -# default = {} -# type = any -# } - variable "ipam_pool_id" { description = "The existing IPAM pool id if any" default = null 
@@ -252,19 +268,13 @@ variable "ipv4_netmask_length" { type = number } -variable "region" { - description = "The AWS region name" - type = string - default = null -} - variable "existing_ipam_managed_cidr" { description = "The existing IPAM pool CIDR" default = "" type = string } -variable "flow_log_cloudwatch_log_group_skip_destroy" { +variable "vpc_flow_log_cloudwatch_log_group_skip_destroy" { description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state" type = bool default = false 
@@ -281,3 +291,57 @@ variable "vpc_ecr_endpoint_enabled" { type = bool default = false } + +variable "vpn_gateway_enabled" { + description = "Whether to enable vpn Gateway" + type = bool + default = false +} + +variable "dns_hostnames_enabled" { + description = "Whether to enable DNS hostnames" + type = bool + default = true +} + +variable "vpc_manage_default_network_acl" { + description = "Should be true to manage Default Network ACL" + type = bool + default = true +} + +variable "vpc_flow_log_traffic_type" { + description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL" + type = string + default = "ALL" +} + +variable "vpc_flow_log_destination_type" { + description = "Type of flow log destination. Can be s3 or cloud-watch-logs" + type = string + default = "cloud-watch-logs" +} + +variable "manage_vpc_default_security_group" { + description = "Should be true to manage Default Security group of vpc" + type = bool + default = true +} + +variable "create_database_nat_gateway_route" { + description = "Nat Gateway route to be created for internet access to database subnets" + type = bool + default = false +} + +# variable "tags" { +# description = "The Tags attached with the resources" +# default = {} +# type = any +# } + +# variable "region" { +# description = "The AWS region name" +# type = string +# default = null +# } \ No newline at end of file From 203e8c5b5dca6992e3b6fe3f570f242a13fbc1e3 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Thu, 14 Mar 2024 13:33:57 +0530 Subject: [PATCH 04/41] Add files via upload Changed the hashicorp version for aws from 4.23 to 5.0.0 --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index dffc488..d8e2113 100644 --- a/versions.tf +++ b/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.23" + version = ">= 5.0.0" } } } 
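Review bot: `vpc_flow_log_traffic_type` and `vpc_flow_log_destination_type` document a closed set of valid values (`ACCEPT`/`REJECT`/`ALL`, `s3`/`cloud-watch-logs`) but carry no `validation` block, so a typo such as `"all"` or `"cloudwatch-logs"` is only caught deep inside the upstream vpc module at plan or apply time rather than at the variable boundary; a `validation` block on each would make the documented contract enforceable. The commented-out `tags` and `region` variable blocks that this same patch deletes in the `@@ -216,18 +238,12 @@` and `@@ -252,19 +268,13 @@` hunks are re-added here as dead comments and should simply be dropped, and the file now ends without a trailing newline.
```terraform
variable "vpc_flow_log_traffic_type" {
  description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
  type        = string
  default     = "ALL"
  validation {
    condition     = contains(["ACCEPT", "REJECT", "ALL"], var.vpc_flow_log_traffic_type)
    error_message = "vpc_flow_log_traffic_type must be one of ACCEPT, REJECT or ALL."
  }
}

variable "vpc_flow_log_destination_type" {
  description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
  type        = string
  default     = "cloud-watch-logs"
  validation {
    condition     = contains(["s3", "cloud-watch-logs"], var.vpc_flow_log_destination_type)
    error_message = "vpc_flow_log_destination_type must be s3 or cloud-watch-logs."
  }
}
# … unchanged: vpn_gateway_enabled, dns_hostnames_enabled, vpc_manage_default_network_acl, manage_vpc_default_security_group, create_database_nat_gateway_route …
```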
From 51e3271be3188a79baa8c76ed06499e0c23c6bad Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Thu, 14 Mar 2024 13:34:30 +0530 Subject: [PATCH 05/41] Add files via upload Changed aws hashicorp version from 4.23 to 5.0.0 --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index dffc488..d8e2113 100644 --- a/versions.tf +++ b/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.23" + version = ">= 5.0.0" } } } From bac5267f7ccf9d9dcea78acd8a6b900f0dfce71b Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:26:14 +0530 Subject: [PATCH 06/41] Add files via upload --- main.tf | 402 +++++++++++++-------------------------------------- variables.tf | 70 ++++++--- 2 files changed, 152 insertions(+), 320 deletions(-) diff --git a/main.tf b/main.tf index c27bcc3..81ff109 100644 --- a/main.tf +++ b/main.tf 
@@ -1,316 +1,112 @@ locals { - azs = length(var.vpc_availability_zones) - public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) - ] - ] : [] - vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? 
var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false - is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance - nacl_allow_vpc_access_rule = [{ - rule_no = 97 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = var.vpc_cidr - } - - ] - enable_ipv6 = var.ipv6_enabled - ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false - public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - - public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? 
[for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] -} -data "aws_availability_zones" "available" {} -data "aws_ec2_instance_type" "arch" { - instance_type = var.vpn_server_instance_type -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.2.0" - name = format("%s-%s-vpc", var.environment, var.name) - cidr = var.vpc_cidr # CIDR FOR VPC - azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] - use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : null - ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.database_subnets) > 1 && var.database_subnet_group_enabled ? true : false - intra_subnets = local.vpc_intra_subnets - public_subnets = local.vpc_public_subnets - private_subnets = local.vpc_private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.vpc_flow_log_enabled - enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.vpc_single_nat_gateway - enable_vpn_gateway = var.vpn_gateway_enabled - enable_dns_hostnames = var.dns_hostnames_enabled - flow_log_traffic_type = var.vpc_flow_log_traffic_type - secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az - map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = var.vpc_flow_log_destination_type - manage_default_network_acl = var.vpc_manage_default_network_acl - default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = var.manage_vpc_default_security_group - default_security_group_ingress = [] # Enforcing no rules being present in the default security group. - default_security_group_egress = [] - create_database_nat_gateway_route = var.create_database_nat_gateway_route - create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled - create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn - enable_ipv6 = local.enable_ipv6 - public_subnet_ipv6_native = local.ipv6_only - private_subnet_ipv6_native = local.ipv6_only - database_subnet_ipv6_native = local.ipv6_only - intra_subnet_ipv6_native = local.ipv6_only - #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation - public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation - private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation - database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation - intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation - 
public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes - private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes - database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes - intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes - - - # TAGS TO BE ASSOCIATED WITH EACH RESOURCE - - tags = tomap( - { - "Name" = format("%s-%s-vpc", var.environment, var.name) - "Environment" = var.environment - }, - ) - - public_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-subnet" - "Subnet-group" = "public" - "kubernetes.io/role/elb" = 1 - }) - - public_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-route-table" - }) - - private_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-subnet" - "Subnet-group" = "private" - "kubernetes.io/role/internal-elb" = 1 - }) - - private_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-route-table" - }) - - database_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-subnet" - "Subnet-group" = "database" - }) - - database_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-route-table" - }) - - intra_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-subnet" - "Subnet-group" = "intra" - }) - - intra_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-route-table" - }) - - igw_tags = tomap({ - "Name" = "${var.environment}-${var.name}-igw" - }) - - nat_gateway_tags = tomap({ - "Name" = "${var.environment}-${var.name}-nat" - }) - - default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) - default_network_acl_tags = { - "Name" = format("%s-%s-nacl", var.environment, var.name) - "Environment" = var.environment + vpc_name = "vpc-test" + aws_region = "us-east-1" + aws_account_id = "767398031518" + environment = "prod" + kms_user = null + vpc_cidr = "10.10.0.0/16" + vpc_availability_zones = ["us-east-1a", 
"us-east-1b"] + kms_deletion_window_in_days = 7 + enable_key_rotation = false + is_enabled = true + vpc_flow_log_enabled = true + vpn_server_enabled = true + vpc_intra_subnet_enabled = true + vpc_public_subnet_enabled = true + auto_assign_public_ip = true + vpc_private_subnet_enabled = true + vpc_one_nat_gateway_per_az = true + vpc_database_subnet_enabled = true + vpc_s3_endpoint_enabled = true + vpc_ecr_endpoint_enabled = true + vpn_server_instance_type = "t3a.small" + vpc_flow_log_cloudwatch_log_group_skip_destroy = false + current_identity = data.aws_caller_identity.current.arn + multi_region = false + additional_aws_tags = { + Owner = "Organization_Name" + Expires = "Never" + Department = "Engineering" } } -module "vpn_server" { - count = var.vpn_server_enabled && local.is_supported_arch ? 1 : 0 - depends_on = [module.vpc] - source = "./modules/vpn" - name = var.name - vpc_id = module.vpc.vpc_id - vpc_cidr = var.vpc_cidr - environment = var.environment - vpn_key_pair = var.vpn_key_pair_name - public_subnet = module.vpc.public_subnets[0] - vpn_server_instance_type = var.vpn_server_instance_type -} - -resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - operating_regions { - region_name = var.aws_region - } -} +data "aws_caller_identity" "current" {} -# IPv4 -resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 - description = "IPv4 pool" - address_family = "ipv4" - ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.aws_region - allocation_default_netmask_length = 16 +module "key_pair_vpn" { + source = "squareops/keypair/aws" + key_name = format("%s-%s-vpn", local.environment, local.vpc_name) + environment = local.environment + ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) } -resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { - count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.create_ipam_pool ? 
aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr -} - -# private links for S3 - -data "aws_route_tables" "aws_private_routes" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [module.vpc] - vpc_id = module.vpc.vpc_id - tags = { - Name = "${var.environment}-${var.name}-private-route-table" - } -} - -resource "aws_vpc_endpoint" "private-s3" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [data.aws_route_tables.aws_private_routes] - vpc_id = module.vpc.vpc_id - service_name = "com.amazonaws.${var.aws_region}.s3" - route_table_ids = data.aws_route_tables.aws_private_routes[0].ids - vpc_endpoint_type = "Gateway" - policy = < Date: Mon, 18 Mar 2024 09:48:15 +0530 Subject: [PATCH 07/41] Update main.tf --- main.tf | 403 ++++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 304 insertions(+), 99 deletions(-) diff --git a/main.tf b/main.tf index 81ff109..c2ed73b 100644 --- a/main.tf +++ b/main.tf 
@@ -1,112 +1,317 @@ locals { - vpc_name = "vpc-test" - aws_region = "us-east-1" - aws_account_id = "767398031518" - environment = "prod" - kms_user = null - vpc_cidr = "10.10.0.0/16" - vpc_availability_zones = ["us-east-1a", "us-east-1b"] - kms_deletion_window_in_days = 7 - enable_key_rotation = false - is_enabled = true - vpc_flow_log_enabled = true - vpn_server_enabled = true - vpc_intra_subnet_enabled = true - vpc_public_subnet_enabled = true - auto_assign_public_ip = true - vpc_private_subnet_enabled = true - vpc_one_nat_gateway_per_az = true - vpc_database_subnet_enabled = true - vpc_s3_endpoint_enabled = true - vpc_ecr_endpoint_enabled = true - vpn_server_instance_type = "t3a.small" - vpc_flow_log_cloudwatch_log_group_skip_destroy = false - current_identity = data.aws_caller_identity.current.arn - multi_region = false - additional_aws_tags = { - Owner = "Organization_Name" - Expires = "Never" - Department = "Engineering" + azs = length(var.vpc_availability_zones) + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? 
[ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) + ] + ] : [] + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? var.vpc_database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true + create_database_subnet_route_table = var.vpc_database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? 
false : true # for VPN Instance + nacl_allow_vpc_access_rule = [{ + rule_no = 97 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = var.vpc_cidr + } + + ] + enable_ipv6 = var.ipv6_enabled + ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false + public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.vpc_database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] +} +data "aws_availability_zones" "available" {} +data "aws_ec2_instance_type" "arch" { + instance_type = var.vpn_server_instance_type +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.2.0" + name = format("%s-%s-vpc", var.environment, var.name) + cidr = var.vpc_cidr # CIDR FOR VPC + azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] + use_ipam_pool = var.ipam_enabled ? true : false + ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? 
aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null + create_database_subnet_group = length(local.generate_subnets.vpc_database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.generate_subnets.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type + secondary_cidr_blocks = var.secondry_cidr_enabled ? var.secondary_cidr_blocks : [] + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az + map_public_ip_on_launch = var.auto_assign_public_ip + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl + default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = var.vpc_default_security_group_ingress # Enforcing no rules being present in the default security group. 
+ default_security_group_egress = vpc_vpc_default_security_group_egress + create_database_nat_gateway_route = var.database_nat_gateway_route_enabled + create_database_subnet_route_table = local.create_database_subnet_route_table + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled + create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.vpc_flow_log_cloudwatch_log_group_kms_key_arn + enable_ipv6 = local.enable_ipv6 + public_subnet_ipv6_native = local.ipv6_only + private_subnet_ipv6_native = local.ipv6_only + database_subnet_ipv6_native = local.ipv6_only + intra_subnet_ipv6_native = local.ipv6_only + #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation + public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation + private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation + database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation + intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation + public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes + private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes + database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes + intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes + + + # TAGS TO BE ASSOCIATED WITH EACH RESOURCE + + tags = tomap( + { + "Name" = format("%s-%s-vpc", var.environment, var.name) + "Environment" = var.environment + }, + ) + + public_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-subnet" + 
"Subnet-group" = "public" + "kubernetes.io/role/elb" = 1 + }) + + public_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-route-table" + }) + + private_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-subnet" + "Subnet-group" = "private" + "kubernetes.io/role/internal-elb" = 1 + }) + + private_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-route-table" + }) + + database_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-subnet" + "Subnet-group" = "database" + }) + + database_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-route-table" + }) + + intra_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-subnet" + "Subnet-group" = "intra" + }) + + intra_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-route-table" + }) + + igw_tags = tomap({ + "Name" = "${var.environment}-${var.name}-igw" + }) + + nat_gateway_tags = tomap({ + "Name" = "${var.environment}-${var.name}-nat" + }) + + default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) + default_network_acl_tags = { + "Name" = format("%s-%s-nacl", var.environment, var.name) + "Environment" = var.environment } } -data "aws_caller_identity" "current" {} +module "vpn_server" { + count = var.vpn_server_enabled && local.is_supported_arch ? 
1 : 0 + depends_on = [module.vpc] + source = "./modules/vpn" + name = var.name + vpc_id = module.vpc.vpc_id + vpc_cidr = var.vpc_cidr + environment = var.environment + vpn_key_pair = var.vpn_server_key_pair_name + public_subnet = module.vpc.public_subnets[0] + vpn_server_instance_type = var.vpn_server_instance_type +} -module "key_pair_vpn" { - source = "squareops/keypair/aws" - key_name = format("%s-%s-vpn", local.environment, local.vpc_name) - environment = local.environment - ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) +resource "aws_vpc_ipam" "ipam" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + operating_regions { + region_name = var.aws_region + } } -module "kms" { - source = "terraform-aws-modules/kms/aws" - - deletion_window_in_days = local.kms_deletion_window_in_days - description = "Symetric Key to Enable Encryption at rest using KMS services." - enable_key_rotation = local.enable_key_rotation - is_enabled = local.is_enabled - key_usage = "ENCRYPT_DECRYPT" - multi_region = local.multi_region - - # Policy - enable_default_policy = true - key_owners = [local.current_identity] - key_administrators = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_service_users = local.kms_user == null ? 
["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_symmetric_encryption_users = [local.current_identity] - key_hmac_users = [local.current_identity] - key_asymmetric_public_encryption_users = [local.current_identity] - key_asymmetric_sign_verify_users = [local.current_identity] - key_statements = [ - { - sid = "AllowCloudWatchLogsEncryption", - effect = "Allow" - actions = [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ] - resources = ["*"] - - principals = [ +# IPv4 +resource "aws_vpc_ipam_pool" "ipam_pool" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + description = "IPv4 pool" + address_family = var.ipam_address_family + ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id + locale = var.aws_region + allocation_default_netmask_length = 16 +} + +resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { + count = var.ipam_enabled ? 1 : 0 + ipam_pool_id = var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id + cidr = var.ipam_pool_enabled ? var.vpc_cidr : var.existing_ipam_managed_cidr +} + +# private links for S3 + +data "aws_route_tables" "aws_private_routes" { + count = var.vpc_s3_endpoint_enabled ? 1 : 0 + depends_on = [module.vpc] + vpc_id = module.vpc.vpc_id + tags = { + Name = "${var.environment}-${var.name}-private-route-table" + } +} + +resource "aws_vpc_endpoint" "private-s3" { + count = var.vpc_s3_endpoint_enabled ? 
1 : 0 + depends_on = [data.aws_route_tables.aws_private_routes] + vpc_id = module.vpc.vpc_id + service_name = "com.amazonaws.${var.aws_region}.s3" + route_table_ids = data.aws_route_tables.aws_private_routes[0].ids + vpc_endpoint_type = var.vpc_endpoint_type_private-s3 + policy = < Date: Mon, 18 Mar 2024 09:48:56 +0530 Subject: [PATCH 08/41] Update variables.tf --- variables.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/variables.tf b/variables.tf index 8fef36c..de0c894 100644 --- a/variables.tf +++ b/variables.tf @@ -364,13 +364,13 @@ variable "vpc_endpoint_type_ecr_api" { default = "Interface" } -variable "vpc_endpoint_type_ecr-dkr" { +variable "vpc_endpoint_type_ecr_dkr" { description = "The type of VPC endpoint for ECR Docker" type = string default = "Interface" } -variable "vpc_endpoint_type_private-s3" { +variable "vpc_endpoint_type_private_s3" { description = "The type of VPC endpoint for ECR Docker" type = string default = "Interface" @@ -380,4 +380,4 @@ variable "ipam_address_family" { description = "The address family for the VPC (ipv4 or ipv6)" type = string default = "ipv4" -} \ No newline at end of file +} From 478b87dbbd131f23e433023007207980d6288567 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:50:28 +0530 Subject: [PATCH 09/41] Update main.tf --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index c2ed73b..b21781d 100644 --- a/main.tf +++ b/main.tf @@ -221,7 +221,7 @@ data "aws_route_tables" "aws_private_routes" { } } -resource "aws_vpc_endpoint" "private-s3" { +resource "aws_vpc_endpoint" "private_s3" { count = var.vpc_s3_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id 
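Review bot: Renaming `vpc_endpoint_type_private-s3` to `vpc_endpoint_type_private_s3` leaves the reference `vpc_endpoint_type = var.vpc_endpoint_type_private-s3` in main.tf (visible in the preceding PATCH 07 hunk) pointing at a variable that no longer exists, and the follow-up PATCH 09 hunks on this page only relabel resources, so unless it is fixed elsewhere `terraform validate` will fail on an undeclared variable. While here, the description of the S3 variable still reads "The type of VPC endpoint for ECR Docker" (copy-paste from the ECR one), and its `"Interface"` default is combined in main.tf with `route_table_ids`, which AWS only accepts for Gateway endpoints; `default = "Gateway"` with `description = "The type of VPC endpoint for S3."` matches what the S3 endpoint resource actually needs. The PATCH 09 labels `private-ecr_dkr` and `private-ecr_api` also keep a hyphen after `private`, so the rename to underscores is only half applied there.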
@@ -262,7 +262,7 @@ resource "aws_security_group" "vpc_endpoints" { } # private links for ECR.dkr -resource "aws_vpc_endpoint" "private-ecr-dkr" { +resource "aws_vpc_endpoint" "private-ecr_dkr" { count = var.vpc_ecr_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id @@ -290,7 +290,7 @@ POLICY # private links for ECR.api -resource "aws_vpc_endpoint" "private-ecr-api" { +resource "aws_vpc_endpoint" "private-ecr_api" { count = var.vpc_ecr_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id From 543faae56d3ca4b6c691a98809ce1ce51c542d6c Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Mon, 18 Mar 2024 14:23:02 +0530 Subject: [PATCH 10/41] Modified Example --- main.tf | 414 +++++++++++++++----------------------------------------- 1 file changed, 110 insertions(+), 304 deletions(-) diff --git a/main.tf b/main.tf index b21781d..2f02751 100644 --- a/main.tf +++ b/main.tf 
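Review bot: The renames in these two hunks produce `private-ecr_dkr` and `private-ecr_api`, mixing a hyphen and an underscore in one identifier, while the S3 endpoint renamed in the previous hunk became `private_s3`; finish the job with `resource "aws_vpc_endpoint" "private_ecr_dkr"` and `resource "aws_vpc_endpoint" "private_ecr_api"`. Changing a resource address also makes Terraform plan a destroy-and-create of each endpoint on existing state, which drops private ECR (and S3) access until the replacement is up; add a `moved` block per renamed resource (`from = aws_vpc_endpoint.private-ecr-dkr`, `to = aws_vpc_endpoint.private_ecr_dkr`, and likewise for the API and S3 endpoints) if the pinned Terraform version supports it, and check outputs.tf for references to the old addresses. Each resource body continues past its hunk.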
@@ -1,317 +1,123 @@ locals { - azs = length(var.vpc_availability_zones) - public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) - ] - ] : [] - vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? 
var.vpc_database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ - for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) - ] - ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.vpc_database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false - is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance - nacl_allow_vpc_access_rule = [{ - rule_no = 97 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = var.vpc_cidr - } - - ] - enable_ipv6 = var.ipv6_enabled - ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false - public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - - public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? 
[for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.vpc_database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] -} -data "aws_availability_zones" "available" {} -data "aws_ec2_instance_type" "arch" { - instance_type = var.vpn_server_instance_type -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "5.2.0" - name = format("%s-%s-vpc", var.environment, var.name) - cidr = var.vpc_cidr # CIDR FOR VPC - azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] - use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : null - ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.generate_subnets.vpc_database_subnets) > 1 && var.database_subnet_group_enabled ? true : false - intra_subnets = local.vpc_intra_subnets - public_subnets = local.vpc_public_subnets - private_subnets = local.vpc_private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.vpc_flow_log_enabled - enable_nat_gateway = length(local.generate_subnets.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.vpc_single_nat_gateway - enable_vpn_gateway = var.vpn_gateway_enabled - enable_dns_hostnames = var.dns_hostnames_enabled - flow_log_traffic_type = var.vpc_flow_log_traffic_type - secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az - map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = var.vpc_flow_log_destination_type - manage_default_network_acl = var.vpc_manage_default_network_acl - default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = var.manage_vpc_default_security_group - default_security_group_ingress = var.vpc_default_security_group_ingress # Enforcing no rules being present in the default security group. - default_security_group_egress = vpc_vpc_default_security_group_egress - create_database_nat_gateway_route = var.database_nat_gateway_route_enabled - create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled - create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.vpc_flow_log_cloudwatch_log_group_kms_key_arn - enable_ipv6 = local.enable_ipv6 - public_subnet_ipv6_native = local.ipv6_only - private_subnet_ipv6_native = local.ipv6_only - database_subnet_ipv6_native = local.ipv6_only - intra_subnet_ipv6_native = local.ipv6_only - #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation - public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation - private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation - database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation - 
intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation - public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes - private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes - database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes - intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes - - - # TAGS TO BE ASSOCIATED WITH EACH RESOURCE - - tags = tomap( - { - "Name" = format("%s-%s-vpc", var.environment, var.name) - "Environment" = var.environment - }, - ) - - public_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-subnet" - "Subnet-group" = "public" - "kubernetes.io/role/elb" = 1 - }) - - public_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-public-route-table" - }) - - private_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-subnet" - "Subnet-group" = "private" - "kubernetes.io/role/internal-elb" = 1 - }) - - private_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-private-route-table" - }) - - database_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-subnet" - "Subnet-group" = "database" - }) - - database_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-database-route-table" - }) - - intra_subnet_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-subnet" - "Subnet-group" = "intra" - }) - - intra_route_table_tags = tomap({ - "Name" = "${var.environment}-${var.name}-intra-route-table" - }) - - igw_tags = tomap({ - "Name" = "${var.environment}-${var.name}-igw" - }) - - nat_gateway_tags = tomap({ - "Name" = "${var.environment}-${var.name}-nat" - }) - - default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) - default_network_acl_tags = { - "Name" = format("%s-%s-nacl", var.environment, var.name) - "Environment" = var.environment - } -} - -module "vpn_server" { - count = var.vpn_server_enabled && local.is_supported_arch ? 
1 : 0 - depends_on = [module.vpc] - source = "./modules/vpn" - name = var.name - vpc_id = module.vpc.vpc_id - vpc_cidr = var.vpc_cidr - environment = var.environment - vpn_key_pair = var.vpn_server_key_pair_name - public_subnet = module.vpc.public_subnets[0] - vpn_server_instance_type = var.vpn_server_instance_type -} - -resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 - operating_regions { - region_name = var.aws_region + vpc_name = "vpc-test" + aws_region = "ap-northeast-1" + aws_account_id = "767398031518" + environment = "prod" + kms_user = null + vpc_cidr = "10.10.0.0/16" + vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1b"] + kms_deletion_window_in_days = 7 + enable_key_rotation = false + is_enabled = true + vpc_flow_log_enabled = true + vpn_server_enabled = false + vpc_intra_subnet_enabled = true + vpc_public_subnet_enabled = true + auto_assign_public_ip = true + vpc_private_subnet_enabled = true + vpc_one_nat_gateway_per_az = true + vpc_database_subnet_enabled = true + vpc_s3_endpoint_enabled = true + vpc_ecr_endpoint_enabled = true + vpn_server_instance_type = "t3a.small" + vpc_flow_log_cloudwatch_log_group_skip_destroy = false + current_identity = data.aws_caller_identity.current.arn + multi_region = false + vpc_public_subnets_counts = 2 + vpc_private_subnets_counts = 2 + vpc_database_subnets_counts = 2 + vpc_intra_subnets_counts = 2 + additional_aws_tags = { + Owner = "Organization_Name" + Expires = "Never" + Department = "Engineering" } } -# IPv4 -resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 - description = "IPv4 pool" - address_family = var.ipam_address_family - ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.aws_region - allocation_default_netmask_length = 16 -} - -resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { - count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.ipam_pool_enabled ? 
aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.ipam_pool_enabled ? var.vpc_cidr : var.existing_ipam_managed_cidr -} - -# private links for S3 - -data "aws_route_tables" "aws_private_routes" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [module.vpc] - vpc_id = module.vpc.vpc_id - tags = { - Name = "${var.environment}-${var.name}-private-route-table" - } -} +data "aws_caller_identity" "current" {} -resource "aws_vpc_endpoint" "private_s3" { - count = var.vpc_s3_endpoint_enabled ? 1 : 0 - depends_on = [data.aws_route_tables.aws_private_routes] - vpc_id = module.vpc.vpc_id - service_name = "com.amazonaws.${var.aws_region}.s3" - route_table_ids = data.aws_route_tables.aws_private_routes[0].ids - vpc_endpoint_type = var.vpc_endpoint_type_private-s3 - policy = < Date: Mon, 18 Mar 2024 15:10:39 +0530 Subject: [PATCH 11/41] Changes for subnet & security rules 1. Added a logic so that the user can provide number of desired subnets want to create. --- main.tf | 420 +++++++++++++++++++++++++++++++++++++-------------- variables.tf | 63 +++++--- 2 files changed, 348 insertions(+), 135 deletions(-) diff --git a/main.tf b/main.tf index 2f02751..7eb1885 100644 --- a/main.tf +++ b/main.tf 
@@ -1,123 +1,323 @@ locals { - vpc_name = "vpc-test" - aws_region = "ap-northeast-1" - aws_account_id = "767398031518" - environment = "prod" - kms_user = null - vpc_cidr = "10.10.0.0/16" - vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1b"] - kms_deletion_window_in_days = 7 - enable_key_rotation = false - is_enabled = true - vpc_flow_log_enabled = true - vpn_server_enabled = false - vpc_intra_subnet_enabled = true - vpc_public_subnet_enabled = true - auto_assign_public_ip = true - vpc_private_subnet_enabled = true - vpc_one_nat_gateway_per_az = true - vpc_database_subnet_enabled = true - vpc_s3_endpoint_enabled = true - vpc_ecr_endpoint_enabled = true - vpn_server_instance_type = "t3a.small" - vpc_flow_log_cloudwatch_log_group_skip_destroy = false - current_identity = data.aws_caller_identity.current.arn - multi_region = false - vpc_public_subnets_counts = 2 - vpc_private_subnets_counts = 2 - vpc_database_subnets_counts = 2 - vpc_intra_subnets_counts = 2 - additional_aws_tags = { - Owner = "Organization_Name" - Expires = "Never" - Department = "Engineering" + azs = length(var.vpc_availability_zones) + # public subnets cidr + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + + # intra subnets cidr + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? 
var.vpc_intra_subnet_cidrs : [for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + + # private subnets cidr + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(var.vpc_private_subnets_counts * 4, var.vpc_private_subnets_counts * 5) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(var.vpc_private_subnets_counts, var.vpc_private_subnets_counts * 2) : cidrsubnet(cidr_block, 4, netnum) + ] + ] : [] + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + + # database subnets cidr + database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? var.vpc_database_subnet_cidrs : [for netnum in range(var.vpc_database_subnets_counts * 2, var.vpc_database_subnets_counts * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ + for cidr_block in var.secondary_cidr_blocks : [ + for netnum in range(var.vpc_database_subnets_counts * 2, var.vpc_database_subnets_counts * 3) : cidrsubnet(cidr_block, 8, netnum) + ] + ] : [] + vpc_database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? 
false : true + create_database_subnet_route_table = var.vpc_database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance + nacl_allow_vpc_access_rule = [{ + rule_no = 97 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = var.vpc_cidr + } + + ] + enable_ipv6 = var.ipv6_enabled + ipv6_only = var.ipv6_enabled && var.ipv6_only ? true : false + public_subnet_assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + private_subnet_assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false + + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.vpc_database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? 
[for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] +} +data "aws_availability_zones" "available" {} +data "aws_ec2_instance_type" "arch" { + instance_type = var.vpn_server_instance_type +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.2.0" + name = format("%s-%s-vpc", var.environment, var.name) + cidr = var.vpc_cidr # CIDR FOR VPC + azs = [for n in range(0, local.azs) : data.aws_availability_zones.available.names[n]] + use_ipam_pool = var.ipam_enabled ? true : false + ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null + create_database_subnet_group = length(local.vpc_database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.vpc_database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type + secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az + map_public_ip_on_launch = var.auto_assign_public_ip + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl + default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = var.vpc_default_security_group_ingress # Enforcing no rules being present in the default security group. + default_security_group_egress = var.vpc_default_security_group_egress + create_database_nat_gateway_route = var.database_nat_gateway_route_enabled + create_database_subnet_route_table = local.create_database_subnet_route_table + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled + create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.vpc_flow_log_cloudwatch_log_group_kms_key_arn + enable_ipv6 = local.enable_ipv6 + public_subnet_ipv6_native = local.ipv6_only + private_subnet_ipv6_native = local.ipv6_only + database_subnet_ipv6_native = local.ipv6_only + intra_subnet_ipv6_native = local.ipv6_only + #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation + public_subnet_assign_ipv6_address_on_creation = local.public_subnet_assign_ipv6_address_on_creation + private_subnet_assign_ipv6_address_on_creation = local.private_subnet_assign_ipv6_address_on_creation + database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation + 
intra_subnet_assign_ipv6_address_on_creation = local.intra_subnet_assign_ipv6_address_on_creation + public_subnet_ipv6_prefixes = local.public_subnet_ipv6_prefixes + private_subnet_ipv6_prefixes = local.private_subnet_ipv6_prefixes + database_subnet_ipv6_prefixes = local.database_subnet_ipv6_prefixes + intra_subnet_ipv6_prefixes = local.intra_subnet_ipv6_prefixes + + + # TAGS TO BE ASSOCIATED WITH EACH RESOURCE + + tags = tomap( + { + "Name" = format("%s-%s-vpc", var.environment, var.name) + "Environment" = var.environment + }, + ) + + public_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-subnet" + "Subnet-group" = "public" + "kubernetes.io/role/elb" = 1 + }) + + public_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-public-route-table" + }) + + private_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-subnet" + "Subnet-group" = "private" + "kubernetes.io/role/internal-elb" = 1 + }) + + private_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-private-route-table" + }) + + database_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-subnet" + "Subnet-group" = "database" + }) + + database_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-database-route-table" + }) + + intra_subnet_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-subnet" + "Subnet-group" = "intra" + }) + + intra_route_table_tags = tomap({ + "Name" = "${var.environment}-${var.name}-intra-route-table" + }) + + igw_tags = tomap({ + "Name" = "${var.environment}-${var.name}-igw" + }) + + nat_gateway_tags = tomap({ + "Name" = "${var.environment}-${var.name}-nat" + }) + + default_network_acl_name = format("%s-%s-nacl", var.environment, var.name) + default_network_acl_tags = { + "Name" = format("%s-%s-nacl", var.environment, var.name) + "Environment" = var.environment } } -data "aws_caller_identity" "current" {} +module "vpn_server" { + count = 
var.vpn_server_enabled && local.is_supported_arch ? 1 : 0 + depends_on = [module.vpc] + source = "./modules/vpn" + name = var.name + vpc_id = module.vpc.vpc_id + vpc_cidr = var.vpc_cidr + environment = var.environment + vpn_key_pair = var.vpn_server_key_pair_name + public_subnet = module.vpc.public_subnets[0] + vpn_server_instance_type = var.vpn_server_instance_type +} -module "key_pair_vpn" { - source = "squareops/keypair/aws" - key_name = format("%s-%s-vpn", local.environment, local.vpc_name) - environment = local.environment - ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) +resource "aws_vpc_ipam" "ipam" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + operating_regions { + region_name = var.aws_region + } } -module "kms" { - source = "terraform-aws-modules/kms/aws" - - deletion_window_in_days = local.kms_deletion_window_in_days - description = "Symetric Key to Enable Encryption at rest using KMS services." - enable_key_rotation = local.enable_key_rotation - is_enabled = local.is_enabled - key_usage = "ENCRYPT_DECRYPT" - multi_region = local.multi_region - - # Policy - enable_default_policy = true - key_owners = [local.current_identity] - key_administrators = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_service_users = local.kms_user == null ? 
["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_symmetric_encryption_users = [local.current_identity] - key_hmac_users = [local.current_identity] - key_asymmetric_public_encryption_users = [local.current_identity] - key_asymmetric_sign_verify_users = [local.current_identity] - key_statements = [ - { - sid = "AllowCloudWatchLogsEncryption", - effect = "Allow" - actions = [ - "kms:Encrypt*", - "kms:Decrypt*", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Describe*" - ] - resources = ["*"] - - principals = [ +# IPv4 +resource "aws_vpc_ipam_pool" "ipam_pool" { + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 + description = "IPv4 pool" + address_family = var.ipam_address_family + ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id + locale = var.aws_region + allocation_default_netmask_length = 16 +} + +resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { + count = var.ipam_enabled ? 1 : 0 + ipam_pool_id = var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id + cidr = var.ipam_pool_enabled ? var.vpc_cidr : var.existing_ipam_managed_cidr +} + +# private links for S3 + +data "aws_route_tables" "aws_private_routes" { + count = var.vpc_s3_endpoint_enabled ? 1 : 0 + depends_on = [module.vpc] + vpc_id = module.vpc.vpc_id + tags = { + Name = "${var.environment}-${var.name}-private-route-table" + } +} + +resource "aws_vpc_endpoint" "private_s3" { + count = var.vpc_s3_endpoint_enabled ? 
1 : 0 + depends_on = [data.aws_route_tables.aws_private_routes] + vpc_id = module.vpc.vpc_id + service_name = "com.amazonaws.${var.aws_region}.s3" + route_table_ids = data.aws_route_tables.aws_private_routes[0].ids + vpc_endpoint_type = var.vpc_endpoint_type_private_s3 + policy = < Date: Mon, 18 Mar 2024 15:11:33 +0530 Subject: [PATCH 12/41] Update main.tf --- examples/complete-vpc-with-vpn/main.tf | 107 ++++++++++++++++--------- 1 file changed, 68 insertions(+), 39 deletions(-) diff --git a/examples/complete-vpc-with-vpn/main.tf b/examples/complete-vpc-with-vpn/main.tf index 1d8798c..dd00290 100644 --- a/examples/complete-vpc-with-vpn/main.tf +++ b/examples/complete-vpc-with-vpn/main.tf 
@@ -1,42 +1,64 @@ locals { - name = "vpc" - region = "ap-south-1" - environment = "prod" + vpc_name = "vpc-test" + aws_region = "ap-northeast-1" + aws_account_id = "767398031518" + environment = "prod" + kms_user = null + vpc_cidr = "10.10.0.0/16" + vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1b"] + kms_deletion_window_in_days = 7 + enable_key_rotation = false + is_enabled = true + vpc_flow_log_enabled = true + vpn_server_enabled = false + vpc_intra_subnet_enabled = true + vpc_public_subnet_enabled = true + auto_assign_public_ip = true + vpc_private_subnet_enabled = true + vpc_one_nat_gateway_per_az = true + vpc_database_subnet_enabled = true + vpc_s3_endpoint_enabled = true + vpc_ecr_endpoint_enabled = true + vpn_server_instance_type = "t3a.small" + vpc_flow_log_cloudwatch_log_group_skip_destroy = false + current_identity = data.aws_caller_identity.current.arn + multi_region = false + vpc_public_subnets_counts = 2 + vpc_private_subnets_counts = 2 + vpc_database_subnets_counts = 2 + vpc_intra_subnets_counts = 2 additional_aws_tags = { Owner = "Organization_Name" Expires = "Never" Department = "Engineering" } - kms_user = null - vpc_cidr = "10.10.0.0/16" - current_identity = data.aws_caller_identity.current.arn } data "aws_caller_identity" "current" {} module "key_pair_vpn" { source = "squareops/keypair/aws" - key_name = format("%s-%s-vpn", local.environment, local.name) + key_name = format("%s-%s-vpn", local.environment, local.vpc_name) environment = local.environment - ssm_parameter_path = format("%s-%s-vpn", local.environment, local.name) + ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name) } module "kms" { source = "terraform-aws-modules/kms/aws" - deletion_window_in_days = 7 + deletion_window_in_days = local.kms_deletion_window_in_days description = "Symetric Key to Enable Encryption at rest using KMS services." 
- enable_key_rotation = false - is_enabled = true + enable_key_rotation = local.enable_key_rotation + is_enabled = local.is_enabled key_usage = "ENCRYPT_DECRYPT" - multi_region = false + multi_region = local.multi_region # Policy enable_default_policy = true key_owners = [local.current_identity] - key_administrators = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_users = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user - key_service_users = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user + key_administrators = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user + key_users = local.kms_user == null ? 
["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user + key_service_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user key_symmetric_encryption_users = [local.current_identity] key_hmac_users = [local.current_identity] key_asymmetric_public_encryption_users = [local.current_identity] 
@@ -57,38 +79,45 @@ module "kms" { principals = [ { type = "Service" - identifiers = ["logs.${local.region}.amazonaws.com"] + identifiers = ["logs.${local.aws_region}.amazonaws.com"] } ] } ] # Aliases - aliases = ["${local.name}-KMS"] + aliases = ["${local.vpc_name}-KMS"] aliases_use_name_prefix = true } module "vpc" { - source = "squareops/vpc/aws" - name = local.name - region = local.region - vpc_cidr = local.vpc_cidr - environment = local.environment - flow_log_enabled = true - vpn_key_pair_name = module.key_pair_vpn.key_pair_name - availability_zones = ["ap-south-1a", "ap-south-1b"] - vpn_server_enabled = true - intra_subnet_enabled = true - public_subnet_enabled = true - auto_assign_public_ip = true - private_subnet_enabled = true - one_nat_gateway_per_az = true - database_subnet_enabled = true - vpn_server_instance_type = "t3a.small" - vpc_s3_endpoint_enabled = true - vpc_ecr_endpoint_enabled = true - flow_log_max_aggregation_interval = 60 # In seconds - flow_log_cloudwatch_log_group_skip_destroy = true - flow_log_cloudwatch_log_group_retention_in_days = 90 - flow_log_cloudwatch_log_group_kms_key_arn = module.kms.key_arn #Enter your kms key arn + source = "../../" + name = local.vpc_name + aws_region = local.aws_region + vpc_cidr = local.vpc_cidr + environment = local.environment + vpc_flow_log_enabled = local.vpc_flow_log_enabled + vpn_server_key_pair_name = module.key_pair_vpn.key_pair_name + vpc_availability_zones = local.vpc_availability_zones + vpn_server_enabled = local.vpn_server_enabled + vpc_intra_subnet_enabled = local.vpc_intra_subnet_enabled + vpc_public_subnet_enabled = local.vpc_public_subnet_enabled + auto_assign_public_ip = local.auto_assign_public_ip + vpc_private_subnet_enabled = local.vpc_private_subnet_enabled + vpc_one_nat_gateway_per_az = local.vpc_one_nat_gateway_per_az + vpc_database_subnet_enabled = local.vpc_database_subnet_enabled + vpn_server_instance_type = local.vpn_server_instance_type + vpc_s3_endpoint_enabled = 
local.vpc_s3_endpoint_enabled + vpc_ecr_endpoint_enabled = local.vpc_ecr_endpoint_enabled + vpc_flow_log_max_aggregation_interval = 60 # In seconds + vpc_flow_log_cloudwatch_log_group_skip_destroy = local.vpc_flow_log_cloudwatch_log_group_skip_destroy + vpc_flow_log_cloudwatch_log_group_retention_in_days = 90 + vpc_flow_log_cloudwatch_log_group_kms_key_arn = module.kms.key_arn #Enter your kms key arn + vpc_public_subnets_counts = local.vpc_public_subnets_counts + vpc_private_subnets_counts = local.vpc_private_subnets_counts + vpc_database_subnets_counts = local.vpc_database_subnets_counts + vpc_intra_subnets_counts = local.vpc_intra_subnets_counts + vpc_endpoint_type_private_s3 = "Gateway" + vpc_endpoint_type_ecr_dkr = "Interface" + vpc_endpoint_type_ecr_api = "Interface" } From 1c9109d984c694d8a636dfb6cdfe5dfcee914e01 Mon Sep 17 00:00:00 2001 From: rachit89 Date: Thu, 21 Mar 2024 10:52:37 +0530 Subject: [PATCH 13/41] Added example of AWS multi account vpc peering --- examples/multi-account-vpc-peering/main.tf | 25 ++++++++ examples/multi-account-vpc-peering/output.tf | 9 +++ .../multi-account-vpc-peering/provider.tf | 17 ++++++ modules/vpc_peering/main.tf | 57 +++++++++++-------- modules/vpc_peering/outputs.tf | 6 +- modules/vpc_peering/variables.tf | 28 +++++++-- 6 files changed, 109 insertions(+), 33 deletions(-) create mode 100644 examples/multi-account-vpc-peering/main.tf create mode 100644 examples/multi-account-vpc-peering/output.tf create mode 100644 examples/multi-account-vpc-peering/provider.tf diff --git a/examples/multi-account-vpc-peering/main.tf b/examples/multi-account-vpc-peering/main.tf new file mode 100644 index 0000000..94731b2 --- /dev/null +++ b/examples/multi-account-vpc-peering/main.tf 
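Review bot: The flow-log retention and aggregation interval (`vpc_flow_log_cloudwatch_log_group_retention_in_days = 90`, `vpc_flow_log_max_aggregation_interval = 60`) are the only arguments in this `module "vpc"` call still hard-coded while every other input was moved into `local.*`, so a reader tuning the example's locals will miss them; for consistency move them too, e.g. `vpc_flow_log_cloudwatch_log_group_retention_in_days = local.vpc_flow_log_cloudwatch_log_group_retention_in_days`. Note also that `vpc_flow_log_enabled` is no longer a literal `true` but `local.vpc_flow_log_enabled`, so whether this example actually ships with flow logging (and the KMS-encrypted log group it wires up via `module.kms.key_arn`) now depends on that local; a one-line comment such as `# flow logs are only created when local.vpc_flow_log_enabled is true` next to it would make that explicit. The `locals` block that defines these values is outside this hunk.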
@@ -0,0 +1,25 @@
+locals {
+ accepter_name = "tenent-peering"
+ accepter_region = "us-east-1"
+ accepter_vpc_id = "vpc-07a2c1d0328341493"
+ requester_name = "management-peering"
+ requester_region = "ap-northeast-1"
+ requester_vpc_id = "vpc-0ce36808b9b133608"
+ additional_tags = {
+ Owner = "tenent"
+ Tenancy = "dedicated"
+ }
+}
+
+module "vpc_peering" {
+ source = "../../modules/vpc_peering"
+ accepter_name = local.accepter_name
+ vpc_peering_accepter_vpc_id = local.accepter_vpc_id
+ vpc_peering_accepter_vpc_region = local.accepter_region
+ requester_name = local.requester_name
+ vpc_peering_requester_vpc_id = local.requester_vpc_id
+ vpc_peering_requester_vpc_region = local.requester_region
+ vpc_peering_multi_account_enabled = true
+ vpc_peering_requester_aws_profile = "peer"
+ vpc_peering_accepter_aws_profile = "accepter"
+}
\ No newline at end of file
diff --git a/examples/multi-account-vpc-peering/output.tf b/examples/multi-account-vpc-peering/output.tf
new file mode 100644
index 0000000..a4ae83d
--- /dev/null
+++ b/examples/multi-account-vpc-peering/output.tf
@@ -0,0 +1,9 @@
+output "vpc_peering_connection_id" {
+ description = "Peering connection ID"
+ value = module.vpc_peering.vpc_peering_connection_id
+}
+
+output "vpc_peering_accept_status" {
+ description = "Accept status for the connection"
+ value = module.vpc_peering.vpc_peering_accept_status
+}
diff --git a/examples/multi-account-vpc-peering/provider.tf b/examples/multi-account-vpc-peering/provider.tf
new file mode 100644
index 0000000..aa69792
--- /dev/null
+++ b/examples/multi-account-vpc-peering/provider.tf
@@ -0,0 +1,17 @@
+provider "aws" {
+ alias = "peer"
+ region = "ap-northeast-1"
+ aws_account_id = ""
+ default_tags {
+ tags = local.additional_tags
+ }
+}
+
+provider "aws" {
+ alias = "accepter"
+ region = "ap-northeast-1"
+ aws_account_id = ""
+ default_tags {
+ tags = local.additional_tags
+ }
+}
\ No newline at end of file
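Review bot: The example bakes concrete VPC IDs (`vpc-07a2c1d0328341493`, `vpc-0ce36808b9b133608`) and the profile names `"peer"`/`"accepter"` into `locals`, which look like real resource identifiers from someone's account rather than placeholders; an example that is meant to be copied should take these as variables with no default, or at least use obviously fake values such as `accepter_vpc_id = "vpc-xxxxxxxxxxxxxxxxx"` with a comment `# replace with the VPC ID in the accepter account`. The `accepter_region = "us-east-1"` local is also worth a comment stating that it must match the region the `accepter` AWS profile is allowed to operate in, since the module appears to build its own provider from this region and that profile name. `tenent` in `tenent-peering` and `Owner = "tenent"` is presumably a typo for `tenant`.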
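Review bot: `aws_account_id = ""` in both `provider "aws"` blocks is not, as far as I know, an argument of the AWS provider, so `terraform validate` should reject this file; the provider's mechanism for pinning a configuration to an account is `allowed_account_ids`, e.g. `allowed_account_ids = ["<accepter-account-id>"]`, which is also the safer choice because it makes an apply with the wrong profile fail instead of silently peering the wrong account. These two aliased providers also do not seem to be consumed anywhere: `main.tf` in this example passes no `providers = { ... }` map to `module "vpc_peering"`, and the module defines its own `peer`/`accepter` providers from the profile variables, so the region set here (`ap-northeast-1` for both, while the example's accepter is declared in `us-east-1`) would never take effect. Either wire these providers through with `providers = { aws.peer = aws.peer, aws.accepter = aws.accepter }` and drop the in-module provider blocks, or remove this file and document that credentials come from the named profiles.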
diff --git a/modules/vpc_peering/main.tf b/modules/vpc_peering/main.tf index 533721f..2023b60 100644 --- a/modules/vpc_peering/main.tf +++ b/modules/vpc_peering/main.tf 
@@ -1,52 +1,59 @@ locals { - requester_route_tables_ids = data.aws_route_tables.requester.ids - accepter_route_tables_ids = data.aws_route_tables.accepter.ids + vpc_peering_requester_route_tables_ids = data.aws_route_tables.requester.ids + vpc_peering_accepter_route_tables_ids = data.aws_route_tables.accepter.ids } provider "aws" { - alias = "peer" - region = var.requester_vpc_region + alias = "peer" + region = var.vpc_peering_requester_vpc_region + profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_requester_aws_profile : "default" } provider "aws" { - alias = "accepter" - region = var.accepter_vpc_region + alias = "accepter" + region = var.vpc_peering_accepter_vpc_region + profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_aws_profile : "default" } data "aws_vpc" "accepter" { - id = var.accepter_vpc_id + id = var.vpc_peering_accepter_vpc_id provider = aws.accepter } data "aws_route_tables" "accepter" { - vpc_id = var.accepter_vpc_id + vpc_id = var.vpc_peering_accepter_vpc_id provider = aws.accepter } data "aws_vpc" "requester" { - id = var.requester_vpc_id + id = var.vpc_peering_requester_vpc_id provider = aws.peer } data "aws_route_tables" "requester" { - vpc_id = var.requester_vpc_id + vpc_id = var.vpc_peering_requester_vpc_id provider = aws.peer } +data "aws_caller_identity" "accepter" { + provider = aws.accepter +} + resource "aws_vpc_peering_connection" "this" { - count = var.peering_enabled ? 1 : 0 - vpc_id = var.requester_vpc_id - peer_vpc_id = var.accepter_vpc_id - peer_region = var.accepter_vpc_region - auto_accept = false - provider = aws.peer + count = var.vpc_peering_enabled ? 1 : 0 + vpc_id = var.vpc_peering_requester_vpc_id + peer_vpc_id = var.vpc_peering_accepter_vpc_id + peer_region = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_vpc_region : null + auto_accept = false + peer_owner_id = var.vpc_peering_multi_account_enabled ? 
data.aws_caller_identity.accepter.id : null + provider = aws.peer tags = { Name = format("%s-%s-%s", var.requester_name, "to", var.accepter_name) } } resource "aws_vpc_peering_connection_accepter" "this" { - count = var.peering_enabled ? 1 : 0 + count = var.vpc_peering_enabled ? 1 : 0 depends_on = [aws_vpc_peering_connection.this] provider = aws.accepter vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id @@ -57,7 +64,7 @@ resource "aws_vpc_peering_connection_accepter" "this" { } resource "aws_vpc_peering_connection_options" "this" { - count = var.peering_enabled ? 1 : 0 + count = var.vpc_peering_enabled ? 1 : 0 depends_on = [aws_vpc_peering_connection_accepter.this] vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id accepter { 
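Review bot: `peer_region` is now only set when `vpc_peering_multi_account_enabled` is true, which couples two independent properties: a same-account peering between different regions (the case the old code handled by always passing `var.accepter_vpc_region`) will now send `peer_region = null` and be created as if the accepter VPC were in the requester's region. Restore the unconditional form, `peer_region = var.vpc_peering_accepter_vpc_region`, and keep only `peer_owner_id` gated on the multi-account flag (or set it unconditionally from `data.aws_caller_identity.accepter.account_id`, which equals the current account in the single-account case). The `profile = ... : "default"` fallback in both `provider "aws"` blocks is also a regression for non-profile credential sources: with the flag off the providers no longer inherit `AWS_PROFILE`, environment keys or an instance/CI role but insist on a named profile called `default`, so use `profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_requester_aws_profile : null` (and likewise for the accepter). Declaring `provider` blocks inside a child module also prevents callers from using `count`/`for_each` on this module; passing providers in from the root is the documented pattern.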
@@ -70,17 +77,17 @@ resource "aws_vpc_peering_connection_options" "this" { #### route tables #### resource "aws_route" "requester" { - count = var.peering_enabled ? length(local.requester_route_tables_ids) : 0 - route_table_id = local.requester_route_tables_ids[count.index] + count = var.vpc_peering_enabled ? length(local.vpc_peering_requester_route_tables_ids) : 0 + route_table_id = local.vpc_peering_requester_route_tables_ids[count.index] destination_cidr_block = data.aws_vpc.accepter.cidr_block - vpc_peering_connection_id = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null + vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null provider = aws.peer } resource "aws_route" "accepter" { - count = var.peering_enabled ? length(local.accepter_route_tables_ids) : 0 - route_table_id = local.accepter_route_tables_ids[count.index] + count = var.vpc_peering_enabled ? length(local.vpc_peering_accepter_route_tables_ids) : 0 + route_table_id = local.vpc_peering_accepter_route_tables_ids[count.index] destination_cidr_block = data.aws_vpc.requester.cidr_block - vpc_peering_connection_id = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null + vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null provider = aws.accepter -} +} \ No newline at end of file diff --git a/modules/vpc_peering/outputs.tf b/modules/vpc_peering/outputs.tf index 1d8a27a..1381a64 100644 --- a/modules/vpc_peering/outputs.tf +++ b/modules/vpc_peering/outputs.tf 
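Review bot: `aws_route.requester` and `aws_route.accepter` add a route to the peer's `cidr_block` in every route table returned by `data.aws_route_tables.*` for each VPC, and those data sources (declared earlier in this file) filter on `vpc_id` alone, so public-subnet tables and the main/default table are all opened to the peer as well; for a management-to-tenant peering that is more reachability than least privilege usually calls for. Consider letting callers scope it, e.g. an optional `vpc_peering_requester_route_table_ids` / `vpc_peering_accepter_route_table_ids` list that replaces the data-source result when non-empty, or a tag filter on the data source such as `filter { name = "tag:Peering" values = ["true"] }`. Also worth a comment above these resources: only the VPC's primary `cidr_block` is routed, so secondary CIDR blocks (which the root module supports via `secondry_cidr_enabled`) remain unreachable across the peering. The rename to `vpc_peering_*` locals here is otherwise behaviour-preserving.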
@@ -1,9 +1,9 @@ output "vpc_peering_connection_id" { description = "Peering connection ID" - value = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null + value = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null } output "vpc_peering_accept_status" { description = "Status for the connection" - value = var.peering_enabled ? aws_vpc_peering_connection_accepter.this[0].accept_status : null -} + value = var.vpc_peering_enabled ? aws_vpc_peering_connection_accepter.this[0].accept_status : null +} diff --git a/modules/vpc_peering/variables.tf b/modules/vpc_peering/variables.tf index 9865a10..12d7b5f 100644 --- a/modules/vpc_peering/variables.tf +++ b/modules/vpc_peering/variables.tf @@ -1,22 +1,22 @@ -variable "accepter_vpc_id" { +variable "vpc_peering_accepter_vpc_id" { type = string description = "Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection." default = "" } -variable "accepter_vpc_region" { +variable "vpc_peering_accepter_vpc_region" { type = string description = "Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection." default = "" } -variable "requester_vpc_id" { +variable "vpc_peering_requester_vpc_id" { type = string description = "Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection." default = "" } -variable "requester_vpc_region" { +variable "vpc_peering_requester_vpc_region" { type = string description = "Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering." default = "" 
@@ -34,8 +34,26 @@ variable "accepter_name" { default = "" } -variable "peering_enabled" { +variable "vpc_peering_enabled" { type = bool description = "Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process." default = true } + +variable "vpc_peering_multi_account_enabled" { + type = bool + description = "Set this variable to true if you want to create the VPC peering connection between reagions. Set it to false if you want to skip the creation process." + default = true +} + +variable "vpc_peering_requester_aws_profile" { + type = string + description = "Provide the AWS profile where the requester VPC is located." + default = "" +} + +variable "vpc_peering_accepter_aws_profile" { + type = string + description = "Provide the AWS profile where the accepter VPC is located." + default = "" +} \ No newline at end of file From 0c9bc0d6f5bd87f54f592ed7940ee28647a2d646 Mon Sep 17 00:00:00 2001 From: rachit89 Date: Fri, 29 Mar 2024 16:55:27 +0530 Subject: [PATCH 14/41] Modified Variables & upgraded version of vpn modules and vpn security groups --- README.md | 80 +++++++++++-------- examples/complete-vpc-with-vpn/README.md | 7 +- examples/complete-vpc-with-vpn/main.tf | 6 +- examples/complete-vpc-with-vpn/outputs.tf | 19 ++--- examples/complete-vpc-with-vpn/providers.tf | 2 +- examples/multi-account-vpc-peering/main.tf | 2 +- .../multi-account-vpc-peering/provider.tf | 2 +- main.tf | 25 +++--- modules/vpc_peering/README.md | 18 +++-- modules/vpc_peering/main.tf | 6 +- modules/vpc_peering/variables.tf | 6 +- modules/vpn/README.md | 14 ++-- modules/vpn/main.tf | 22 ++--- outputs.tf | 17 ++-- providers.tf | 12 +-- variables.tf | 10 +-- 16 files changed, 126 insertions(+), 122 deletions(-) diff --git a/README.md b/README.md index f0895b4..f98aca1 100644 --- a/README.md +++ b/README.md 
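Review bot: `vpc_peering_multi_account_enabled` defaults to `true` while both new `*_aws_profile` variables default to `""`, so a caller who leaves the defaults alone gets the module's providers configured with an empty profile name and a `peer_owner_id` looked up through it; the safe default for the cross-account path is `default = false`, with the profiles required only when the flag is set. The description is also wrong about what the flag does ("create the VPC peering connection between reagions" — it controls cross-account, not cross-region, behaviour, and "reagions" is a typo); I would write `description = "Set to true when the requester and accepter VPCs live in different AWS accounts; the two *_aws_profile variables must then name the profile for each account."`. A `validation` block on each profile variable that rejects an empty string when the flag is true would turn the misconfiguration into a plan-time error instead of a provider failure. The `description` for `vpc_peering_enabled` above is unchanged context, so its wording is out of scope here.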
@@ -191,13 +191,13 @@ In this module, we have implemented the following CIS Compliance checks for VPC: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.23 | +| [aws](#requirement\_aws) | >= 5.0.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.23 | +| [aws](#provider\_aws) | >= 5.0.0 | ## Modules @@ -211,9 +211,9 @@ In this module, we have implemented the following CIS Compliance checks for VPC: | Name | Type | |------|------| | [aws_security_group.vpc_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_vpc_endpoint.private-ecr-api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.private-ecr-dkr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.private-s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.private_ecr_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.private_ecr_dkr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.private_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | | [aws_vpc_ipam.ipam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam) | resource | | [aws_vpc_ipam_pool.ipam_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource | | [aws_vpc_ipam_pool_cidr.ipam_pool_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr) | resource | 
@@ -225,61 +225,77 @@ In this module, we have implemented the following CIS Compliance checks for VPC: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [additional\_aws\_tags](#input\_additional\_aws\_tags) | Additional tags to be applied to AWS resources | `map(string)` | `{}` | no | | [auto\_assign\_public\_ip](#input\_auto\_assign\_public\_ip) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. | `bool` | `false` | no | -| [availability\_zones](#input\_availability\_zones) | Number of Availability Zone to be used by VPC Subnets | `list(any)` | `[]` | no | -| [create\_ipam\_pool](#input\_create\_ipam\_pool) | Whether create new IPAM pool | `bool` | `true` | no | +| [aws\_account\_id](#input\_aws\_account\_id) | Account ID of the AWS Account. | `string` | `"1234567890"` | no | +| [aws\_region](#input\_aws\_region) | Name of the AWS region where VPC is to be created. | `string` | `""` | no | +| [database\_nat\_gateway\_route\_enabled](#input\_database\_nat\_gateway\_route\_enabled) | Nat Gateway route to be created for internet access to database subnets | `bool` | `false` | no | | [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | -| [database\_subnet\_cidrs](#input\_database\_subnet\_cidrs) | Database Tier subnet CIDRs to be created | `list(any)` | `[]` | no | -| [database\_subnet\_enabled](#input\_database\_subnet\_enabled) | Set true to enable database subnets | `bool` | `false` | no | +| [database\_subnet\_group\_enabled](#input\_database\_subnet\_group\_enabled) | Whether create database subnet groups | `bool` | `false` | no | | [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` |
[
{
"action": "deny",
"cidr_block": "0.0.0.0/0",
"from_port": 22,
"protocol": "tcp",
"rule_no": 98,
"to_port": 22
},
{
"action": "deny",
"cidr_block": "0.0.0.0/0",
"from_port": 3389,
"protocol": "tcp",
"rule_no": 99,
"to_port": 3389
},
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no | -| [enable\_database\_subnet\_group](#input\_enable\_database\_subnet\_group) | Whether create database subnet groups | `bool` | `false` | no | +| [dns\_hostnames\_enabled](#input\_dns\_hostnames\_enabled) | Whether to enable DNS hostnames | `bool` | `true` | no | | [environment](#input\_environment) | Specify the environment indentifier for the VPC | `string` | `""` | no | | [existing\_ipam\_managed\_cidr](#input\_existing\_ipam\_managed\_cidr) | The existing IPAM pool CIDR | `string` | `""` | no | -| [flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no | -| [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | `number` | `null` | no | -| [flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no | -| [flow\_log\_enabled](#input\_flow\_log\_enabled) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no | -| [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `60` | no | | [intra\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_intra\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | -| [intra\_subnet\_cidrs](#input\_intra\_subnet\_cidrs) | A list of intra subnets CIDR to be created | `list(any)` | `[]` | no | -| [intra\_subnet\_enabled](#input\_intra\_subnet\_enabled) | Set true to enable intra subnets | `bool` | `false` | no | +| [ipam\_address\_family](#input\_ipam\_address\_family) | The address family for the VPC (ipv4 or ipv6) | `string` | `"ipv4"` | no | | [ipam\_enabled](#input\_ipam\_enabled) | Whether enable IPAM managed VPC or not | `bool` | `false` | no | +| [ipam\_pool\_enabled](#input\_ipam\_pool\_enabled) | Whether create new IPAM pool | `bool` | `true` | no | | [ipam\_pool\_id](#input\_ipam\_pool\_id) | The existing IPAM pool id if any | `string` | `null` | no | | [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | The netmask length for IPAM managed VPC | `number` | `16` | no | | [ipv6\_enabled](#input\_ipv6\_enabled) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no | | [ipv6\_only](#input\_ipv6\_only) | Enable it for deploying native IPv6 network | `bool` | `false` | no | +| [manage\_vpc\_default\_security\_group](#input\_manage\_vpc\_default\_security\_group) | Should be true to manage Default Security group of vpc | `bool` | `true` | no | | [name](#input\_name) | Specify the name of the VPC | `string` | `""` | no | -| [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier | `bool` | `false` | no | | [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | -| [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | A list of private subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no | -| [private\_subnet\_enabled](#input\_private\_subnet\_enabled) | Set true to enable private subnets | `bool` | `false` | no | | [public\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_public\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | -| [public\_subnet\_cidrs](#input\_public\_subnet\_cidrs) | A list of public subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no | -| [public\_subnet\_enabled](#input\_public\_subnet\_enabled) | Set true to enable public subnets | `bool` | `false` | no | -| [region](#input\_region) | The AWS region name | `string` | `null` | no | | [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of the secondary CIDR blocks which can be at most 5 | `list(string)` | `[]` | no | | [secondry\_cidr\_enabled](#input\_secondry\_cidr\_enabled) | Whether enable secondary CIDR with VPC | `bool` | `false` | no | +| [vpc\_availability\_zones](#input\_vpc\_availability\_zones) | Number of Availability Zone to be used by VPC Subnets. 
| `list(any)` | `[]` | no | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block of the VPC | `string` | `"10.0.0.0/16"` | no | +| [vpc\_database\_subnet\_cidrs](#input\_vpc\_database\_subnet\_cidrs) | Database Tier subnet CIDRs to be created | `list(any)` | `[]` | no | +| [vpc\_database\_subnet\_enabled](#input\_vpc\_database\_subnet\_enabled) | Set true to enable database subnets | `bool` | `false` | no | +| [vpc\_database\_subnets\_counts](#input\_vpc\_database\_subnets\_counts) | List of counts for database subnets | `number` | `1` | no | +| [vpc\_default\_security\_group\_egress](#input\_vpc\_default\_security\_group\_egress) | List of maps of egress rules to set on the default security group | `list(map(string))` | `[]` | no | +| [vpc\_default\_security\_group\_ingress](#input\_vpc\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group | `list(map(string))` | `[]` | no | | [vpc\_ecr\_endpoint\_enabled](#input\_vpc\_ecr\_endpoint\_enabled) | Set to true if you want to enable vpc ecr endpoints | `bool` | `false` | no | +| [vpc\_endpoint\_type\_ecr\_api](#input\_vpc\_endpoint\_type\_ecr\_api) | The type of VPC endpoint for ECR api | `string` | `"Interface"` | no | +| [vpc\_endpoint\_type\_ecr\_dkr](#input\_vpc\_endpoint\_type\_ecr\_dkr) | The type of VPC endpoint for ECR Docker | `string` | `"Interface"` | no | +| [vpc\_endpoint\_type\_private\_s3](#input\_vpc\_endpoint\_type\_private\_s3) | The type of VPC endpoint for ECR Docker | `string` | `"Gateway"` | no | +| [vpc\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn](#input\_vpc\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no | +| [vpc\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_vpc\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow 
logs. | `number` | `null` | no | +| [vpc\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_vpc\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no | +| [vpc\_flow\_log\_destination\_type](#input\_vpc\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no | +| [vpc\_flow\_log\_enabled](#input\_vpc\_flow\_log\_enabled) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no | +| [vpc\_flow\_log\_max\_aggregation\_interval](#input\_vpc\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `60` | no | +| [vpc\_flow\_log\_traffic\_type](#input\_vpc\_flow\_log\_traffic\_type) | The type of traffic to capture. 
Valid values: ACCEPT, REJECT, ALL | `string` | `"ALL"` | no | +| [vpc\_intra\_subnet\_cidrs](#input\_vpc\_intra\_subnet\_cidrs) | A list of intra subnets CIDR to be created | `list(any)` | `[]` | no | +| [vpc\_intra\_subnet\_enabled](#input\_vpc\_intra\_subnet\_enabled) | Set true to enable intra subnets | `bool` | `false` | no | +| [vpc\_intra\_subnets\_counts](#input\_vpc\_intra\_subnets\_counts) | List of counts for intra subnets | `number` | `1` | no | +| [vpc\_manage\_default\_network\_acl](#input\_vpc\_manage\_default\_network\_acl) | Should be true to manage Default Network ACL | `bool` | `true` | no | +| [vpc\_one\_nat\_gateway\_per\_az](#input\_vpc\_one\_nat\_gateway\_per\_az) | Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier | `bool` | `false` | no | +| [vpc\_private\_subnet\_cidrs](#input\_vpc\_private\_subnet\_cidrs) | A list of private subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no | +| [vpc\_private\_subnet\_enabled](#input\_vpc\_private\_subnet\_enabled) | Set true to enable private subnets | `bool` | `false` | no | +| [vpc\_private\_subnets\_counts](#input\_vpc\_private\_subnets\_counts) | List of counts for private subnets | `number` | `1` | no | +| [vpc\_public\_subnet\_cidrs](#input\_vpc\_public\_subnet\_cidrs) | A list of public subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no | +| [vpc\_public\_subnet\_enabled](#input\_vpc\_public\_subnet\_enabled) | Set true to enable public subnets | `bool` | `false` | no | +| [vpc\_public\_subnets\_counts](#input\_vpc\_public\_subnets\_counts) | List of counts for public subnets | `number` | `1` | no | | [vpc\_s3\_endpoint\_enabled](#input\_vpc\_s3\_endpoint\_enabled) | Set to true if you want to enable vpc S3 endpoints | `bool` | `false` | no | -| [vpn\_key\_pair\_name](#input\_vpn\_key\_pair\_name) | Specify the name of AWS Keypair to be used for VPN Server | `string` | `""` | no | +| 
[vpn\_gateway\_enabled](#input\_vpn\_gateway\_enabled) | Whether to enable vpn Gateway | `bool` | `false` | no | | [vpn\_server\_enabled](#input\_vpn\_server\_enabled) | Set to true if you want to deploy VPN Gateway resource and attach it to the VPC | `bool` | `false` | no | | [vpn\_server\_instance\_type](#input\_vpn\_server\_instance\_type) | EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc. | `string` | `"t3a.small"` | no | +| [vpn\_server\_key\_pair\_name](#input\_vpn\_server\_key\_pair\_name) | Specify the name of AWS Keypair to be used for VPN Server | `string` | `""` | no | ## Outputs | Name | Description | |------|-------------| | [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets | -| [intra\_subnets](#output\_intra\_subnets) | List of IDs of Intra subnets | -| [ipv6\_vpc\_cidr\_block](#output\_ipv6\_vpc\_cidr\_block) | The IPv6 CIDR block | -| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | -| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | -| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | IPV4 CIDR Block for this VPC | +| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | AWS Region | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC | -| [vpc\_ipv6\_association\_id](#output\_vpc\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block | -| [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC | -| [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Address of VPN Server | +| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | List of IDs of Intra subnets | +| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | List of IDs of private subnets | +| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | List of IDs of public subnets | +| [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Adress of VPN 
Server | | [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server | diff --git a/examples/complete-vpc-with-vpn/README.md b/examples/complete-vpc-with-vpn/README.md index 62cdb53..957e4cd 100644 --- a/examples/complete-vpc-with-vpn/README.md +++ b/examples/complete-vpc-with-vpn/README.md @@ -52,12 +52,11 @@ No inputs. | Name | Description | |------|-------------| | [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets | -| [intra\_subnets](#output\_intra\_subnets) | List of IDs of Intra subnets | -| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | -| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | -| [region](#output\_region) | AWS Region | | [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | AWS Region | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC | +| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | List of IDs of Intra subnets | +| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | List of IDs of private subnets | +| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | List of IDs of public subnets | | [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Adress of VPN Server | | [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server | diff --git a/examples/complete-vpc-with-vpn/main.tf b/examples/complete-vpc-with-vpn/main.tf index dd00290..b69b8d3 100644 --- a/examples/complete-vpc-with-vpn/main.tf +++ b/examples/complete-vpc-with-vpn/main.tf 
@@ -5,12 +5,12 @@ locals {
 environment = "prod"
 kms_user = null
 vpc_cidr = "10.10.0.0/16"
- vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1b"]
+ vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1c"]
 kms_deletion_window_in_days = 7
 enable_key_rotation = false
 is_enabled = true
- vpc_flow_log_enabled = true
- vpn_server_enabled = false
+ vpc_flow_log_enabled = false
+ vpn_server_enabled = true
 vpc_intra_subnet_enabled = true
 vpc_public_subnet_enabled = true
 auto_assign_public_ip = true
diff --git a/examples/complete-vpc-with-vpn/outputs.tf b/examples/complete-vpc-with-vpn/outputs.tf
index f4e210f..3ef89c5 100644
--- a/examples/complete-vpc-with-vpn/outputs.tf
+++ b/examples/complete-vpc-with-vpn/outputs.tf
@@ -1,8 +1,3 @@
-output "region" {
- description = "AWS Region"
- value = local.region
-}
-
 output "vpc_id" {
 description = "The ID of the VPC"
 value = module.vpc.vpc_id
@@ -13,14 +8,14 @@ output "vpc_cidr_block" {
 value = module.vpc.vpc_cidr_block
 }
-output "public_subnets" {
+output "vpc_public_subnets" {
 description = "List of IDs of public subnets"
- value = module.vpc.public_subnets
+ value = module.vpc.vpc_public_subnets
 }
-output "private_subnets" {
+output "vpc_private_subnets" {
 description = "List of IDs of private subnets"
- value = module.vpc.private_subnets
+ value = module.vpc.vpc_private_subnets
 }
 output "database_subnets" {
@@ -28,9 +23,9 @@ output "database_subnets" {
 value = module.vpc.database_subnets
 }
-output "intra_subnets" {
+output "vpc_intra_subnets" {
 description = "List of IDs of Intra subnets"
- value = module.vpc.intra_subnets
+ value = module.vpc.vpc_intra_subnets
 }
 output "vpn_host_public_ip" {
@@ -41,4 +36,4 @@ output "vpn_host_public_ip" {
 output "vpn_security_group" {
 description = "Security Group ID of VPN Server"
 value = module.vpc.vpn_security_group
-}
+}
diff --git a/examples/complete-vpc-with-vpn/providers.tf b/examples/complete-vpc-with-vpn/providers.tf
index 2d14d27..7a8138f 100644
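Review bot: The example flips `vpc_flow_log_enabled` from `true` to `false` in the same hunk that sets `vpn_server_enabled = true`, so the reference deployment now stands up an internet-facing VPN host while switching off the VPC Flow Logs that would let an operator review traffic to and from it. If the flag was only lowered to speed up local testing, keep the example at `vpc_flow_log_enabled = true`, or add a comment such as `# flow logs disabled in this example only; enable in real deployments` so the shipped example does not read as the recommended posture. The `locals` block starts before the hunk and continues after it.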
--- a/examples/complete-vpc-with-vpn/providers.tf
+++ b/examples/complete-vpc-with-vpn/providers.tf
@@ -1,5 +1,5 @@
 provider "aws" {
- region = local.region
+ region = local.aws_region
 default_tags {
 tags = local.additional_aws_tags
 }
diff --git a/examples/multi-account-vpc-peering/main.tf b/examples/multi-account-vpc-peering/main.tf
index 94731b2..870a18a 100644
--- a/examples/multi-account-vpc-peering/main.tf
+++ b/examples/multi-account-vpc-peering/main.tf
@@ -22,4 +22,4 @@ module "vpc_peering" {
 vpc_peering_multi_account_enabled = true
 vpc_peering_requester_aws_profile = "peer"
 vpc_peering_accepter_aws_profile = "accepter"
-}
\ No newline at end of file
+}
diff --git a/examples/multi-account-vpc-peering/provider.tf b/examples/multi-account-vpc-peering/provider.tf
index aa69792..110abbb 100644
--- a/examples/multi-account-vpc-peering/provider.tf
+++ b/examples/multi-account-vpc-peering/provider.tf
@@ -14,4 +14,4 @@ provider "aws" {
 default_tags {
 tags = local.additional_tags
 }
-}
\ No newline at end of file
+}
diff --git a/main.tf b/main.tf
index 7eb1885..1351adf 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,5 @@
 locals {
- azs = length(var.vpc_availability_zones)
+ azs = length(var.vpc_availability_zones)
 # public subnets cidr
 public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
 secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [
@@ -7,7 +7,7 @@ locals { for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(cidr_block, 8, netnum) ] ] : [] - vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) # intra subnets cidr intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] @@ -16,8 +16,8 @@ locals { for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(cidr_block, 8, netnum) ] ] : [] - vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + # private subnets cidr private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(var.vpc_private_subnets_counts * 4, var.vpc_private_subnets_counts * 5) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ 
@@ -25,8 +25,8 @@ locals { for netnum in range(var.vpc_private_subnets_counts, var.vpc_private_subnets_counts * 2) : cidrsubnet(cidr_block, 4, netnum) ] ] : [] - vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + # database subnets cidr database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? var.vpc_database_subnet_cidrs : [for netnum in range(var.vpc_database_subnets_counts * 2, var.vpc_database_subnets_counts * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ @@ -34,8 +34,8 @@ locals { for netnum in range(var.vpc_database_subnets_counts * 2, var.vpc_database_subnets_counts * 3) : cidrsubnet(cidr_block, 8, netnum) ] ] : [] - vpc_database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true + vpc_database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true create_database_subnet_route_table = var.vpc_database_subnet_enabled create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance @@ -65,7 +65,6 @@ data "aws_availability_zones" "available" {} data "aws_ec2_instance_type" "arch" { instance_type = var.vpn_server_instance_type } - module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "5.2.0" 
@@ -269,12 +268,12 @@ resource "aws_security_group" "vpc_endpoints" {
 }
 # private links for ECR.dkr
-resource "aws_vpc_endpoint" "private-ecr_dkr" {
+resource "aws_vpc_endpoint" "private_ecr_dkr" {
 count = var.vpc_ecr_endpoint_enabled ? 1 : 0
 depends_on = [data.aws_route_tables.aws_private_routes]
 vpc_id = module.vpc.vpc_id
 service_name = "com.amazonaws.${var.aws_region}.ecr.dkr"
- subnet_ids = module.vpc.private_subnets
+ subnet_ids = [module.vpc.private_subnets[count.index]]
 security_group_ids = [aws_security_group.vpc_endpoints[0].id]
 vpc_endpoint_type = var.vpc_endpoint_type_ecr_dkr
 private_dns_enabled = true
@@ -297,11 +296,11 @@ POLICY
 # private links for ECR.api
-resource "aws_vpc_endpoint" "private-ecr_api" {
+resource "aws_vpc_endpoint" "private_ecr_api" {
 count = var.vpc_ecr_endpoint_enabled ? 1 : 0
 depends_on = [data.aws_route_tables.aws_private_routes]
 vpc_id = module.vpc.vpc_id
- subnet_ids = module.vpc.private_subnets
+ subnet_ids = [module.vpc.private_subnets[count.index]]
 service_name = "com.amazonaws.${var.aws_region}.ecr.api"
 vpc_endpoint_type = var.vpc_endpoint_type_ecr_api
 private_dns_enabled = true
diff --git a/modules/vpc_peering/README.md b/modules/vpc_peering/README.md
index 6afdfd8..cdadc87 100644
--- a/modules/vpc_peering/README.md
+++ b/modules/vpc_peering/README.md
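Review bot: `subnet_ids = [module.vpc.private_subnets[count.index]]` is always index 0 here, because `count` is `var.vpc_ecr_endpoint_enabled ? 1 : 0`, so both interface endpoints (this hunk and the `private_ecr_api` hunk that follows) move from every private subnet to the first one only; the endpoint ENI then lives in a single AZ, image pulls from the other AZs cross zones, and they stop working when that AZ is unavailable. If the intent was to avoid the error AWS raises when two of the private subnets share an AZ, the fix is to pick one subnet per AZ, and a comment should say why the list was narrowed. The renames `private-ecr_dkr` → `private_ecr_dkr` and `private-ecr_api` → `private_ecr_api` also ship without `moved` blocks, so an existing deployment will destroy and recreate both endpoints on the next apply; add `moved { from = aws_vpc_endpoint.private-ecr_dkr  to = aws_vpc_endpoint.private_ecr_dkr }` and the matching block for the api endpoint. Both resource blocks continue past their hunks.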
@@ -47,6 +47,7 @@ No modules. | [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection) | resource | | [aws_vpc_peering_connection_accepter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_accepter) | resource | | [aws_vpc_peering_connection_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection_options) | resource | +| [aws_caller_identity.accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_route_tables.accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source | | [aws_route_tables.requester](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source | | [aws_vpc.accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | 
@@ -56,13 +57,16 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [accepter\_name](#input\_accepter\_name) | Assign a meaningful name or label to the VPC Accepter. This aids in distinguishing the Accepter VPC within the VPC peering connection. | `string` | `""` | no | -| [accepter\_vpc\_id](#input\_accepter\_vpc\_id) | Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection. | `string` | `""` | no | -| [accepter\_vpc\_region](#input\_accepter\_vpc\_region) | Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection. | `string` | `""` | no | -| [peering\_enabled](#input\_peering\_enabled) | Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process. | `bool` | `true` | no | -| [requester\_name](#input\_requester\_name) | Provide a descriptive name or label for the VPC Requester. This helps identify and differentiate the Requester VPC in the peering connection. | `string` | `""` | no | -| [requester\_vpc\_id](#input\_requester\_vpc\_id) | Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection. | `string` | `""` | no | -| [requester\_vpc\_region](#input\_requester\_vpc\_region) | Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering. | `string` | `""` | no | +| [vpc\_peering\_accepter\_aws\_profile](#input\_vpc\_peering\_accepter\_aws\_profile) | Provide the AWS profile where the accepter VPC is located. | `string` | `""` | no | +| [vpc\_peering\_accepter\_name](#input\_vpc\_peering\_accepter\_name) | Assign a meaningful name or label to the VPC Accepter. This aids in distinguishing the Accepter VPC within the VPC peering connection. 
| `string` | `""` | no | +| [vpc\_peering\_accepter\_vpc\_id](#input\_vpc\_peering\_accepter\_vpc\_id) | Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection. | `string` | `""` | no | +| [vpc\_peering\_accepter\_vpc\_region](#input\_vpc\_peering\_accepter\_vpc\_region) | Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection. | `string` | `""` | no | +| [vpc\_peering\_enabled](#input\_vpc\_peering\_enabled) | Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process. | `bool` | `true` | no | +| [vpc\_peering\_multi\_account\_enabled](#input\_vpc\_peering\_multi\_account\_enabled) | Set this variable to true if you want to create the VPC peering connection between reagions. Set it to false if you want to skip the creation process. | `bool` | `true` | no | +| [vpc\_peering\_requester\_aws\_profile](#input\_vpc\_peering\_requester\_aws\_profile) | Provide the AWS profile where the requester VPC is located. | `string` | `""` | no | +| [vpc\_peering\_requester\_name](#input\_vpc\_peering\_requester\_name) | Provide a descriptive name or label for the VPC Requester. This helps identify and differentiate the Requester VPC in the peering connection. | `string` | `""` | no | +| [vpc\_peering\_requester\_vpc\_id](#input\_vpc\_peering\_requester\_vpc\_id) | Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection. | `string` | `""` | no | +| [vpc\_peering\_requester\_vpc\_region](#input\_vpc\_peering\_requester\_vpc\_region) | Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering. | `string` | `""` | no | ## Outputs diff --git a/modules/vpc_peering/main.tf b/modules/vpc_peering/main.tf index 2023b60..62b36c7 100644 --- a/modules/vpc_peering/main.tf 
+++ b/modules/vpc_peering/main.tf
@@ -48,7 +48,7 @@ resource "aws_vpc_peering_connection" "this" {
 peer_owner_id = var.vpc_peering_multi_account_enabled ? data.aws_caller_identity.accepter.id : null
 provider = aws.peer
 tags = {
- Name = format("%s-%s-%s", var.requester_name, "to", var.accepter_name)
+ Name = format("%s-%s-%s", var.vpc_peering_requester_name, "to", var.vpc_peering_accepter_name)
 }
 }
@@ -59,7 +59,7 @@ resource "aws_vpc_peering_connection_accepter" "this" {
 vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id
 auto_accept = true
 tags = {
- Name = format("%s-%s-%s", var.requester_name, "to", var.accepter_name)
+ Name = format("%s-%s-%s", var.vpc_peering_requester_name, "to", var.vpc_peering_accepter_name)
 }
 }
@@ -90,4 +90,4 @@ resource "aws_route" "accepter" {
 destination_cidr_block = data.aws_vpc.requester.cidr_block
 vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null
 provider = aws.accepter
-}
\ No newline at end of file
+}
diff --git a/modules/vpc_peering/variables.tf b/modules/vpc_peering/variables.tf
index 12d7b5f..9639515 100644
--- a/modules/vpc_peering/variables.tf
+++ b/modules/vpc_peering/variables.tf
@@ -22,13 +22,13 @@ variable "vpc_peering_requester_vpc_region" {
 default = ""
 }
-variable "requester_name" {
+variable "vpc_peering_requester_name" {
 type = string
 description = "Provide a descriptive name or label for the VPC Requester. This helps identify and differentiate the Requester VPC in the peering connection."
 default = ""
 }
-variable "accepter_name" {
+variable "vpc_peering_accepter_name" {
 type = string
 description = "Assign a meaningful name or label to the VPC Accepter. This aids in distinguishing the Accepter VPC within the VPC peering connection."
 default = ""
@@ -56,4 +56,4 @@ variable "vpc_peering_accepter_aws_profile" {
 type = string
 description = "Provide the AWS profile where the accepter VPC is located."
 default = ""
-}
\ No newline at end of file
+}
diff --git a/modules/vpn/README.md b/modules/vpn/README.md index bf0d988..ee3dbbb 100644 --- a/modules/vpn/README.md +++ b/modules/vpn/README.md 
@@ -33,22 +33,22 @@ Refer [this](https://pritunl.com/) for more information. | Name | Source | Version | |------|--------|---------| -| [security\_group\_vpn](#module\_security\_group\_vpn) | terraform-aws-modules/security-group/aws | 4.13.0 | -| [vpn\_server](#module\_vpn\_server) | terraform-aws-modules/ec2-instance/aws | 4.1.4 | +| [security\_group\_vpn](#module\_security\_group\_vpn) | terraform-aws-modules/security-group/aws | 5.1.0 | +| [vpn\_server](#module\_vpn\_server) | terraform-aws-modules/ec2-instance/aws | 5.6.0 | ## Resources | Name | Type | |------|------| | [aws_eip.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | -| [aws_iam_instance_profile.vpn_SSM](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_iam_instance_profile.vpn_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | | [aws_iam_role.vpn_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.SSMManagedInstanceCore_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.SecretsManagerReadWrite_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_ssm_association.ssm_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_association) | resource | -| [aws_ssm_document.ssm_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource | -| [null_resource.delete_secret](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| 
[time_sleep.wait_3_min](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_ssm_association.vpn_ssm_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_association) | resource | +| [aws_ssm_document.vpn_ssm_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource | +| [null_resource.vpn_delete_secret](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [time_sleep.vpn_wait_3_min](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_ami.ubuntu_20_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_iam_policy.SSMManagedInstanceCore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy.SecretsManagerReadWrite](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | diff --git a/modules/vpn/main.tf b/modules/vpn/main.tf index 473138e..3a7af8a 100644 --- a/modules/vpn/main.tf +++ b/modules/vpn/main.tf @@ -5,7 +5,7 @@ resource "aws_eip" "vpn" { module "security_group_vpn" { source = "terraform-aws-modules/security-group/aws" - version = "4.13.0" + version = "5.1.0" create = true name = format("%s-%s-%s", var.environment, var.name, "vpn-sg") description = "vpn server security group" @@ -83,7 +83,7 @@ data "aws_region" "current" {} module "vpn_server" { source = "terraform-aws-modules/ec2-instance/aws" - version = "4.1.4" + version = "5.6.0" name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") ami = data.aws_ami.ubuntu_20_ami.image_id instance_type = var.vpn_server_instance_type 
@@ -92,7 +92,7 @@ module "vpn_server" {
 associate_public_ip_address = true
 vpc_security_group_ids = [module.security_group_vpn.security_group_id]
 user_data = join("", data.template_file.pritunl[*].rendered)
- iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name)
+ iam_instance_profile = join("", aws_iam_instance_profile.vpn_ssm[*].name)
 root_block_device = [
@@ -141,12 +141,12 @@ resource "aws_iam_role_policy_attachment" "SSMManagedInstanceCore_attachment" {
 policy_arn = data.aws_iam_policy.SSMManagedInstanceCore.arn
 }
-resource "aws_iam_instance_profile" "vpn_SSM" {
+resource "aws_iam_instance_profile" "vpn_ssm" {
 name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceProfile")
 role = join("", aws_iam_role.vpn_role[*].name)
 }
-resource "time_sleep" "wait_3_min" {
+resource "time_sleep" "vpn_wait_3_min" {
 depends_on = [module.vpn_server]
 create_duration = "3m"
 }
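Review bot: Renaming `aws_iam_instance_profile.vpn_SSM` to `vpn_ssm` and `time_sleep.wait_3_min` to `vpn_wait_3_min` changes their state addresses without `moved` blocks, so an existing deployment will plan a destroy-and-create of both on the next apply; the `aws_ssm_association` and `aws_ssm_document` renames in the following hunk have the same problem. For the instance profile this likely means the profile named `<env>-<name>-vpnEC2InstanceProfile` is deleted while the running VPN instance still references it and then recreated under the same name, which either collides on the name or briefly leaves the instance without the role that carries its SSM and Secrets Manager permissions. Adding the `moved` blocks below keeps the existing objects in state and turns the rename into a no-op apply.

```terraform
moved {
  from = aws_iam_instance_profile.vpn_SSM
  to   = aws_iam_instance_profile.vpn_ssm
}

moved {
  from = time_sleep.wait_3_min
  to   = time_sleep.vpn_wait_3_min
}

moved {
  from = aws_ssm_association.ssm_association
  to   = aws_ssm_association.vpn_ssm_association
}

moved {
  from = aws_ssm_document.ssm_document
  to   = aws_ssm_document.vpn_ssm_document
}
```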
@@ -160,18 +160,18 @@ resource "aws_iam_role_policy_attachment" "SecretsManagerReadWrite_attachment" { policy_arn = data.aws_iam_policy.SecretsManagerReadWrite.arn } -resource "aws_ssm_association" "ssm_association" { - name = aws_ssm_document.ssm_document.name - depends_on = [time_sleep.wait_3_min] +resource "aws_ssm_association" "vpn_ssm_association" { + name = aws_ssm_document.vpn_ssm_document.name + depends_on = [time_sleep.vpn_wait_3_min] targets { key = "InstanceIds" values = [module.vpn_server.id] } } -resource "aws_ssm_document" "ssm_document" { +resource "aws_ssm_document" "vpn_ssm_document" { name = format("%s-%s-%s", var.environment, var.name, "ssm_document_create_secret") - depends_on = [time_sleep.wait_3_min] + depends_on = [time_sleep.vpn_wait_3_min] document_type = "Command" content = < 0 ? module.vpc.public_subnets : null } output "vpc_private_subnets" { description = "List of IDs of private subnets" - value = module.vpc.vpc_private_subnets + value = length(module.vpc.private_subnets) > 0 ? module.vpc.private_subnets : null } output "database_subnets" { description = "List of IDs of database subnets" - value = module.vpc.database_subnets + value = length(module.vpc.database_subnets) > 0 ? module.vpc.database_subnets : null } output "vpc_intra_subnets" { description = "List of IDs of Intra subnets" - value = module.vpc.vpc_intra_subnets + value = length(module.vpc.intra_subnets) > 0 ? module.vpc.intra_subnets : null } output "vpn_host_public_ip" { description = "IP Adress of VPN Server" - value = module.vpc.vpn_host_public_ip + value = var.vpn_server_enabled ? module.vpn_server[0].vpn_host_public_ip : null } output "vpn_security_group" { description = "Security Group ID of VPN Server" - value = module.vpc.vpn_security_group + value = var.vpn_server_enabled ? module.vpn_server[0].vpn_security_group : null } diff --git a/providers.tf b/providers.tf index 7a8138f..8bee283 100644 --- a/providers.tf +++ b/providers.tf 
@@ -1,6 +1,6 @@
-provider "aws" {
- region = local.aws_region
- default_tags {
- tags = local.additional_aws_tags
- }
-}
+# provider "aws" {
+# region = local.aws_region
+# default_tags {
+# tags = local.additional_aws_tags
+# }
+# }
diff --git a/variables.tf b/variables.tf
index 72650fa..64b6b20 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,11 +1,7 @@
-variable "additional_tags" {
+variable "additional_aws_tags" {
 description = "Additional tags to be applied to AWS resources"
 type = map(string)
- default = {
- Owner = "organization_name"
- Expires = "Never"
- Department = "Engineering"
- }
+ default = {}
 }
 variable "aws_region" {
@@ -393,4 +389,4 @@ variable "vpc_default_security_group_egress" {
 description = "List of maps of egress rules to set on the default security group"
 type = list(map(string))
 default = []
-}
\ No newline at end of file
+}
From 053ba9573da6bcd96baa29155b154ea0de643ca2 Mon Sep 17 00:00:00 2001
From: rachit89
Date: Tue, 2 Apr 2024 13:20:17 +0530
Subject: [PATCH 15/41] Changes made in variables.
---
 README.md | 31 +++++++++++++++++++------------
 modules/vpc_peering/README.md | 8 ++++----
 modules/vpc_peering/main.tf | 18 +++++++++---------
 modules/vpc_peering/variables.tf | 8 ++++----
 modules/vpn/README.md | 6 +++---
 modules/vpn/main.tf | 10 ++++------
 modules/vpn/variables.tf | 9 +++++++--
 providers.tf | 6 ------
 8 files changed, 50 insertions(+), 46 deletions(-)
 delete mode 100644 providers.tf
diff --git a/README.md b/README.md
index f98aca1..a47a2d9 100644
--- a/README.md
+++ b/README.md
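Review bot: Commenting out the whole `provider "aws"` block leaves six lines of dead code as the only content of providers.tf; the later commit on this page deletes the file outright, which is the right end state, so delete it here rather than keeping it as a comment. A provider configuration inside a reusable module is also the reason callers cannot use `count`, `for_each` or `depends_on` on the `module` block that instantiates it, which is worth stating in the commit message as the motivation for removing it. The six commented lines are the entire hunk.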
@@ -29,23 +29,30 @@ module "vpc" { ipv6_enabled = true create_ipam_pool = false ipam_enabled = false - flow_log_enabled = true - vpn_key_pair_name = module.key_pair_vpn.key_pair_name - availability_zones = ["us-east-1a", "us-east-1b"] + vpc_flow_log_enabled = true + vpn_server_key_pair_name = module.key_pair_vpn.key_pair_name + vpc_availability_zones = ["us-east-1a", "us-east-1b"] vpn_server_enabled = false - intra_subnet_enabled = true + vpc_intra_subnet_enabled = true auto_assign_public_ip = true - public_subnet_enabled = true - private_subnet_enabled = true - one_nat_gateway_per_az = true - database_subnet_enabled = true + vpc_public_subnet_enabled = true + vpc_private_subnet_enable = true + vpc_one_nat_gateway_per_az = true + vpc_database_subnet_enabled = true vpn_server_instance_type = "t3a.small" + vpc_public_subnets_counts = 2 + vpc_private_subnets_counts = 2 + vpc_database_subnets_counts = 2 + vpc_intra_subnets_counts = 2 + vpc_endpoint_type_private_s3 = "Gateway" + vpc_endpoint_type_ecr_dkr = "Interface" + vpc_endpoint_type_ecr_api = "Interface" vpc_s3_endpoint_enabled = true vpc_ecr_endpoint_enabled = true - flow_log_max_aggregation_interval = 60 - flow_log_cloudwatch_log_group_skip_destroy = true - flow_log_cloudwatch_log_group_retention_in_days = 90 - flow_log_cloudwatch_log_group_kms_key_arn = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn" #Enter your kms key arn + vpc_flow_log_max_aggregation_interval = 60 + vpc_flow_log_cloudwatch_log_group_skip_destroy = true + vpc_flow_log_cloudwatch_log_group_retention_in_days = 90 + vpc_flow_log_cloudwatch_log_group_kms_key_arn = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn" #Enter your kms key arn } ``` Refer [this](https://github.com/squareops/terraform-aws-vpc/tree/main/examples) for more examples. diff --git a/modules/vpc_peering/README.md b/modules/vpc_peering/README.md index cdadc87..5555ad6 100644 --- a/modules/vpc_peering/README.md +++ b/modules/vpc_peering/README.md 
@@ -58,15 +58,15 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [vpc\_peering\_accepter\_aws\_profile](#input\_vpc\_peering\_accepter\_aws\_profile) | Provide the AWS profile where the accepter VPC is located. | `string` | `""` | no | +| [vpc\_peering\_accepter\_id](#input\_vpc\_peering\_accepter\_id) | Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection. | `string` | `""` | no | | [vpc\_peering\_accepter\_name](#input\_vpc\_peering\_accepter\_name) | Assign a meaningful name or label to the VPC Accepter. This aids in distinguishing the Accepter VPC within the VPC peering connection. | `string` | `""` | no | -| [vpc\_peering\_accepter\_vpc\_id](#input\_vpc\_peering\_accepter\_vpc\_id) | Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection. | `string` | `""` | no | -| [vpc\_peering\_accepter\_vpc\_region](#input\_vpc\_peering\_accepter\_vpc\_region) | Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection. | `string` | `""` | no | +| [vpc\_peering\_accepter\_region](#input\_vpc\_peering\_accepter\_region) | Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection. | `string` | `""` | no | | [vpc\_peering\_enabled](#input\_vpc\_peering\_enabled) | Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process. | `bool` | `true` | no | | [vpc\_peering\_multi\_account\_enabled](#input\_vpc\_peering\_multi\_account\_enabled) | Set this variable to true if you want to create the VPC peering connection between reagions. Set it to false if you want to skip the creation process. 
| `bool` | `true` | no | | [vpc\_peering\_requester\_aws\_profile](#input\_vpc\_peering\_requester\_aws\_profile) | Provide the AWS profile where the requester VPC is located. | `string` | `""` | no | +| [vpc\_peering\_requester\_id](#input\_vpc\_peering\_requester\_id) | Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection. | `string` | `""` | no | | [vpc\_peering\_requester\_name](#input\_vpc\_peering\_requester\_name) | Provide a descriptive name or label for the VPC Requester. This helps identify and differentiate the Requester VPC in the peering connection. | `string` | `""` | no | -| [vpc\_peering\_requester\_vpc\_id](#input\_vpc\_peering\_requester\_vpc\_id) | Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection. | `string` | `""` | no | -| [vpc\_peering\_requester\_vpc\_region](#input\_vpc\_peering\_requester\_vpc\_region) | Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering. | `string` | `""` | no | +| [vpc\_peering\_requester\_region](#input\_vpc\_peering\_requester\_region) | Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering. | `string` | `""` | no | ## Outputs diff --git a/modules/vpc_peering/main.tf b/modules/vpc_peering/main.tf index 62b36c7..2387a42 100644 --- a/modules/vpc_peering/main.tf +++ b/modules/vpc_peering/main.tf 
@@ -5,33 +5,33 @@ locals {
 provider "aws" {
 alias = "peer"
- region = var.vpc_peering_requester_vpc_region
+ region = var.vpc_peering_requester_region
 profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_requester_aws_profile : "default"
 }
 provider "aws" {
 alias = "accepter"
- region = var.vpc_peering_accepter_vpc_region
+ region = var.vpc_peering_accepter_region
 profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_aws_profile : "default"
 }
 data "aws_vpc" "accepter" {
- id = var.vpc_peering_accepter_vpc_id
+ id = var.vpc_peering_accepter_id
 provider = aws.accepter
 }
 data "aws_route_tables" "accepter" {
- vpc_id = var.vpc_peering_accepter_vpc_id
+ vpc_id = var.vpc_peering_accepter_id
 provider = aws.accepter
 }
 data "aws_vpc" "requester" {
- id = var.vpc_peering_requester_vpc_id
+ id = var.vpc_peering_requester_id
 provider = aws.peer
 }
 data "aws_route_tables" "requester" {
- vpc_id = var.vpc_peering_requester_vpc_id
+ vpc_id = var.vpc_peering_requester_id
 provider = aws.peer
 }
@@ -41,9 +41,9 @@ data "aws_caller_identity" "accepter" {
 resource "aws_vpc_peering_connection" "this" {
 count = var.vpc_peering_enabled ? 1 : 0
- vpc_id = var.vpc_peering_requester_vpc_id
- peer_vpc_id = var.vpc_peering_accepter_vpc_id
- peer_region = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_vpc_region : null
+ vpc_id = var.vpc_peering_requester_id
+ peer_vpc_id = var.vpc_peering_accepter_id
+ peer_region = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_region : null
 auto_accept = false
 peer_owner_id = var.vpc_peering_multi_account_enabled ? data.aws_caller_identity.accepter.id : null
 provider = aws.peer
diff --git a/modules/vpc_peering/variables.tf b/modules/vpc_peering/variables.tf
index 9639515..b3424f8 100644
--- a/modules/vpc_peering/variables.tf
+++ b/modules/vpc_peering/variables.tf
@@ -1,22 +1,22 @@
-variable "vpc_peering_accepter_vpc_id" {
+variable "vpc_peering_accepter_id" {
 type = string
 description = "Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection."
 default = ""
 }
-variable "vpc_peering_accepter_vpc_region" {
+variable "vpc_peering_accepter_region" {
 type = string
 description = "Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection."
 default = ""
 }
-variable "vpc_peering_requester_vpc_id" {
+variable "vpc_peering_requester_id" {
 type = string
 description = "Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection."
 default = ""
 }
-variable "vpc_peering_requester_vpc_region" {
+variable "vpc_peering_requester_region" {
 type = string
 description = "Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering."
 default = ""
diff --git a/modules/vpn/README.md b/modules/vpn/README.md
index ee3dbbb..8a3e54f 100644
--- a/modules/vpn/README.md
+++ b/modules/vpn/README.md
@@ -52,19 +52,19 @@ Refer [this](https://pritunl.com/) for more information. | [aws_ami.ubuntu_20_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_iam_policy.SSMManagedInstanceCore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy.SecretsManagerReadWrite](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [template_file.pritunl](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | Name of the AWS region where S3 bucket is to be created. | `string` | `""` | no | | [environment](#input\_environment) | Specify the environment indentifier for the VPC | `string` | `""` | no | | [name](#input\_name) | Specify the name of the VPC | `string` | `""` | no | -| [public\_subnet](#input\_public\_subnet) | The VPC Subnet ID to launch in | `string` | `""` | no | +| [public\_subnet\_ids](#input\_public\_subnet\_ids) | The VPC Subnet ID to launch in | `string` | `""` | no | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block of the Default VPC | `string` | `"10.0.0.0/16"` | no | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | `""` | no | -| [vpn\_key\_pair](#input\_vpn\_key\_pair) | Specify the name of AWS Keypair to be used for VPN Server | `string` | `""` | no | +| [vpn\_key\_pair\_name](#input\_vpn\_key\_pair\_name) | Specify the name of AWS Keypair to be used for VPN Server | `string` | `""` | no | | [vpn\_server\_instance\_type](#input\_vpn\_server\_instance\_type) | EC2 instance Type for VPN Server, Only amd64 based instance type are supported 
eg. t2.medium, t3.micro, c5a.large etc. | `string` | `"t3a.small"` | no | ## Outputs diff --git a/modules/vpn/main.tf b/modules/vpn/main.tf index 3a7af8a..813d7fd 100644 --- a/modules/vpn/main.tf +++ b/modules/vpn/main.tf @@ -79,16 +79,14 @@ data "template_file" "pritunl" { template = file("${path.module}/scripts/pritunl-vpn.sh") } -data "aws_region" "current" {} - module "vpn_server" { source = "terraform-aws-modules/ec2-instance/aws" version = "5.6.0" name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance") ami = data.aws_ami.ubuntu_20_ami.image_id instance_type = var.vpn_server_instance_type - subnet_id = var.public_subnet - key_name = var.vpn_key_pair + subnet_id = var.public_subnet_ids + key_name = var.vpn_key_pair_name associate_public_ip_address = true vpc_security_group_ids = [module.security_group_vpn.security_group_id] user_data = join("", data.template_file.pritunl[*].rendered) @@ -195,7 +193,7 @@ resource "aws_ssm_document" "vpn_ssm_document" { "PASSWORD=$(sudo pritunl default-password | grep password | awk '{ print $2 }' | tail -n1)", "sleep 60", "VPN_HOST=${aws_eip.vpn.public_ip}", - "aws secretsmanager create-secret --region ${data.aws_region.current.name} --name ${var.environment}-${var.name}-vpnp --secret-string \"{\\\"user\\\": \\\"pritunl\\\", \\\"password\\\": $PASSWORD, \\\"setup-key\\\": \\\"$SETUPKEY\\\", \\\"vpn_host\\\": \\\"$VPN_HOST\\\"}\"" + "aws secretsmanager create-secret --region ${var.aws_region} --name ${var.environment}-${var.name}-vpnp --secret-string \"{\\\"user\\\": \\\"pritunl\\\", \\\"password\\\": $PASSWORD, \\\"setup-key\\\": \\\"$SETUPKEY\\\", \\\"vpn_host\\\": \\\"$VPN_HOST\\\"}\"" ] } } @@ -208,7 +206,7 @@ resource "null_resource" "vpn_delete_secret" { triggers = { environment = var.environment name = var.name - region = data.aws_region.current.name + region = var.aws_region } provisioner "local-exec" { when = destroy 
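Review bot: Replacing `data.aws_region.current.name` with `var.aws_region` in the `aws secretsmanager create-secret --region ${var.aws_region}` command (hunk `@@ -195,7 +193,7 @@`) interpolates an empty region whenever the caller leaves the new variable at its `default = ""`, where the removed data source previously took the region from the provider. The CLI then sees `--region --name …` and rejects the command, so the SSM document fails when it runs rather than at plan time. The same variable goes into the `triggers` block of the `@@ -208,7 +206,7 @@` hunk, so changing it later would, as far as I can tell, replace the `null_resource` and fire its destroy-time provisioner. Either keep the data source as a fallback, `region = var.aws_region != "" ? var.aws_region : data.aws_region.current.name`, or declare the variable without a default so Terraform requires it. The `aws_ssm_document` and `null_resource` bodies extend beyond their hunks.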
diff --git a/modules/vpn/variables.tf b/modules/vpn/variables.tf
index 8ca03c6..1350422 100644
--- a/modules/vpn/variables.tf
+++ b/modules/vpn/variables.tf
@@ -1,3 +1,8 @@
+variable "aws_region" {
+ description = "Name of the AWS region where S3 bucket is to be created."
+ default = ""
+ type = string
+}
 variable "vpn_server_instance_type" {
 description = "EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc. "
@@ -17,7 +22,7 @@ variable "name" {
 type = string
 }
-variable "public_subnet" {
+variable "public_subnet_ids" {
 description = "The VPC Subnet ID to launch in"
 default = ""
 type = string
@@ -35,7 +40,7 @@ variable "vpc_id" {
 type = string
 }
-variable "vpn_key_pair" {
+variable "vpn_key_pair_name" {
 description = "Specify the name of AWS Keypair to be used for VPN Server"
 default = ""
 type = string
diff --git a/providers.tf b/providers.tf
deleted file mode 100644
index 8bee283..0000000
--- a/providers.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-# provider "aws" {
-# region = local.aws_region
-# default_tags {
-# tags = local.additional_aws_tags
-# }
-# }
From 7f5d87ee1ef30a2b5df366db17912562edf2261d Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Fri, 5 Apr 2024 14:15:21 +0530
Subject: [PATCH 16/41] Update variables.tf
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index c9e617c..089c945 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,7 +3,7 @@ variable "additional_aws_tags" {
 description = "Additional tags to be applied to AWS resources"
 type = map(string)
 default = {}
-=======
+
 variable "additional_tags" {
 description = "Additional tags to be applied to AWS resources"
 type = map(string)
From 0db6178653cf4669cc4e4be049ee38621fe1f434 Mon Sep 17 00:00:00 2001
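Review bot: The description on the new `aws_region` variable, `Name of the AWS region where S3 bucket is to be created.`, does not describe this module, which creates no S3 bucket; it reads as copied from another module. Suggest `description = "AWS region the VPN server runs in; used for the Secrets Manager calls in the SSM document."` and, because the value ends up in a CLI `--region` argument, dropping `default = ""` so an unset region is caught at plan time. In the `@@ -17,7 +22,7 @@` hunk the renamed `public_subnet_ids` keeps `type = string` and the description `The VPC Subnet ID to launch in`, so the plural name promises a list the variable does not accept, and the root module in this series passes it `module.vpc.public_subnets[0]`. Either call it `public_subnet_id` or make it `type = list(string)` and pick the element inside the module; the README table in this series mirrors both descriptions and needs the same fix.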
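Review bot: Removing the stray `=======` merge marker leaves the `additional_aws_tags` block unclosed: after `default = {}` the new side has a blank line and then `variable "additional_tags" {` with no `}` in between, so this commit on its own does not parse. The closing brace only arrives in the following commit (`+}` in the next `Update variables.tf`); squashing the two keeps every commit in the series applyable. The start of the `additional_aws_tags` block is outside the hunk.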
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Fri, 5 Apr 2024 14:16:34 +0530
Subject: [PATCH 17/41] Update variables.tf
---
 variables.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/variables.tf b/variables.tf
index 089c945..26e78e8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,6 +3,7 @@ variable "additional_aws_tags" {
 description = "Additional tags to be applied to AWS resources"
 type = map(string)
 default = {}
+}
 variable "additional_tags" {
 description = "Additional tags to be applied to AWS resources"
From dcc438d50bc73eae21131279f85eb31f1c0b7ad0 Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Thu, 11 Apr 2024 09:14:45 +0530
Subject: [PATCH 18/41] Update main.tf
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 1351adf..ec95aa5 100644
--- a/main.tf
+++ b/main.tf
@@ -188,8 +188,8 @@ module "vpn_server" {
 vpc_id = module.vpc.vpc_id
 vpc_cidr = var.vpc_cidr
 environment = var.environment
- vpn_key_pair = var.vpn_server_key_pair_name
- public_subnet = module.vpc.public_subnets[0]
+ vpn_key_pair_name = var.vpn_server_key_pair_name
+ public_subnet_ids = module.vpc.public_subnets[0]
 vpn_server_instance_type = var.vpn_server_instance_type
 }
From e68791bf5399b887545439f66e43f45698b871f1 Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Thu, 18 Apr 2024 11:14:59 +0530
Subject: [PATCH 19/41] Update main.tf for security group for ecr api endpoint
---
 main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/main.tf b/main.tf
index ec95aa5..4d5de8f 100644
--- a/main.tf
+++ b/main.tf
@@ -302,6 +302,7 @@ resource "aws_vpc_endpoint" "private_ecr_api" { vpc_id = module.vpc.vpc_id subnet_ids = [module.vpc.private_subnets[count.index]] service_name = "com.amazonaws.${var.aws_region}.ecr.api" + security_group_ids = [aws_security_group.vpc_endpoints[0].id] vpc_endpoint_type = var.vpc_endpoint_type_ecr_api private_dns_enabled = true policy = < Date: Thu, 18 Apr 2024 13:51:29 +0530 Subject: [PATCH 20/41] Update main.tf --- main.tf | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 4d5de8f..ed6efdc 100644 --- a/main.tf +++ b/main.tf @@ -305,18 +305,27 @@ resource "aws_vpc_endpoint" "private_ecr_api" { security_group_ids = [aws_security_group.vpc_endpoints[0].id] vpc_endpoint_type = var.vpc_endpoint_type_ecr_api private_dns_enabled = true - policy = < Date: Thu, 18 Apr 2024 14:14:09 +0530 Subject: [PATCH 21/41] Update variables.tf --- variables.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/variables.tf b/variables.tf index 26e78e8..e2b2848 100644 --- a/variables.tf +++ b/variables.tf @@ -402,3 +402,8 @@ variable "vpc_default_security_group_egress" { type = list(map(string)) default = [] } + +variable "worker_iam_role_name" { + description = "Name of the worker IAM role" + default = "" +} From 740128afe751d059869f1cf96eb2777a330d9e0e Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Thu, 18 Apr 2024 14:14:52 +0530 Subject: [PATCH 22/41] Update main.tf --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ed6efdc..f2f35ac 100644 --- a/main.tf +++ b/main.tf @@ -312,7 +312,7 @@ resource "aws_vpc_endpoint" "private_ecr_api" { { "Sid": "AllowPull", "Principal": { - "AWS": "arn:aws:iam::${var.aws_account_id}:role/${module.eks.worker_iam_role_name}" + "AWS": "arn:aws:iam::${var.aws_account_id}:role/${var.worker_iam_role_name}" }, "Action": [ "ecr:BatchGetImage", 
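Review bot: The new `worker_iam_role_name` variable (hunk `@@ -402,3 +402,8 @@` of the `Update variables.tf` commit) declares no `type` and defaults to `""`, while the following `Update main.tf` commit (hunk `@@ -312,7 +312,7 @@`) interpolates it into the endpoint policy principal `arn:aws:iam::${var.aws_account_id}:role/${var.worker_iam_role_name}`. With the default the principal becomes `…:role/` with no role name, which is not a valid principal, so the endpoint policy is rejected at apply time instead of being flagged at plan time. Add `type = string` and either drop the default or add a `validation` block that requires a non-empty value. The same principal string is reused when the policy is rewritten with `jsonencode` later in the series, so fixing the variable covers both.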
From 99eff278f16b75c3d0dcf794589d3622930e22fc Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Thu, 18 Apr 2024 14:51:52 +0530 Subject: [PATCH 23/41] Update main.tf --- main.tf | 47 +++++++++++++++++++++++------------------------ 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/main.tf b/main.tf index f2f35ac..cb958a7 100644 --- a/main.tf +++ b/main.tf @@ -293,38 +293,37 @@ POLICY Name = "${var.environment}-${var.name}-ecr-dkr-endpoint" } } +data "aws_iam_policy_document" "private_ecr_api" { + statement { + effect = "Deny" + actions = ["*"] + resources = ["*"] + + principals { + type = "*" + identifiers = ["*"] + } + + condition { + test = "StringNotEquals" + variable = "aws:SourceVpc" + values = [module.vpc.vpc_id] + } + } +} # private links for ECR.api resource "aws_vpc_endpoint" "private_ecr_api" { count = var.vpc_ecr_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id - subnet_ids = [module.vpc.private_subnets[count.index]] - service_name = "com.amazonaws.${var.aws_region}.ecr.api" - security_group_ids = [aws_security_group.vpc_endpoints[0].id] - vpc_endpoint_type = var.vpc_endpoint_type_ecr_api + subnet_ids = module.vpc.private_subnets + service_name = "com.amazonaws.${var.region}.ecr.api" + vpc_endpoint_type = "Interface" private_dns_enabled = true - - policy = < Date: Thu, 18 Apr 2024 15:04:35 +0530 Subject: [PATCH 24/41] Update main.tf --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index cb958a7..d91a546 100644 --- a/main.tf +++ b/main.tf 
@@ -318,8 +318,8 @@ resource "aws_vpc_endpoint" "private_ecr_api" {
 count = var.vpc_ecr_endpoint_enabled ? 1 : 0
 depends_on = [data.aws_route_tables.aws_private_routes]
 vpc_id = module.vpc.vpc_id
- subnet_ids = module.vpc.private_subnets
- service_name = "com.amazonaws.${var.region}.ecr.api"
+ subnet_ids = [module.vpc.vpc_private_subnets[count.index]]
+ service_name = "com.amazonaws.${var.aws_region}.ecr.api"
 vpc_endpoint_type = "Interface"
 private_dns_enabled = true
 policy = data.aws_iam_policy_document.private_ecr_api.json
From 42d1cb0577035ac3f19ecb1375c49de97726bf29 Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Thu, 18 Apr 2024 15:07:17 +0530
Subject: [PATCH 25/41] Update main.tf
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index d91a546..00801a2 100644
--- a/main.tf
+++ b/main.tf
@@ -273,7 +273,7 @@ resource "aws_vpc_endpoint" "private_ecr_dkr" {
 depends_on = [data.aws_route_tables.aws_private_routes]
 vpc_id = module.vpc.vpc_id
 service_name = "com.amazonaws.${var.aws_region}.ecr.dkr"
- subnet_ids = [module.vpc.private_subnets[count.index]]
+ subnet_ids = module.vpc.private_subnets
 security_group_ids = [aws_security_group.vpc_endpoints[0].id]
 vpc_endpoint_type = var.vpc_endpoint_type_ecr_dkr
 private_dns_enabled = true
From 5d60b41b41ae55643bd11bf63ba9cae51bb7a5ca Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Thu, 18 Apr 2024 15:09:21 +0530
Subject: [PATCH 26/41] Update main.tf
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 00801a2..9e168a7 100644
--- a/main.tf
+++ b/main.tf
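Review bot: `subnet_ids = [module.vpc.vpc_private_subnets[count.index]]` references an output named `vpc_private_subnets`, whereas every other reference to the VPC module in this series, including the `private_ecr_dkr` hunk in the very next commit, uses `module.vpc.private_subnets`; unless the module exposes both names this fails at plan time. With `count = var.vpc_ecr_endpoint_enabled ? 1 : 0`, `[count.index]` also selects only the first private subnet, so the interface endpoint lands in a single Availability Zone. Both points are reversed two commits later, so squashing those into this one would leave the series bisectable; the `private_ecr_api` block continues beyond the hunk.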
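Review bot: `subnet_ids = module.vpc.private_subnets` on the `private_ecr_dkr` endpoint hands every private subnet to an interface endpoint, but an interface endpoint accepts at most one subnet per Availability Zone; if the VPC module emits more than one private subnet in an AZ (secondary-CIDR subnets, which this repository's locals appear to lay out per AZ, would do that), the apply fails with a duplicate-subnet error. Selecting one subnet per AZ, for example via a map keyed on subnet AZ or a dedicated `vpc_endpoint_subnet_ids` variable, keeps the multi-AZ intent without that failure mode. The later `Update main.tf` hunk `@@ -318,7 +318,7 @@` makes the same change for `private_ecr_api` and needs the same treatment; the `private_ecr_dkr` block continues beyond the hunk.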
@@ -318,7 +318,7 @@ resource "aws_vpc_endpoint" "private_ecr_api" {
 count = var.vpc_ecr_endpoint_enabled ? 1 : 0
 depends_on = [data.aws_route_tables.aws_private_routes]
 vpc_id = module.vpc.vpc_id
- subnet_ids = [module.vpc.vpc_private_subnets[count.index]]
+ subnet_ids = module.vpc.private_subnets
 service_name = "com.amazonaws.${var.aws_region}.ecr.api"
 vpc_endpoint_type = "Interface"
 private_dns_enabled = true
From 5717f70343460f30be13c23d3852a4698d6122b6 Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Thu, 18 Apr 2024 15:32:11 +0530
Subject: [PATCH 27/41] Update main.tf
---
 main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/main.tf b/main.tf
index 9e168a7..98c932b 100644
--- a/main.tf
+++ b/main.tf
@@ -320,6 +320,7 @@ resource "aws_vpc_endpoint" "private_ecr_api" {
 vpc_id = module.vpc.vpc_id
 subnet_ids = module.vpc.private_subnets
 service_name = "com.amazonaws.${var.aws_region}.ecr.api"
+ security_group_ids = [aws_security_group.vpc_endpoints[0].id]
 vpc_endpoint_type = "Interface"
 private_dns_enabled = true
 policy = data.aws_iam_policy_document.private_ecr_api.json
From fa17483a11f3a2c6ad0303e0d39ac460d46b238e Mon Sep 17 00:00:00 2001
From: rachit89 <115970922+rachit89@users.noreply.github.com>
Date: Thu, 18 Apr 2024 17:03:30 +0530
Subject: [PATCH 28/41] Update main.tf
---
 main.tf | 37 +++++++++++++++++--------------------
 1 file changed, 17 insertions(+), 20 deletions(-)
diff --git a/main.tf b/main.tf
index 98c932b..e9c0822 100644
--- a/main.tf
+++ b/main.tf
@@ -293,25 +293,7 @@ POLICY
 Name = "${var.environment}-${var.name}-ecr-dkr-endpoint"
 }
 }
-data "aws_iam_policy_document" "private_ecr_api" {
- statement {
- effect = "Deny"
- actions = ["*"]
- resources = ["*"]
-
- principals {
- type = "*"
- identifiers = ["*"]
- }
-
- condition {
- test = "StringNotEquals"
- variable = "aws:SourceVpc"
- values = [module.vpc.vpc_id]
- }
- }
-}
 # private links for ECR.api
 resource "aws_vpc_endpoint" "private_ecr_api" {
@@ -323,8 +305,23 @@ resource "aws_vpc_endpoint" "private_ecr_api" {
 security_group_ids = [aws_security_group.vpc_endpoints[0].id]
 vpc_endpoint_type = "Interface"
 private_dns_enabled = true
- policy = data.aws_iam_policy_document.private_ecr_api.json
-
+
+ policy = jsonencode({
+ "Statement": [
+ {
+ "Principal": {
+ "AWS": "arn:aws:iam::${var.aws_account_id}:role/${var.worker_iam_role_name}"
+ },
+ "Action": [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetAuthorizationToken"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+ })
 tags = {
 Name = "${var.environment}-${var.name}-ecr-api-endpoint"
From 74a1c5c808bf2e22ded7dc5089791dabc7827d10 Mon Sep 17 00:00:00 2001
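Review bot: The `jsonencode` policy has no `"Version"` key, so IAM evaluates it under the 2008-10-17 policy language; add `"Version": "2012-10-17",` ahead of `"Statement"`. The only statement allows a single principal, `arn:aws:iam::${var.aws_account_id}:role/${var.worker_iam_role_name}`, and, as I read endpoint policies, every other principal in the VPC that pulls from ECR through this endpoint (the VPN instance, CI runners, anything not running as that role) is now denied, while an empty `worker_iam_role_name` turns the principal into `…:role/`, which is rejected at apply. If the single-role scope is intended, a comment on the resource saying so would help the next maintainer; otherwise a `list(string)` of allowed role ARNs is a safer input than one role name. `ecr:BatchCheckLayerAvailability`, which AWS's read-only ECR managed policy grants, is absent from the action list, so confirm against the workloads that will use this endpoint that no pull path needs it. The `tags` block at the end of the hunk continues outside it.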
From: rachit89 Date: Mon, 22 Apr 2024 11:29:30 +0530 Subject: [PATCH 29/41] Updated --- .gitignore | 0 .pre-commit-config.yaml | 0 .tflint.hcl | 0 IAM.md | 0 LICENSE | 0 README.md | 0 compliance.md | 0 examples/complete-vpc-with-vpn/README.md | 0 examples/complete-vpc-with-vpn/main.tf | 0 examples/complete-vpc-with-vpn/outputs.tf | 0 examples/complete-vpc-with-vpn/providers.tf | 0 examples/ipam-managed-vpc/README.md | 0 examples/ipam-managed-vpc/main.tf | 0 examples/ipam-managed-vpc/output.tf | 0 examples/ipam-managed-vpc/providers.tf | 0 examples/multi-account-vpc-peering/main.tf | 0 examples/multi-account-vpc-peering/output.tf | 0 examples/multi-account-vpc-peering/provider.tf | 0 examples/simple-vpc/README.md | 0 examples/simple-vpc/main.tf | 0 examples/simple-vpc/output.tf | 0 examples/simple-vpc/providers.tf | 0 examples/vpc-dualstack/README.md | 0 examples/vpc-dualstack/main.tf | 0 examples/vpc-dualstack/outputs.tf | 0 examples/vpc-dualstack/providers.tf | 0 examples/vpc-native-ipv6/README.md | 0 examples/vpc-native-ipv6/main.tf | 0 examples/vpc-native-ipv6/outputs.tf | 0 examples/vpc-native-ipv6/providers.tf | 0 examples/vpc-with-peering/README.md | 0 examples/vpc-with-peering/main.tf | 0 examples/vpc-with-peering/output.tf | 0 examples/vpc-with-peering/provider.tf | 0 examples/vpc-with-peering/vpc-requester-accepter/main.tf | 0 examples/vpc-with-peering/vpc-requester-accepter/providers.tf | 0 examples/vpc-with-private-subnet/README.md | 0 examples/vpc-with-private-subnet/main.tf | 0 examples/vpc-with-private-subnet/outputs.tf | 0 examples/vpc-with-private-subnet/providers.tf | 0 examples/vpc-with-secondary-cidr/README.md | 0 examples/vpc-with-secondary-cidr/main.tf | 0 examples/vpc-with-secondary-cidr/outputs.tf | 0 examples/vpc-with-secondary-cidr/providers.tf | 0 main.tf | 0 modules/vpc_peering/README.md | 0 modules/vpc_peering/main.tf | 0 modules/vpc_peering/outputs.tf | 0 modules/vpc_peering/variables.tf | 0 modules/vpc_peering/versions.tf | 0 
modules/vpn/README.md | 0 modules/vpn/main.tf | 0 modules/vpn/outputs.tf | 0 modules/vpn/scripts/pritunl-vpn.sh | 0 modules/vpn/variables.tf | 0 modules/vpn/versions.tf | 0 outputs.tf | 0 providers.tf | 0 tfsec.yaml | 0 variables.tf | 0 versions.tf | 0 61 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 .gitignore mode change 100644 => 100755 .pre-commit-config.yaml mode change 100644 => 100755 .tflint.hcl mode change 100644 => 100755 IAM.md mode change 100644 => 100755 LICENSE mode change 100644 => 100755 README.md mode change 100644 => 100755 compliance.md mode change 100644 => 100755 examples/complete-vpc-with-vpn/README.md mode change 100644 => 100755 examples/complete-vpc-with-vpn/main.tf mode change 100644 => 100755 examples/complete-vpc-with-vpn/outputs.tf mode change 100644 => 100755 examples/complete-vpc-with-vpn/providers.tf mode change 100644 => 100755 examples/ipam-managed-vpc/README.md mode change 100644 => 100755 examples/ipam-managed-vpc/main.tf mode change 100644 => 100755 examples/ipam-managed-vpc/output.tf mode change 100644 => 100755 examples/ipam-managed-vpc/providers.tf mode change 100644 => 100755 examples/multi-account-vpc-peering/main.tf mode change 100644 => 100755 examples/multi-account-vpc-peering/output.tf mode change 100644 => 100755 examples/multi-account-vpc-peering/provider.tf mode change 100644 => 100755 examples/simple-vpc/README.md mode change 100644 => 100755 examples/simple-vpc/main.tf mode change 100644 => 100755 examples/simple-vpc/output.tf mode change 100644 => 100755 examples/simple-vpc/providers.tf mode change 100644 => 100755 examples/vpc-dualstack/README.md mode change 100644 => 100755 examples/vpc-dualstack/main.tf mode change 100644 => 100755 examples/vpc-dualstack/outputs.tf mode change 100644 => 100755 examples/vpc-dualstack/providers.tf mode change 100644 => 100755 examples/vpc-native-ipv6/README.md mode change 100644 => 100755 examples/vpc-native-ipv6/main.tf mode change 100644 => 100755 
examples/vpc-native-ipv6/outputs.tf mode change 100644 => 100755 examples/vpc-native-ipv6/providers.tf mode change 100644 => 100755 examples/vpc-with-peering/README.md mode change 100644 => 100755 examples/vpc-with-peering/main.tf mode change 100644 => 100755 examples/vpc-with-peering/output.tf mode change 100644 => 100755 examples/vpc-with-peering/provider.tf mode change 100644 => 100755 examples/vpc-with-peering/vpc-requester-accepter/main.tf mode change 100644 => 100755 examples/vpc-with-peering/vpc-requester-accepter/providers.tf mode change 100644 => 100755 examples/vpc-with-private-subnet/README.md mode change 100644 => 100755 examples/vpc-with-private-subnet/main.tf mode change 100644 => 100755 examples/vpc-with-private-subnet/outputs.tf mode change 100644 => 100755 examples/vpc-with-private-subnet/providers.tf mode change 100644 => 100755 examples/vpc-with-secondary-cidr/README.md mode change 100644 => 100755 examples/vpc-with-secondary-cidr/main.tf mode change 100644 => 100755 examples/vpc-with-secondary-cidr/outputs.tf mode change 100644 => 100755 examples/vpc-with-secondary-cidr/providers.tf mode change 100644 => 100755 main.tf mode change 100644 => 100755 modules/vpc_peering/README.md mode change 100644 => 100755 modules/vpc_peering/main.tf mode change 100644 => 100755 modules/vpc_peering/outputs.tf mode change 100644 => 100755 modules/vpc_peering/variables.tf mode change 100644 => 100755 modules/vpc_peering/versions.tf mode change 100644 => 100755 modules/vpn/README.md mode change 100644 => 100755 modules/vpn/main.tf mode change 100644 => 100755 modules/vpn/outputs.tf mode change 100644 => 100755 modules/vpn/scripts/pritunl-vpn.sh mode change 100644 => 100755 modules/vpn/variables.tf mode change 100644 => 100755 modules/vpn/versions.tf mode change 100644 => 100755 outputs.tf mode change 100644 => 100755 providers.tf mode change 100644 => 100755 tfsec.yaml mode change 100644 => 100755 variables.tf mode change 100644 => 100755 versions.tf 
diff --git a/.gitignore b/.gitignore old mode 100644 new mode 100755 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml old mode 100644 new mode 100755 diff --git a/.tflint.hcl b/.tflint.hcl old mode 100644 new mode 100755 diff --git a/IAM.md b/IAM.md old mode 100644 new mode 100755 diff --git a/LICENSE b/LICENSE old mode 100644 new mode 100755 diff --git a/README.md b/README.md old mode 100644 new mode 100755 diff --git a/compliance.md b/compliance.md old mode 100644 new mode 100755 diff --git a/examples/complete-vpc-with-vpn/README.md b/examples/complete-vpc-with-vpn/README.md old mode 100644 new mode 100755 diff --git a/examples/complete-vpc-with-vpn/main.tf b/examples/complete-vpc-with-vpn/main.tf old mode 100644 new mode 100755 diff --git a/examples/complete-vpc-with-vpn/outputs.tf b/examples/complete-vpc-with-vpn/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/complete-vpc-with-vpn/providers.tf b/examples/complete-vpc-with-vpn/providers.tf old mode 100644 new mode 100755 diff --git a/examples/ipam-managed-vpc/README.md b/examples/ipam-managed-vpc/README.md old mode 100644 new mode 100755 diff --git a/examples/ipam-managed-vpc/main.tf b/examples/ipam-managed-vpc/main.tf old mode 100644 new mode 100755 diff --git a/examples/ipam-managed-vpc/output.tf b/examples/ipam-managed-vpc/output.tf old mode 100644 new mode 100755 diff --git a/examples/ipam-managed-vpc/providers.tf b/examples/ipam-managed-vpc/providers.tf old mode 100644 new mode 100755 diff --git a/examples/multi-account-vpc-peering/main.tf b/examples/multi-account-vpc-peering/main.tf old mode 100644 new mode 100755 diff --git a/examples/multi-account-vpc-peering/output.tf b/examples/multi-account-vpc-peering/output.tf old mode 100644 new mode 100755 diff --git a/examples/multi-account-vpc-peering/provider.tf b/examples/multi-account-vpc-peering/provider.tf old mode 100644 new mode 100755 
diff --git a/examples/simple-vpc/README.md b/examples/simple-vpc/README.md old mode 100644 new mode 100755 diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf old mode 100644 new mode 100755 diff --git a/examples/simple-vpc/output.tf b/examples/simple-vpc/output.tf old mode 100644 new mode 100755 diff --git a/examples/simple-vpc/providers.tf b/examples/simple-vpc/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-dualstack/README.md b/examples/vpc-dualstack/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-dualstack/main.tf b/examples/vpc-dualstack/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-dualstack/outputs.tf b/examples/vpc-dualstack/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-dualstack/providers.tf b/examples/vpc-dualstack/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-native-ipv6/README.md b/examples/vpc-native-ipv6/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-native-ipv6/main.tf b/examples/vpc-native-ipv6/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-native-ipv6/outputs.tf b/examples/vpc-native-ipv6/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-native-ipv6/providers.tf b/examples/vpc-native-ipv6/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/README.md b/examples/vpc-with-peering/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/main.tf b/examples/vpc-with-peering/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/output.tf b/examples/vpc-with-peering/output.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/provider.tf b/examples/vpc-with-peering/provider.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/vpc-requester-accepter/main.tf b/examples/vpc-with-peering/vpc-requester-accepter/main.tf old mode 100644 new mode 100755 
diff --git a/examples/vpc-with-peering/vpc-requester-accepter/providers.tf b/examples/vpc-with-peering/vpc-requester-accepter/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-private-subnet/README.md b/examples/vpc-with-private-subnet/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-with-private-subnet/main.tf b/examples/vpc-with-private-subnet/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-private-subnet/outputs.tf b/examples/vpc-with-private-subnet/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-private-subnet/providers.tf b/examples/vpc-with-private-subnet/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-secondary-cidr/README.md b/examples/vpc-with-secondary-cidr/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-with-secondary-cidr/main.tf b/examples/vpc-with-secondary-cidr/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-secondary-cidr/outputs.tf b/examples/vpc-with-secondary-cidr/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-secondary-cidr/providers.tf b/examples/vpc-with-secondary-cidr/providers.tf old mode 100644 new mode 100755 diff --git a/main.tf b/main.tf old mode 100644 new mode 100755 diff --git a/modules/vpc_peering/README.md b/modules/vpc_peering/README.md old mode 100644 new mode 100755 diff --git a/modules/vpc_peering/main.tf b/modules/vpc_peering/main.tf old mode 100644 new mode 100755 diff --git a/modules/vpc_peering/outputs.tf b/modules/vpc_peering/outputs.tf old mode 100644 new mode 100755 diff --git a/modules/vpc_peering/variables.tf b/modules/vpc_peering/variables.tf old mode 100644 new mode 100755 diff --git a/modules/vpc_peering/versions.tf b/modules/vpc_peering/versions.tf old mode 100644 new mode 100755 diff --git a/modules/vpn/README.md b/modules/vpn/README.md old mode 100644 new mode 100755 
diff --git a/modules/vpn/main.tf b/modules/vpn/main.tf old mode 100644 new mode 100755 diff --git a/modules/vpn/outputs.tf b/modules/vpn/outputs.tf old mode 100644 new mode 100755 diff --git a/modules/vpn/scripts/pritunl-vpn.sh b/modules/vpn/scripts/pritunl-vpn.sh old mode 100644 new mode 100755 diff --git a/modules/vpn/variables.tf b/modules/vpn/variables.tf old mode 100644 new mode 100755 diff --git a/modules/vpn/versions.tf b/modules/vpn/versions.tf old mode 100644 new mode 100755 diff --git a/outputs.tf b/outputs.tf old mode 100644 new mode 100755 diff --git a/providers.tf b/providers.tf old mode 100644 new mode 100755 diff --git a/tfsec.yaml b/tfsec.yaml old mode 100644 new mode 100755 diff --git a/variables.tf b/variables.tf old mode 100644 new mode 100755 diff --git a/versions.tf b/versions.tf old mode 100644 new mode 100755 From 520760bb743d12bf34a14983324d85394d37c080 Mon Sep 17 00:00:00 2001 From: rachit89 Date: Mon, 22 Apr 2024 13:53:41 +0530 Subject: [PATCH 30/41] Updated provider.tf for variable. --- examples/vpc-with-peering/provider.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vpc-with-peering/provider.tf b/examples/vpc-with-peering/provider.tf index 369af88..a60af51 100755 --- a/examples/vpc-with-peering/provider.tf +++ b/examples/vpc-with-peering/provider.tf @@ -1,5 +1,5 @@ provider "aws" { - region = local.region + region = local.accepter_region default_tags { tags = local.additional_tags } From 34602e057f5e4c2785df4b60477200108ea68b06 Mon Sep 17 00:00:00 2001 From: rachit89 Date: Mon, 22 Apr 2024 14:05:37 +0530 Subject: [PATCH 31/41] updated --- variables.tf | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/variables.tf b/variables.tf index b172267..ff9bff7 100755 --- a/variables.tf +++ b/variables.tf 
@@ -34,36 +34,30 @@ variable "vpc_cidr" { type = string } -variable "vpc_availability_zones" { - description = "Number of Availability Zone to be used by VPC Subnets." variable "vpc_availability_zones" { description = "Number of Availability Zone to be used by VPC Subnets." default = [] type = list(any) } -variable "vpc_public_subnet_enabled" { variable "vpc_public_subnet_enabled" { description = "Set true to enable public subnets" default = false type = bool } -variable "vpc_public_subnet_cidrs" { variable "vpc_public_subnet_cidrs" { description = "A list of public subnets CIDR to be created inside the VPC" default = [] type = list(any) } -variable "vpc_private_subnet_enabled" { variable "vpc_private_subnet_enabled" { description = "Set true to enable private subnets" default = false type = bool } -variable "vpc_private_subnet_cidrs" { variable "vpc_private_subnet_cidrs" { description = "A list of private subnets CIDR to be created inside the VPC" default = [] @@ -82,14 +76,12 @@ variable "vpc_database_subnet_cidrs" { type = list(any) } -variable "vpc_intra_subnet_enabled" { variable "vpc_intra_subnet_enabled" { description = "Set true to enable intra subnets" default = false type = bool } -variable "vpc_intra_subnet_cidrs" { variable "vpc_intra_subnet_cidrs" { description = "A list of intra subnets CIDR to be created" default = [] 
@@ -154,28 +146,24 @@ variable "default_network_acl_ingress" { ] } -variable "vpc_one_nat_gateway_per_az" { variable "vpc_one_nat_gateway_per_az" { description = "Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier" default = false type = bool } -variable "vpc_flow_log_enabled" { variable "vpc_flow_log_enabled" { description = "Whether or not to enable VPC Flow Logs" type = bool default = false } -variable "vpc_flow_log_cloudwatch_log_group_retention_in_days" { variable "vpc_flow_log_cloudwatch_log_group_retention_in_days" { description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs." type = number default = null } -variable "vpc_flow_log_max_aggregation_interval" { variable "vpc_flow_log_max_aggregation_interval" { description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds." type = number @@ -242,7 +230,6 @@ variable "secondry_cidr_enabled" { type = bool } -variable "database_subnet_group_enabled" { variable "database_subnet_group_enabled" { description = "Whether create database subnet groups" default = false @@ -279,7 +266,6 @@ variable "existing_ipam_managed_cidr" { type = string } -variable "vpc_flow_log_cloudwatch_log_group_skip_destroy" { variable "vpc_flow_log_cloudwatch_log_group_skip_destroy" { description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state" type = bool From 20a6df87f1f1f9a245c429ce29129d31a5138d52 Mon Sep 17 00:00:00 2001 From: rachit89 Date: Mon, 22 Apr 2024 14:07:23 +0530 Subject: [PATCH 32/41] updated --- providers.tf | 6 ------ 1 file changed, 6 deletions(-) delete mode 100755 providers.tf diff --git a/providers.tf b/providers.tf deleted file mode 100755 index 8bee283..0000000 --- a/providers.tf +++ /dev/null 
@@ -1,6 +0,0 @@ -# provider "aws" { -# region = local.aws_region -# default_tags { -# tags = local.additional_aws_tags -# } -# } From 19d358ebc6af18609141ae6cde5d0edc7cfaf470 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Mon, 22 Apr 2024 17:39:28 +0530 Subject: [PATCH 33/41] Update main.tf --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 76522a9..fcee12d 100755 --- a/main.tf +++ b/main.tf @@ -70,7 +70,7 @@ module "vpc" { version = "5.2.0" name = format("%s-%s-vpc", var.environment, var.name) cidr = var.vpc_cidr # CIDR FOR VPC - azs = var.availability_zones + azs = var.vpc_availability_zones use_ipam_pool = var.ipam_enabled ? true : false ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : null ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null From 81143e91c2e714c9c3a674f87cec10f4ed702611 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Tue, 23 Apr 2024 10:05:13 +0530 Subject: [PATCH 34/41] Update main.tf --- main.tf | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/main.tf b/main.tf index 1351adf..11ec921 100755 --- a/main.tf +++ b/main.tf @@ -304,18 +304,23 @@ resource "aws_vpc_endpoint" "private_ecr_api" { service_name = "com.amazonaws.${var.aws_region}.ecr.api" vpc_endpoint_type = var.vpc_endpoint_type_ecr_api private_dns_enabled = true - policy = < Date: Tue, 23 Apr 2024 12:47:27 +0530 Subject: [PATCH 35/41] Update README.md --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a47a2d9..92eb989 100755 --- a/README.md +++ b/README.md 
@@ -1,8 +1,13 @@ # AWS Network Terraform module ![squareops_avatar] + + + + Shows an illustrated sun in light mode and a moon with stars in dark mode. + -[squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png +### [squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png ### [SquareOps Technologies](https://squareops.com/) Your DevOps Partner for Accelerating cloud journey. From 0aa1f05ed1603fb299cdc0ce20b6efb5e3024ad4 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Tue, 23 Apr 2024 12:49:12 +0530 Subject: [PATCH 36/41] Update README.md From 06000f295b913af31cddc62238c357e07d806b6c Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Tue, 23 Apr 2024 12:51:45 +0530 Subject: [PATCH 37/41] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 92eb989..f51afe0 100755 --- a/README.md +++ b/README.md @@ -4,10 +4,10 @@ - Shows an illustrated sun in light mode and a moon with stars in dark mode. + Shows an illustrated sun in light mode and a moon with stars in dark mode. -### [squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png +# [squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png ### [SquareOps Technologies](https://squareops.com/) Your DevOps Partner for Accelerating cloud journey. From 77ea3b9f8a232d22a0a244d7bf85d46c7ca95cae Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Tue, 23 Apr 2024 13:37:45 +0530 Subject: [PATCH 38/41] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f51afe0..265ee1e 100755 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ - Shows an illustrated sun in light mode and a moon with stars in dark mode. +Shows an illustrated sun in light mode and a moon with stars in dark mode. # [squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png From 95eb23ccc76ea19a04a83254d1812530d89f52b6 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Tue, 23 Apr 2024 13:56:16 +0530 Subject: [PATCH 39/41] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 265ee1e..d807679 100755 --- a/README.md +++ b/README.md @@ -1,14 +1,13 @@ # AWS Network Terraform module ![squareops_avatar] + -Shows an illustrated sun in light mode and a moon with stars in dark mode. + -# [squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png - ### [SquareOps Technologies](https://squareops.com/) Your DevOps Partner for Accelerating cloud journey.
From 2799dcada93f64b714c4fe2d517d217653893e44 Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Tue, 23 Apr 2024 17:08:22 +0530 Subject: [PATCH 40/41] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d807679..c44d6bc 100755 --- a/README.md +++ b/README.md @@ -3,9 +3,9 @@ ![squareops_avatar] - - - + + + ### [SquareOps Technologies](https://squareops.com/) Your DevOps Partner for Accelerating cloud journey. From 08d505b63022ea04be3b07255a5f4fb0fea517db Mon Sep 17 00:00:00 2001 From: rachit89 <115970922+rachit89@users.noreply.github.com> Date: Tue, 23 Apr 2024 17:21:51 +0530 Subject: [PATCH 41/41] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index c44d6bc..1e263ca 100755 --- a/README.md +++ b/README.md @@ -1,7 +1,5 @@ # AWS Network Terraform module -![squareops_avatar] -