From d8952e4c83ffe647ec1090675540aea8b1224071 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Mon, 18 May 2020 17:11:39 +0200
Subject: [PATCH] extract aws-vpc role to separate repo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://github.com/status-im/infra-tf-aws-vpc
Signed-off-by: Jakub SokoĊ‚owski
---
 modules/aws-vpc/main.tf | 120 ----------------------------------
 modules/aws-vpc/outputs.tf | 11 ----
 modules/aws-vpc/variables.tf | 47 --------------
 nimbus.tf | 2 +-
 4 files changed, 1 insertion(+), 179 deletions(-)
 delete mode 100644 modules/aws-vpc/main.tf
 delete mode 100644 modules/aws-vpc/outputs.tf
 delete mode 100644 modules/aws-vpc/variables.tf

diff --git a/modules/aws-vpc/main.tf b/modules/aws-vpc/main.tf
deleted file mode 100644
index 09bf132..0000000
--- a/modules/aws-vpc/main.tf
+++ /dev/null
@@ -1,120 +0,0 @@
-/* The VPN allows us to limit certain traffic to just local network */
-resource "aws_vpc" "main" {
- cidr_block = var.vpc_cidr_block
- instance_tenancy = "default"
-
- enable_dns_support = true
- enable_dns_hostnames = true
-
- tags = {
- Name = "vpc-${var.name}-${var.stage}"
- }
-}
-
-/* A VPN can't exist by itself, a subnet is necessary to add instances */
-resource "aws_subnet" "main" {
- vpc_id = aws_vpc.main.id
- cidr_block = var.subnet_cidr_block
-
- /* Needs to be the same as the instances zone */
- availability_zone = var.zone
-
- /* Necessary for instances available publicly */
- map_public_ip_on_launch = true
-
- tags = {
- Name = "sn-${var.name}-${var.stage}"
- }
-}
-
-/* Necessary for internet access */
-resource "aws_internet_gateway" "main" {
- vpc_id = aws_vpc.main.id
-
- tags = {
- Name = "ig-${var.name}-${var.stage}"
- }
-}
-
-/* Adds rule for accessing internet via the Gateway */
-resource "aws_route_table" "main" {
- vpc_id = aws_vpc.main.id
-
- /* Allow internet traffic in */
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.main.id
- }
-
- tags = {
- Name = "rt-${var.name}-${var.stage}"
- }
-}
-
-/* Add the route to Gateway to the Subnet */
-resource "aws_route_table_association" "main" {
- subnet_id = aws_subnet.main.id
- route_table_id = aws_route_table.main.id
-}
-
-/* Open the necessary ports to the outside */
-resource "aws_security_group" "main" {
- name = "${var.name}-${var.stage}"
- description = "Allow inbound traffic for Nimbus fleet"
- vpc_id = aws_vpc.main.id
-
- /* Allow local incoming traffic, necessary for logging */
- ingress {
- from_port = 0
- to_port = 0
- self = true
- protocol = "-1"
- }
-
- /* Allowing ALL outgoing */
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- /* TCP */
- dynamic "ingress" {
- iterator = port
- for_each = var.open_tcp_ports
- content {
- /* Hacky way to handle ranges as strings */
- from_port = tonumber(
- length(split("-", port.value)) > 1 ? split("-", port.value)[0] : port.value
- )
- to_port = tonumber(
- length(split("-", port.value)) > 1 ? split("-", port.value)[1] : port.value
- )
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
- }
-
- /* UDP */
- dynamic "ingress" {
- iterator = port
- for_each = var.open_udp_ports
- content {
- /* Hacky way to handle ranges as strings */
- from_port = tonumber(
- length(split("-", port.value)) > 1 ? split("-", port.value)[0] : port.value
- )
- to_port = tonumber(
- length(split("-", port.value)) > 1 ? split("-", port.value)[1] : port.value
- )
- protocol = "udp"
- cidr_blocks = ["0.0.0.0/0"]
- }
- }
-
- /* Without this aws_route_table is not created in time */
- depends_on = [
- aws_route_table_association.main
- ]
-}
diff --git a/modules/aws-vpc/outputs.tf b/modules/aws-vpc/outputs.tf
deleted file mode 100644
index 6352f57..0000000
--- a/modules/aws-vpc/outputs.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-output "vpc_id" {
- value = aws_vpc.main.id
-}
-
-output "subnet_id" {
- value = aws_subnet.main.id
-}
-
-output "secgroup_id" {
- value = aws_security_group.main.id
-}
diff --git a/modules/aws-vpc/variables.tf b/modules/aws-vpc/variables.tf
deleted file mode 100644
index 363333f..0000000
--- a/modules/aws-vpc/variables.tf
+++ /dev/null
@@ -1,47 +0,0 @@
-/* PLUMBING -------------------------------------*/
-
-variable "zone" {
- description = "Availability Zone for VPCs and Subnets"
- type = string
- default = "eu-central-1a"
-}
-
-variable "vpc_cidr_block" {
- description = "IPv4 address space from Classless Inter-Domain Routing for VPC."
- type = string
- default = "172.20.0.0/16"
- # WARNING: We can't use 10.0.0.0/8 here because Tinc VPN already does.
- # Details: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
-}
-
-variable "subnet_cidr_block" {
- description = "Subnet of the VPC CIDR block address space."
- type = string
- default = "172.20.1.0/24"
-}
-
-/* FIREWALL--------------------------------------*/
-
-variable "open_tcp_ports" {
- description = "List of TCP port ranges to open."
- type = list(string)
- default = []
-}
-
-variable "open_udp_ports" {
- description = "List of TCP port ranges to open."
- type = list(string)
- default = []
-}
-
-/* GENERAL --------------------------------------*/
-
-variable "name" {
- description = "Name to use for VPC elements"
- type = string
-}
-
-variable "stage" {
- description = "Stage to use for VPC elements"
- type = string
-}
diff --git a/nimbus.tf b/nimbus.tf
index f436fa7..e221475 100644
--- a/nimbus.tf
+++ b/nimbus.tf
@@ -8,7 +8,7 @@ locals {
 }
 module "nimbus_network" {
- source = "./modules/aws-vpc"
+ source = "github.com/status-im/infra-tf-aws-vpc"
 name = "nimbus"
 stage = "test"