Terraform module that creates VPC resources in AWS
These types of resources are supported:
- AWS VPC
- AWS VPC - IPV4 CIDR Block Association
- AWS Internet Gateway
- AWS Route Table
- AWS Route
- AWS Route Table Association
- AWS Subnet
- AWS EIP
- AWS NAT Gateway
- AWS DB Subnet Group
- AWS Lauch Configuration
- AWS Autoscaling Group
- AWS Security Group
- AWS ElastiCache Subnet Group
What to install to use the module locally
$ brew install terraform$ brew install awscliHave programmatic access to Eve's AWS account (currently Production)
Export your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY of the AWS account you want to upload the CSV reports to.
OR
Ensure your credentials are in your ~/.aws/credentials file.
If they're not, you can add them by doing:
$ aws configure
AWS Access Key ID []: <enter-aws-access-key>
AWS Secret Access Key []: <enter-aws-secret-key>
Default region name []: <enter-region-id> # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions
Default output format []: <leave-blank>You can then check your CLI is using the correct credentials by doing:
$ aws sts get-caller-identityprovider "aws" {
region = "eu-west-1"
}
module "example_aws_networking" {
source = "git::ssh://git@gitlab.com/evesleep/infrastructure/terraform-modules/vpc.git"
name = "example_aws_networking"
vpc_cidr = "10.0.0.0/16"
public_subnets = ["10.0.128.0/20", "10.0.144.0/20"]
private_subnets = ["10.0.0.0/19", "10.0.32.0/19"]
create_database_subnet_group = false
azs = ["eu-west-1a", "eu-west-1b"]
enable_public_nat_gateway = true
enable_private_nat_gateway = true
key_pair_name = "test"
tags {
Application = "Dev Networking"
CreatedBy = "Terraform"
Environment = "Dev"
}
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Name to be used on all the resources as identifier | string | - | no |
| tags | A mapping of tags to assign to the networking resources | map | {} | no |
| vpc_cidr | The CIDR block for the VPC | string | - | yes |
| vpc_enable_dns_support | A boolean flag to enable/disable DNS support in the VPC | bool | true | no |
| vpc_enable_dns_hostnames | A boolean flag to enable/disable DNS hostnames in the VPC | bool | false | no |
| vpc_assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | bool | false | no |
| vpc_secondary_cidr_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) | [] | no |
| public_subnets | A list of public subnets inside the VPC | list(string) | [] | no |
| private_subnets | A list of private subnets inside the VPC | list(string) | [] | no |
| one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs |
bool | false | no |
| create_database_subnet_group | Controls if database subnet group should be created | bool | true | no |
| create_elastiache_subnet_group | Controls if the elasticache subnet group should be created | bool | true | no |
| azs | A list of availability zones in the region | list(string) | [] | false |
| enable_public_nat_gateway | Should be true if you want to provision NAT Gateways for each of your public networks | bool | false | no |
| enable_private_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | false | no |
| single_private_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | false | no |
| map_public_ip_on_launch | Specify true to indicate that instances launched into the subnet should be assigned a public IP address | boolg | false | no |
| bastion_instance_type | The size of instance to launch | string | t2.micro | no |
| autoscaling_min_size | The minimum size of the auto scale group | number | 1 | no |
| autoscaling_max_size | The maximum size of the auto scale group | number | 2 | no |
| key_pair_name | The name of the key pair to attach to instances | string | - | yes |
| autoscaling_desired_size | The number of Amazon EC2 instances that should be running in the group | number | 1 | no |
| account_id | AWS Account ID to grab Hardened AMI from | string | "651854267583" | no |
| Name | Description |
|---|---|
| vpc_id | The ID of the VPC |
| vpc_arn | Amazon Resource Name (ARN) of VPC |
| internet_gateway_id | The ID of the Internet Gateway |
| public_subnet_id | The ID(s) of the public subnet(s) |
| private_subnet_id | The ID(s) of the private subnet(s) |
| nat_gateway_gateway_id | The ID(s) of the NAT Gateway(s) |
| eip_public_ip | Contains the public IP address |
| bastion_sg_id | The ID of the bastion security group |
| elasticache_subnet_group | The name of the elasticache subnet group |
| database_subnet_group | The name of the database subnet group |
| bastion_ip | The EIP address attached to the Bastion Host |
When a commit is made to the repo - the Gitlab pipeline is triggered and does a terraform validate and format on the Hashicorp Configuration Language (HCL).
- Replace user_data script with an Ansible playbook