ugoenyioha/hub-and-spoke-with-shared-services-vpc-terraform

Terraform repository that shows how to create a Shared Services VPC (VPC endpoints and Route 53 Resolver Endpoints) in an Hub and Spoke Architecture with AWS Transit Gateway.

AWS Hub and Spoke Architecture with Shared Services VPC - Terraform Sample

This repository contains terraform code to deploy a sample AWS Hub and Spoke architecture with Shared Services VPC, with the following centralized services:

• Managing EC2 instances using AWS Sytems Manager - ssm, ssmmessages and ec2messages VPC Endpoints.
• Amazon S3 access (the IAM role created for the EC2 instances allows READ ONLY access). If you want to change it, check the code in the compute module
• Hybrid DNS, both inbound and outbound Route 53 Resolver Endpoints are created.

The resources deployed and the architectural pattern they follow is purely for demonstration/testing purposes.

Prerequisites

• An AWS account with an IAM user with the appropriate permissions
• Terraform installed

Code Principles:

• Writing DRY (Do No Repeat Yourself) code using a modular design pattern

Usage

• Clone the repository
• Edit the variables.tf file in the project root directory. This file contains the variables that are used to configure the VPCs to create, and Hybrid DNS configuration needed to work with your environment.
• To change the configuration about the Security Groups and VPC endpoints to create, edit the locals.tf file in the project root directory
• Initialize Terraform using terraform init
• Deploy the template using terraform apply

Note The default number of Availability Zones to use in the Spoke VPCs is 1. For the Shared Services VPC, the default (and minimum) number of AZs to use is 2 - due to configuration requirements for Route 53 Resolver Endpoints. To follow best practices, each resource - EC2 instance, VPC endpoints, and Route 53 Resolver Endpoints - will be created in each Availability Zone. Keep this in mind to avoid extra costs unless you are happy to deploy more resources and accept additional costs.

Deployment

Centralizing VPC Endpoints

• To centralize the SSM access for the instances created in the Spoke VPCs, 3 VPC endpoints are created with "Private DNS" option disabled: ssm, ssmmessages, and ec2messages. 3 Private Hosted Zones are created and associated with all the VPCs created (Spoke VPCs and Shared Services VPC) to allow DNS resolution.
• The fourth VPC endpoint created is to access Amazon S3. As indicated before, the EC2 instance roles only have read permission.
• Amazon S3 interface endpoints do not support the private DNS feature. However, thanks to the use of Private Hosted Zones, you can access S3 without having to use the VPC endpoint DNS name all the time. Two resource records are created within the S3 PHZ: one for the apex of the domain, and the second as a wildcard to allow all records within this domain to be resolved to the VPC endpoint. One example you can use to test the access to S3 is the following one: aws s3 --region {aws_region} ls s3://

Hybrid DNS

Both Amazon Route 53 Inbound and Outbound Resolver Endpoints are created. The configuration applied in the variables.tf file is not valid (example values). To use the example with your real-environment, please change the following variables:

• on_premises_cidr: Indicate the CIDR block of your on-premises location to allow DNS traffic in the Inbound Endpoints. This value is added in the Security Group attached to that endpoint.
• forwarding_rules: Add correct values of the DNS domains and DNS servers (target IPs) in your on-premises location. This values are used by the Outbound Endpoints to forward DNS queries from AWS to your on-premises DNS servers.

Target Architecture

References

• AWS Reference Architecture - Hybrid DNS Resolution with Amazon Route 53 Resolver Endpoints
• AWS Whitepaper - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
• AWS Documentation - AWS PrivateLink for Amazon S3 interface endpoints
• AWS Blogs - Secure hybrid access to Amazon S3 using AWS PrivateLink

Cleanup

Remember to clean up after your work is complete. You can do that by doing terraform destroy.

Note that this command will delete all the resources previously created by Terraform.

