# VPC
resource "aws_vpc" "vault" {
  # Address space and tenancy come from variables so the same module can be
  # stamped out per environment.
  cidr_block       = var.vpc_cidr
  instance_tenancy = var.vpc_instance_tenancy

  # NOTE(review): the KMS interface endpoint below sets private_dns_enabled,
  # which AWS only honours when both VPC DNS flags are on — confirm the
  # defaults of these two variables are true.
  enable_dns_support   = var.vpc_enable_dns_support
  enable_dns_hostnames = var.vpc_enable_dns_hostnames

  # Amazon-provided IPv6 block (a /56); the public subnets carve /64s out of
  # it with cidrsubnet(..., 8, ...).
  assign_generated_ipv6_cidr_block = true

  # NOTE(review): no aws_flow_log resource appears in this file. For a network
  # hosting Vault, confirm VPC Flow Logs are enabled elsewhere.
  tags = merge(
    {
      Name    = "${var.main_project_tag}-vpc"
      Project = var.main_project_tag
    },
    var.vpc_tags # caller-supplied tags win on key collisions
  )
}
# Gateways
## Internet Gateway
resource "aws_internet_gateway" "igw" {
  # Sole IPv4 ingress/egress point for the VPC; only the public route table
  # sends 0.0.0.0/0 here, private subnets egress through the NAT gateway.
  vpc_id = aws_vpc.vault.id

  tags = merge(
    {
      Name    = "${var.main_project_tag}-igw"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )
}
## Egress Only Gateway (IPv6)
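resource "aws_egress_only_internet_gateway" "eigw" {
  # IPv6 equivalent of the NAT gateway: outbound-only, no inbound connections
  # can be initiated through it. Used by the private route table's ::/0 route.
  vpc_id = aws_vpc.vault.id

  # Tagged like every other resource in this file so the gateway is
  # attributable in cost reports and console searches (it was the only
  # untagged resource here).
  tags = merge(
    { "Name" = "${var.main_project_tag}-eigw" },
    { "Project" = var.main_project_tag },
    var.vpc_tags
  )
}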
## NAT Gateway
#### The NAT Elastic IP
resource "aws_eip" "nat" {
  # Allocated only when operator_mode asks for a NAT gateway.
  count = var.operator_mode ? 1 : 0

  vpc = true

  tags = merge(
    {
      Name    = "${var.main_project_tag}-nat-eip"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )

  # A VPC-scoped EIP cannot be associated before the VPC has an internet
  # gateway attached, hence the explicit ordering.
  depends_on = [aws_internet_gateway.igw]
}
#### The NAT Gateway
resource "aws_nat_gateway" "nat" {
  # One NAT gateway, created only in operator_mode (same switch as its EIP).
  count = var.operator_mode ? 1 : 0

  allocation_id = aws_eip.nat[0].id

  # Placed in the first public subnet, so operator_mode implicitly requires
  # vpc_public_subnet_count >= 1. All private subnets share this single
  # gateway regardless of AZ.
  subnet_id = aws_subnet.public[0].id

  tags = merge(
    {
      Name    = "${var.main_project_tag}-nat"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )

  # The IGW must exist before the NAT gateway can route anywhere.
  depends_on = [
    aws_internet_gateway.igw,
    aws_eip.nat,
  ]
}
# Route Tables
// NOTE: Every route table gets an implicit `local` route for the VPC CIDR, so intra-VPC traffic needs no explicit route here.
## Public Route Table
resource "aws_route_table" "public" {
  # Route table for the internet-facing subnets; routes are attached as
  # separate aws_route resources below.
  vpc_id = aws_vpc.vault.id

  tags = merge(
    {
      Name    = "${var.main_project_tag}-public-rtb"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )
}
#### Public routes
resource "aws_route" "public_internet_access" {
  # IPv4 default route for the public subnets straight to the IGW.
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id

  # NOTE(review): the public subnets assign IPv6 addresses on launch but this
  # table carries no ::/0 route, so IPv6 traffic from them has no path out of
  # the VPC. Harmless exposure-wise, but confirm it is intentional.
}
## Private Route Table
resource "aws_route_table" "private" {
  # Route table for the private subnets: no IGW route, egress only via NAT /
  # egress-only gateway when operator_mode is on, plus the DynamoDB endpoint.
  vpc_id = aws_vpc.vault.id

  tags = merge(
    {
      Name    = "${var.main_project_tag}-private-rtb"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )
}
#### Private Routes
resource "aws_route" "private_internet_access" {
  # Present only when the NAT gateway exists; without operator_mode the
  # private subnets have no IPv4 path to the internet at all.
  count = var.operator_mode ? 1 : 0

  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat[0].id
}
resource "aws_route" "private_internet_access_ipv6" {
  # Outbound-only IPv6 default route for the private subnets, gated on the
  # same operator_mode switch as the IPv4 NAT route.
  count = var.operator_mode ? 1 : 0

  route_table_id              = aws_route_table.private.id
  destination_ipv6_cidr_block = "::/0"
  egress_only_gateway_id      = aws_egress_only_internet_gateway.eigw.id

  # NOTE(review): the private subnets in this file are created without an
  # ipv6_cidr_block, so nothing in them currently holds an IPv6 address that
  # could use this route — confirm whether the subnets were meant to get one.
}
# Subnets
## Public Subnets
resource "aws_subnet" "public" {
  # One public subnet per requested count, spread across the available AZs in
  # order. The count must not exceed the number of AZs in the region.
  count = var.vpc_public_subnet_count

  vpc_id            = aws_vpc.vault.id
  availability_zone = data.aws_availability_zones.available.names[count.index]

  # Four extra bits give at most 16 subnets carved from the VPC CIDR. Public
  # subnets take netnums 0..count-1; the private subnets continue after them,
  # so public + private count must stay <= 16.
  cidr_block = cidrsubnet(aws_vpc.vault.cidr_block, 4, count.index)

  # Eight extra bits turn the Amazon-provided /56 into the /64s AWS requires
  # for subnets.
  ipv6_cidr_block = cidrsubnet(aws_vpc.vault.ipv6_cidr_block, 8, count.index)

  # Anything launched here gets a public IPv4 and an IPv6 address, i.e. it is
  # internet-reachable subject only to its security group.
  map_public_ip_on_launch         = true
  assign_ipv6_address_on_creation = true

  tags = merge(
    {
      Name    = "${var.main_project_tag}-public-${data.aws_availability_zones.available.names[count.index]}"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )
}
## Private Subnets
resource "aws_subnet" "private" {
  # One private subnet per requested count, placed in AZs in the same order
  # as the public subnets (count must not exceed the number of AZs).
  count = var.vpc_private_subnet_count

  vpc_id            = aws_vpc.vault.id
  availability_zone = data.aws_availability_zones.available.names[count.index]

  # Offset the netnum by the number of public subnets so the two sets never
  # overlap inside the 16 slots cidrsubnet(..., 4, ...) provides.
  cidr_block = cidrsubnet(aws_vpc.vault.cidr_block, 4, count.index + var.vpc_public_subnet_count)

  # No map_public_ip_on_launch and no ipv6_cidr_block here: instances get a
  # private IPv4 address only, and are never directly reachable from outside.

  tags = merge(
    {
      Name    = "${var.main_project_tag}-private-${data.aws_availability_zones.available.names[count.index]}"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )
}
# Route Table Associations
## Public Subnet Route Associations
resource "aws_route_table_association" "public" {
  # Bind every public subnet to the public (IGW) route table; the count
  # mirrors aws_subnet.public so indices line up one-to-one.
  count = var.vpc_public_subnet_count

  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}
## Private Subnet Route Associations
resource "aws_route_table_association" "private" {
  # Bind every private subnet to the private (NAT / endpoint) route table;
  # the count mirrors aws_subnet.private so indices line up one-to-one.
  count = var.vpc_private_subnet_count

  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}
# VPC Endpoints
// Keep KMS and DynamoDB calls inside the VPC: the endpoints below reach both services over AWS private networking instead of the NAT/IGW path, so the traffic never traverses the public internet. AWS does not do this by default, so it has to be declared here.
## KMS Endpoint
data "aws_vpc_endpoint_service" "kms" {
  # Looks up the region-specific service name for KMS so the endpoint below
  # does not hard-code a region.
  service = "kms"
}
#### If you need to see what the endpoint resolves to, add an output for the data source above — it exposes the full service details (name, DNS names, AZs).
resource "aws_vpc_endpoint" "kms" {
  # KMS is an Interface endpoint: an ENI per subnet, guarded by a security group.
  vpc_endpoint_type = "Interface"
  service_name      = data.aws_vpc_endpoint_service.kms.service_name
  vpc_id            = aws_vpc.vault.id

  # With private DNS on, the regular regional KMS hostname resolves to the
  # endpoint ENIs from inside the VPC, so clients need no configuration change.
  private_dns_enabled = true

  # One ENI in each private subnet (could equally be expressed with
  # aws_vpc_endpoint_subnet_association). Reachability is bounded by the
  # endpoint security group, defined elsewhere in the module.
  subnet_ids         = aws_subnet.private[*].id
  security_group_ids = [aws_security_group.kms_endpoint.id]

  # NOTE(review): no endpoint `policy` is set, so the default (full access)
  # applies. A policy limiting this endpoint to the key(s) Vault needs would
  # narrow what a compromised host could reach through it.

  tags = merge(
    {
      Name    = "${var.main_project_tag}-kms-endpoint"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )
}
## DynamoDB Endpoint
data "aws_vpc_endpoint_service" "dynamodb" {
  # Looks up the region-specific service name for DynamoDB so the gateway
  # endpoint below does not hard-code a region.
  service = "dynamodb"
}
resource "aws_vpc_endpoint" "dynamodb" {
  # DynamoDB uses a Gateway endpoint: a prefix-list route injected into the
  # listed route tables rather than ENIs, so there is no security group here.
  vpc_endpoint_type = "Gateway"
  service_name      = data.aws_vpc_endpoint_service.dynamodb.service_name
  vpc_id            = aws_vpc.vault.id

  # Only the private route table gets the route (could equally be expressed
  # with aws_vpc_endpoint_route_table_association). Public subnets are not
  # listed, so anything there reaches DynamoDB over the IGW instead.
  route_table_ids = [aws_route_table.private.id]

  # NOTE(review): no endpoint `policy` is set, so the default (full access)
  # applies; restricting it to the table(s) Vault uses is cheap least privilege.

  tags = merge(
    {
      Name    = "${var.main_project_tag}-dynamodb-endpoint"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )
}
# VPC Peering
## Enabled in Private Mode only.
## Data from Peered VPC (AKA the external VPC we're letting in)
data "aws_vpc" "peered_vpc" {
  # Read the external VPC only in private_mode; its CIDR and main route table
  # are needed for the peering routes below.
  count = var.private_mode ? 1 : 0

  id = var.peered_vpc_id
}
## Peering Connection
resource "aws_vpc_peering_connection" "vault" {
  count = var.private_mode ? 1 : 0

  vpc_id      = aws_vpc.vault.id
  peer_vpc_id = var.peered_vpc_id

  # auto_accept only works when the peer VPC is in the same account and
  # region; a cross-account peer would need its own accepter resource.
  auto_accept = true

  # Private hostnames resolve to private IPs in both directions across the
  # peering link.
  requester {
    allow_remote_vpc_dns_resolution = true
  }
  accepter {
    allow_remote_vpc_dns_resolution = true
  }

  tags = merge(
    {
      Name    = "${var.main_project_tag}-vpc-peering-connection"
      Project = var.main_project_tag
    },
    var.vpc_tags
  )
}
## Peering Connection for the VAULT Route Table
resource "aws_route" "requester_peering_route" {
  count = var.private_mode ? 1 : 0

  # NOTE(review): only the PUBLIC route table learns the peer CIDR; the
  # private route table in this file gets no peering route, so instances in
  # the private subnets cannot reach the peer — confirm this matches where
  # the Vault nodes actually live.
  route_table_id            = aws_route_table.public.id
  destination_cidr_block    = data.aws_vpc.peered_vpc[0].cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.vault[0].id
}
## Peering Connection for the External VPC Route Table to allow Vault Traffic
## Note: this associates it to the external VPC's MAIN ROUTE TABLE. If you want it associated to a different route table, you'll have to do so manually.
resource "aws_route" "accepter_peering_route" {
  count = var.private_mode ? 1 : 0

  # Written into the peer's MAIN route table (subnets with a custom table are
  # not covered). This exposes the whole Vault VPC CIDR to the peer; security
  # groups on the Vault side remain the only filter on that traffic.
  route_table_id            = data.aws_vpc.peered_vpc[0].main_route_table_id
  destination_cidr_block    = aws_vpc.vault.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.vault[0].id
}