locals {
  # Security groups the module hands to the instance: the module-managed group
  # (only when enabled) followed by whatever the caller passes in.
  security_groups = concat(
    var.use_default_security_group ? [aws_security_group.main.id] : [],
    var.additional_security_group_ids,
  )

  # A caller-supplied AMI wins; otherwise fall back to the looked-up one
  # (data.aws_ami.main is declared outside this file).
  ami_id = var.ami_id != null ? var.ami_id : data.aws_ami.main[0].id

  # Instance types whose family has a "g" right after the generation digit,
  # optionally followed by more letters (e.g. t4g.micro, c6gd.large), are
  # treated as Arm. can() turns the regex mismatch error into false.
  is_arm = can(regex("[a-zA-Z]+\\d+g[a-z]*\\..+", var.instance_type))

  # CloudWatch agent config parameter: the caller's ARN takes precedence over
  # the module-managed SSM parameter; both locals are null when the agent is off.
  cwagent_param_arn = var.use_cloudwatch_agent ? (
    var.cloudwatch_agent_configuration_param_arn != null
    ? var.cloudwatch_agent_configuration_param_arn
    : aws_ssm_parameter.cloudwatch_agent_config[0].arn
  ) : null

  # NOTE(review): for a caller-supplied ARN the name is the second "/"-separated
  # segment of the ARN resource ("parameter/<name>"), so a hierarchical name
  # such as "/a/b" would be cut down to "a" here — confirm against how
  # cwagent_param_name is consumed before relying on hierarchical names.
  cwagent_param_name = var.use_cloudwatch_agent ? (
    var.cloudwatch_agent_configuration_param_arn != null
    ? split("/", data.aws_arn.ssm_param[0].resource)[1]
    : aws_ssm_parameter.cloudwatch_agent_config[0].name
  ) : null
}
# Region and account of the calling credentials. Neither is referenced in this
# file, so their consumers presumably live elsewhere in the module.
data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

# The VPC hosting the NAT instance; its CIDR associations feed the
# intra-VPC ingress rule of aws_security_group.main.
data "aws_vpc" "main" {
  id = var.vpc_id
}
# Security group for the NAT instance: open from inside the VPC, open to the
# world on egress, and optionally reachable over SSH from caller-chosen CIDRs.
resource "aws_security_group" "main" {
  #checkov:skip=CKV_AWS_24:False positive from Checkov, ingress CIDR blocks on port 22 default to "[]"
  vpc_id = data.aws_vpc.main.id
  name   = var.name

  # NOTE(review): the subnet id is baked into the description, and the provider
  # treats a changed description as replace-the-group; a subnet move therefore
  # recreates this security group.
  description = "Used in ${var.name} instance of fck-nat in subnet ${var.subnet_id}"

  # Anything inside the VPC may reach the instance on any port and protocol.
  ingress {
    description = "Unrestricted ingress from within VPC"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block
  }

  # SSH is only opened when requested AND at least one CIDR list is non-empty.
  # The caller's lists are used verbatim, so their breadth is the caller's choice.
  dynamic "ingress" {
    for_each = (var.use_ssh && (length(var.ssh_cidr_blocks.ipv4) > 0 || length(var.ssh_cidr_blocks.ipv6) > 0)) ? [1] : []

    content {
      description      = "SSH access"
      protocol         = "tcp"
      from_port        = 22
      to_port          = 22
      cidr_blocks      = var.ssh_cidr_blocks.ipv4
      ipv6_cidr_blocks = var.ssh_cidr_blocks.ipv6
    }
  }

  # A NAT instance forwards to arbitrary destinations, hence unrestricted egress.
  egress {
    description      = "Unrestricted egress"
    protocol         = "-1"
    from_port        = 0
    to_port          = 0
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = merge({ Name = var.name }, var.tags)
}
# Static ENI the routes point at, so the private address survives instance
# replacement. It always carries the module's own security group, independent
# of var.use_default_security_group (which only affects local.security_groups).
resource "aws_network_interface" "main" {
  subnet_id       = var.subnet_id
  security_groups = [aws_security_group.main.id]
  description     = "${var.name} static private ENI"

  # Required for NAT: the interface forwards traffic neither sourced from nor
  # addressed to itself, which the default source/destination check would drop.
  source_dest_check = false

  tags = merge({ Name = var.name }, var.tags)
}
# One default route per requested route table, all pointing at the static ENI.
resource "aws_route" "main" {
  # Route table map plus, when a single id is given, a RESERVED_FKC_NAT entry
  # (the fixed key presumably keeps the resource address stable in state).
  # Nothing is created unless one of the two update flags is set.
  for_each = (var.update_route_tables || var.update_route_table) ? merge(
    var.route_tables_ids,
    var.route_table_id != null ? { RESERVED_FKC_NAT = var.route_table_id } : {},
  ) : {}

  route_table_id         = each.value
  network_interface_id   = aws_network_interface.main.id
  destination_cidr_block = "0.0.0.0/0"
}
# Module-managed CloudWatch agent configuration, published via SSM Parameter Store.
resource "aws_ssm_parameter" "cloudwatch_agent_config" {
  # Only created when the agent is enabled and the caller did not bring their own parameter.
  count = (var.use_cloudwatch_agent && var.cloudwatch_agent_configuration_param_arn == null) ? 1 : 0

  name = "${var.name}-cloudwatch-agent-config"

  # Stored encrypted; a null var.kms_key_id leaves key selection to the provider default.
  type   = "SecureString"
  key_id = var.kms_key_id

  # Rendered agent config. As with any aws_ssm_parameter value, the rendered
  # text is also recorded in Terraform state.
  value = templatefile("${path.module}/templates/cwagent.json", {
    METRICS_COLLECTION_INTERVAL = var.cloudwatch_agent_configuration.collection_interval
    METRICS_NAMESPACE           = var.cloudwatch_agent_configuration.namespace
    METRICS_ENDPOINT_OVERRIDE   = var.cloudwatch_agent_configuration.endpoint_override
  })
}