/terraform-aws-vpc

Terraform Module to create an AWS VPC network with VPN and configure Peering b/w multiple VPCs

Primary LanguageHCLApache License 2.0Apache-2.0

AWS Network Terraform module

squareops_avatar

SquareOps Technologies Your DevOps Partner for Accelerating cloud journey.


Terraform module to create Networking resources with IPv4 or dual stack IP mode enabled for workload deployment on AWS Cloud.

Usage Example

module "key_pair_vpn" {
  source             = "squareops/keypair/aws"
  environment        = "production"
  key_name           = format("%s-%s-vpn", "production", "skaf")
  ssm_parameter_path = format("%s-%s-vpn", "production", "skaf")
}


module "vpc" {
  source = "squareops/vpc/aws"
  name                                            = "skaf"
  vpc_cidr                                        = "10.0.0.0/16"
  environment                                     = "production"
  ipv6_enabled                                    = true
  create_ipam_pool                                = false
  ipam_enabled                                    = false
  vpc_flow_log_enabled                            = true
  vpn_server_key_pair_name                        = module.key_pair_vpn.key_pair_name
  vpc_availability_zones                          = ["us-east-1a", "us-east-1b"]
  vpn_server_enabled                              = false
  vpc_intra_subnet_enabled                        = true
  auto_assign_public_ip                           = true
  vpc_public_subnet_enabled                       = true
  vpc_private_subnet_enable                       = true
  vpc_one_nat_gateway_per_az                      = true
  vpc_database_subnet_enabled                     = true
  vpn_server_instance_type                        = "t3a.small"
  vpc_public_subnets_counts                       = 2
  vpc_private_subnets_counts                      = 2
  vpc_database_subnets_counts                     = 2
  vpc_intra_subnets_counts                        = 2
  vpc_endpoint_type_private_s3                    = "Gateway"
  vpc_endpoint_type_ecr_dkr                       = "Interface"
  vpc_endpoint_type_ecr_api                       = "Interface"
  vpc_s3_endpoint_enabled                         = true
  vpc_ecr_endpoint_enabled                        = true
  vpc_flow_log_max_aggregation_interval           = 60
  vpc_flow_log_cloudwatch_log_group_skip_destroy  = true
  vpc_flow_log_cloudwatch_log_group_retention_in_days = 90
  vpc_flow_log_cloudwatch_log_group_kms_key_arn   = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn" #Enter your kms key arn
}

Refer this for more examples.

Important Note

To prevent destruction interruptions, any resources that have been created outside of Terraform and attached to the resources provisioned by Terraform must be deleted before the module is destroyed.

The private key generated by Keypair module will be stored in AWS Systems Manager Parameter Store. For more details refer this

For encrypting vpc flow log cloudwatch log group please use this kms key policy. Change the account id and region.

{
    "Version": "2012-10-17",
    "Id": "allow-cloudwatch-logs-encryption",
    "Statement": [
        {
            "Sid": "AllowRootFullPermissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345678:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "AllowCloudWatchLogsEncryption",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.us-east-2.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

Network Scenarios

Users need to declare vpc_cidr and subnets are calculated with the help of in-built functions.

This module supports three scenarios to create Network resource on AWS. Each will be explained in brief in the corresponding sections.

  • simple-vpc (default behavior): To create a VPC with public subnets and IGW.

    • vpc_cidr = ""
    • public_subnet_enabled = true
    • auto_assign_public_ip = true

  • vpc-with-private-sub: To create a VPC with public subnets, private subnets, IGW gateway and NAT gateway.

    • vpc_cidr = ""
    • public_subnet_enabled = true
    • private_subnet_enabled = true
    • auto_assign_public_ip = true

  • complete-vpc-with-vpn: To create a VPC with public, private, database and intra subnets along with an IGW and NAT gateway. Jump server/Bastion Host is also configured.

