initial commit of replacement infrastructure automation
diff --git a/infrastructure/modules/vpcaccess-stack/main.tf b/infrastructure/modules/vpcaccess-stack/main.tf
new file mode 100644 (file)
index 0000000..30f4375
--- /dev/null
@@ -0,0 +1,94 @@
+resource "aws_eip" "vpn" {
+       count = 1
+       vpc = true
+}
+
+resource "aws_security_group" "vpn" {
+       vpc_id = "${var.vpc_id}"
+       name = "${var.name}-vpn"
+       description = "Allow VPN traffic."
+}
+
+resource "aws_security_group_rule" "vpn-out-all" {
+       security_group_id = "${aws_security_group.vpn.id}"
+       type = "egress"
+       from_port = 0
+       to_port = 0
+       protocol = "all"
+       cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-user" {
+       security_group_id = "${aws_security_group.vpn.id}"
+       type = "ingress"
+       from_port = 1195
+       to_port = 1195
+       protocol = "tcp"
+       cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-bridge" {
+       security_group_id = "${aws_security_group.vpn.id}"
+       type = "ingress"
+       from_port = 1194
+       to_port = 1194
+       protocol = "udp"
+       cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-bastion" {
+       security_group_id = "${aws_security_group.vpn.id}"
+       type = "ingress"
+       from_port = 22
+       to_port = 22
+       protocol = "tcp"
+       cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_elb" "default" {
+       count = "${var.vpcaccess_elb}"
+       name = "${var.name}-int-elb"
+       subnets = ["${var.subnet_ids}"]
+       internal = true
+       listener {
+               lb_port = 22
+               lb_protocol = "tcp"
+               instance_port = 22
+               instance_protocol = "tcp"
+       }
+       health_check {
+               healthy_threshold = 3
+               unhealthy_threshold = 2
+               interval = 30
+               timeout = 5
+               target = "TCP:1195"
+       }
+       idle_timeout = 600
+       tags {
+               module = "${var.name}"
+               phase = "${var.environment}"
+       }
+}
+
+module "asg-stack" {
+       source = "../modules/tf_aws_asg_stack"
+       vpc_id = "${var.vpc_id}"
+       acct_name = "${var.acct_name}"
+       notification_arns = ["${var.notification_arns}"]
+       module = "${var.name}"
+       phase = "${var.environment}"
+       instance_type = "${var.instance_type}"
+       key_name = "${var.key_name}"
+       public_ips = true
+       subnet_ids = ["${var.subnet_ids}"]
+       iam_policy_arns = ["${var.role_policy_arns}"]
+       security_group_ids = ["${concat(var.security_group_ids, list(aws_security_group.vpn.id))}"]
+       max_size = 1
+       min_size = 0
+       iam_allow_actions = [
+        "ec2:AssociateAddress",
+               "ec2:ModifyInstanceAttribute",
+               "ec2:ModifyNetworkInterfaceAttribute"
+       ]
+       elbs = ["${var.vpcaccess_elb ? aws_elb.default.id : ""}"]
+}
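Review bot: The `vpn-in-bastion` rule (`from_port = 22` … `cidr_blocks = ["0.0.0.0/0"]`) exposes SSH on the VPN hosts to the whole internet, while the instances also get `public_ips = true` and an EIP, so this is reachable from any source. The VPN ports (1194/udp, 1195/tcp) being world-open is expected for a VPN endpoint, but SSH should be limited to an operator range, e.g. `cidr_blocks = ["${var.admin_cidr_blocks}"]` with a new list variable declared in the module's variables (name is a suggestion, not one the module already defines). Separately, the ELB's listener forwards port 22 but its `health_check` uses `target = "TCP:1195"`, so an instance whose VPN daemon is down but sshd is up would be marked healthy for the wrong service; if that is intentional, a one-line comment saying so would help the next reader. Finally, `elbs = ["${var.vpcaccess_elb ? aws_elb.default.id : ""}"]` references a counted resource without an index, which in this Terraform syntax generation is likely to fail at plan time when `vpcaccess_elb` is 0 since the conditional does not short-circuit; worth verifying with a disabled-ELB plan.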