add AWS VPC for all Nimbus hosts

Signed-off-by: Jakub Sokołowski <jakub@status.im>

modules/aws-vpc/main.tf

@@ -0,0 +1,108 @@
+resource "aws_vpc" "main" {
+  cidr_block       = "10.0.0.0/16"
+  instance_tenancy = "default"
+
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+
+  tags = {
+    Name = "vpc-${var.name}-${var.stage}"
+  }
+}
+
+resource "aws_subnet" "main" {
+  vpc_id     = aws_vpc.main.id
+  cidr_block = "10.0.1.0/24"
+
+  /* Needs to be the same as the instances zone */
+  availability_zone = var.zone
+
+  /* Necessary for instances available publicly */
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "sn-${var.name}-${var.stage}"
+  }
+}
+
+/* Necessary for internet access */
+resource "aws_internet_gateway" "main" {
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name  = "ig-${var.name}-${var.stage}"
+  }
+}
+
+resource "aws_route_table" "main" {
+  vpc_id = aws_vpc.main.id
+
+  /* Allow internet traffic in */
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.main.id
+  }
+
+  tags = {
+    Name = "rt-${var.name}-${var.stage}"
+  }
+}
+
+resource "aws_route_table_association" "main" {
+  subnet_id      = aws_subnet.main.id
+  route_table_id = aws_route_table.main.id
+}
+
+resource "aws_security_group" "main" {
+  name        = "${var.name}-${var.stage}"
+  description = "Allow inbound traffic for Nimbus fleet"
+  vpc_id      = aws_vpc.main.id
+
+  /* Allow local traffic */
+  ingress {
+    from_port = 0
+    to_port   = 0
+    self      = true
+    protocol  = "-1"
+  }
+  egress {
+    from_port = 0
+    to_port   = 0
+    self      = true
+    protocol  = "-1"
+  }
+
+  /* TCP */
+  dynamic "ingress" {
+    iterator = port
+    for_each = var.open_tcp_ports
+    content {
+      /* Hacky way to handle ranges as strings */
+      from_port = tonumber(
+        length(split("-", port.value)) > 1 ? split("-", port.value)[0] : port.value
+      )
+      to_port = tonumber(
+        length(split("-", port.value)) > 1 ? split("-", port.value)[1] : port.value
+      )
+      protocol  = "tcp"
+      cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
+
+  /* UDP */
+  dynamic "ingress" {
+    iterator = port
+    for_each = var.open_udp_ports
+    content {
+      /* Hacky way to handle ranges as strings */
+      from_port = tonumber(
+        length(split("-", port.value)) > 1 ? split("-", port.value)[0] : port.value
+      )
+      to_port = tonumber(
+        length(split("-", port.value)) > 1 ? split("-", port.value)[1] : port.value
+      )
+      protocol  = "udp"
+      cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
+}

modules/aws-vpc/outputs.tf

@@ -0,0 +1,11 @@
+output "vpc_id" {
+  value = aws_vpc.main.id
+}
+
+output "subnet_id" {
+  value = aws_subnet.main.id
+}
+
+output "secgroup_id" {
+  value = aws_security_group.main.id
+}

modules/aws-vpc/variables.tf

@@ -0,0 +1,33 @@
+/* PLUMBING -------------------------------------*/
+
+variable "zone" {
+  description = "Availability Zone for VPCs and Subnets"
+  type        = string
+  default     = "eu-central-1a"
+}
+
+/* FIREWALL--------------------------------------*/
+
+variable "open_tcp_ports" {
+  description = "List of TCP port ranges to open."
+  type        = list(string)
+  default     = []
+}
+
+variable "open_udp_ports" {
+  description = "List of TCP port ranges to open."
+  type        = list(string)
+  default     = []
+}
+
+/* GENERAL --------------------------------------*/
+
+variable "name" {
+  description = "Name to use for VPC elements"
+  type        = string
+}
+
+variable "stage" {
+  description = "Stage to use for VPC elements"
+  type        = string
+}

nimbus.tf

@@ -1,6 +1,24 @@
-/* RESOURCES ------------------------------------*/
+/* NETWORK --------------------------------------*/
 
-module "nimbus-master" {
+module "nimbus_network" {
+  source = "./modules/aws-vpc"
+
+  name  = "nimbus"
+  stage = "test"
+
+  /* Firewall */
+  open_tcp_ports = [
+    "22",        /* SSH */
+    "80",        /* HTTP */
+    "443",       /* HTTPS */
+    "9000-9010", /* Nimbus ports */
+    "9100-9110", /* Nimbus ports */
+  ]
+}
+
+/* HOSTS ----------------------------------------*/
+
+module "nimbus_master" {
   source = "github.com/status-im/infra-tf-amazon-web-services"
 
   name   = "master"
@@ -22,10 +40,13 @@ module "nimbus-master" {
   ]
 
   /* Plumbing */
+  vpc_id       = module.nimbus_network.vpc_id
+  subnet_id    = module.nimbus_network.subnet_id
+  secgroup_id  = module.nimbus_network.secgroup_id
   keypair_name = aws_key_pair.jakubgs.key_name
 }
 
-module "nimbus-nodes" {
+module "nimbus_nodes" {
   source = "github.com/status-im/infra-tf-amazon-web-services"
 
   name   = "node"
@@ -47,25 +68,28 @@ module "nimbus-nodes" {
   ]
   
   /* Plumbing */
+  vpc_id       = module.nimbus_network.vpc_id
+  subnet_id    = module.nimbus_network.subnet_id
+  secgroup_id  = module.nimbus_network.secgroup_id
   keypair_name = aws_key_pair.jakubgs.key_name
 }
 
 /* DNS ------------------------------------------*/
 
-resource "cloudflare_record" "nimbus-test-stats" {
+resource "cloudflare_record" "nimbus_test_stats" {
   zone_id = local.zones["status.im"]
   name    = "nimbus-test-stats"
   type    = "A"
   proxied = true
-  value   = module.nimbus-master.public_ips[count.index]
-  count   = length(module.nimbus-master.public_ips)
+  value   = module.nimbus_master.public_ips[count.index]
+  count   = length(module.nimbus_master.public_ips)
 }
 
-resource "cloudflare_record" "serenity-testnets" {
+resource "cloudflare_record" "serenity_testnets" {
   zone_id = local.zones["status.im"]
   name    = "serenity-testnets"
   type    = "A"
   proxied = true
-  value   = module.nimbus-master.public_ips[count.index]
-  count   = length(module.nimbus-master.public_ips)
+  value   = module.nimbus_master.public_ips[count.index]
+  count   = length(module.nimbus_master.public_ips)
 }