    • vpc_cidr = ""
    • public_subnet_enabled = true
    • private_subnet_enabled = true
    • database_subnet_enabled = true
    • intra_subnet_enabled = true
    • auto_assign_public_ip = true
    • one_nat_gateway_per_az = true
    • vpn_server_enabled = true
    • vpn_server_instance_type = "t3a.small"
    • vpn_key_pair_name = ""
    • availability_zones = 2
    • flow_log_enabled = true
    • flow_log_max_aggregation_interval = 60
    • flow_log_cloudwatch_log_group_retention_in_days = 90
    • flow_log_cloudwatch_log_group_kms_key_arn = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn"

  • vpc-peering: VPC peering support is available using submodule vpc_peering. Refer Peering Docs for more information

    • accepter_name = ""
    • accepter_vpc_id = ""
    • accepter_vpc_region = ""
    • requester_name = ""
    • requester_vpc_id = ""
    • requester_vpc_region = ""
    • auto_assign_public_ip = true
    • one_nat_gateway_per_az = true

  • vpc-with-ipv6: To create VPC with IPv6 support, you only need to enable the parameter ipv6_enabled. Rest all the configurations will be taken care by module. Refer for example vpc-with-ipv6 for more information.

    • vpc_cidr = ""
    • public_subnet_enabled = true
    • private_subnet_enabled = true
    • database_subnet_enabled = true
    • intra_subnet_enabled = true
    • auto_assign_public_ip = true
    • ipv6_enabled = true
    • public_subnet_assign_ipv6_address_on_creation = true
    • private_subnet_assign_ipv6_address_on_creation = true
    • database_subnet_assign_ipv6_address_on_creation = true
    • intra_subnet_assign_ipv6_address_on_creation = true

IAM Permissions

The required IAM permissions to create resources from this module can be found here

VPN setup-

We are using Pritunl as VPN. It is using Ubuntu 22.04 image as underlying OS. To configure Pritunl VPN:

  1. Access the Pritunl UI over HTTPS using the public IP of EC2 instance in browser
  2. Retrieve the initial key, user and password for setting up Pritunl from AWS Secrets Manager and log in to Pritunl.
  3. Create a DNS record mapping to the EC2 instance's public IP
  4. After login, in the Initial setup window, add the record created in the 'Lets Encrypt Domain' field.
  5. Pritunl will automatically configure a signed SSL certificate from Lets Encrypt.
  6. Add organization and user to pritunl.
  7. Add server and set port as 10150 which is already allowed from security group while creating instance for VPN server.
  8. Attach organization to the server and Start the server.
  9. Copy or download user profile link or file.
 10. Import the profile in Pritunl client.

CIS COMPLIANCE

Security scanning is graciously provided by Prowler. Prowler is the leading fully hosted, cloud-native solution providing continuous cluster security and compliance.

In this module, we have implemented the following CIS Compliance checks for VPC:

Benchmark Description Status
Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 No Security Groups open to 0.0.0.0/0
Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports For all VPCs created using this module
Ensure the default security group of every VPC restricts all traffic For all VPCs created using this module
Ensure VPC flow logging is enabled in all VPCs No Default Security Groups open to 0.0.0.0/0
Ensure IAM instance roles are used for AWS resource access from instances For VPN server created using this module
Ensure EBS volume encryption is enabled For VPN server created using this module

Requirements

Name Version
terraform >= 1.0
aws >= 5.0.0

Providers

Name Version
aws >= 5.0.0

Modules

Name Source Version
vpc terraform-aws-modules/vpc/aws 5.2.0
vpn_server ./modules/vpn n/a

Resources

Name Type
aws_security_group.vpc_endpoints resource
aws_vpc_endpoint.private_ecr_api resource
aws_vpc_endpoint.private_ecr_dkr resource
aws_vpc_endpoint.private_s3 resource
aws_vpc_ipam.ipam resource
aws_vpc_ipam_pool.ipam_pool resource
aws_vpc_ipam_pool_cidr.ipam_pool_cidr resource
aws_availability_zones.available data source
aws_ec2_instance_type.arch data source
aws_route_tables.aws_private_routes data source