---

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

---

Requirements

Name	Version
terraform	>= 1.3.0
aws	>= 3.73.0
awscc	>= 0.15.0

Providers

Name	Version
aws	4.38.0

Modules

Name	Source	Version
compute	./modules/compute	n/a
endpoint_record	./modules/route53_record	n/a
shared_services_vpc	aws-ia/vpc/aws	= 3.0.1
spoke_vpcs	aws-ia/vpc/aws	= 3.0.1

Resources

Name	Type
aws_ec2_transit_gateway.tgw	resource
aws_ec2_transit_gateway_route_table.shared_services_vpc_tgw_rt	resource
aws_ec2_transit_gateway_route_table.spoke_vpc_tgw_rt	resource
aws_ec2_transit_gateway_route_table_association.shared_services_vpc_tgw_rt_assoc	resource
aws_ec2_transit_gateway_route_table_association.spoke_vpc_tgw_rt_assoc	resource
aws_ec2_transit_gateway_route_table_propagation.centralized_to_spoke_rt_propagation	resource
aws_ec2_transit_gateway_route_table_propagation.spokes_to_centralized_rt_propagation	resource
aws_iam_instance_profile.ec2_instance_profile	resource
aws_iam_policy_attachment.s3_readonly_policy_attachment	resource
aws_iam_policy_attachment.ssm_iam_role_policy_attachment	resource
aws_iam_role.role_ec2	resource
aws_iam_role.vpc_flowlogs_role	resource
aws_iam_role_policy.vpc_flowlogs_role_policy	resource
aws_kms_key.log_key	resource
aws_route53_resolver_endpoint.inbound_endpoint	resource
aws_route53_resolver_endpoint.outbound_endpoint	resource
aws_route53_resolver_rule.forwarding_rule	resource
aws_route53_zone.private_hosted_zone	resource
aws_security_group.endpoints_vpc_sg	resource
aws_vpc_endpoint.endpoint	resource
aws_caller_identity.current	data source
aws_iam_policy_document.policy_document	data source
aws_iam_policy_document.policy_kms_logs_document	data source
aws_iam_policy_document.policy_role_document	data source
aws_iam_policy_document.policy_rolepolicy_document	data source

Inputs

Name	Description	Type	Default	Required
aws_region	AWS Region to create the environment.	string	"eu-west-2"	no
forwarding_rules	Forwarding rules to on-premises DNS servers.	map(any)	{ "example-domain": { "domain_name": "example.com", "rule_type": "FORWARD", "target_ip": [ "1.1.1.1", "2.2.2.2" ] }, "test-domain": { "domain_name": "test.es", "rule_type": "FORWARD", "target_ip": [ "1.1.1.1" ] } }	no
identifier	Project Name, used as identifer when creating resources.	string	"hubspoke-shared-services"	no
on_premises_cidr	On-premises CIDR block.	string	"192.168.0.0/16"	no
vpcs	VPCs to create.	any	{ "shared-services-vpc": { "cidr_block": "10.0.50.0/24", "flow_log_config": { "log_destination_type": "cloud-watch-logs", "retention_in_days": 7 }, "number_azs": 2, "r53_endpoint_subnets": [ "10.0.50.48/28", "10.0.50.64/28", "10.0.50.80/28" ], "tgw_subnets": [ "10.0.50.96/28", "10.0.50.112/28", "10.0.50.128/28" ], "type": "shared-services", "vpc_endpoint_subnets": [ "10.0.50.0/28", "10.0.50.16/28", "10.0.50.32/28" ] }, "spoke-vpc-1": { "cidr_block": "10.0.0.0/24", "flow_log_config": { "log_destination_type": "cloud-watch-logs", "retention_in_days": 7 }, "instance_type": "t2.micro", "number_azs": 1, "tgw_subnets": [ "10.0.0.192/28", "10.0.0.208/28", "10.0.0.224/28" ], "type": "spoke", "workload_subnets": [ "10.0.0.0/26", "10.0.0.64/26", "10.0.0.128/26" ] }, "spoke-vpc-2": { "cidr_block": "10.0.1.0/24", "flow_log_config": { "log_destination_type": "cloud-watch-logs", "retention_in_days": 7 }, "instance_type": "t2.micro", "number_azs": 1, "tgw_subnets": [ "10.0.1.192/28", "10.0.1.208/28", "10.0.1.224/28" ], "type": "spoke", "workload_subnets": [ "10.0.1.0/26", "10.0.1.64/26", "10.0.1.128/26" ] } }	no

Outputs

Name	Description
ec2_instances	Instances created in each Spoke VPC.
private_hosted_zones	Private Hosted Zones.
route53_resolver_endpoints	Route 53 Resolver Endpoints.
transit_gateway	Transit Gateway resources.
vpc_endpoints	VPC endpoints created.
vpcs	VPCs created.