terraform-training/NetworkContentDelivery/Exercise3/main.tf

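# Availability Zones of the configured region. Filtering on state means
# the slice(..., 0, 2) in module "Vpc" below can only pick zones that are
# actually usable, never an impaired or unavailable one.
data "aws_availability_zones" "available" {
  state = "available"
}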
locals {
  # Two equally sized private subnets carved consecutively out of the VPC
  # CIDR, each 8 bits longer than the VPC prefix (a /16 VPC gives two /24s).
  # The name is spelled "PrivataSubnets" wherever module "Vpc" references
  # it, so it is kept as-is here.
  PrivataSubnets = [for i in range(2) : cidrsubnet(var.VpcCidr, 8, i)]
}
# VPC with private subnets only: one subnet per AZ, two AZs.
module "Vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.8.1"

  name = var.VpcName
  cidr = var.VpcCidr

  # The first two AZs reported for the region; local.PrivataSubnets also
  # holds two entries, so each AZ gets exactly one private subnet.
  azs             = slice(data.aws_availability_zones.available.names, 0, 2)
  private_subnets = local.PrivataSubnets
  private_subnet_names = [
    for i in range(length(local.PrivataSubnets)) : format("%sPrivate%d", var.VpcName, i)
  ]

  # No public or intra subnets are declared and no NAT gateway is created,
  # so workloads in these subnets presumably reach S3/DynamoDB only through
  # the gateway endpoints in module "VpcEndpoints", not via the internet.
  enable_nat_gateway = false

  enable_dns_hostnames = true
  enable_dns_support   = true

  enable_dhcp_options      = true
  dhcp_options_domain_name = "${var.VpcName}.aws"
}
# Gateway endpoints for S3 and DynamoDB, attached to every route table the
# VPC module exposes and restricted by the endpoint policies defined below.
module "VpcEndpoints" {
  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  version = "5.8.1"

  vpc_id = module.Vpc.vpc_id

  # Gateway endpoints are route-table entries rather than ENIs, so there is
  # no security group to create for them.
  create_security_group = false

  endpoints = {
    s3 = {
      service      = "s3"
      service_type = "Gateway"
      # module "Vpc" declares private subnets only, so the intra and public
      # lists are presumably empty and contribute nothing here.
      route_table_ids = concat(
        module.Vpc.intra_route_table_ids,
        module.Vpc.private_route_table_ids,
        module.Vpc.public_route_table_ids,
      )
      policy = data.aws_iam_policy_document.s3_endpoint_policy.json
      tags   = { Name = "S3VpcEp" }
    }

    dynamodb = {
      service      = "dynamodb"
      service_type = "Gateway"
      route_table_ids = concat(
        module.Vpc.intra_route_table_ids,
        module.Vpc.private_route_table_ids,
        module.Vpc.public_route_table_ids,
      )
      policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
      tags   = { Name = "DynamodbVpcEp" }
    }
  }
}
# Endpoint policy for the S3 gateway endpoint in module "VpcEndpoints".
# NOTE(review): the document contains a single Deny statement and no Allow.
# Every request that traverses this endpoint originates from the VPC it is
# attached to, so the aws:sourceVpc condition is presumably never false and
# the Deny never fires; confirm what the endpoint then permits, since an
# endpoint policy with no Allow statement may implicitly deny all traffic.
# The same condition is typically placed in an S3 bucket policy, where it
# limits a bucket to requests arriving from this VPC.
data "aws_iam_policy_document" "s3_endpoint_policy" {
  statement {
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions   = ["s3:*"]
    resources = ["*"]

    condition {
      test     = "StringNotEquals"
      variable = "aws:sourceVpc"
      values   = [module.Vpc.vpc_id]
    }
  }
}
# Endpoint policy for the DynamoDB gateway endpoint; mirrors the S3 one.
# NOTE(review): Deny-only document with no Allow statement. Requests through
# this endpoint always come from the VPC it belongs to, so the
# aws:sourceVpc condition is presumably never false and the Deny never
# fires; confirm what the endpoint then permits, since an endpoint policy
# without an Allow may implicitly deny all traffic. The condition is more
# useful in a table resource policy than in the endpoint policy.
data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
  statement {
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions   = ["dynamodb:*"]
    resources = ["*"]

    condition {
      test     = "StringNotEquals"
      variable = "aws:sourceVpc"
      values   = [module.Vpc.vpc_id]
    }
  }
}
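# Downloads Cloudflare's published IP ranges into CfIps.json, which the
# locals block below parses into the managed prefix list.
# - working_dir pins the download to path.module, the directory file()
#   reads from; without it wget writes to Terraform's current working
#   directory, which only coincides with path.module for the root module.
# - No triggers are declared, so the command runs once, when the resource
#   is first created; the list is not refreshed on later applies unless the
#   resource is tainted or replaced.
# - file() in the locals block is evaluated at plan time, so CfIps.json has
#   to exist before this provisioner has ever run.
# - The downloaded content is only protected by TLS; nothing here checks
#   it beyond the JSON parse in the locals block.
resource "null_resource" "CloudflareIps" {
  provisioner "local-exec" {
    working_dir = path.module
    command     = "wget -qO CfIps.json https://api.cloudflare.com/client/v4/ips"
  }
}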
locals {
  # Parsed body of the file written by null_resource.CloudflareIps.
  # file() runs during planning, before any provisioner executes, so a
  # fresh checkout without CfIps.json presumably fails at plan until the
  # file exists; the resource has no triggers, so the file is also not
  # refreshed on later applies.
  CfIpJson = jsondecode(file(format("%s/CfIps.json", path.module)))
}
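# Managed prefix list holding Cloudflare's IPv4 ranges, one entry per CIDR
# found in CfIps.json. Referenced by module "CloudflareSg".
resource "aws_ec2_managed_prefix_list" "pl1" {
  name           = "CloudflareIpRanges"
  address_family = "IPv4"

  # Hard cap on entries. The API rejects a list that exceeds it; the
  # precondition below reports that during plan with a clear message
  # instead of failing part-way through apply.
  max_entries = 20

  dynamic "entry" {
    for_each = local.CfIpJson.result.ipv4_cidrs
    content {
      cidr        = entry.value
      description = "Cloudflare IP"
    }
  }

  lifecycle {
    # precondition needs Terraform >= 1.2; the vpc module pinned in this
    # file already requires a release at least that new.
    precondition {
      condition     = length(local.CfIpJson.result.ipv4_cidrs) <= 20
      error_message = "CfIps.json lists more than 20 IPv4 CIDRs; raise max_entries on aws_ec2_managed_prefix_list.pl1."
    }
  }
}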
# Security group whose only ingress is HTTPS from the Cloudflare prefix
# list, presumably for origin hosts that should accept traffic solely via
# Cloudflare. The rule string ("proto,from,to,source,description") is the
# format of the local security_group module. egress is left empty; whether
# that means no egress rules or a module default is decided in that
# module, not here. The group is only created here; nothing in this file
# attaches it to an instance.
module "CloudflareSg" {
  source = "../../Modules/Compute/security_group"

  name        = "cloudflare-ips"
  description = "Cloudflare Ip Ranges"
  vpc-id      = module.Vpc.vpc_id

  ingress = {
    r1 = "tcp,443,443,${aws_ec2_managed_prefix_list.pl1.id},Cloudflare Prefix List"
  }
  egress = {}
}