UPD: VPC module now requires CIDR ranges to be supplied in the root module. Created adconnector module.

This commit is contained in:
xpk 2022-12-12 11:18:38 +08:00
parent a79fe1f365
commit 154ee2a0eb
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
5 changed files with 73 additions and 19 deletions


@ -6,11 +6,12 @@ variable "default-tags" {}
variable "aws-region" {} variable "aws-region" {}
locals { locals {
resource-prefix = "${var.environment}-${substr(var.aws-region,0,2)}-${var.customer-name}-${var.project}" resource-prefix = "${var.environment}-${substr(var.aws-region, 0, 2)}-${var.customer-name}-${var.project}"
} }
# VPC variables # VPC variables
variable vpc-cidr {} variable "vpc-cidr" {}
/*
variable number-of-public-subnets-per-az { variable number-of-public-subnets-per-az {
type = number type = number
default = 0 default = 0
@ -19,16 +20,23 @@ variable number-of-private-subnets-per-az {
type = number type = number
default = 0 default = 0
} }
variable create-nat-gateway { */
type = bool variable "create-nat-gateway" {
type = bool
default = false default = false
} }
variable enable-flow-log { variable "enable-flow-log" {
type = bool type = bool
default = true default = true
} }
variable vpcflowlog-retain-days { variable "vpcflowlog-retain-days" {
type = number type = number
default = 90 default = 90
} }
variable vpcflowlog-cwl-loggroup-key-arn {} variable "vpcflowlog-cwl-loggroup-key-arn" {}
variable "private-subnet-cidrs" {}
variable "public-subnet-cidrs" {}
variable "create-free-vpc-endpoints" {
type = bool
default = true
}
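Review bot: The new `private-subnet-cidrs` and `public-subnet-cidrs` variables at the end of the hunk carry no type, yet main.tf applies `length()` and `[count.index]` to them, so a caller that passes a string or a map only fails deep inside the module with an unhelpful error. Declaring `type = list(string)` plus a validation that each entry parses as a CIDR moves that failure to plan time with a clear message, and a `description` records the list-order-to-AZ convention the subnet resources rely on. The same shape applies to both variables; only one is written out below.

```hcl
variable "private-subnet-cidrs" {
  type        = list(string)
  description = "One CIDR block per private subnet; subnets are assigned to availability zones in list order."
  validation {
    condition     = alltrue([for c in var.private-subnet-cidrs : can(cidrhost(c, 0))])
    error_message = "Every entry of private-subnet-cidrs must be a valid IPv4 CIDR block."
  }
}
# … public-subnet-cidrs: same type, description and validation …
```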


@ -3,14 +3,16 @@ data "aws_availability_zones" "available-az" {
} }
locals { locals {
subnet_start = cidrsubnets(var.vpc-cidr, 4, 4) subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2
} }
resource aws_subnet private-subnets { resource aws_subnet private-subnets {
count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names) count = length(var.private-subnet-cidrs)
# count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names)
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
availability_zone = element(data.aws_availability_zones.available-az.names, count.index) availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
cidr_block = cidrsubnet(local.subnet_start[0], 4, count.index) # cidr_block = cidrsubnet(local.subnet_start[0], 2, count.index)
cidr_block = var.private-subnet-cidrs[count.index]
tags = merge( tags = merge(
var.default-tags, var.default-tags,
{ {
@ -20,10 +22,12 @@ resource aws_subnet private-subnets {
} }
resource aws_subnet public-subnets { resource aws_subnet public-subnets {
count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names) count = length(var.public-subnet-cidrs)
# count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names)
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
availability_zone = element(data.aws_availability_zones.available-az.names, count.index) availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
cidr_block = cidrsubnet(local.subnet_start[1], 4, count.index) # cidr_block = cidrsubnet(local.subnet_start[1], 2, count.index)
cidr_block = var.public-subnet-cidrs[count.index]
tags = merge( tags = merge(
var.default-tags, var.default-tags,
{ {
@ -50,7 +54,7 @@ resource "aws_vpc" "vpc" {
} }
resource "aws_internet_gateway" "igw" { resource "aws_internet_gateway" "igw" {
count = var.number-of-public-subnets-per-az > 0 ? 1 : 0 count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
tags = merge( tags = merge(
@ -84,7 +88,7 @@ resource "aws_nat_gateway" "ngw" {
} }
resource aws_route_table public-route-table { resource aws_route_table public-route-table {
count = var.number-of-public-subnets-per-az > 0 ? 1 : 0 count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
tags = merge( tags = merge(
var.default-tags, var.default-tags,
@ -95,7 +99,7 @@ resource aws_route_table public-route-table {
} }
resource aws_route_table private-route-table { resource aws_route_table private-route-table {
count = var.number-of-private-subnets-per-az > 0 ? 1 : 0 count = length(var.private-subnet-cidrs) > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
tags = merge( tags = merge(
var.default-tags, var.default-tags,
@ -106,7 +110,7 @@ resource aws_route_table private-route-table {
} }
resource "aws_route" "public-routes" { resource "aws_route" "public-routes" {
count = var.number-of-public-subnets-per-az > 0 ? 1 : 0 count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
destination_cidr_block = "0.0.0.0/0" destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw[0].id gateway_id = aws_internet_gateway.igw[0].id
@ -114,7 +118,7 @@ resource "aws_route" "public-routes" {
} }
resource "aws_route" "private-routes" { resource "aws_route" "private-routes" {
count = var.number-of-private-subnets-per-az > 0 ? 1 : 0 count = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0
destination_cidr_block = "0.0.0.0/0" destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.ngw[0].id nat_gateway_id = aws_nat_gateway.ngw[0].id
@ -145,12 +149,14 @@ resource "aws_default_security_group" default-sg {
self = true self = true
from_port = 0 from_port = 0
to_port = 0 to_port = 0
description = "Allow traffic coming from this SG"
} }
egress { egress {
from_port = 0 from_port = 0
protocol = -1 protocol = -1
to_port = 0 to_port = 0
self = true self = true
description = "Allow traffic going to this SG"
} }
tags = merge( tags = merge(
var.default-tags, var.default-tags,
@ -162,6 +168,7 @@ resource "aws_default_security_group" default-sg {
# Enable gateway endpoints which are free # Enable gateway endpoints which are free
module vpc-ep { module vpc-ep {
count = var.create-free-vpc-endpoints ? 1 : 0
source = "../vpc-endpoints" source = "../vpc-endpoints"
default-tags = var.default-tags default-tags = var.default-tags
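Review bot: `subnet_start` at the top of the first hunk is still computed from `var.vpc-cidr`, but its only consumers are now the commented-out `cidr_block` lines in both subnet resources, so the local and the `# count = …` / `# cidr_block = cidrsubnet(…)` lines are dead code that keeps two addressing schemes on the page; drop them rather than keep both. The subnet-to-AZ mapping is now implicit in list order through `element(data.aws_availability_zones.available-az.names, count.index)`, which wraps silently when more CIDRs than AZs are supplied; a comment such as `# one subnet per list entry, placed in AZs round-robin in list order` on each subnet resource would make that explicit. On `private-routes`, with `create-nat-gateway` defaulting to false the private subnets get no default route, which looks intentional but deserves a one-line comment; whether `aws_nat_gateway.ngw` is gated by the same flag is outside the hunk, so that should be confirmed. In the last hunk `module vpc-ep` gains a `count`, so any existing reference of the form `module.vpc-ep.<output>` elsewhere presumably now needs `module.vpc-ep[0].<output>`.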


@ -0,0 +1,18 @@
resource "aws_directory_service_directory" "connector" {
name = var.adc-domainname
alias = var.adc-alias # required by enable-sso
enable_sso = var.adc-enable-sso
password = var.adc-service-account-password
size = var.adc-size
type = "ADConnector"
description = "ADConnector"
tags = var.default-tags
connect_settings {
customer_dns_ips = var.adc-dns-ips
customer_username = var.adc-service-account-username
subnet_ids = var.adc-subnet-ids
vpc_id = var.adc-vpc-id
}
}
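Review bot: `alias` on the third line is set unconditionally even though its trailing comment says it exists for `enable_sso`; as I understand the provider, an alias also registers an `awsapps.com` access URL for the directory, so with SSO off it is surface that nothing needs. Either make it follow the flag, `alias = var.adc-enable-sso ? var.adc-alias : null`, or replace the comment with one stating that the access URL is wanted regardless. `password` is persisted in this module's state by the resource, so the state backend must be encrypted and access-controlled; a comment above that line such as `# stored in state: keep the backend encrypted and restricted` records the dependency for the next maintainer. `description = "ADConnector"` repeats `type` and could carry the domain or purpose instead.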


@ -0,0 +1,11 @@
output directory-id {
value = aws_directory_service_directory.connector.id
}
output security-group-id {
value = aws_directory_service_directory.connector.security_group_id
}
output connect-settings {
value = aws_directory_service_directory.connector.connect_settings
}
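Review bot: The three output labels are unquoted (`output directory-id {`) while the same commit moves the VPC variable labels to the quoted form (`variable "create-nat-gateway"`), and none of the outputs has a `description`; `output "directory-id" {` with a one-line description each keeps the new module consistent with the rest of the change. `connect-settings` exports the entire block, including the service-account username and the internal DNS IPs, to whatever consumes the module; if callers only need the connector addresses, exporting `connect_settings[0].connect_ips` alone limits what surfaces in plan output and downstream outputs.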


@ -0,0 +1,10 @@
variable "adc-domainname" {}
variable "adc-service-account-password" {}
variable "adc-size" {}
variable "adc-dns-ips" {}
variable "adc-service-account-username" {}
variable "adc-subnet-ids" {}
variable "adc-vpc-id" {}
variable "adc-alias" {}
variable "adc-enable-sso" {}
variable "default-tags" {}
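Review bot: `adc-service-account-password` on the second line is declared without `sensitive = true`, so the variable's value is not redacted from plan output or from any output that echoes it; the provider may redact the resource attribute it feeds, but that does not cover the variable itself. Add `type = string` and `sensitive = true` (Terraform 0.14 or later). The remaining variables are also untyped: main.tf uses `adc-dns-ips` and `adc-subnet-ids` as lists and `adc-enable-sso` as a bool, so `type = list(string)` and `type = bool` respectively would catch a wrongly shaped value at plan time instead of at apply. A `description` on `adc-size` naming the accepted values would save readers a trip to the provider docs.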