From 571583dbc9f6c02aa258435cd061200a15c20204 Mon Sep 17 00:00:00 2001 From: thejsj Date: Wed, 26 Apr 2017 17:08:34 -0700 Subject: [PATCH 1/9] WIP --- main.tf | 10 ++++++++++ vpc-and-subnets/main.tf | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 vpc-and-subnets/main.tf diff --git a/main.tf b/main.tf index 843623f..0a87b8f 100644 --- a/main.tf +++ b/main.tf @@ -2,6 +2,16 @@ provider "aws" { region = "${var.aws_region}" } +module "vpc-and-subnets" { + source = "./vpc-and-subnets" + environment = "${var.environment}" + public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIf2LaAVw5wnc877az6Z4RdgAoRpJSJT+G7KHw+2Rv888PIf9vfTbIf/3uT8wRbhwt8jau3f2rK7AhFIQo4rLYhBYWQ+dUvNKyjpNc5ZZE7jwmtD2JLPI2aPi1ocAmFwIf5l6Gzaxkkko9iFP7hZD8dvHX00+n2m6/RvHUnbC62I1vd7JvGuYVJlhtkRpeEW0f42//l0q+UbIDw/eEs72w2YrO8VUhCE/0kvoZ8dyoz3CxeJqepgihgsOsNehq8YW93COR+Ywh3sRqv009GOuLJC02xtek6dyQwLG2L1pQJTyuvDCSsleB8kp9S9yDLu1Xlwjd/HQS3zqWREJ/ENDb" +} + +module "security-groups" { + source = "./vpc-and-subnets" +} + module "s3" { source = "./s3" domain = "${var.domain}" diff --git a/vpc-and-subnets/main.tf b/vpc-and-subnets/main.tf new file mode 100644 index 0000000..8402853 --- /dev/null +++ b/vpc-and-subnets/main.tf @@ -0,0 +1,36 @@ +variable "environment" {} +variable "public_key" {} + +resource "aws_vpc" "main" { + cidr_block = "10.10.0.0/16" + + tags { + Name = "${var.environment}-main" + } +} + +resource "aws_subnet" "main-subnet" { + vpc_id = "${aws_vpc.main.id}" + cidr_block = "10.10.1.0/24" + map_public_ip_on_launch = true + + tags { + Name = "${var.environment}-main-subnet" + Enviroment = "${var.environment}" + } +} + +resource "aws_subnet" "dock-subnet" { + vpc_id = "${aws_vpc.main.id}" + cidr_block = "10.10.2.0/24" + + tags { + Name = "${var.environment}-dock-subnet" + Enviroment = "${var.environment}" + } +} + +resource "aws_key_pair" "runnable-self-hosted" { + key_name = "runnable-self-hosted-key-pair" + public_key = "${var.public_key}" +} 
From 5f6561a9e3992977894857cee35b8f2ad59c488d Mon Sep 17 00:00:00 2001 From: thejsj Date: Wed, 26 Apr 2017 21:20:27 -0700 Subject: [PATCH 2/9] Add validated changes --- bastion/main.tf | 0 database/main.tf | 13 -- .../main.tf | 96 ------------- keypair/main.tf | 12 ++ main.tf | 49 +++++-- security-groups/main.tf | 135 ++++++++++++++++++ subnets/main.tf | 44 ++++++ variables.tf | 9 +- vpc-and-subnets/main.tf | 36 ----- vpc/main.tf | 13 ++ 10 files changed, 246 insertions(+), 161 deletions(-) create mode 100644 bastion/main.tf rename {instances-and-security-groups => instances}/main.tf (56%) create mode 100644 keypair/main.tf create mode 100644 security-groups/main.tf create mode 100644 subnets/main.tf delete mode 100644 vpc-and-subnets/main.tf create mode 100644 vpc/main.tf diff --git a/bastion/main.tf b/bastion/main.tf new file mode 100644 index 0000000..e69de29 diff --git a/database/main.tf b/database/main.tf index 748389d..ce32488 100644 --- a/database/main.tf +++ b/database/main.tf @@ -7,19 +7,6 @@ variable "vpc_id" {} variable "main_host_security_group_id" {} variable "instance_class" {} -resource "aws_security_group" "database_sg" { - name = "${var.environment}-database-sg" - description = "Allow inbound traffic from main host to DB port" - vpc_id = "${var.vpc_id}" - - ingress { - from_port = 5432 - to_port = 5432 - protocol = "tcp" - security_groups = ["${var.main_host_security_group_id}"] - } -} - resource "aws_db_instance" "main_postgres_db" { allocated_storage = 10 engine = "postgres" diff --git a/instances-and-security-groups/main.tf b/instances/main.tf similarity index 56% rename from instances-and-security-groups/main.tf rename to instances/main.tf index f3cbd78..04ff30b 100644 --- a/instances-and-security-groups/main.tf +++ b/instances/main.tf 
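Review bot: Deleting `aws_security_group.database_sg` leaves `aws_db_instance.main_postgres_db`, whose body continues below this hunk, still attached via `aws_security_group.database_sg.id` (the old line is visible in the patch-4 hunk later in this series), so the module cannot plan as committed in a series titled "Add validated changes". The fix is to take the group id as an input, `vpc_security_group_ids = ["${var.security_group_id}"]`, and drop the now-unused `vpc_id` and `main_host_security_group_id` variables kept as context here. Moving the group into security-groups is fine; the module boundary just needs to be completed in the same commit.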
@@ -20,102 +20,6 @@ variable "dock_ami" { default = "ami-557dee35" # dock-ami-build-v.0.0.8 } -resource "aws_security_group" "main_host_sg" { - name = "${var.environment}-main-host-sg" - description = "Allow all inbound traffic on all traffic over port 80" - vpc_id = "${var.vpc_id}" - - ingress { - from_port = 80 - to_port = 65535 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - security_groups = ["${var.bastion_sg_id}"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } -} - -resource "aws_security_group" "dock_sg" { - name = "${var.environment}-dock-sg" - description = "Allow all traffic from main host and between docks" - vpc_id = "${var.vpc_id}" - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - security_groups = ["${var.bastion_sg_id}"] - } - - ingress { - from_port = 32768 - to_port = 65535 - protocol = "tcp" - security_groups = ["${aws_security_group.main_host_sg.id}"] - } - - ingress { - from_port = 8200 - to_port = 8201 - protocol = "tcp" - security_groups = ["${aws_security_group.main_host_sg.id}"] - } - - ingress { - from_port = 4242 - to_port = 4242 - protocol = "tcp" - security_groups = ["${aws_security_group.main_host_sg.id}"] - } - - ingress { - from_port = 29006 - to_port = 29007 - protocol = "tcp" - security_groups = ["${aws_security_group.main_host_sg.id}"] - } - - ingress { - from_port = 3100 - to_port = 3100 - protocol = "tcp" - security_groups = ["${aws_security_group.main_host_sg.id}"] - } - - ingress { - from_port = 6783 - to_port = 6783 - protocol = "tcp" - self = true - } - - ingress { - from_port = 6783 - to_port = 6783 - protocol = "udp" - self = true - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } -} - resource "aws_instance" "main-instance" { ami = "${var.main_host_ami}" instance_type = "${var.main_host_instance_type}" 
diff --git a/keypair/main.tf b/keypair/main.tf new file mode 100644 index 0000000..f44de21 --- /dev/null +++ b/keypair/main.tf @@ -0,0 +1,12 @@ +variable "public_key" {} +variable "enviroment" {} + +resource "aws_key_pair" "main_key" { + key_name = "${var.environment}-key-pair" + public_key = "${var.public_key}" +} + +output "key_pair_name" { + value = "aws_key_pair.main_key.name" +} + diff --git a/main.tf b/main.tf index 0a87b8f..003f93c 100644 --- a/main.tf +++ b/main.tf @@ -2,14 +2,27 @@ provider "aws" { region = "${var.aws_region}" } -module "vpc-and-subnets" { - source = "./vpc-and-subnets" +module "key_pair" { + source = "./keypair" environment = "${var.environment}" - public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIf2LaAVw5wnc877az6Z4RdgAoRpJSJT+G7KHw+2Rv888PIf9vfTbIf/3uT8wRbhwt8jau3f2rK7AhFIQo4rLYhBYWQ+dUvNKyjpNc5ZZE7jwmtD2JLPI2aPi1ocAmFwIf5l6Gzaxkkko9iFP7hZD8dvHX00+n2m6/RvHUnbC62I1vd7JvGuYVJlhtkRpeEW0f42//l0q+UbIDw/eEs72w2YrO8VUhCE/0kvoZ8dyoz3CxeJqepgihgsOsNehq8YW93COR+Ywh3sRqv009GOuLJC02xtek6dyQwLG2L1pQJTyuvDCSsleB8kp9S9yDLu1Xlwjd/HQS3zqWREJ/ENDb" + public_key = "${var.public_key}" } -module "security-groups" { - source = "./vpc-and-subnets" +module "vpc" { + source = "./vpc" + environment = "${var.environment}" +} + +module "subnets" { + source = "./subnets" + environment = "${var.environment}" + vpc_id = "${module.vpc.main_vpc_id}" +} + +module "security_groups" { + source = "./security-groups" + environment = "${var.environment}" + vpc_id = "${module.vpc.main_vpc_id}" } module "s3" { 
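Review bot: `variable "enviroment" {}` in the new keypair/main.tf is misspelled while `key_name = "${var.environment}-key-pair"` reads `var.environment`, so the module fails with an unknown-variable error; declare `variable "environment" {}`. The output `value = "aws_key_pair.main_key.name"` is a plain string, not an interpolation, so `module.key_pair.key_pair_name` in main.tf hands the instances the literal text rather than the created key name; use `value = "${aws_key_pair.main_key.key_name}"`. Since every SSH-accessible host in the environment is keyed from this one resource, a one-line comment stating that `public_key` is the operator's key supplied through tfvars would help the next reader.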
@@ -19,17 +32,23 @@ module "s3" { force_destroy = "${var.force_destroy_s3_buckets}" } -module "instances-and-security-groups" { - source = "./instances-and-security-groups" +module "bastion" { + source = "./bastion" + environment = "${var.environment}" + vpc_id = "${module.vpc.main_vpc_id}" +} + +module "instances" { + source = "./instances" environment = "${var.environment}" - vpc_id = "${var.main_host_vpc_id}" - main_host_subnet_id = "${var.main_host_subnet_id}" - dock_subnet_id = "${var.dock_subnet_id}" + vpc_id = "${module.vpc.main_vpc_id}" + main_host_subnet_id = "${module.subnets.main_subnet_id}" + dock_subnet_id = "${module.subnets.dock_subnet_id}" private_ip = "${var.main_host_private_ip}" github_org_id = "${var.github_org_id}" lc_user_data_file_location = "${var.lc_user_data_file_location}" - key_name = "${var.key_name}" - bastion_sg_id = "${var.bastion_sg_id}" + key_name = "${module.key_pair.key_pair_name}" + bastion_sg_id = "${module.subnets.bastion_sg_id}" main_host_instance_type = "${var.main_host_instance_type}" dock_instance_type = "${var.dock_instance_type}" } @@ -40,8 +59,8 @@ module "database" { username = "${var.db_username}" password = "${var.db_password}" port = "${var.db_port}" - subnet_group_name = "${var.db_subnet_group_name}" - main_host_security_group_id = "${module.instances-and-security-groups.main_security_group_id}" - vpc_id = "${var.main_host_vpc_id}" + subnet_group_name = "${module.subnets.database_subnet_group_name}" + main_host_security_group_id = "${module.security_groups.main_security_group_id}" + vpc_id = "${module.vpc.main_vpc_id}" instance_class = "${var.db_instance_class}" } diff --git a/security-groups/main.tf b/security-groups/main.tf new file mode 100644 index 0000000..f90bf3d --- /dev/null +++ b/security-groups/main.tf 
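Review bot: `bastion_sg_id = "${module.subnets.bastion_sg_id}"` names an output the subnets module does not declare; the bastion group is created in security-groups, so this should read `bastion_sg_id = "${module.security_groups.bastion_sg_id}"`. In the database hunk on this line, `module.security_groups.main_security_group_id` likewise matches none of that module's outputs (it exports `main_sg_id` and `db_sg_id`), and the group the RDS instance should receive is the database group, `security_group_id = "${module.security_groups.db_sg_id}"`, not the main host's. Both references fail at plan time rather than silently, but they show the module contracts in this commit were not validated against each other.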
@@ -0,0 +1,135 @@
+variable "environment" {}
+variable "vpc_id" {}
+
+resource "aws_security_group" "bastion_sg" {
+ name = "${var.environment}-bastion-sg"
+ description = "Allow ssh access through this box"
+ vpc_id = "${var.vpc_id}"
+
+ # TODO: Set ingress/egress
+}
+
+resource "aws_security_group" "main_host_sg" {
+ name = "${var.environment}-main-host-sg"
+ description = "Allow all inbound traffic on all traffic over port 80"
+ vpc_id = "${var.vpc_id}"
+
+ ingress {
+ from_port = 80
+ to_port = 65535
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.bastion_sg.id}"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_security_group" "dock_sg" {
+ name = "${var.environment}-dock-sg"
+ description = "Allow all traffic from main host and between docks"
+ vpc_id = "${var.vpc_id}"
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.bastion_sg.id}"]
+ }
+
+ ingress {
+ from_port = 32768
+ to_port = 65535
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.main_host_sg.id}"]
+ }
+
+ ingress {
+ from_port = 8200
+ to_port = 8201
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.main_host_sg.id}"]
+ }
+
+ ingress {
+ from_port = 4242
+ to_port = 4242
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.main_host_sg.id}"]
+ }
+
+ ingress {
+ from_port = 29006
+ to_port = 29007
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.main_host_sg.id}"]
+ }
+
+ ingress {
+ from_port = 3100
+ to_port = 3100
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.main_host_sg.id}"]
+ }
+
+ ingress {
+ from_port = 6783
+ to_port = 6783
+ protocol = "tcp"
+ self = true
+ }
+
+ ingress {
+ from_port = 6783
+ to_port = 6783
+ protocol = "udp"
+ self = true
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_security_group" "database_sg" {
+ name = "${var.environment}-database-sg"
+ description = "Allow inbound traffic from main host to DB port"
+ vpc_id = "${var.vpc_id}"
+
+ ingress {
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.main_host_sg.id}"]
+ }
+}
+
+output "bastion_sg_id" {
+ value = "${aws_security_group.bastion_sg.id}"
+}
+
+output "main_sg_id" {
+ value = "${aws_security_group.main_host_sg.id}"
+}
+
+output "db_sg_id" {
+ value = "${aws_security_group.database_sg.id}"
+}
+
+output "dock_sg_id" {
+ value = "${aws_security_group.dock_sg.id}"
+}
diff --git a/subnets/main.tf b/subnets/main.tf
new file mode 100644
index 0000000..a44cd19
--- /dev/null
+++ b/subnets/main.tf
@@ -0,0 +1,44 @@
+variable "environment" {}
+
+resource "aws_subnet" "main_subnet" {
+ vpc_id = "${aws_vpc.main.id}"
+ cidr_block = "10.10.1.0/24"
+ map_public_ip_on_launch = true
+
+ tags {
+ Name = "${var.environment}-main-subnet"
+ Enviroment = "${var.environment}"
+ }
+}
+
+resource "aws_subnet" "dock_subnet" {
+ vpc_id = "${aws_vpc.main.id}"
+ cidr_block = "10.10.2.0/24"
+
+ tags {
+ Name = "${var.environment}-dock-subnet"
+ Enviroment = "${var.environment}"
+ }
+}
+
+resource "aws_db_subnet_group" "database_subnet_group" {
+ name = "${var.enviroment}-database-subnet-group"
+ subnet_ids = ["${aws_subnet.main-subnet"]
+
+ tags {
+ Name = "${var.enviroment}-database-subnet-group"
+ Enviroment = "${var.enviroment}"
+ }
+}
+
+output "main_subnet_id" {
+ value = "${aws_subnet.main_subnet.id}"
+}
+
+output "dock_subnet_id" {
+ value = "${aws_subnet.dock_subnet.id}"
+}
+
+output "database_subnet_group_name" {
+ value = "${aws_subnet.database_subnet_group.name}"
+}
diff --git a/variables.tf b/variables.tf
index 6005f5d..f14f131 100644
--- a/variables.tf
+++ b/variables.tf
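Review bot: The `main_host_sg` ingress `from_port = 80` / `to_port = 65535` with `cidr_blocks = ["0.0.0.0/0"]` exposes every TCP port from 80 upward to the internet — including 8200–8201, 4242, 3100, 29006–29007 and the 32768–65535 range that the `dock_sg` rules carefully restrict to the main host by security-group reference — while the description says only port 80. Narrow the public rule to the ports actually served (`to_port = 80`, plus a separate 443 rule if TLS terminates here) and keep the service ports reachable only through the group references. `bastion_sg` is declared with no `egress` block; the Terraform AWS provider strips the default allow-all egress from a managed group, so until the `# TODO` is resolved the bastion cannot open an outbound connection and the port-22 rules that reference it never see traffic. `database_sg` in this hunk is fine as written because it carries only the 5432 rule from `main_host_sg`.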
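Review bot: In the new subnets/main.tf, `vpc_id = "${aws_vpc.main.id}"` refers to a resource that lives in the vpc module, and main.tf passes `vpc_id` to this module without a matching declaration, so both subnets should read `vpc_id = "${var.vpc_id}"` with `variable "vpc_id" {}` added. `subnet_ids = ["${aws_subnet.main-subnet"]` is an unterminated interpolation naming a subnet that does not exist (the resource is `main_subnet`), `var.enviroment` is misspelled three times, and the last output references `aws_subnet.database_subnet_group` instead of `aws_db_subnet_group.database_subnet_group`. Beyond the syntax, the DB subnet group is built from `main_subnet`, which sets `map_public_ip_on_launch = true`; the database belongs in private subnets without that flag, and an `aws_db_subnet_group` must span at least two availability zones, which a single subnet cannot satisfy.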
@@ -18,12 +18,19 @@ variable "domain" { type = "string" } +# Key Pair + +variable "public_key" { + description = "Public key for key which will be used for sshing into instances through bastion" + type = "string" +} + # S3 Buckets variable "force_destroy_s3_buckets" { description = "Forces destroy of S3 buckets and deletes all their content. Default to false. Use this only when tearing down an environment. Before running `terraform destroy`, `terraform apply` must be run to updates buckets." type = "string" - default = "false" # https://www.terraform.io/docs/configuration/variables.html#booleans + default = "true" # https://www.terraform.io/docs/configuration/variables.html#booleans } # Databases diff --git a/vpc-and-subnets/main.tf b/vpc-and-subnets/main.tf deleted file mode 100644 index 8402853..0000000 --- a/vpc-and-subnets/main.tf +++ /dev/null @@ -1,36 +0,0 @@ -variable "environment" {} -variable "public_key" {} - -resource "aws_vpc" "main" { - cidr_block = "10.10.0.0/16" - - tags { - Name = "${var.environment}-main" - } -} - -resource "aws_subnet" "main-subnet" { - vpc_id = "${aws_vpc.main.id}" - cidr_block = "10.10.1.0/24" - map_public_ip_on_launch = true - - tags { - Name = "${var.environment}-main-subnet" - Enviroment = "${var.environment}" - } -} - -resource "aws_subnet" "dock-subnet" { - vpc_id = "${aws_vpc.main.id}" - cidr_block = "10.10.2.0/24" - - tags { - Name = "${var.environment}-dock-subnet" - Enviroment = "${var.environment}" - } -} - -resource "aws_key_pair" "runnable-self-hosted" { - key_name = "runnable-self-hosted-key-pair" - public_key = "${var.public_key}" -} diff --git a/vpc/main.tf b/vpc/main.tf new file mode 100644 index 0000000..780df19 --- /dev/null +++ b/vpc/main.tf @@ -0,0 +1,13 @@ +variable "environment" {} + +resource "aws_vpc" "main" { + cidr_block = "10.10.0.0/16" + + tags { + Name = "${var.environment}-main" + } +} + +output "main_vpc_id" { + value = "${aws_vpc.main.id}" +} 
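Review bot: `default = "true"` for `force_destroy_s3_buckets` contradicts the description immediately above it ("Default to false. Use this only when tearing down an environment") and makes `terraform destroy` delete every bucket's contents unless an operator remembers to override it. Keep `default = "false"` and set the flag only in a tfvars file for a deliberate teardown, or update the description if the new default is intended. The new `public_key` variable is fine; its description could add that the value is the public half only and is never written to state as a secret.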
From 7eac388c2401c3b2a1d5a3d6f34e9603731bd4a4 Mon Sep 17 00:00:00 2001 From: thejsj Date: Wed, 26 Apr 2017 21:22:20 -0700 Subject: [PATCH 3/9] Remove unsued variables --- environments/runnable-on-prem.example.tfvars | 7 ----- variables.tf | 30 -------------------- 2 files changed, 37 deletions(-) diff --git a/environments/runnable-on-prem.example.tfvars b/environments/runnable-on-prem.example.tfvars index 8aea5f0..9454ce1 100644 --- a/environments/runnable-on-prem.example.tfvars +++ b/environments/runnable-on-prem.example.tfvars @@ -2,14 +2,7 @@ domain = "" db_username = "" # Must start with a letter db_password = "" -db_subnet_group_name = "" -main_host_vpc_id = "" -main_host_subnet_id = "" -main_host_private_ip = "10.4.0.100" -dock_subnet_id = "" github_org_id = "" -key_name = "" lc_user_data_file_location = "~/dock-runnable-on-prem.sh" -bastion_sg_id = "" environment = "runnable-on-prem" aws_region = "us-west-2" diff --git a/variables.tf b/variables.tf index f14f131..6171557 100644 --- a/variables.tf +++ b/variables.tf @@ -51,11 +51,6 @@ variable "db_port" { type = "string" } -variable "db_subnet_group_name" { - description = "Subnet in which database will be created" - type = "string" -} - variable "db_instance_class" { description = "Type of instance that will be used for database" type = "string" 
@@ -64,21 +59,6 @@ variable "db_instance_class" { # EC2 Instances -variable "main_host_vpc_id" { - description = "VPC in which security groups and instance for main host will be created." - type = "string" -} - -variable "main_host_subnet_id" { - description = "Subnet in which main host EC2 instance will be created. Subnet must be part of VPC in `main_host_vpc_id`" - type = "string" -} - -variable "bastion_sg_id" { - description = "Security group id for bastion instance" - type = "string" -} - variable "main_host_private_ip" { description = "Private IP address in VPC for main-host. This is important because ip address is encoded in launch configuration for docks." default = "10.4.0.100" @@ -91,11 +71,6 @@ variable "main_host_instance_type" { default = "m4.2xlarge" } -variable "dock_subnet_id" { - description = "Subnet in which dock EC2 instance will be created. Subnet must be part of VPC in `main_host_vpc_id`" - type = "string" -} - variable "dock_instance_type" { description = "Type of instance that will be used for all docks" type = "string" @@ -111,8 +86,3 @@ variable "lc_user_data_file_location" { description = "Location for file generated for launch configuration. This file needs to have correct IPs, ports, and files" type = "string" } - -variable "key_name" { - description = "Name of ssh key to be used for accessing all instances" - type = "string" -} From a7ed20141a95b70c879ac02d1b97211bc3d23361 Mon Sep 17 00:00:00 2001 From: thejsj Date: Wed, 26 Apr 2017 21:25:33 -0700 Subject: [PATCH 4/9] Fix database module --- database/main.tf | 5 ++--- main.tf | 17 ++++++++--------- variables.tf | 1 - 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/database/main.tf b/database/main.tf index ce32488..0ddd7f6 100644 --- a/database/main.tf +++ b/database/main.tf 
@@ -3,8 +3,7 @@ variable "username" {} variable "password" {} variable "port" {} variable "subnet_group_name" {} -variable "vpc_id" {} -variable "main_host_security_group_id" {} +variable "security_group_id" {} variable "instance_class" {} resource "aws_db_instance" "main_postgres_db" { @@ -17,6 +16,6 @@ resource "aws_db_instance" "main_postgres_db" { password = "${var.password}" port = "${var.port}" db_subnet_group_name = "${var.subnet_group_name}" - vpc_security_group_ids = ["${aws_security_group.database_sg.id}"] + vpc_security_group_ids = ["${var.security_group_id}"] skip_final_snapshot = true } diff --git a/main.tf b/main.tf index 003f93c..40aff8e 100644 --- a/main.tf +++ b/main.tf @@ -54,13 +54,12 @@ module "instances" { } module "database" { - source = "./database" - environment = "${var.environment}" - username = "${var.db_username}" - password = "${var.db_password}" - port = "${var.db_port}" - subnet_group_name = "${module.subnets.database_subnet_group_name}" - main_host_security_group_id = "${module.security_groups.main_security_group_id}" - vpc_id = "${module.vpc.main_vpc_id}" - instance_class = "${var.db_instance_class}" + source = "./database" + environment = "${var.environment}" + username = "${var.db_username}" + password = "${var.db_password}" + port = "${var.db_port}" + subnet_group_name = "${module.subnets.database_subnet_group_name}" + security_group_id = "${module.security_groups.db_sg_id}" + instance_class = "${var.db_instance_class}" } diff --git a/variables.tf b/variables.tf index 6171557..dc980e3 100644 --- a/variables.tf +++ b/variables.tf @@ -1,6 +1,5 @@ # General - variable "aws_region" { description = "AWS region to launch servers." default = "us-west-2" From ab66805e6f38d7a10765b78cf3662a1c4b50eaab Mon Sep 17 00:00:00 2001 From: thejsj Date: Wed, 26 Apr 2017 21:29:00 -0700 Subject: [PATCH 5/9] Fix instance module --- instances/main.tf | 16 ++++++---------- main.tf | 4 ++-- 2 files changed, 8 insertions(+), 12 deletions(-) 
diff --git a/instances/main.tf b/instances/main.tf index 04ff30b..0885fc2 100644 --- a/instances/main.tf +++ b/instances/main.tf @@ -1,5 +1,4 @@ variable "environment" {} -variable "vpc_id" {} variable "main_host_subnet_id" {} variable "main_host_instance_type" {} variable "dock_subnet_id" {} @@ -8,7 +7,8 @@ variable "private_ip" {} variable "github_org_id" {} variable "lc_user_data_file_location" {} variable "key_name" {} -variable "bastion_sg_id" {} +variable "main_sg_id" {} +variable "dock_sg_id" {} # Changing AMI forces new resource and will delete all everything in main host # Ovewrite this variable with previous AMI if update is pushed @@ -20,12 +20,12 @@ variable "dock_ami" { default = "ami-557dee35" # dock-ami-build-v.0.0.8 } -resource "aws_instance" "main-instance" { +resource "aws_instance" "main_instance" { ami = "${var.main_host_ami}" instance_type = "${var.main_host_instance_type}" associate_public_ip_address = true private_ip = "${var.private_ip}" - vpc_security_group_ids = ["${aws_security_group.main_host_sg.id}"] + vpc_security_group_ids = ["${var.main_sg_id}"] subnet_id = "${var.main_host_subnet_id}" key_name = "${var.key_name}" @@ -40,7 +40,7 @@ resource "aws_launch_configuration" "dock_lc" { instance_type = "${var.dock_instance_type}" user_data = "${file("${var.lc_user_data_file_location}")}" key_name = "${var.key_name}" - security_groups = ["${aws_security_group.dock_sg.id}"] + security_groups = ["${var.dock_sg_id}"] root_block_device { volume_size = 10 @@ -57,7 +57,7 @@ resource "aws_launch_configuration" "dock_lc" { } } -resource "aws_autoscaling_group" "dock-auto-scaling-group" { +resource "aws_autoscaling_group" "dock_auto_scaling_group" { name = "asg-${var.environment}-${var.github_org_id}" max_size = 30 min_size = 2 @@ -83,7 +83,3 @@ resource "aws_autoscaling_group" "dock-auto-scaling-group" { propagate_at_launch = true } } - -output "main_security_group_id" { - value = "${aws_security_group.main_host_sg.id}" -} 
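Review bot: Renaming `aws_instance "main-instance"` to `"main_instance"` and `aws_autoscaling_group "dock-auto-scaling-group"` to `"dock_auto_scaling_group"` changes the resource addresses, so against an existing state Terraform plans a destroy and recreate of the main host and the dock ASG — the same outcome the file-level comment warns about for AMI changes. Either keep the old names or move state first, `terraform state mv aws_instance.main-instance aws_instance.main_instance` (and the ASG equivalent), and say so in the commit message. Replacing the in-module groups with `var.main_sg_id` and `var.dock_sg_id` is the right direction; a short comment above those two variables stating that the caller is responsible for wiring the correct groups would document the new contract.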
diff --git a/main.tf b/main.tf index 40aff8e..8e35486 100644 --- a/main.tf +++ b/main.tf @@ -41,16 +41,16 @@ module "bastion" { module "instances" { source = "./instances" environment = "${var.environment}" - vpc_id = "${module.vpc.main_vpc_id}" main_host_subnet_id = "${module.subnets.main_subnet_id}" dock_subnet_id = "${module.subnets.dock_subnet_id}" private_ip = "${var.main_host_private_ip}" github_org_id = "${var.github_org_id}" lc_user_data_file_location = "${var.lc_user_data_file_location}" key_name = "${module.key_pair.key_pair_name}" - bastion_sg_id = "${module.subnets.bastion_sg_id}" main_host_instance_type = "${var.main_host_instance_type}" dock_instance_type = "${var.dock_instance_type}" + main_sg_id = "${module.security_groups.main_sg_id}" + dock_sg_id = "${module.security_groups.dock_sg_id}" } module "database" { From bd769739b20210c5a67f44d592f416f28546eb37 Mon Sep 17 00:00:00 2001 From: thejsj Date: Wed, 26 Apr 2017 21:36:20 -0700 Subject: [PATCH 6/9] Start adding bastion --- bastion/main.tf | 19 +++++++++++++++++++ main.tf | 14 +++++++++++--- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/bastion/main.tf b/bastion/main.tf index e69de29..9a96335 100644 --- a/bastion/main.tf +++ b/bastion/main.tf @@ -0,0 +1,19 @@ +variable "environment" {} +variable "ami" {} +variable "subnet_id" {} +variable "instance_type" {} +variable "key_name" {} +variable "sg_id" {} + +resource "aws_instance" "bastion_instance" { + ami = "${var.ami}" + instance_type = "${var.instance_type}" + associate_public_ip_address = true + vpc_security_group_ids = ["${var.sg_id}"] + subnet_id = "${var.subnet_id}" + key_name = "${var.key_name}" + + tags { + Name = "${var.environment}-bastion" + } +} diff --git a/main.tf b/main.tf index 8e35486..24de929 100644 --- a/main.tf +++ b/main.tf 
@@ -14,12 +14,14 @@ module "vpc" { } module "subnets" { + # TODO: Add subnet for bastion? source = "./subnets" environment = "${var.environment}" vpc_id = "${module.vpc.main_vpc_id}" } module "security_groups" { + # TODO: Add sg for bastion source = "./security-groups" environment = "${var.environment}" vpc_id = "${module.vpc.main_vpc_id}" @@ -32,10 +34,16 @@ module "s3" { force_destroy = "${var.force_destroy_s3_buckets}" } +# NOTE: This should all work expect for bastion module "bastion" { - source = "./bastion" - environment = "${var.environment}" - vpc_id = "${module.vpc.main_vpc_id}" + source = "./bastion" + environment = "${var.environment}" + vpc_id = "${module.vpc.main_vpc_id}" + sg_id = "${module.security_groups.bastion_sg_id}" + ami = "" # TODO: get ami + subnet = "" # TODO: should this be diff than main subnet? + instance_type = "" # TODO: should be small + key_name = "${module.key_pair.key_pair_name}" } module "instances" { From 6f3cc2c14cdb57787393449e51236219ce6b4b73 Mon Sep 17 00:00:00 2001 From: thejsj Date: Thu, 27 Apr 2017 21:21:59 -0700 Subject: [PATCH 7/9] Add fixes --- bastion/main.tf | 1 + environments/runnable-on-prem.example.tfvars | 3 ++- keypair/main.tf | 2 +- main.tf | 3 ++- subnets/main.tf | 20 +++++++++++--------- 5 files changed, 17 insertions(+), 12 deletions(-) diff --git a/bastion/main.tf b/bastion/main.tf index 9a96335..e474ad7 100644 --- a/bastion/main.tf +++ b/bastion/main.tf @@ -4,6 +4,7 @@ variable "subnet_id" {} variable "instance_type" {} variable "key_name" {} variable "sg_id" {} +variable "vpc_id" {} resource "aws_instance" "bastion_instance" { ami = "${var.ami}" diff --git a/environments/runnable-on-prem.example.tfvars b/environments/runnable-on-prem.example.tfvars index 9454ce1..fb59ae6 100644 --- a/environments/runnable-on-prem.example.tfvars +++ b/environments/runnable-on-prem.example.tfvars 
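Review bot: The bastion block passes `subnet = ""` while bastion/main.tf declares `subnet_id`, passes `vpc_id`, which that module does not declare, and leaves `ami`, `subnet` and `instance_type` as empty strings, so the root module cannot plan as committed; the `# NOTE` above it acknowledges this. Matching the module interface with `subnet_id = "${module.subnets.main_subnet_id}"` and dropping `vpc_id` would let the rest of the configuration validate while the AMI and size are decided. Until then, commenting the block out (as a later patch in this series does) keeps the branch applyable.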
@@ -1,8 +1,9 @@ # All variables in this document should match domain = "" +github_org_id = "" +public_key = "" db_username = "" # Must start with a letter db_password = "" -github_org_id = "" lc_user_data_file_location = "~/dock-runnable-on-prem.sh" environment = "runnable-on-prem" aws_region = "us-west-2" diff --git a/keypair/main.tf b/keypair/main.tf index f44de21..c02e3ed 100644 --- a/keypair/main.tf +++ b/keypair/main.tf @@ -1,5 +1,5 @@ variable "public_key" {} -variable "enviroment" {} +variable "environment" {} resource "aws_key_pair" "main_key" { key_name = "${var.environment}-key-pair" diff --git a/main.tf b/main.tf index 24de929..44d69ab 100644 --- a/main.tf +++ b/main.tf @@ -35,6 +35,7 @@ module "s3" { } # NOTE: This should all work expect for bastion +/* module "bastion" { source = "./bastion" environment = "${var.environment}" @@ -44,7 +45,7 @@ module "bastion" { subnet = "" # TODO: should this be diff than main subnet? instance_type = "" # TODO: should be small key_name = "${module.key_pair.key_pair_name}" -} +}*/ module "instances" { source = "./instances" diff --git a/subnets/main.tf b/subnets/main.tf index a44cd19..60037a8 100644 --- a/subnets/main.tf +++ b/subnets/main.tf 
@@ -1,33 +1,35 @@ variable "environment" {} +variable "vpc_id" {} resource "aws_subnet" "main_subnet" { - vpc_id = "${aws_vpc.main.id}" + vpc_id = "${var.vpc_id}" cidr_block = "10.10.1.0/24" map_public_ip_on_launch = true tags { Name = "${var.environment}-main-subnet" - Enviroment = "${var.environment}" + Environment = "${var.environment}" } } resource "aws_subnet" "dock_subnet" { - vpc_id = "${aws_vpc.main.id}" + vpc_id = "${var.vpc_id}" cidr_block = "10.10.2.0/24" tags { Name = "${var.environment}-dock-subnet" - Enviroment = "${var.environment}" + Environment = "${var.environment}" } } resource "aws_db_subnet_group" "database_subnet_group" { - name = "${var.enviroment}-database-subnet-group" - subnet_ids = ["${aws_subnet.main-subnet"] + name = "${var.environment}-database-subnet-group" + # NOTE: What subnets should this have? + subnet_ids = ["${aws_subnet.main_subnet.id}", "${aws_subnet.dock_subnet.id}"] tags { - Name = "${var.enviroment}-database-subnet-group" - Enviroment = "${var.enviroment}" + Name = "${var.environment}-database-subnet-group" + Environment = "${var.environment}" } } @@ -40,5 +42,5 @@ output "dock_subnet_id" { } output "database_subnet_group_name" { - value = "${aws_subnet.database_subnet_group.name}" + value = "${aws_db_subnet_group.database_subnet_group.name}" } From d9d7b97444535ff7a099eaa790553e05a2f24392 Mon Sep 17 00:00:00 2001 From: thejsj Date: Mon, 1 May 2017 09:53:12 -0700 Subject: [PATCH 8/9] WIP: Adding VPC, subnets, route tables, etc --- bastion/main.tf | 11 +++++----- keypair/main.tf | 2 +- main.tf | 46 ++++++++++++++++++++++++++++------------- security-groups/main.tf | 15 +++++++++++++- subnets/main.tf | 21 +++++++++++++++++-- vpc/main.tf | 33 ++++++++++++++++++++++++++++- 6 files changed, 103 insertions(+), 25 deletions(-) diff --git a/bastion/main.tf b/bastion/main.tf index e474ad7..625ce2d 100644 --- a/bastion/main.tf +++ b/bastion/main.tf 
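Review bot: The `# NOTE: What subnets should this have?` question deserves an answer before merge: `aws_db_subnet_group.database_subnet_group` now includes `main_subnet`, which sets `map_public_ip_on_launch = true`, so the database can be placed in the public subnet. Use dedicated private subnets for the group (no public-IP assignment, no route to the internet gateway) and keep `dock_subnet` only if it remains private. Neither subnet sets `availability_zone`, so both may land in the same AZ, in which case the subnet group would fail the RDS two-AZ requirement. The reference, spelling and output fixes in this hunk are correct.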
@@ -1,19 +1,18 @@ variable "environment" {} -variable "ami" {} variable "subnet_id" {} -variable "instance_type" {} variable "key_name" {} variable "sg_id" {} -variable "vpc_id" {} resource "aws_instance" "bastion_instance" { - ami = "${var.ami}" - instance_type = "${var.instance_type}" - associate_public_ip_address = true + ami = "ami-5189a661" + instance_type = "t2.micro" vpc_security_group_ids = ["${var.sg_id}"] subnet_id = "${var.subnet_id}" key_name = "${var.key_name}" + associate_public_ip_address = true + source_dest_check = false + tags { Name = "${var.environment}-bastion" } diff --git a/keypair/main.tf b/keypair/main.tf index c02e3ed..225f297 100644 --- a/keypair/main.tf +++ b/keypair/main.tf @@ -7,6 +7,6 @@ resource "aws_key_pair" "main_key" { } output "key_pair_name" { - value = "aws_key_pair.main_key.name" + value = "${aws_key_pair.main_key.key_name}" } diff --git a/main.tf b/main.tf index 44d69ab..98bbdd1 100644 --- a/main.tf +++ b/main.tf 
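Review bot: `source_dest_check = false` on the bastion disables the instance's source/destination check, which is needed only for NAT or routing instances; a jump host relays SSH at the application layer and should keep the default so it cannot be used as a packet forwarder. Drop the line, or if the bastion is also meant to route, state that in a comment. Hard-coding `ami = "ami-5189a661"` and `instance_type = "t2.micro"` in place of the removed variables ties the module to one region (AMI ids are region-specific) while `region` is threaded into the subnets module; keeping `variable "ami"` with this value as its `default` preserves the convenience without the lock-in.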
@@ -15,38 +15,36 @@ module "vpc" { module "subnets" { # TODO: Add subnet for bastion? - source = "./subnets" - environment = "${var.environment}" - vpc_id = "${module.vpc.main_vpc_id}" + source = "./subnets" + environment = "${var.environment}" + region = "${var.aws_region}" + vpc_id = "${module.vpc.main_vpc_id}" + public_route_table_id = "${module.vpc.public_route_table_id}" } module "security_groups" { - # TODO: Add sg for bastion source = "./security-groups" environment = "${var.environment}" vpc_id = "${module.vpc.main_vpc_id}" } -module "s3" { +/*module "s3" { source = "./s3" domain = "${var.domain}" environment = "${var.environment}" force_destroy = "${var.force_destroy_s3_buckets}" -} +}*/ # NOTE: This should all work expect for bastion -/* module "bastion" { source = "./bastion" environment = "${var.environment}" - vpc_id = "${module.vpc.main_vpc_id}" sg_id = "${module.security_groups.bastion_sg_id}" - ami = "" # TODO: get ami - subnet = "" # TODO: should this be diff than main subnet? - instance_type = "" # TODO: should be small + subnet_id = "${module.subnets.main_subnet_id}" key_name = "${module.key_pair.key_pair_name}" -}*/ +} +/* module "instances" { source = "./instances" environment = "${var.environment}" @@ -60,9 +58,9 @@ module "instances" { dock_instance_type = "${var.dock_instance_type}" main_sg_id = "${module.security_groups.main_sg_id}" dock_sg_id = "${module.security_groups.dock_sg_id}" -} +}*/ -module "database" { +/*module "database" { source = "./database" environment = "${var.environment}" username = "${var.db_username}" 
@@ -71,4 +69,24 @@ module "database" { subnet_group_name = "${module.subnets.database_subnet_group_name}" security_group_id = "${module.security_groups.db_sg_id}" instance_class = "${var.db_instance_class}" +}*/ + +output "environment" { + value = "${var.environment}" +} + +output "vpc_id" { + value = "${module.vpc.main_vpc_id}" +} + +output "public_route_table_id" { + value = "${module.vpc.public_route_table_id}" +} + +output "database_subnet_group_name" { + value = "${module.subnets.database_subnet_group_name}" +} + +output "key_pair_name" { + value = "${module.key_pair.key_pair_name}" } diff --git a/security-groups/main.tf b/security-groups/main.tf index f90bf3d..a5334c2 100644 --- a/security-groups/main.tf +++ b/security-groups/main.tf @@ -6,7 +6,20 @@ resource "aws_security_group" "bastion_sg" { description = "Allow ssh access through this box" vpc_id = "${var.vpc_id}" - # TODO: Set ingress/egress + ingress = { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + self = false + } + + egress { + from_port = 0 + to_port = 0 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } } resource "aws_security_group" "main_host_sg" { diff --git a/subnets/main.tf b/subnets/main.tf index 60037a8..b85a946 100644 --- a/subnets/main.tf +++ b/subnets/main.tf 
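Review bot: The new `bastion_sg` egress rule uses `protocol = "tcp"` with `from_port = 0` / `to_port = 0`, which AWS appears to treat as TCP port 0 only (the all-ports shorthand is `protocol = "-1"`), so the bastion still cannot open outbound SSH sessions to the main host or docks; patch 9 touches this file outside this chunk and may already correct it. Use `protocol = "-1"` as the other groups in this file do, or better, limit egress to `from_port = 22` / `to_port = 22` toward the VPC CIDR, which is all a jump host needs. The ingress opens port 22 to `0.0.0.0/0`; a `var.admin_cidr_blocks` input would let deployers restrict SSH to their own ranges, and `ingress = {` should be the block form `ingress {` to match the rest of the file.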
@@ -1,25 +1,37 @@
 variable "environment" {}
 variable "vpc_id" {}
+variable "region" {}
+variable "public_route_table_id" {}
 resource "aws_subnet" "main_subnet" {
 vpc_id = "${var.vpc_id}"
 cidr_block = "10.10.1.0/24"
 map_public_ip_on_launch = true
+ availability_zone = "${var.region}a"
 tags {
 Name = "${var.environment}-main-subnet"
 Environment = "${var.environment}"
 }
+
+ lifecycle {
+ create_before_destroy = true
+ }
 }
 resource "aws_subnet" "dock_subnet" {
- vpc_id = "${var.vpc_id}"
- cidr_block = "10.10.2.0/24"
+ vpc_id = "${var.vpc_id}"
+ cidr_block = "10.10.2.0/24"
+ availability_zone = "${var.region}b"
 tags {
 Name = "${var.environment}-dock-subnet"
 Environment = "${var.environment}"
 }
+
+ lifecycle {
+ create_before_destroy = true
+ }
 }
 resource "aws_db_subnet_group" "database_subnet_group" {
@@ -33,6 +45,11 @@ resource "aws_db_subnet_group" "database_subnet_group" {
 }
 }
+resource "aws_route_table_association" "public" {
+ subnet_id = "${aws_subnet.main_subnet.id}"
+ route_table_id = "${var.public_route_table_id}"
+}
+
 output "main_subnet_id" {
 value = "${aws_subnet.main_subnet.id}"
 }
diff --git a/vpc/main.tf b/vpc/main.tf
index 780df19..21d16c4 100644
--- a/vpc/main.tf
+++ b/vpc/main.tf
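Review bot: `create_before_destroy = true` on `main_subnet` and `dock_subnet` cannot succeed when either subnet is replaced, because the replacement is created with the same fixed `cidr_block` while the old subnet still exists, and AWS rejects a subnet whose CIDR overlaps another subnet in the same VPC; adding `availability_zone` to an already-deployed subnet is exactly such a replacement. Dropping the two `lifecycle` blocks (the default destroy-then-create order) is the form that works for fixed-CIDR subnets. The `"${var.region}a"` / `"${var.region}b"` values also assume every region names its zones with `a`/`b` suffixes; looking the names up through the `aws_availability_zones` data source avoids that assumption. The `resource "aws_db_subnet_group"` line at the end of the first hunk opens a block that continues outside it.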
@@ -1,13 +1,44 @@
 variable "environment" {}
 resource "aws_vpc" "main" {
- cidr_block = "10.10.0.0/16"
+ cidr_block = "10.10.0.0/16"
+ enable_dns_hostnames = true
 tags {
 Name = "${var.environment}-main"
 }
 }
+resource "aws_internet_gateway" "main" {
+ vpc_id = "${aws_vpc.main.id}"
+
+ tags {
+ Name = "${var.environment}-main-ig"
+ }
+}
+
+resource "aws_route_table" "main" {
+ vpc_id = "${aws_vpc.main.id}"
+
+ route {
+ ipv6_cidr_block = "::/0"
+ gateway_id = "${aws_internet_gateway.main.id}"
+ }
+
+ tags {
+ Name = "${var.environment}-main-route-table"
+ }
+}
+
+resource "aws_main_route_table_association" "main_route_table" {
+ vpc_id = "${aws_vpc.main.id}"
+ route_table_id = "${aws_route_table.main.id}"
+}
+
 output "main_vpc_id" {
 value = "${aws_vpc.main.id}"
 }
+
+output "public_route_table_id" {
+ value = "${aws_route_table.main.id}"
+}
From c41ca53df711bf3d22abbafbe260d24338b3a431 Mon Sep 17 00:00:00 2001
From: thejsj
Date: Wed, 10 May 2017 14:47:11 -0700
Subject: [PATCH 9/9] Add output and minor fixes
---
 main.tf | 37 +++++++++++++++++++++++++++----------
 security-groups/main.tf | 2 +-
 variables.tf | 2 +-
 vpc/main.tf | 2 +-
 4 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/main.tf b/main.tf
index 98bbdd1..d9cf6e5 100644
--- a/main.tf
+++ b/main.tf
@@ -14,7 +14,6 @@ module "vpc" {
 }
 module "subnets" {
- # TODO: Add subnet for bastion?
 source = "./subnets"
 environment = "${var.environment}"
 region = "${var.aws_region}"
@@ -28,14 +27,13 @@ module "security_groups" {
 vpc_id = "${module.vpc.main_vpc_id}"
 }
-/*module "s3" {
+module "s3" {
 source = "./s3"
 domain = "${var.domain}"
 environment = "${var.environment}"
 force_destroy = "${var.force_destroy_s3_buckets}"
-}*/
+}
-# NOTE: This should all work expect for bastion
 module "bastion" {
 source = "./bastion"
 environment = "${var.environment}"
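Review bot: `aws_main_route_table_association` makes the internet-gateway route table the VPC's main route table, so every subnet without an explicit association — `dock_subnet` in subnets/main.tf has none in this series — inherits a default route to the internet gateway, and the public/private split the subnet layout suggests does not exist at the routing level. Since `main_subnet` already receives this table through `aws_route_table_association.public`, the main-table association is redundant for the public subnet and only widens exposure for the others. Removing the `aws_main_route_table_association` resource leaves the VPC's own default route table with its local route only, so a subnet reaches the gateway only when it is associated on purpose.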
@@ -44,7 +42,6 @@ module "bastion" {
 key_name = "${module.key_pair.key_pair_name}"
 }
-/*
 module "instances" {
 source = "./instances"
 environment = "${var.environment}"
@@ -58,9 +55,9 @@ module "instances" {
 dock_instance_type = "${var.dock_instance_type}"
 main_sg_id = "${module.security_groups.main_sg_id}"
 dock_sg_id = "${module.security_groups.dock_sg_id}"
-}*/
+}
-/*module "database" {
+module "database" {
 source = "./database"
 environment = "${var.environment}"
 username = "${var.db_username}"
@@ -69,7 +66,7 @@ module "instances" {
 subnet_group_name = "${module.subnets.database_subnet_group_name}"
 security_group_id = "${module.security_groups.db_sg_id}"
 instance_class = "${var.db_instance_class}"
-}*/
+}
 output "environment" {
 value = "${var.environment}"
@@ -79,8 +76,12 @@ output "vpc_id" {
 value = "${module.vpc.main_vpc_id}"
 }
-output "public_route_table_id" {
- value = "${module.vpc.public_route_table_id}"
+output "main_host_subnet_id" {
+ value = "${module.subnets.main_subnet_id}"
+}
+
+output "dock_subnet_id" {
+ value = "${module.subnets.dock_subnet_id}"
 }
 output "database_subnet_group_name" {
@@ -90,3 +91,19 @@ output "database_subnet_group_name" {
 output "key_pair_name" {
 value = "${module.key_pair.key_pair_name}"
 }
+
+output "aws_region" {
+ value = "${var.aws_region}"
+}
+
+output "postgres_user" {
+ value = "${var.db_username}"
+}
+
+output "postgres_password" {
+ value = "${var.db_password}"
+}
+
+output "main_host_private_ip" {
+ value = "${var.main_host_private_ip}"
+}
diff --git a/security-groups/main.tf b/security-groups/main.tf
index a5334c2..9e5013e 100644
--- a/security-groups/main.tf
+++ b/security-groups/main.tf
@@ -17,7 +17,7 @@ resource "aws_security_group" "bastion_sg" {
 egress {
 from_port = 0
 to_port = 0
- protocol = "tcp"
+ protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
diff --git a/variables.tf b/variables.tf
index dc980e3..7013980 100644
--- a/variables.tf
+++ b/variables.tf
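Review bot: `output "postgres_password"` in the last main.tf hunk exposes the database password as a root-module output, so it is printed at the end of every `terraform apply` and by `terraform output`, which puts it into terminal scrollback and CI logs; outputs are also kept in plaintext in the state file. Mark it `sensitive = true` so the CLI redacts it — `output "postgres_password" { value = "${var.db_password}" sensitive = true }` — and treat the state backend as holding the secret regardless. The same consideration applies, less urgently, to `postgres_user`.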
@@ -60,7 +60,7 @@ variable "db_instance_class" {
 variable "main_host_private_ip" {
 description = "Private IP address in VPC for main-host. This is important because ip address is encoded in launch configuration for docks."
- default = "10.4.0.100"
+ default = "10.10.1.100"
 type = "string"
 }
diff --git a/vpc/main.tf b/vpc/main.tf
index 21d16c4..15274a1 100644
--- a/vpc/main.tf
+++ b/vpc/main.tf
@@ -21,7 +21,7 @@ resource "aws_route_table" "main" {
 vpc_id = "${aws_vpc.main.id}"
 route {
- ipv6_cidr_block = "::/0"
+ cidr_block = "0.0.0.0/0"
 gateway_id = "${aws_internet_gateway.main.id}"
 }
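Review bot: The new default `10.10.1.100` only works because it lies inside `main_subnet`'s `cidr_block` of `10.10.1.0/24` in subnets/main.tf, and nothing ties the two values together, so a later change to either one silently breaks the dock launch configuration the description refers to. Record the dependency where the next maintainer will see it by extending the `description` string with `Must lie inside the main subnet CIDR (subnets/main.tf) and avoid the addresses AWS reserves in every subnet.`. The vpc/main.tf hunk that follows ends outside this chunk.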