Inputs

Name Description Type Default Required
additional_aws_tags Additional tags to be applied to AWS resources map(string) {} no
auto_assign_public_ip Specify true to indicate that instances launched into the subnet should be assigned a public IP address. bool false no
aws_account_id Account ID of the AWS Account. string "1234567890" no
aws_region Name of the AWS region where VPC is to be created. string "" no
database_nat_gateway_route_enabled Nat Gateway route to be created for internet access to database subnets bool false no
database_subnet_assign_ipv6_address_on_creation Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool null no
database_subnet_group_enabled Whether create database subnet groups bool false no
default_network_acl_ingress List of maps of ingress rules to set on the Default Network ACL list(map(string)) 
[
  {
    "action": "deny",
    "cidr_block": "0.0.0.0/0",
    "from_port": 22,
    "protocol": "tcp",
    "rule_no": 98,
    "to_port": 22
  },
  {
    "action": "deny",
    "cidr_block": "0.0.0.0/0",
    "from_port": 3389,
    "protocol": "tcp",
    "rule_no": 99,
    "to_port": 3389
  },
  {
    "action": "allow",
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_no": 100,
    "to_port": 0
  },
  {
    "action": "allow",
    "from_port": 0,
    "ipv6_cidr_block": "::/0",
    "protocol": "-1",
    "rule_no": 101,
    "to_port": 0
  }
]
 no
dns_hostnames_enabled Whether to enable DNS hostnames bool true no
environment Specify the environment indentifier for the VPC string "" no
existing_ipam_managed_cidr The existing IPAM pool CIDR string "" no
intra_subnet_assign_ipv6_address_on_creation Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool null no
ipam_address_family The address family for the VPC (ipv4 or ipv6) string "ipv4" no
ipam_enabled Whether enable IPAM managed VPC or not bool false no
ipam_pool_enabled Whether create new IPAM pool bool true no
ipam_pool_id The existing IPAM pool id if any string null no
ipv4_netmask_length The netmask length for IPAM managed VPC number 16 no
ipv6_enabled Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. bool false no
ipv6_only Enable it for deploying native IPv6 network bool false no
manage_vpc_default_security_group Should be true to manage Default Security group of vpc bool true no
name Specify the name of the VPC string "" no
private_subnet_assign_ipv6_address_on_creation Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool null no
public_subnet_assign_ipv6_address_on_creation Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool null no
secondary_cidr_blocks List of the secondary CIDR blocks which can be at most 5 list(string) [] no
secondry_cidr_enabled Whether enable secondary CIDR with VPC bool false no
vpc_availability_zones Number of Availability Zone to be used by VPC Subnets. list(any) [] no
vpc_cidr The CIDR block of the VPC string "10.0.0.0/16" no
vpc_database_subnet_cidrs Database Tier subnet CIDRs to be created list(any) [] no
vpc_database_subnet_enabled Set true to enable database subnets bool false no
vpc_database_subnets_counts List of counts for database subnets number 1 no
vpc_default_security_group_egress List of maps of egress rules to set on the default security group list(map(string)) [] no
vpc_default_security_group_ingress List of maps of ingress rules to set on the default security group list(map(string)) [] no
vpc_ecr_endpoint_enabled Set to true if you want to enable vpc ecr endpoints bool false no
vpc_endpoint_type_ecr_api The type of VPC endpoint for ECR api string "Interface" no
vpc_endpoint_type_ecr_dkr The type of VPC endpoint for ECR Docker string "Interface" no
vpc_endpoint_type_private_s3 The type of VPC endpoint for ECR Docker string "Gateway" no
vpc_flow_log_cloudwatch_log_group_kms_key_arn The ARN of the KMS Key to use when encrypting log data for VPC flow logs string null no
vpc_flow_log_cloudwatch_log_group_retention_in_days Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. number null no
vpc_flow_log_cloudwatch_log_group_skip_destroy Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state bool false no
vpc_flow_log_destination_type Type of flow log destination. Can be s3 or cloud-watch-logs string "cloud-watch-logs" no
vpc_flow_log_enabled Whether or not to enable VPC Flow Logs bool false no
vpc_flow_log_max_aggregation_interval The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds or 600 seconds. number 60 no
vpc_flow_log_traffic_type The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL string "ALL" no
vpc_intra_subnet_cidrs A list of intra subnets CIDR to be created list(any) [] no
vpc_intra_subnet_enabled Set true to enable intra subnets bool false no
vpc_intra_subnets_counts List of counts for intra subnets number 1 no
vpc_manage_default_network_acl Should be true to manage Default Network ACL bool true no
vpc_one_nat_gateway_per_az Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier bool false no
vpc_private_subnet_cidrs A list of private subnets CIDR to be created inside the VPC list(any) [] no
vpc_private_subnet_enabled Set true to enable private subnets bool false no
vpc_private_subnets_counts List of counts for private subnets number 1 no
vpc_public_subnet_cidrs A list of public subnets CIDR to be created inside the VPC list(any) [] no
vpc_public_subnet_enabled Set true to enable public subnets bool false no
vpc_public_subnets_counts List of counts for public subnets number 1 no
vpc_s3_endpoint_enabled Set to true if you want to enable vpc S3 endpoints bool false no
vpn_gateway_enabled Whether to enable vpn Gateway bool false no
vpn_server_enabled Set to true if you want to deploy VPN Gateway resource and attach it to the VPC bool false no
vpn_server_instance_type EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc. string "t3a.small" no
vpn_server_key_pair_name Specify the name of AWS Keypair to be used for VPN Server string "" no

