From 154ee2a0eb18df08c8ea76b5969b20fff4443b1b Mon Sep 17 00:00:00 2001 From: xpk Date: Mon, 12 Dec 2022 11:18:38 +0800 Subject: [PATCH] UPD: VPC module now requires cidr ranges to be supplied in root module. Created adconnector module --- modules/networking/vpc_subnets/variables.tf | 26 +++++++++++------- modules/networking/vpc_subnets/vpc.tf | 27 ++++++++++++------- .../ds-adconnector/main.tf | 18 +++++++++++++ .../ds-adconnector/outputs.tf | 11 ++++++++ .../ds-adconnector/variables.tf | 10 +++++++ 5 files changed, 73 insertions(+), 19 deletions(-) create mode 100644 modules/security_identity_compliance/ds-adconnector/main.tf create mode 100644 modules/security_identity_compliance/ds-adconnector/outputs.tf create mode 100644 modules/security_identity_compliance/ds-adconnector/variables.tf diff --git a/modules/networking/vpc_subnets/variables.tf b/modules/networking/vpc_subnets/variables.tf index 3074239..ecf85a9 100644 --- a/modules/networking/vpc_subnets/variables.tf +++ b/modules/networking/vpc_subnets/variables.tf @@ -6,11 +6,12 @@ variable "default-tags" {} variable "aws-region" {} locals { - resource-prefix = "${var.environment}-${substr(var.aws-region,0,2)}-${var.customer-name}-${var.project}" + resource-prefix = "${var.environment}-${substr(var.aws-region, 0, 2)}-${var.customer-name}-${var.project}" } # VPC variables -variable vpc-cidr {} +variable "vpc-cidr" {} +/* variable number-of-public-subnets-per-az { type = number default = 0 
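Review bot: `variable "vpc-cidr" {}` is still declared without a `type` or `validation`, so a malformed or non-string value only fails later inside `cidrsubnets()` in vpc.tf with an opaque error rather than at the variable boundary. Give it `type = string` and a `validation` block whose condition is `can(cidrhost(var.vpc-cidr, 0))` with an `error_message` naming the variable, so the root module (which now has to supply all CIDRs) gets a clear plan-time failure. The `/*` opened on the line after it comments out the old `number-of-*-subnets-per-az` declarations instead of deleting them; since the commit message says they are no longer supported, deleting them avoids a stale declaration that readers may assume still works. That comment block is closed in the next hunk, outside this one.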
@@ -19,16 +20,23 @@ variable number-of-private-subnets-per-az { type = number default = 0 } -variable create-nat-gateway { - type = bool +*/ +variable "create-nat-gateway" { + type = bool default = false } -variable enable-flow-log { - type = bool +variable "enable-flow-log" { + type = bool default = true } -variable vpcflowlog-retain-days { - type = number +variable "vpcflowlog-retain-days" { + type = number default = 90 } -variable vpcflowlog-cwl-loggroup-key-arn {} \ No newline at end of file +variable "vpcflowlog-cwl-loggroup-key-arn" {} +variable "private-subnet-cidrs" {} +variable "public-subnet-cidrs" {} +variable "create-free-vpc-endpoints" { + type = bool + default = true +} \ No newline at end of file diff --git a/modules/networking/vpc_subnets/vpc.tf b/modules/networking/vpc_subnets/vpc.tf index d488954..fa18d33 100644 --- a/modules/networking/vpc_subnets/vpc.tf +++ b/modules/networking/vpc_subnets/vpc.tf @@ -3,14 +3,16 @@ data "aws_availability_zones" "available-az" { } locals { - subnet_start = cidrsubnets(var.vpc-cidr, 4, 4) + subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2 } resource aws_subnet private-subnets { - count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names) + count = length(var.private-subnet-cidrs) + # count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names) vpc_id = aws_vpc.vpc.id availability_zone = element(data.aws_availability_zones.available-az.names, count.index) - cidr_block = cidrsubnet(local.subnet_start[0], 4, count.index) + # cidr_block = cidrsubnet(local.subnet_start[0], 2, count.index) + cidr_block = var.private-subnet-cidrs[count.index] tags = merge( var.default-tags, { 
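Review bot: `private-subnet-cidrs` and `public-subnet-cidrs` are declared with no `type` and no `default`, so both are mandatory inputs — a private-only VPC must pass `public-subnet-cidrs = []` explicitly, and a caller passing a single string instead of a list only fails later at `length()`/indexing inside vpc.tf. Declare them as `type = list(string)` with `default = []`, which also lets the `length(...) > 0 ? 1 : 0` gates added in vpc.tf work when a caller omits one side. Consider a `validation` such as `alltrue([for c in var.private-subnet-cidrs : can(cidrhost(c, 0))])` so an unparseable CIDR is rejected at plan time instead of by the EC2 API. The `*/` on the first added line closes a comment block opened in the previous hunk.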
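Review bot: `local.subnet_start` is now dead code — its only consumers, the `cidr_block = cidrsubnet(local.subnet_start[...])` lines here and in the public-subnets hunk, are commented out — yet the local is still evaluated, so a bad `vpc-cidr` fails inside `cidrsubnets()` with a message that points at a scheme the module no longer uses, and readers are left guessing which addressing is authoritative. Either delete the local together with the commented-out `count`/`cidr_block` lines, or keep them behind a `# kept for reference; subnet CIDRs are now supplied by the root module` comment. Nothing checks that each supplied CIDR lies inside the VPC's CIDR; if the project's Terraform version supports `lifecycle { precondition { ... } }` (1.2+), a precondition on the subnet resource would surface that at plan time rather than as an apply-time API error. The `tags = merge(` block at the end of the hunk continues outside it.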
@@ -20,10 +22,12 @@ resource aws_subnet private-subnets { } resource aws_subnet public-subnets { - count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names) + count = length(var.public-subnet-cidrs) + # count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names) vpc_id = aws_vpc.vpc.id availability_zone = element(data.aws_availability_zones.available-az.names, count.index) - cidr_block = cidrsubnet(local.subnet_start[1], 4, count.index) + # cidr_block = cidrsubnet(local.subnet_start[1], 2, count.index) + cidr_block = var.public-subnet-cidrs[count.index] tags = merge( var.default-tags, { @@ -50,7 +54,7 @@ resource "aws_vpc" "vpc" { } resource "aws_internet_gateway" "igw" { - count = var.number-of-public-subnets-per-az > 0 ? 1 : 0 + count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 vpc_id = aws_vpc.vpc.id tags = merge( @@ -84,7 +88,7 @@ resource "aws_nat_gateway" "ngw" { } resource aws_route_table public-route-table { - count = var.number-of-public-subnets-per-az > 0 ? 1 : 0 + count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 vpc_id = aws_vpc.vpc.id tags = merge( var.default-tags, @@ -95,7 +99,7 @@ resource aws_route_table public-route-table { } resource aws_route_table private-route-table { - count = var.number-of-private-subnets-per-az > 0 ? 1 : 0 + count = length(var.private-subnet-cidrs) > 0 ? 1 : 0 vpc_id = aws_vpc.vpc.id tags = merge( var.default-tags, @@ -106,7 +110,7 @@ resource aws_route_table private-route-table { } resource "aws_route" "public-routes" { - count = var.number-of-public-subnets-per-az > 0 ? 1 : 0 + count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 destination_cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.igw[0].id 
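Review bot: Subnet identity is now purely positional: `cidr_block = var.public-subnet-cidrs[count.index]` and `availability_zone = element(data.aws_availability_zones.available-az.names, count.index)` tie each subnet to its list index, so inserting or removing a CIDR in the middle of the list in the root module re-addresses every later subnet and forces destroy/recreate of those subnets and whatever sits in them. A `for_each` over a map keyed by a stable name (for example `{ "a" = { cidr = "...", az = "..." } }`), or at minimum over `toset(var.public-subnet-cidrs)`, gives each subnet a stable resource address. AZ placement is also implicit — the nth CIDR lands in the nth available AZ, wrapping if there are more CIDRs than AZs — which deserves a comment on the `availability_zone` line if the positional form is kept. The resource's `tags = merge(` block continues past the end of the hunk.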
@@ -114,7 +118,7 @@ resource "aws_route" "public-routes" { } resource "aws_route" "private-routes" { - count = var.number-of-private-subnets-per-az > 0 ? 1 : 0 + count = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0 destination_cidr_block = "0.0.0.0/0" nat_gateway_id = aws_nat_gateway.ngw[0].id @@ -145,12 +149,14 @@ resource "aws_default_security_group" default-sg { self = true from_port = 0 to_port = 0 + description = "Allow traffic coming from this SG" } egress { from_port = 0 protocol = -1 to_port = 0 self = true + description = "Allow traffic going to this SG" } tags = merge( var.default-tags, @@ -162,6 +168,7 @@ resource "aws_default_security_group" default-sg { # Enable gateway endpoints which are free module vpc-ep { + count = var.create-free-vpc-endpoints ? 1 : 0 source = "../vpc-endpoints" default-tags = var.default-tags diff --git a/modules/security_identity_compliance/ds-adconnector/main.tf b/modules/security_identity_compliance/ds-adconnector/main.tf new file mode 100644 index 0000000..a113523 --- /dev/null +++ b/modules/security_identity_compliance/ds-adconnector/main.tf @@ -0,0 +1,18 @@ + +resource "aws_directory_service_directory" "connector" { + name = var.adc-domainname + alias = var.adc-alias # required by enable-sso + enable_sso = var.adc-enable-sso + password = var.adc-service-account-password + size = var.adc-size + type = "ADConnector" + description = "ADConnector" + tags = var.default-tags + + connect_settings { + customer_dns_ips = var.adc-dns-ips + customer_username = var.adc-service-account-username + subnet_ids = var.adc-subnet-ids + vpc_id = var.adc-vpc-id + } +} diff --git a/modules/security_identity_compliance/ds-adconnector/outputs.tf b/modules/security_identity_compliance/ds-adconnector/outputs.tf new file mode 100644 index 0000000..6289d15 --- /dev/null +++ b/modules/security_identity_compliance/ds-adconnector/outputs.tf 
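Review bot: The default security group keeps its `self = true` ingress and egress rules — this hunk only adds `description` lines to them — so any ENI that ends up attached to the default SG can reach every other member on all ports (the egress rule is explicitly `protocol = -1`; the ingress rule's protocol line is above the hunk). The CIS AWS Foundations control for the default security group expects it to carry no rules at all, precisely so that an accidental attachment grants nothing. If the self-rule is intentional, add a comment above the `ingress` block stating why and that it is a deliberate deviation from the benchmark; otherwise drop both rule blocks and leave `aws_default_security_group` empty. The resource block starts before this hunk.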
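Review bot: `password = var.adc-service-account-password` writes the AD service-account password into the Terraform state in plaintext — the provider may redact it in plan output, but state is not redacted — and the variable it comes from is not marked `sensitive` in this module's variables.tf, so any local or output derived from it is printed unredacted. Mark the variable `sensitive = true` (Terraform 0.14+), prefer sourcing the value from a secret store (e.g. a `data "aws_secretsmanager_secret_version"` lookup) over a root-module variable, and document that the state backend must be encrypted and access-restricted. Separately, AWS requires AD Connector `subnet_ids` to be exactly two subnets in different Availability Zones and `size` to be `Small` or `Large`; a `validation` on `adc-subnet-ids` and `adc-size` would fail fast instead of at the Directory Service API. The `# required by enable-sso` comment on `alias` is useful; extend it to say the alias must be globally unique across AWS, which is why it is caller-supplied.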
@@ -0,0 +1,11 @@
+output directory-id {
+ value = aws_directory_service_directory.connector.id
+}
+
+output security-group-id {
+ value = aws_directory_service_directory.connector.security_group_id
+}
+
+output connect-settings {
+ value = aws_directory_service_directory.connector.connect_settings
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/ds-adconnector/variables.tf b/modules/security_identity_compliance/ds-adconnector/variables.tf
new file mode 100644
index 0000000..8716492
--- /dev/null
+++ b/modules/security_identity_compliance/ds-adconnector/variables.tf
@@ -0,0 +1,10 @@
+variable "adc-domainname" {}
+variable "adc-service-account-password" {}
+variable "adc-size" {}
+variable "adc-dns-ips" {}
+variable "adc-service-account-username" {}
+variable "adc-subnet-ids" {}
+variable "adc-vpc-id" {}
+variable "adc-alias" {}
+variable "adc-enable-sso" {}
+variable "default-tags" {}
\ No newline at end of file
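Review bot: The output names are written unquoted (`output directory-id {`, `output security-group-id {`, `output connect-settings {`) while every other block in this new module uses the quoted form (`variable "adc-domainname" {}`, `resource "aws_directory_service_directory" "connector"`); `terraform fmt` rewrites these to `output "directory-id" {`, so the next formatting run will produce a noisy follow-up diff. Quote them now and give each a `description`, e.g. `description = "ID of the AD Connector directory"` on the first one, so consumers of the module can tell what `connect-settings` (the full `connect_settings` block, including `customer_username`) contains without reading main.tf.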
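Review bot: `variable "adc-service-account-password" {}` carries a credential but is not marked `sensitive`, so Terraform will print it unredacted in any plan diff, output or `console` expression that references it; add `type = string` and `sensitive = true` inside the block (Terraform 0.14+). None of the other variables have types either — `adc-dns-ips` and `adc-subnet-ids` should be `list(string)`, `adc-enable-sso` should be `bool`, and `adc-size` deserves a `validation` with `contains(["Small", "Large"], var.adc-size)` since those are the only values the directory service accepts — so a wrong-shaped value currently surfaces only as a provider or API error at apply time. A one-line `description` on each variable would also let callers see what `adc-dns-ips` (the on-premises DNS servers the connector forwards to) and `adc-service-account-username` are for without opening main.tf.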