add full VPC deployment to aws-network-setup

matihost · Nov 19, 2023 · 54a9018 · 54a9018
1 parent 73ec0b1
commit 54a9018
Show file tree

Hide file tree

Showing 11 changed files with 181 additions and 77 deletions.
diff --git a/terraform/aws/aws-alb/module/variables.tf b/terraform/aws/aws-alb/module/variables.tf
@@ -46,6 +46,10 @@ variable "region" {
   description = "Preffered AWS region where resource need to be placed"
 }
 
+variable "aws_tags" {
+  type = map(string)
+  description = "AWS tags"
+}
 
 variable "ec2_instance_profile" {
   default     = ""
@@ -54,6 +58,13 @@ variable "ec2_instance_profile" {
 }
 
 
+variable "vpc_name" {
+  default     = "dev-us-east-1"
+  type        = string
+  description = "VPC Name to place EC2 instances"
+}
+
+
 variable "zones" {
   type = set(string)
   description = "AWS zones for VPC Subnetworks Deployment"

diff --git a/terraform/aws/aws-alb/module/webserver.tf b/terraform/aws/aws-alb/module/webserver.tf
@@ -26,7 +26,9 @@ data "aws_ami" "ubuntu" {
 }
 
 data "aws_vpc" "default" {
-  default = true
+  tags = {
+    Name = var.vpc_name
+  }
 }
 
 data "aws_subnet" "private" {
@@ -43,11 +45,14 @@ data "aws_subnet" "public" {
   for_each = var.zones
   vpc_id            = data.aws_vpc.default.id
   availability_zone = each.key
-  default_for_az    = true
+  tags = {
+    Tier = "public"
+  }
 }
 
 
 data "aws_security_group" "webserver" {
+  vpc_id = data.aws_vpc.default.id
   tags = {
     Name = var.ec2_security_group_name
   }
@@ -112,6 +117,15 @@ resource "aws_autoscaling_group" "webserver" {
 
   # maximum time for Terraform to wait for ASG reach
   wait_for_capacity_timeout = "10m"
+
+  dynamic "tag" {
+    for_each = try(var.aws_tags, map())
+    content {
+      key                 = tag.key
+      propagate_at_launch = true
+      value               = tag.value
+    }
+  }
 }
 
 resource "aws_autoscaling_policy" "webserver" {

diff --git a/terraform/aws/aws-alb/stage/dev/terragrunt.hcl b/terraform/aws/aws-alb/stage/dev/terragrunt.hcl
@@ -14,13 +14,19 @@ terraform {
 
 inputs = {
   env                           = "dev"
+  region                        = "us-east-1"
+  zone                          = "us-east-1a"
   external_access_ip            = local.current_ip
   instance_profile              = "SSM-EC2"
   ec2_instance_type             = "t4g.small" # or t3.micro
   ec2_architecture              = "arm64"     # or x86_64
   ssh_key_id                    = "dev-us-east-1-bastion-ssh"
-  ec2_security_group_name       = "internal_access"
-  public_lb_security_group_name = "http_from_single_computer"
-  aws_tags                      = { Env = "dev" }
-  zones                         = ["us-east-1a", "us-east-1b", "us-east-1c"]
+  ec2_security_group_name       = "dev-ssh-http-from-vpc"
+  public_lb_security_group_name = "dev-http-from-single-external-ip-only"
+  vpc_name                      = "dev-us-east-1"
+  aws_tags = {
+    Env    = "dev"
+    Region = "us-east1"
+  }
+  zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
 }
diff --git a/terraform/aws/aws-alb/stage/terragrunt.hcl b/terraform/aws/aws-alb/stage/terragrunt.hcl
@@ -1,8 +1,6 @@
 locals {
   bucket  = "${local.account}-terraform-state"
   account = "${run_cmd("--terragrunt-quiet", "aws", "sts", "get-caller-identity", "--query", "\"Account\"", "--output", "text")}"
-  region  = "${get_env("AWS_REGION", "us-east-1")}"
-  zone    = "us-east-1a"
 }
 
 remote_state {
@@ -14,7 +12,7 @@ remote_state {
   config = {
     bucket = local.bucket
     key    = "${basename(abspath("${get_parent_terragrunt_dir()}/.."))}/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/terraform.tfstate"
-    region = local.region
+    region = "us-east-1"
     # TODO play with it... maybe not in free tier
     # encrypt        = true
     # dynamodb_table = "my-lock-table"
@@ -26,10 +24,6 @@ generate "provider" {
   path      = "provider.tf"
   if_exists = "overwrite_terragrunt"
   contents  = <<EOF
-variable "aws_tags" {
-   type = map
-}
-
 provider "aws" {
   region  = var.region
   default_tags {
@@ -51,6 +45,4 @@ terraform {
 
 inputs = {
   account = local.account
-  region  = local.region
-  zone    = local.zone
 }
diff --git a/terraform/aws/aws-network-setup/module/bastion.tf b/terraform/aws/aws-network-setup/module/bastion.tf
@@ -27,11 +27,13 @@ data "aws_ami" "ubuntu" {
 }
 
 resource "aws_security_group" "bastion_access" {
-  name        = "${local.prefix}-bastion-access"
+  name        = "${local.prefix}-ssh-from-single-external-ip-only"
   description = "Allow SSH access only from single computer"
 
+  vpc_id = aws_vpc.main.id
+
   tags = {
-    Name = "bastion_access"
+    Name = "${local.prefix}-ssh-from-single-external-ip-only"
   }
 
   ingress {
@@ -53,26 +55,35 @@ resource "aws_security_group" "bastion_access" {
 }
 
 resource "aws_security_group" "internal_access" {
-  name        = "${local.prefix}-internal_access"
-  description = "Allow HTTP & SSH access from internal VPC only"
+  name        = "${local.prefix}-ssh-http-from-vpc"
+  description = "Allow HTTP(s) & SSH access from internal VPC only"
+
+  vpc_id = aws_vpc.main.id
 
   tags = {
-    Name = "internal_access"
+    Name = "${local.prefix}-ssh-http-from-vpc"
   }
 
   ingress {
     description = "HTTP from default VPC"
     from_port   = 80
     to_port     = 80
     protocol    = "tcp"
-    cidr_blocks = [data.aws_vpc.default.cidr_block]
+    cidr_blocks = [aws_vpc.main.cidr_block]
+  }
+  ingress {
+    description = "HTTPS from default VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.main.cidr_block]
   }
   ingress {
     description = "SSH from default VPC"
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = [data.aws_vpc.default.cidr_block]
+    cidr_blocks = [aws_vpc.main.cidr_block]
   }
 
   # Terraform removed default egress ALLOW_ALL rule
@@ -89,7 +100,7 @@ resource "aws_security_group" "internal_access" {
 resource "aws_instance" "bastion_vm" {
   ami                    = data.aws_ami.ubuntu.id
   instance_type          = var.ec2_instance_type
-  subnet_id              = data.aws_subnet.default[var.zone].id
+  subnet_id              = aws_subnet.public[var.zone].id
   key_name               = aws_key_pair.vm_key.key_name
   vpc_security_group_ids = [aws_security_group.bastion_access.id, aws_security_group.internal_access.id]
   user_data = templatefile("${path.module}/bastion.cloud-init.tpl", {
@@ -100,6 +111,8 @@ resource "aws_instance" "bastion_vm" {
   tags = {
     Name = "${local.prefix}-${var.region}-bastion"
   }
+
+  depends_on = [ aws_default_route_table.main ]
 }
 
 output "bastion_id" {