Outputs

Name Description
database_subnets List of IDs of database subnets
vpc_cidr_block AWS Region
vpc_id The ID of the VPC
vpc_intra_subnets List of IDs of Intra subnets
vpc_private_subnets List of IDs of private subnets
vpc_public_subnets List of IDs of public subnets
vpn_host_public_ip IP Adress of VPN Server
vpn_security_group Security Group ID of VPN Server

Contribute & Issue Report

To report an issue with a project:

  1. Check the repository's issue tracker on GitHub
  2. Search to check if the issue has already been reported
  3. If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Make sure to provide enough context and details.

License

Apache License, Version 2.0, January 2004 (https://www.apache.org/licenses/LICENSE-2.0)

Support Us

To support our GitHub project by liking it, you can follow these steps:

  1. Visit the repository: Navigate to the GitHub repository

  2. Click the "Star" button: On the repository page, you'll see a "Star" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.

  3. Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.

Staring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.

Who we are

We believe that the key to success in the digital age is the ability to deliver value quickly and reliably. That’s why we offer a comprehensive range of DevOps & Cloud services designed to help your organization optimize its systems & Processes for speed and agility.

  1. We are an AWS Advanced consulting partner which reflects our deep expertise in AWS Cloud and helping 100+ clients over the last 5 years.
  2. Expertise in Kubernetes and overall container solution helps companies expedite their journey by 10X.
  3. Infrastructure Automation is a key component to the success of our Clients and our Expertise helps deliver the same in the shortest time.
  4. DevSecOps as a service to implement security within the overall DevOps process and helping companies deploy securely and at speed.
  5. Platform engineering which supports scalable,Cost efficient infrastructure that supports rapid development, testing, and deployment.
  6. 24*7 SRE service to help you Monitor the state of your infrastructure and eradicate any issue within the SLA.

We provide support on all of our projects, no matter how small or large they may be.

To find more information about our company, visit squareops.com, follow us on Linkedin, or fill out a job application. If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to contact us.