From 69fe037ec9c79f59e40eb7e8c728593e0e8635ea Mon Sep 17 00:00:00 2001
From: xpk
Date: Thu, 28 Jan 2021 15:04:01 +0800
Subject: [PATCH] NEW: added vpc and subnet code
---
 .../base-network/.terraform.lock.hcl | 37 +++++
 layers/networking/base-network/main.tf | 16 +++
 layers/networking/base-network/outputs.tf | 11 ++
 layers/networking/base-network/provider.tf | 13 ++
 .../networking/base-network/terraform.tfvars | 6 +
 layers/networking/base-network/variables.tf | 22 +++
 modules/networking/vpc_subnets/main.tf | 1 +
 modules/networking/vpc_subnets/outputs.tf | 11 ++
 modules/networking/vpc_subnets/variables.tf | 25 ++++
 modules/networking/vpc_subnets/vpc-flowlog.tf | 67 +++++++++
 modules/networking/vpc_subnets/vpc.tf | 135 ++++++++++++++++++
 .../cloudtrail_cwlogs/ct-key.tf | 2 +-
 .../cloudtrail_cwlogs/cw-loggroup.tf | 2 +-
 13 files changed, 346 insertions(+), 2 deletions(-)
 create mode 100644 layers/networking/base-network/.terraform.lock.hcl
 create mode 100644 layers/networking/base-network/main.tf
 create mode 100644 layers/networking/base-network/outputs.tf
 create mode 100644 layers/networking/base-network/provider.tf
 create mode 100644 layers/networking/base-network/terraform.tfvars
 create mode 100644 layers/networking/base-network/variables.tf
 create mode 100644 modules/networking/vpc_subnets/main.tf
 create mode 100644 modules/networking/vpc_subnets/outputs.tf
 create mode 100644 modules/networking/vpc_subnets/variables.tf
 create mode 100644 modules/networking/vpc_subnets/vpc-flowlog.tf
 create mode 100644 modules/networking/vpc_subnets/vpc.tf
diff --git a/layers/networking/base-network/.terraform.lock.hcl b/layers/networking/base-network/.terraform.lock.hcl
new file mode 100644
index 0000000..1360298
--- /dev/null
+++ b/layers/networking/base-network/.terraform.lock.hcl
@@ -0,0 +1,37 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "3.25.0" + constraints = ">= 2.68.0, >= 3.25.0" + hashes = [ + "h1:9bXU5cFO/2DX8z5whaGMA7wcCalKQJZrBm89AuePuEM=", + "zh:2d3c65461bc63ec39bce7b5afdbed9a3b4dd5c2c8ee94616ad1866e24cf9b8f0", + "zh:2fb2ea6ccac30b909b603e183433737a30c58ec1f9a6a8b5565f0f051490c07a", + "zh:31a5f192c8cf29fb677cd639824f9a685578a2564c6b790517db33ea56229045", + "zh:437a12cf9a4d7bc92c9bf14ee7e224d5d3545cbd2154ba113ae82c4bb68edc27", + "zh:4bbdc3155a5dea90b2d50adfa460b0759c4dd959efaf7f66b2a0385a53b469b2", + "zh:63a8cd523ba31358692a34a06e111d88769576ac6d0e5adad8e0b4ae0a2d8882", + "zh:c4301ce86e8cb2c464949bb99e729ffe7b0c55eaf34b82ba526bb5039bca36f3", + "zh:c97b84861c6c550b8d2feb12d089660fffbf51dc7d660dcc9d54d4a7b3c2c882", + "zh:d6a103570e2d5c387b068fac4b88654dfa21d44ca1bdfa4bc8ab94c88effd71a", + "zh:f08cf2faf960a8ca374ac860f37c31c88ed2bab460116ac74678e0591babaac5", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.0.0" + hashes = [ + "h1:ysHGBhBNkIiJLEpthB/IVCLpA1Qoncp3KbCTFGFZTO0=", + "zh:05fb7eab469324c97e9b73a61d2ece6f91de4e9b493e573bfeda0f2077bc3a4c", + "zh:1688aa91885a395c4ae67636d411475d0b831e422e005dcf02eedacaafac3bb4", + "zh:24a0b1292e3a474f57c483a7a4512d797e041bc9c2fbaac42fe12e86a7fb5a3c", + "zh:2fc951bd0d1b9b23427acc93be09b6909d72871e464088171da60fbee4fdde03", + "zh:6db825759425599a326385a68acc6be2d9ba0d7d6ef587191d0cdc6daef9ac63", + "zh:85985763d02618993c32c294072cc6ec51f1692b803cb506fcfedca9d40eaec9", + "zh:a53186599c57058be1509f904da512342cfdc5d808efdaf02dec15f0f3cb039a", + "zh:c2e07b49b6efa676bdc7b00c06333ea1792a983a5720f9e2233db27323d2707c", + "zh:cdc8fe1096103cf5374751e2e8408ec4abd2eb67d5a1c5151fe2c7ecfd525bef", + "zh:dbdef21df0c012b0d08776f3d4f34eb0f2f229adfde07ff252a119e52c0f65b7", + ] +} 
diff --git a/layers/networking/base-network/main.tf b/layers/networking/base-network/main.tf
new file mode 100644
index 0000000..ad9b9b2
--- /dev/null
+++ b/layers/networking/base-network/main.tf
@@ -0,0 +1,16 @@
+data aws_caller_identity this {}
+
+module networking-vpc-subnets {
+ source = "../../../modules/networking/vpc_subnets"
+ application = var.application
+ environment = var.environment
+ customer-name = var.customer-name
+ project = var.project
+ default-tags = local.default-tags
+ number-of-private-subnets-per-az = 2
+ number-of-public-subnets-per-az = 1
+ create-nat-gateway = true
+ vpc-cidr = "10.2.0.0/16"
+ aws-region-short = "apne1"
+ aws-region = var.aws-region
+}
\ No newline at end of file
diff --git a/layers/networking/base-network/outputs.tf b/layers/networking/base-network/outputs.tf
new file mode 100644
index 0000000..b2d1176
--- /dev/null
+++ b/layers/networking/base-network/outputs.tf
@@ -0,0 +1,11 @@
+output vpc_id {
+ value = module.networking-vpc-subnets.vpc_id
+}
+
+output public_subnets {
+ value = module.networking-vpc-subnets.public_subnets
+}
+
+output private_subnets {
+ value = module.networking-vpc-subnets.private_subnets
+}
\ No newline at end of file
diff --git a/layers/networking/base-network/provider.tf b/layers/networking/base-network/provider.tf
new file mode 100644
index 0000000..4e906ad
--- /dev/null
+++ b/layers/networking/base-network/provider.tf
@@ -0,0 +1,13 @@
+provider "aws" {
+ region = var.aws-region
+}
+
+terraform {
+ required_version = ">= 0.14"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.25"
+ }
+ }
+}
\ No newline at end of file
diff --git a/layers/networking/base-network/terraform.tfvars b/layers/networking/base-network/terraform.tfvars
new file mode 100644
index 0000000..9f12b0d
--- /dev/null
+++ b/layers/networking/base-network/terraform.tfvars
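Review bot: `aws-region-short = "apne1"` in the `networking-vpc-subnets` module call is a literal, while this layer already declares `var.aws-region-short` in variables.tf and sets it in terraform.tfvars; passing `aws-region-short = var.aws-region-short` keeps the resource prefix, the region and the tfvars in step instead of relying on two places agreeing by hand. `vpc-cidr = "10.2.0.0/16"` is the only other environment-specific value that bypasses tfvars and would be better promoted to a layer variable for the same reason. The `data` and `module` blocks use unquoted labels while provider.tf in the same commit quotes them; pick one style for the layer.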
@@ -0,0 +1,6 @@
+aws-region = "ap-northeast-1"
+aws-region-short = "apne1"
+customer-name = "racken"
+environment = "lab"
+project = "cleanslate"
+application = "infra"
\ No newline at end of file
diff --git a/layers/networking/base-network/variables.tf b/layers/networking/base-network/variables.tf
new file mode 100644
index 0000000..b321ef4
--- /dev/null
+++ b/layers/networking/base-network/variables.tf
@@ -0,0 +1,22 @@
+variable "aws-region" {}
+variable "aws-region-short" {}
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+
+locals {
+ default-tags = {
+ ServiceProvider = "RackspaceTechnology"
+ Environment = var.environment
+ Project = var.project
+ Application = var.application
+ TerraformMode = "managed"
+ TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
+ CreatedBy = split(":",data.aws_caller_identity.this.user_id)[1]
+ BuildDate = formatdate("YYYYMMDD", timestamp())
+ }
+ ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
+ resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}
+
diff --git a/modules/networking/vpc_subnets/main.tf b/modules/networking/vpc_subnets/main.tf
new file mode 100644
index 0000000..18f3c83
--- /dev/null
+++ b/modules/networking/vpc_subnets/main.tf
@@ -0,0 +1 @@
+data aws_caller_identity this {}
\ No newline at end of file
diff --git a/modules/networking/vpc_subnets/outputs.tf b/modules/networking/vpc_subnets/outputs.tf
new file mode 100644
index 0000000..c7c1972
--- /dev/null
+++ b/modules/networking/vpc_subnets/outputs.tf
@@ -0,0 +1,11 @@
+output vpc_id {
+ value = aws_vpc.vpc.id
+}
+
+output public_subnets {
+ value = aws_subnet.public-subnets.*.cidr_block
+}
+
+output private_subnets {
+ value = aws_subnet.private-subnets.*.cidr_block
+}
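Review bot: `BuildDate = formatdate("YYYYMMDD", timestamp())` inside `local.default-tags` is re-evaluated on every plan, so every tagged resource in the layer and in the module it feeds shows a tag-only diff each new day and a `(known after apply)` tag on first plan; drop it or supply the date from outside Terraform. `TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")` bakes one workstation's checkout path into every tag and silently does nothing on any other machine; `path.root` or an explicit variable is portable. `CreatedBy = split(":", data.aws_caller_identity.this.user_id)[1]` presumably assumes an assumed-role `user_id` of the form `ROLEID:session`; for a principal whose `user_id` contains no colon the `[1]` index fails at plan time, so guard it, e.g. `CreatedBy = try(split(":", data.aws_caller_identity.this.user_id)[1], data.aws_caller_identity.this.user_id)`. `ct-bucket-name` is not referenced anywhere in this layer and looks carried over from the CloudTrail layer; remove it or give it a consumer.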
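Review bot: `public_subnets` and `private_subnets` in modules/networking/vpc_subnets/outputs.tf return `cidr_block` lists, yet the names read as subnet collections and the layer re-exports them under the same names in layers/networking/base-network/outputs.tf; anything that later places instances, endpoints or load balancers will need IDs, not CIDRs. Either rename them to `public_subnet_cidrs`/`private_subnet_cidrs` or add `output public_subnet_ids { value = aws_subnet.public-subnets.*.id }` (and the private counterpart) beside them, and give each output a `description` stating which it is.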
diff --git a/modules/networking/vpc_subnets/variables.tf b/modules/networking/vpc_subnets/variables.tf
new file mode 100644
index 0000000..bcff993
--- /dev/null
+++ b/modules/networking/vpc_subnets/variables.tf
@@ -0,0 +1,25 @@
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+variable "default-tags" {}
+variable "aws-region" {}
+variable "aws-region-short" {}
+
+locals {
+ resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}
+
+# VPC variables
+variable vpc-cidr {}
+variable number-of-public-subnets-per-az {}
+variable number-of-private-subnets-per-az {}
+variable create-nat-gateway {}
+variable enable-flow-log {
+ type = bool
+ default = true
+}
+variable vpcflowlog-retain-days {
+ type = number
+ default = 90
+}
\ No newline at end of file
diff --git a/modules/networking/vpc_subnets/vpc-flowlog.tf b/modules/networking/vpc_subnets/vpc-flowlog.tf
new file mode 100644
index 0000000..9fc43a1
--- /dev/null
+++ b/modules/networking/vpc_subnets/vpc-flowlog.tf
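Review bot: `vpc-cidr`, `number-of-public-subnets-per-az`, `number-of-private-subnets-per-az` and `create-nat-gateway` are declared with no `type`, unlike `enable-flow-log` and `vpcflowlog-retain-days` a few lines below, so the module's contract is only discoverable by reading vpc.tf, and a malformed CIDR or a non-numeric count surfaces as a provider error at apply rather than at plan. Declaring the types (and `type = map(string)` for `default-tags`, which is passed straight into `merge()`) plus a `validation` on the CIDR catches these up front; the file already requires Terraform >= 0.14 via the layer, so `validation` and `can()` are available.
```hcl
variable vpc-cidr {
  type = string
  validation {
    condition     = can(cidrnetmask(var.vpc-cidr))
    error_message = "The vpc-cidr value must be a valid IPv4 CIDR block."
  }
}
variable number-of-public-subnets-per-az {
  type = number
}
variable number-of-private-subnets-per-az {
  type = number
}
variable create-nat-gateway {
  type = bool
}
# … unchanged: enable-flow-log, vpcflowlog-retain-days …
```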
@@ -0,0 +1,67 @@
+resource "aws_flow_log" "vpc-flowlog" {
+ count = var.enable-flow-log ? 1 : 0
+ iam_role_arn = aws_iam_role.vpcflowlog-role.arn
+ log_destination = aws_cloudwatch_log_group.vpcflowlog-loggroup[0].arn
+ traffic_type = "ALL"
+ vpc_id = aws_vpc.vpc.id
+ tags = merge(
+ var.default-tags,
+ {
+ Name = "${local.resource-prefix}-vpcflowlog"
+ },
+ )
+}
+
+resource "aws_cloudwatch_log_group" "vpcflowlog-loggroup" {
+ count = var.enable-flow-log ? 1 : 0
+
+ name_prefix = "vpcflowlog/${aws_vpc.vpc.id}/"
+ kms_key_id = "arn:aws:kms:${var.aws-region}:${data.aws_caller_identity.this.account_id}:alias/lab-apne1-racken-cleanslate-kmskey-default"
+
+ retention_in_days = var.vpcflowlog-retain-days
+ tags = var.default-tags
+}
+
+resource "aws_iam_role" "vpcflowlog-role" {
+ name = "${local.resource-prefix}-vpcflowlog"
+ path = "/service/"
+ assume_role_policy = < 0 ? 1 : 0
+ vpc_id = aws_vpc.vpc.id
+
+ tags = merge(
+ var.default-tags,
+ {
+ Name = "${local.resource-prefix}-igw"
+ },
+ )
+}
+
+resource "aws_eip" "ngw-eip" {
+ count = var.create-nat-gateway ? 1 : 0
+ vpc = true
+ tags = var.default-tags
+ depends_on = [aws_internet_gateway.igw]
+}
+
+resource "aws_nat_gateway" "ngw" {
+ count = var.create-nat-gateway ? 1 : 0
+ allocation_id = aws_eip.ngw-eip[0].id
+ subnet_id = aws_subnet.public-subnets[0].id
+
+ tags = merge(
+ var.default-tags,
+ {
+ Name = "${local.resource-prefix}-ngw"
+ },
+ )
+
+ depends_on = [aws_internet_gateway.igw]
+}
+
+resource aws_route_table public-route-table {
+ count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
+ vpc_id = aws_vpc.vpc.id
+ tags = merge(
+ var.default-tags,
+ {
+ Name = "${local.resource-prefix}-publicroutetable"
+ },
+ )
+}
+
+resource aws_route_table private-route-table {
+ count = var.number-of-private-subnets-per-az > 0 ? 1 : 0
+ vpc_id = aws_vpc.vpc.id
+ tags = merge(
+ var.default-tags,
+ {
+ Name = "${local.resource-prefix}-privateroutetable"
+ },
+ )
+}
+
+resource "aws_route" "public-routes" {
+ count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
+
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw[0].id
+ route_table_id = aws_route_table.public-route-table[0].id
+}
+
+resource "aws_route" "private-routes" {
+ count = var.number-of-private-subnets-per-az > 0 ? 1 : 0
+
+ destination_cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.ngw[0].id
+ route_table_id = aws_route_table.private-route-table[0].id
+}
+
+resource "aws_route_table_association" "public_route_association" {
+ count = length(aws_subnet.public-subnets)
+ route_table_id = aws_route_table.public-route-table[0].id
+ subnet_id = aws_subnet.public-subnets[count.index].id
+}
+
+resource "aws_route_table_association" "private_route_association" {
+ count = length(aws_subnet.private-subnets)
+
+ route_table_id = aws_route_table.private-route-table[0].id
+ subnet_id = aws_subnet.private-subnets[count.index].id
+}
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
index 305eb40..a33c139 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
@@ -5,7 +5,7 @@ resource "aws_kms_key" "ctbucket-key" {
 }
 resource "aws_kms_alias" ctbucket-key-aliaas {
- name = "alias/${local.resource-prefix}-ctkey-alias"
+ name = "alias/${local.resource-prefix}-kmskey-default"
 target_key_id = aws_kms_key.ctbucket-key.key_id
 }
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
index 25a9924..47fdc4b 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
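Review bot: `aws_route.private-routes` is created whenever `number-of-private-subnets-per-az > 0` but dereferences `aws_nat_gateway.ngw[0]`, which only exists when `create-nat-gateway` is true, so a caller with private subnets and `create-nat-gateway = false` fails at plan with an invalid-index error; gate it on both, `count = (var.number-of-private-subnets-per-az > 0 && var.create-nat-gateway) ? 1 : 0`. In vpc-flowlog.tf, `kms_key_id` on `aws_cloudwatch_log_group.vpcflowlog-loggroup` is a string literal ending in `alias/lab-apne1-racken-cleanslate-kmskey-default` embedded in a reusable module, which ties every caller to one environment's key and to the alias rename made in ct-key.tf in this same commit without Terraform seeing the dependency; pass the key ARN in as a module variable (the `ct-cwl` log group in this commit passes `aws_kms_key.ctbucket-key.arn`, and I am not certain CloudWatch Logs accepts an alias ARN there at all). `aws_iam_role.vpcflowlog-role` has no `count` while the flow log and log group are both gated on `enable-flow-log`, leaving an unused role behind when flow logs are disabled; give it the same `count` and index it as `[0]`. The patch text here is damaged: the flow-log role's policy body, the `aws_vpc`/`aws_subnet` resources and the vpc.tf hunk header are missing from this view, so they were not reviewed.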
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
@@ -1,5 +1,5 @@
 resource "aws_cloudwatch_log_group" "ct-cwl" {
- name = "${local.resource-prefix}-cwl-001"
+ name_prefix = "cloudtrail/"
 retention_in_days = var.cloudtrail-retain-days
 kms_key_id = aws_kms_key.ctbucket-key.arn
 tags = var.default-tags
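Review bot: Replacing `name` with `name_prefix = "cloudtrail/"` on `aws_cloudwatch_log_group.ct-cwl` forces the resource to be recreated, which destroys the existing `${local.resource-prefix}-cwl-001` log group and every CloudTrail event stored in it before a new, randomly suffixed group is created. If that audit history must be retained, keep the old group (remove it from state rather than letting Terraform delete it, or keep a deterministic `name` such as `"cloudtrail/${local.resource-prefix}"`), and check the `aws_cloudtrail` resource that presumably consumes this group's ARN outside this hunk, since it will be updated to the new group in the same apply.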