git.squeep.com Git - awsible/blob - infrastructure/modules/vpcaccess-stack/main.tf

   1 resource "aws_eip" "vpn" {
   2         count = 1
   3         vpc = true
   4 }
   5
   6 resource "aws_security_group" "vpn" {
   7         vpc_id = "${var.vpc_id}"
   8         name = "${var.name}-vpn"
   9         description = "Allow VPN traffic."
  10 }
  11
  12 resource "aws_security_group_rule" "vpn-out-all" {
  13         security_group_id = "${aws_security_group.vpn.id}"
  14         type = "egress"
  15         from_port = 0
  16         to_port = 0
  17         protocol = "all"
  18         cidr_blocks = ["0.0.0.0/0"]
  19 }
  20
  21 resource "aws_security_group_rule" "vpn-in-user" {
  22         security_group_id = "${aws_security_group.vpn.id}"
  23         type = "ingress"
  24         from_port = 1195
  25         to_port = 1195
  26         protocol = "tcp"
  27         cidr_blocks = ["0.0.0.0/0"]
  28 }
  29
  30 resource "aws_security_group_rule" "vpn-in-bridge" {
  31         security_group_id = "${aws_security_group.vpn.id}"
  32         type = "ingress"
  33         from_port = 1194
  34         to_port = 1194
  35         protocol = "udp"
  36         cidr_blocks = ["0.0.0.0/0"]
  37 }
  38
  39 resource "aws_security_group_rule" "vpn-in-bastion" {
  40         security_group_id = "${aws_security_group.vpn.id}"
  41         type = "ingress"
  42         from_port = 22
  43         to_port = 22
  44         protocol = "tcp"
  45         cidr_blocks = ["0.0.0.0/0"]
  46 }
  47
  48 resource "aws_elb" "default" {
  49         count = "${var.vpcaccess_elb}"
  50         name = "${var.name}-int-elb"
  51         subnets = ["${var.subnet_ids}"]
  52         internal = true
  53         listener {
  54                 lb_port = 22
  55                 lb_protocol = "tcp"
  56                 instance_port = 22
  57                 instance_protocol = "tcp"
  58         }
  59         health_check {
  60                 healthy_threshold = 3
  61                 unhealthy_threshold = 2
  62                 interval = 30
  63                 timeout = 5
  64                 target = "TCP:1195"
  65         }
  66         idle_timeout = 600
  67         tags {
  68                 module = "${var.name}"
  69                 phase = "${var.environment}"
  70         }
  71 }
  72
  73 module "asg-stack" {
  74         source = "../modules/tf_aws_asg_stack"
  75         vpc_id = "${var.vpc_id}"
  76         acct_name = "${var.acct_name}"
  77         notification_arns = ["${var.notification_arns}"]
  78         module = "${var.name}"
  79         phase = "${var.environment}"
  80         instance_type = "${var.instance_type}"
  81         key_name = "${var.key_name}"
  82         public_ips = true
  83         subnet_ids = ["${var.subnet_ids}"]
  84         iam_policy_arns = ["${var.role_policy_arns}"]
  85         security_group_ids = ["${concat(var.security_group_ids, list(aws_security_group.vpn.id))}"]
  86         max_size = 1
  87         min_size = 0
  88         iam_allow_actions = [
  89         "ec2:AssociateAddress",
  90                 "ec2:ModifyInstanceAttribute",
  91                 "ec2:ModifyNetworkInterfaceAttribute"
  92         ]
  93         elbs = ["${var.vpcaccess_elb ? aws_elb.default.id : ""}"]
  94 }