X-Git-Url: http://git.squeep.com/?p=awsible;a=blobdiff_plain;f=infrastructure%2Fmodules%2Ftf_aws_vpc%2Fmain.tf;fp=infrastructure%2Fmodules%2Ftf_aws_vpc%2Fmain.tf;h=4b36310b7aae9a11cf0d357a38721b20df84fea0;hp=0000000000000000000000000000000000000000;hb=8576668075ca95e44481d9c9ed29d7e6af024bdc;hpb=933c48ff1e134168de3aaa2d20e4d43c13d04928
diff --git a/infrastructure/modules/tf_aws_vpc/main.tf b/infrastructure/modules/tf_aws_vpc/main.tf
new file mode 100644
index 0000000..4b36310
--- /dev/null
+++ b/infrastructure/modules/tf_aws_vpc/main.tf
@@ -0,0 +1,239 @@
+resource "aws_vpc_dhcp_options" "default" {
+ count = "${var.enable_domain_name}"
+ domain_name = "ec2.internal ${var.r53_domain_name}"
+ domain_name_servers = ["AmazonProvidedDNS"]
+ tags {
+ Name = "${var.project}-${var.environment}-dhcp_options_set"
+ service = "${var.project}-${var.environment}-dhcp_options_set"
+ project = "${var.project}"
+ environment = "${var.environment}"
+ role = "dhcp_options_set"
+ }
+}
+
+resource "aws_vpc_dhcp_options_association" "default" {
+ count = "${var.enable_domain_name}"
+ vpc_id = "${aws_vpc.default.id}"
+ dhcp_options_id = "${aws_vpc_dhcp_options.default.id}"
+}
+
+resource "aws_vpc" "default" {
+ cidr_block = "${var.cidr}"
+ enable_dns_hostnames = "${var.enable_dns_hostnames}"
+ enable_dns_support = "${var.enable_dns_support}"
+ instance_tenancy = "default"
+ tags {
+ Name = "${var.project}-${var.environment}-vpc"
+ service = "${var.project}-${var.environment}-vpc"
+ project = "${var.project}"
+ environment = "${var.environment}"
+ role = "vpc"
+ }
+}
+
+resource "aws_internet_gateway" "default" {
+ vpc_id = "${aws_vpc.default.id}"
+ tags {
+ Name = "${var.project}-${var.environment}-igw"
+ service = "${var.project}-${var.environment}-igw"
+ project = "${var.project}"
+ environment = "${var.environment}"
+ role = "igw"
+ }
+}
+
+data "aws_vpc_peering_connection" "peer" {
+ count = "${length(var.peering_connection_ids)}"
+ id = "${element(var.peering_connection_ids, count.index)}"
+}
+
+resource "aws_default_route_table" "default" {
+ default_route_table_id = "${aws_vpc.default.default_route_table_id}"
+}
+
+resource "aws_route" "default_gateway" {
+ route_table_id = "${aws_default_route_table.default.id}"
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = "${aws_internet_gateway.default.id}"
+}
+
+resource "aws_route" "default_peer" {
+ count = "${length(var.peering_connection_ids)}"
+ route_table_id = "${aws_default_route_table.default.id}"
+ destination_cidr_block = "${element(data.aws_vpc_peering_connection.peer.*.cidr_block, count.index)}"
+ vpc_peering_connection_id = "${element(data.aws_vpc_peering_connection.peer.*.id, count.index)}"
+}
+
+resource "aws_route_table" "public" {
+ vpc_id = "${aws_vpc.default.id}"
+ tags {
+ Name = "${var.project}-${var.environment}-public"
+ service = "${var.project}-${var.environment}-route-table"
+ project = "${var.project}"
+ environment = "${var.environment}"
+ role = "route-table"
+ }
+}
+
+resource "aws_route" "public_gateway" {
+ route_table_id = "${aws_route_table.public.id}"
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = "${aws_internet_gateway.default.id}"
+}
+
+resource "aws_route" "public_peer" {
+ count = "${length(var.peering_connection_ids)}"
+ route_table_id = "${aws_route_table.public.id}"
+ destination_cidr_block = "${element(data.aws_vpc_peering_connection.peer.*.cidr_block, count.index)}"
+ vpc_peering_connection_id = "${element(data.aws_vpc_peering_connection.peer.*.id, count.index)}"
+}
+
+resource "aws_subnet" "public" {
+ count = "${length(var.public_azs)}"
+ vpc_id = "${aws_vpc.default.id}"
+ cidr_block = "${cidrsubnet(var.cidr, 8, count.index + var.subnets_offset_public)}"
+ availability_zone = "${element(var.public_azs, count.index)}"
+ tags {
+ Name = "${var.project}-${var.environment}-public-${element(var.public_azs, count.index)}"
+ project = "${var.project}"
+ environment = "${var.environment}"
+ service = "${var.project}-${var.environment}-subnet-public"
+ role = "subnet"
