initial commit of replacement infrastructure automation
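--- /dev/null
+++ b/infrastructure/modules/vpcaccess-stack/main.tf
@@ -0,0 +1,94 @@
+resource "aws_eip" "vpn" {
+count = 1
+vpc = true
+}
+
+resource "aws_security_group" "vpn" {
+vpc_id = "${var.vpc_id}"
+name = "${var.name}-vpn"
+description = "Allow VPN traffic."
+}
+
+resource "aws_security_group_rule" "vpn-out-all" {
+security_group_id = "${aws_security_group.vpn.id}"
+type = "egress"
+from_port = 0
+to_port = 0
+protocol = "all"
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-user" {
+security_group_id = "${aws_security_group.vpn.id}"
+type = "ingress"
+from_port = 1195
+to_port = 1195
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-bridge" {
+security_group_id = "${aws_security_group.vpn.id}"
+type = "ingress"
+from_port = 1194
+to_port = 1194
+protocol = "udp"
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-bastion" {
+security_group_id = "${aws_security_group.vpn.id}"
+type = "ingress"
+from_port = 22
+to_port = 22
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_elb" "default" {
+count = "${var.vpcaccess_elb}"
+name = "${var.name}-int-elb"
+subnets = ["${var.subnet_ids}"]
+internal = true
+listener {
+lb_port = 22
+lb_protocol = "tcp"
+instance_port = 22
+instance_protocol = "tcp"
+}
+health_check {
+healthy_threshold = 3
+unhealthy_threshold = 2
+interval = 30
+timeout = 5
+target = "TCP:1195"
+}
+idle_timeout = 600
+tags {
+module = "${var.name}"
+phase = "${var.environment}"
+}
+}
+
+module "asg-stack" {
+source = "../modules/tf_aws_asg_stack"
+vpc_id = "${var.vpc_id}"
+acct_name = "${var.acct_name}"
+notification_arns = ["${var.notification_arns}"]
+module = "${var.name}"
+phase = "${var.environment}"
+instance_type = "${var.instance_type}"
+key_name = "${var.key_name}"
+public_ips = true
+subnet_ids = ["${var.subnet_ids}"]
+iam_policy_arns = ["${var.role_policy_arns}"]
+security_group_ids = ["${concat(var.security_group_ids, list(aws_security_group.vpn.id))}"]
+max_size = 1
+min_size = 0
+iam_allow_actions = [
+"ec2:AssociateAddress",
+"ec2:ModifyInstanceAttribute",
+"ec2:ModifyNetworkInterfaceAttribute"
+]
+elbs = ["${var.vpcaccess_elb ? aws_elb.default.id : ""}"]
+}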
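Review bot: The `vpn-in-bastion` rule (file lines 39–46) opens TCP/22 to `0.0.0.0/0`, so every instance that receives `aws_security_group.vpn` is SSH-reachable from the whole internet even though the stack already provisions an internal ELB on port 22 for in-VPC access. I would take the allowed source from a variable declared with the module's other inputs, e.g. `cidr_blocks = ["${var.ssh_cidr_blocks}"]` (placeholder name — declare it in the module's variables), and scope it to operator networks; the same consideration applies to the unrestricted egress rule `vpn-out-all`, while the VPN ports 1194/udp and 1195/tcp presumably need to stay public. Separately, the ELB health check targets `TCP:1195` although its listener forwards port 22, so an instance with the VPN daemon down but sshd up is marked unhealthy and the reverse passes — confirm that coupling is intended and record it with a comment on the `health_check` block, e.g. `# health-checked on the VPN port, not the forwarded SSH port`. The ternary in `elbs` (file line 93) also references `aws_elb.default.id` when `count` is 0; with older Terraform conditionals both branches were evaluated, so this may fail at plan time when `vpcaccess_elb` is false.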