initial commit of replacement infrastructure automation
[awsible] / infrastructure / modules / tf_aws_vpc / main.tf
1 resource "aws_vpc_dhcp_options" "default" {
2 count = "${var.enable_domain_name}"
3 domain_name = "ec2.internal ${var.r53_domain_name}"
4 domain_name_servers = ["AmazonProvidedDNS"]
5 tags {
6 Name = "${var.project}-${var.environment}-dhcp_options_set"
7 service = "${var.project}-${var.environment}-dhcp_options_set"
8 project = "${var.project}"
9 environment = "${var.environment}"
10 role = "dhcp_options_set"
11 }
12 }
13
14 resource "aws_vpc_dhcp_options_association" "default" {
15 count = "${var.enable_domain_name}"
16 vpc_id = "${aws_vpc.default.id}"
17 dhcp_options_id = "${aws_vpc_dhcp_options.default.id}"
18 }
19
20 resource "aws_vpc" "default" {
21 cidr_block = "${var.cidr}"
22 enable_dns_hostnames = "${var.enable_dns_hostnames}"
23 enable_dns_support = "${var.enable_dns_support}"
24 instance_tenancy = "default"
25 tags {
26 Name = "${var.project}-${var.environment}-vpc"
27 service = "${var.project}-${var.environment}-vpc"
28 project = "${var.project}"
29 environment = "${var.environment}"
30 role = "vpc"
31 }
32 }
33
34 resource "aws_internet_gateway" "default" {
35 vpc_id = "${aws_vpc.default.id}"
36 tags {
37 Name = "${var.project}-${var.environment}-igw"
38 service = "${var.project}-${var.environment}-igw"
39 project = "${var.project}"
40 environment = "${var.environment}"
41 role = "igw"
42 }
43 }
44
45 data "aws_vpc_peering_connection" "peer" {
46 count = "${length(var.peering_connection_ids)}"
47 id = "${element(var.peering_connection_ids, count.index)}"
48 }
49
50 resource "aws_default_route_table" "default" {
51 default_route_table_id = "${aws_vpc.default.default_route_table_id}"
52 }
53
54 resource "aws_route" "default_gateway" {
55 route_table_id = "${aws_default_route_table.default.id}"
56 destination_cidr_block = "0.0.0.0/0"
57 gateway_id = "${aws_internet_gateway.default.id}"
58 }
59
60 resource "aws_route" "default_peer" {
61 count = "${length(var.peering_connection_ids)}"
62 route_table_id = "${aws_default_route_table.default.id}"
63 destination_cidr_block = "${element(data.aws_vpc_peering_connection.peer.*.cidr_block, count.index)}"
64 vpc_peering_connection_id = "${element(data.aws_vpc_peering_connection.peer.*.id, count.index)}"
65 }
66
67 resource "aws_route_table" "public" {
68 vpc_id = "${aws_vpc.default.id}"
69 tags {
70 Name = "${var.project}-${var.environment}-public"
71 service = "${var.project}-${var.environment}-route-table"
72 project = "${var.project}"
73 environment = "${var.environment}"
74 role = "route-table"
75 }
76 }
77
78 resource "aws_route" "public_gateway" {
79 route_table_id = "${aws_route_table.public.id}"
80 destination_cidr_block = "0.0.0.0/0"
81 gateway_id = "${aws_internet_gateway.default.id}"
82 }
83
84 resource "aws_route" "public_peer" {
85 count = "${length(var.peering_connection_ids)}"
86 route_table_id = "${aws_route_table.public.id}"
87 destination_cidr_block = "${element(data.aws_vpc_peering_connection.peer.*.cidr_block, count.index)}"
88 vpc_peering_connection_id = "${element(data.aws_vpc_peering_connection.peer.*.id, count.index)}"
89 }
90
91 resource "aws_subnet" "public" {
92 count = "${length(var.public_azs)}"
93 vpc_id = "${aws_vpc.default.id}"
94 cidr_block = "${cidrsubnet(var.cidr, 8, count.index + var.subnets_offset_public)}"
95 availability_zone = "${element(var.public_azs, count.index)}"
96 tags {
97 Name = "${var.project}-${var.environment}-public-${element(var.public_azs, count.index)}"
98 project = "${var.project}"
99 environment = "${var.environment}"
100 service = "${var.project}-${var.environment}-subnet-public"
101 role = "subnet"
102 zone = "pub"
103 }
104 map_public_ip_on_launch = true
105 }
106
107 resource "aws_route_table_association" "public" {
108 count = "${length(var.public_azs)}"
109 subnet_id = "${element(aws_subnet.public.*.id, count.index)}"
110 route_table_id = "${element(aws_route_table.public.*.id, count.index)}"
111 }
112
113 resource "aws_subnet" "private" {
114 count = "${length(var.private_azs)}"
115 vpc_id = "${aws_vpc.default.id}"
116 cidr_block = "${cidrsubnet(var.cidr, 8, count.index + var.subnets_offset_private)}"
117 availability_zone = "${element(var.private_azs, count.index)}"
118 tags {
119 Name = "${var.project}-${var.environment}-private-${element(var.private_azs, count.index)}"
120 project = "${var.project}"
121 environment = "${var.environment}"
122 service = "${var.project}-${var.environment}-subnet-private"
123 role = "subnet"
124 zone = "priv"
125 }
126 map_public_ip_on_launch = false
127 }
128
129 resource "aws_route_table_association" "private" {
130 count = "${length(var.private_azs)}"
131 subnet_id = "${element(aws_subnet.private.*.id, count.index)}"
132 route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
133 }
134
135 resource "aws_route_table" "private" {
136 count = "${length(var.private_azs)}"
137 vpc_id = "${aws_vpc.default.id}"
138 tags {
139 Name = "${var.project}-${var.environment}-private${format("%02d", count.index + 1)}"
140 project = "${var.project}"
141 environment = "${var.environment}"
142 service = "${var.project}-${var.environment}-route-table-private"
143 role = "route-table"
144 }
145 }
146
147 resource "aws_route" "private_gateway" {
148 count = "${length(var.private_azs)}"
149 route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
150 destination_cidr_block = "0.0.0.0/0"
151 nat_gateway_id = "${element(aws_nat_gateway.default.*.id, count.index)}"
152 }
153
154 resource "aws_route" "private_peer" {
155 count = "${length(var.peering_connection_ids) * length(var.private_azs)}"
156 route_table_id = "${element(aws_route_table.private.*.id, count.index / length(var.private_azs))}"
157 destination_cidr_block = "${element(data.aws_vpc_peering_connection.peer.*.cidr_block, count.index % length(var.private_azs))}"
158 vpc_peering_connection_id = "${element(data.aws_vpc_peering_connection.peer.*.id, count.index % length(var.private_azs))}"
159 }
160
161 resource "aws_eip" "nat" {
162 count = "${length(var.private_azs)}"
163 vpc = true
164 }
165
166 resource "aws_nat_gateway" "default" {
167 count = "${length(var.private_azs)}"
168 allocation_id = "${element(aws_eip.nat.*.id, count.index)}"
169 subnet_id = "${element(aws_subnet.public.*.id, count.index)}"
170 }
171
172 data "aws_iam_policy_document" "base" {
173 statement {
174 sid = "aws-read"
175 resources = ["*"]
176 actions = [
177 "autoscaling:Describe*",
178 "cloudwatch:ListMetrics",
179 "cloudwatch:GetMetricsStatistics",
180 "cloudwatch:Describe*",
181 "ec2:Describe*",
182 "elasticloadbalancing:Describe*",
183 "logs:CreateLogGroup",
184 "logs:CreateLogStream",
185 "logs:Describe*",
186 "logs:PutLogEvents",
187 "logs:PutMetricFilter"
188 ]
189 }
190 }
191
192 resource "aws_iam_policy" "base" {
193 name = "base-policy"
194 path = "/"
195 description = "base-policy"
196 policy = "${data.aws_iam_policy_document.base.json}"
197 }
198
199 resource "aws_security_group" "general-access" {
200 name = "general-access"
201 description = "Allow all ICMP and intra-vpc SSH traffic"
202 vpc_id = "${aws_vpc.default.id}"
203 }
204
205 resource "aws_security_group_rule" "ga_out_all" {
206 security_group_id = "${aws_security_group.general-access.id}"
207 type = "egress"
208 from_port = 0
209 to_port = 0
210 protocol = "all"
211 cidr_blocks = ["0.0.0.0/0"]
212 lifecycle {
213 create_before_destroy = true
214 }
215 }
216
217 resource "aws_security_group_rule" "ga_in_icmp" {
218 security_group_id = "${aws_security_group.general-access.id}"
219 type = "ingress"
220 from_port = -1
221 to_port = -1
222 protocol = "icmp"
223 cidr_blocks = ["0.0.0.0/0"]
224 lifecycle {
225 create_before_destroy = true
226 }
227 }
228
229 resource "aws_security_group_rule" "ga_in_ssh" {
230 security_group_id = "${aws_security_group.general-access.id}"
231 type = "ingress"
232 from_port = 22
233 to_port = 22
234 protocol = "tcp"
235 cidr_blocks = ["${concat(list(var.cidr), var.ssh_allowed_cidr)}"]
236 lifecycle {
237 create_before_destroy = true
238 }
239 }
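Review bot: The index arithmetic in `aws_route.private_peer` (file lines 155–158) only distributes routes correctly when the number of peering connections equals the number of private AZs: with count = peers × AZs, `count.index / length(var.private_azs)` (integer division in the 0.11-style interpolation) spans only the first `peers` route tables and `count.index % length(var.private_azs)` picks the peer by AZ count, so with one peer and three AZs all three routes land on the first table while `element()` wraps silently instead of failing. Use the AZ count as the modulus for the table and as the divisor for the peer: `route_table_id = "${element(aws_route_table.private.*.id, count.index % length(var.private_azs))}"`, `destination_cidr_block = "${element(data.aws_vpc_peering_connection.peer.*.cidr_block, count.index / length(var.private_azs))}"`, and the same divisor for `vpc_peering_connection_id`. Separately, `"cloudwatch:GetMetricsStatistics"` in the base policy document is not an existing action name (the API is `GetMetricStatistics`), so that entry likely grants nothing and the caller will hit access errors. `ga_in_icmp` admits every ICMP type from `0.0.0.0/0` while the group's description speaks of intra-VPC access; if only in-VPC reachability checks are intended, `cidr_blocks = ["${var.cidr}"]` narrows it, and the hard-coded `name = "base-policy"` on the IAM policy will collide if the module is instantiated twice in one account.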