+ zone = "pub"
+ }
+ map_public_ip_on_launch = true
+}
+
+resource "aws_route_table_association" "public" {
+ count = "${length(var.public_azs)}"
+ subnet_id = "${element(aws_subnet.public.*.id, count.index)}"
+ route_table_id = "${element(aws_route_table.public.*.id, count.index)}"
+}
+
+resource "aws_subnet" "private" {
+ count = "${length(var.private_azs)}"
+ vpc_id = "${aws_vpc.default.id}"
+ cidr_block = "${cidrsubnet(var.cidr, 8, count.index + var.subnets_offset_private)}"
+ availability_zone = "${element(var.private_azs, count.index)}"
+ tags {
+ Name = "${var.project}-${var.environment}-private-${element(var.private_azs, count.index)}"
+ project = "${var.project}"
+ environment = "${var.environment}"
+ service = "${var.project}-${var.environment}-subnet-private"
+ role = "subnet"
+ zone = "priv"
+ }
+ map_public_ip_on_launch = false
+}
+
+resource "aws_route_table_association" "private" {
+ count = "${length(var.private_azs)}"
+ subnet_id = "${element(aws_subnet.private.*.id, count.index)}"
+ route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
+}
+
+resource "aws_route_table" "private" {
+ count = "${length(var.private_azs)}"
+ vpc_id = "${aws_vpc.default.id}"
+ tags {
+ Name = "${var.project}-${var.environment}-private${format("%02d", count.index + 1)}"
+ project = "${var.project}"
+ environment = "${var.environment}"
+ service = "${var.project}-${var.environment}-route-table-private"
+ role = "route-table"
+ }
+}
+
+resource "aws_route" "private_gateway" {
+ count = "${length(var.private_azs)}"
+ route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
+ destination_cidr_block = "0.0.0.0/0"
+ nat_gateway_id = "${element(aws_nat_gateway.default.*.id, count.index)}"
+}
+
+resource "aws_route" "private_peer" {
+ count = "${length(var.peering_connection_ids) * length(var.private_azs)}"
+ route_table_id = "${element(aws_route_table.private.*.id, count.index / length(var.private_azs))}"
+ destination_cidr_block = "${element(data.aws_vpc_peering_connection.peer.*.cidr_block, count.index % length(var.private_azs))}"
+ vpc_peering_connection_id = "${element(data.aws_vpc_peering_connection.peer.*.id, count.index % length(var.private_azs))}"
+}
+
+resource "aws_eip" "nat" {
+ count = "${length(var.private_azs)}"
+ vpc = true
+}
+
+resource "aws_nat_gateway" "default" {
+ count = "${length(var.private_azs)}"
+ allocation_id = "${element(aws_eip.nat.*.id, count.index)}"
+ subnet_id = "${element(aws_subnet.public.*.id, count.index)}"
+}
+
+data "aws_iam_policy_document" "base" {
+ statement {
+ sid = "aws-read"
+ resources = ["*"]
+ actions = [
+ "autoscaling:Describe*",
+ "cloudwatch:ListMetrics",
+ "cloudwatch:GetMetricsStatistics",
+ "cloudwatch:Describe*",
+ "ec2:Describe*",
+ "elasticloadbalancing:Describe*",
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:Describe*",
+ "logs:PutLogEvents",
+ "logs:PutMetricFilter"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "base" {
+ name = "base-policy"
+ path = "/"
+ description = "base-policy"
+ policy = "${data.aws_iam_policy_document.base.json}"
+}
+
+resource "aws_security_group" "general-access" {
+ name = "general-access"
+ description = "Allow all ICMP and intra-vpc SSH traffic"
+ vpc_id = "${aws_vpc.default.id}"
+}
+
+resource "aws_security_group_rule" "ga_out_all" {
+ security_group_id = "${aws_security_group.general-access.id}"
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "all"
+ cidr_blocks = ["0.0.0.0/0"]
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_security_group_rule" "ga_in_icmp" {
+ security_group_id = "${aws_security_group.general-access.id}"
+ type = "ingress"
+ from_port = -1
+ to_port = -1
+ protocol = "icmp"
+ cidr_blocks = ["0.0.0.0/0"]
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_security_group_rule" "ga_in_ssh" {
+ security_group_id = "${aws_security_group.general-access.id}"
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["${concat(list(var.cidr), var.ssh_allowed_cidr)}"]
+ lifecycle {
+ create_before_destroy = true
+ }
+}