diff --git a/.gitignore b/.gitignore index 32e3639..1f9ab44 100644 --- a/.gitignore +++ b/.gitignore @@ -32,6 +32,7 @@ bin/ .terraform *.tfstate *.tfstate.backup +*.tfstate.*.* .idea .terraform.lock.hcl terraform-training.iml diff --git a/NetworkContentDelivery/Exercise3/README.md b/NetworkContentDelivery/Exercise3/README.md index b9043bc..6a29baa 100644 --- a/NetworkContentDelivery/Exercise3/README.md +++ b/NetworkContentDelivery/Exercise3/README.md @@ -11,11 +11,13 @@ | Name | Version | |------|---------| | aws | 5.51.1 | +| null | 3.2.2 | ## Modules | Name | Source | Version | |------|--------|---------| +| CloudflareSg | ../../Modules/Compute/security_group | n/a | | Vpc | terraform-aws-modules/vpc/aws | 5.8.1 | | VpcEndpoints | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 5.8.1 | @@ -23,6 +25,8 @@ | Name | Type | |------|------| +| [aws_ec2_managed_prefix_list.pl1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_managed_prefix_list) | resource | +| [null_resource.CloudflareIps](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.s3_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -31,7 +35,6 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| PrivateSubnets | List of private subnets | `list(string)` | n/a | yes | | VpcCidr | VPC CIDR | `string` | n/a | yes | | VpcName | Name of VPC | `string` | n/a | yes | 
@@ -39,8 +42,10 @@ | Name | Description | |------|-------------| -| VpcCidr | n/a | -| VpcId | n/a | +| CloudflareSg | Cloudflare security group id | +| PrivateSubnetCidrs | Private subnet CIDRs | +| VpcCidr | Vpc CIDR | +| VpcId | Vpc ID | | last-updated | n/a | --- diff --git a/NetworkContentDelivery/Exercise3/main.tf b/NetworkContentDelivery/Exercise3/main.tf index 8c5a430..c6ecaa8 100644 --- a/NetworkContentDelivery/Exercise3/main.tf +++ b/NetworkContentDelivery/Exercise3/main.tf @@ -1,5 +1,9 @@ data "aws_availability_zones" "available" {} +locals { + PrivataSubnets = cidrsubnets(var.VpcCidr, 8, 8) +} + module "Vpc" { source = "terraform-aws-modules/vpc/aws" version = "5.8.1" @@ -8,8 +12,8 @@ module "Vpc" { cidr = var.VpcCidr azs = slice(data.aws_availability_zones.available.names, 0, 2) - private_subnets = var.PrivateSubnets - private_subnet_names = ["${var.VpcName}Private1", "${var.VpcName}Private2"] + private_subnets = local.PrivataSubnets + private_subnet_names = [for k, v in local.PrivataSubnets : "${var.VpcName}Private${k}"] enable_dns_hostnames = true enable_dns_support = true enable_nat_gateway = false 
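Review bot: `private_subnet_names` in the `@@ -8,8 +12,8` hunk is now built from the list index `k`, which is zero-based, so the subnets come out as `TrainingVpcPrivate0` and `TrainingVpcPrivate1` where the removed line named them `Private1`/`Private2`; use `"${var.VpcName}Private${k + 1}"` if the previous names are intended. The local introduced in the `@@ -1,5 +1,9` hunk and referenced here is spelled `PrivataSubnets`; renaming it `PrivateSubnets` in both places avoids a misleading identifier. Note also that `cidrsubnets(var.VpcCidr, 8, 8)` yields the first two /24s of the VPC rather than the `.100`/`.101` ranges the deleted tfvars entry supplied, so on an already-applied state this presumably forces the subnets to be replaced; a short comment on the `locals` block stating that the subnet plan is derived, not configurable, would make that explicit.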
@@ -83,4 +87,39 @@ data "aws_iam_policy_document" "dynamodb_endpoint_policy" { values = [module.Vpc.vpc_id] } } +} + +resource "null_resource" "CloudflareIps" { + provisioner "local-exec" { + command = "wget -qO CfIps.json https://api.cloudflare.com/client/v4/ips" + } +} + +locals { + CfIpJson = jsondecode(file("${path.module}/CfIps.json")) +} + +resource "aws_ec2_managed_prefix_list" "pl1" { + name = "CloudflareIpRanges" + address_family = "IPv4" + max_entries = 20 + dynamic "entry" { + for_each = local.CfIpJson.result.ipv4_cidrs + content { + cidr = entry.value + description = "Cloudflare IP" + } + } +} + +module "CloudflareSg" { + source = "../../Modules/Compute/security_group" + description = "Cloudflare Ip Ranges" + egress = { + } + ingress = { + r1 = "tcp,443,443,${aws_ec2_managed_prefix_list.pl1.id},Cloudflare Prefix List" + } + name = "cloudflare-ips" + vpc-id = module.Vpc.vpc_id } \ No newline at end of file diff --git a/NetworkContentDelivery/Exercise3/outputs.tf b/NetworkContentDelivery/Exercise3/outputs.tf index e61effc..be0091e 100644 --- a/NetworkContentDelivery/Exercise3/outputs.tf +++ b/NetworkContentDelivery/Exercise3/outputs.tf @@ -1,7 +1,19 @@ output "VpcId" { - value = module.Vpc.vpc_id + value = module.Vpc.vpc_id + description = "Vpc ID" } output "VpcCidr" { - value = module.Vpc.vpc_cidr_block + value = module.Vpc.vpc_cidr_block + description = "Vpc CIDR" +} + +output "PrivateSubnetCidrs" { + value = module.Vpc.private_subnets_cidr_blocks + description = "Private subnet CIDRs" +} + +output "CloudflareSg" { + value = module.CloudflareSg.id + description = "Cloudflare security group id" } \ No newline at end of file diff --git a/NetworkContentDelivery/Exercise3/terraform.tfvars b/NetworkContentDelivery/Exercise3/terraform.tfvars index 52542bb..6cdffea 100644 --- a/NetworkContentDelivery/Exercise3/terraform.tfvars +++ b/NetworkContentDelivery/Exercise3/terraform.tfvars 
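Review bot: `local.CfIpJson` reads `${path.module}/CfIps.json` with `file()`, which is evaluated at plan time, while the file is only produced by the `local-exec` provisioner at apply time and nothing ties the local to `null_resource.CloudflareIps`, so a fresh checkout fails at plan with a missing-file error; once the file exists the `null_resource` has no `triggers`, so it never re-runs and the on-disk JSON silently becomes the long-term source of the prefix list that `module.CloudflareSg` admits on 443. That untracked file is not covered by the `.gitignore` hunk above, and anyone who can edit it can widen the security-group allow-list without any change in reviewed code. Fetching the list with the `hashicorp/http` provider's `data "http"` source keeps the download inside every plan, drops the `null` provider and the `wget` dependency, and would replace `null` with `http` in the README's provider table. `max_entries = 20` is also a hard ceiling: the apply fails if the published IPv4 list ever grows past it. The `aws_iam_policy_document "dynamodb_endpoint_policy"` block closed at the top of the hunk starts outside it.
```hcl
data "http" "CloudflareIps" {
  url = "https://api.cloudflare.com/client/v4/ips"
}

locals {
  CfIpJson = jsondecode(data.http.CloudflareIps.response_body)
}

# … unchanged: aws_ec2_managed_prefix_list.pl1 and module.CloudflareSg …
```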
@@ -1,3 +1,2 @@
 VpcName = "TrainingVpc"
-VpcCidr = "192.168.0.0/16"
-PrivateSubnets = ["192.168.100.0/24", "192.168.101.0/24"]
\ No newline at end of file
+VpcCidr = "192.168.0.0/16"
\ No newline at end of file
diff --git a/NetworkContentDelivery/Exercise3/variables.tf b/NetworkContentDelivery/Exercise3/variables.tf
index 8745fed..a0afeb5 100644
--- a/NetworkContentDelivery/Exercise3/variables.tf
+++ b/NetworkContentDelivery/Exercise3/variables.tf
@@ -6,9 +6,4 @@ variable "VpcName" {
 variable "VpcCidr" {
 type = string
 description = "VPC CIDR"
-}
-
-variable "PrivateSubnets" {
- type = list(string)
- description = "List of private subnets"
 }
\ No newline at end of file