infra-nimbus/modules/aws-vpc/main.tf

121 lines
2.8 KiB
HCL

/* The VPN allows us to limit certain traffic to just local network */
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr_block
instance_tenancy = "default"
enable_dns_support = true
enable_dns_hostnames = true
tags = {
Name = "vpc-${var.name}-${var.stage}"
}
}
/* A VPN can't exist by itself, a subnet is necessary to add instances */
resource "aws_subnet" "main" {
vpc_id = aws_vpc.main.id
cidr_block = var.subnet_cidr_block
/* Needs to be the same as the instances zone */
availability_zone = var.zone
/* Necessary for instances available publicly */
map_public_ip_on_launch = true
tags = {
Name = "sn-${var.name}-${var.stage}"
}
}
/* Necessary for internet access */
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = {
Name = "ig-${var.name}-${var.stage}"
}
}
/* Adds rule for accessing internet via the Gateway */
resource "aws_route_table" "main" {
vpc_id = aws_vpc.main.id
/* Allow internet traffic in */
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = {
Name = "rt-${var.name}-${var.stage}"
}
}
/* Add the route to Gateway to the Subnet */
resource "aws_route_table_association" "main" {
subnet_id = aws_subnet.main.id
route_table_id = aws_route_table.main.id
}
/* Open the necessary ports to the outside */
resource "aws_security_group" "main" {
name = "${var.name}-${var.stage}"
description = "Allow inbound traffic for Nimbus fleet"
vpc_id = aws_vpc.main.id
/* Allow local incoming traffic, necessary for logging */
ingress {
from_port = 0
to_port = 0
self = true
protocol = "-1"
}
/* Allowing ALL outgoing */
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
/* TCP */
dynamic "ingress" {
iterator = port
for_each = var.open_tcp_ports
content {
/* Hacky way to handle ranges as strings */
from_port = tonumber(
length(split("-", port.value)) > 1 ? split("-", port.value)[0] : port.value
)
to_port = tonumber(
length(split("-", port.value)) > 1 ? split("-", port.value)[1] : port.value
)
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
/* UDP */
dynamic "ingress" {
iterator = port
for_each = var.open_udp_ports
content {
/* Hacky way to handle ranges as strings */
from_port = tonumber(
length(split("-", port.value)) > 1 ? split("-", port.value)[0] : port.value
)
to_port = tonumber(
length(split("-", port.value)) > 1 ? split("-", port.value)[1] : port.value
)
protocol = "udp"
cidr_blocks = ["0.0.0.0/0"]
}
}
/* Without this aws_route_table is not created in time */
depends_on = [
aws_route_table_association.main
]
}