reorganize variables, add outputs, add license, add variable examples

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Johnathan Cole Morrison
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

outputs.tf

@@ -28,3 +28,17 @@ resource "local_file" "vault_credentials" {
 output "load_balancer_dns" {
   value = aws_lb.alb.dns_name
 }
+
+# VPC Values
+
+output "vpc_id" {
+  value = aws_vpc.vault.id
+}
+
+output "vpc_ipv4_cidr" {
+  value = aws_vpc.vault.cidr_block
+}
+
+output "vpc_ipv6_cidr" {
+  value = aws_vpc.vault.ipv6_cidr_block
+}

terraform.tfvars.example

@@ -0,0 +1,30 @@
+### REQUIRED VARIABLES
+
+# The domain name, without protocol or trailing paths, for which you've provisioned an SSL/TLS certificate via AWS Certificate Manager.
+domain_name = "secrets.domain.com"
+
+# The name of an existing `.pem` "EC2 Key Pair" that is in the same AWS Account and Region of the Vault deployment.
+ec2_key_pair_name = "vault_key_pair"
+
+### OPTIONAL VARIABLES
+
+# If you didn't create a named AWS profile, omit this.  Defaults to "default".
+# aws_profile = "non_default_profile"
+
+# If you want to scope allowed traffic to specific CIDR blocks.
+# allowed_traffic_cidr_blocks = ["0.0.0.0/0"] # default value
+
+# If you want to scope allowed traffic to specific IPv6 CIDR blocks.
+# allowed_traffic_cidr_blocks_ipv6 = ["::/0"] # default value
+
+### PRIVATE MODE - Restrict Traffic to other AWS VPCs.
+
+# Flag to deploy the project as private.  Defaults to false.
+# private_mode = true
+
+# ID of VPCs that can access the Vault Deployment's VPC and, as a result, the Vault endpoint.
+# peered_vpc_ids = ["EXTERNAL_VPC_ID_1", "EXTERNAL_VPC_ID_2"]
+
+### OPERATOR MODE - LEAVE THIS AS TRUE FOR FIRST TIME DEPLOYS.  Defaults to true.
+
+# operator_mode = true

variables.tf

@@ -1,3 +1,21 @@
+# REQUIRED VARIABLES
+
+# SSL Certificate for HTTPS Access
+
+variable "domain_name" {
+  description = "Domain name for which you've provisioned an SSL certificate via AWS Certificate Manager.  Example: secrets.examples.com.  Do not include the protocol (i.e. https://)."
+  type = string
+}
+
+# EC2 - General
+
+variable "ec2_key_pair_name" {
+  description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment.  Needs to be made separately."
+  type = string
+}
+
+# OPTIONAL VARIABLES
+
 # Organization
 
 variable "main_project_tag" {
@@ -15,7 +33,7 @@ variable "aws_profile" {
 }
 
 variable "aws_default_region" {
-  description = "The default region to deploy vault."
+  description = "The default AWS region to deploy the Vault infrastructure to."
   type = string
   default = "us-east-1"
 }
@@ -28,134 +46,6 @@ variable "vault_version" {
   default = "1.4.0"
 }
 
-# AWS VPC
-
-variable "vpc_cidr" {
-  description = "Cidr block for the VPC.  Using a /16 or /20 Subnet Mask is recommended."
-  type = string
-  default = "10.255.0.0/20"
-}
-
-variable "vpc_instance_tenancy" {
-  description = "Tenancy for instances launched into the VPC"
-  type = string
-  default = "default"
-}
-
-variable "vpc_enable_dns_support" {
-  description = "Whether the DNS resolution is supported.  Required as True for VPC endpoint usage."
-  type = bool
-  default = true
-}
-
-variable "vpc_enable_dns_hostnames" {
-  description = "Whether instances with public IP addresses get corresponding public DNS hostnames.  Required as True for VPC endpoint usage."
-  type = bool
-  default = true
-}
-
-variable "vpc_tags" {
-  description = "Additional tags to add to the VPC and its resources."
-  type = map(string)
-  default = {}
-}
-
-# VPC Subnets
-
-variable "vpc_public_subnet_count" {
-  description = "The number of public subnets to create.  Cannot exceed the number of AZs in your selected region.  2 is more than enough."
-  type = number
-  default = 2
-}
-
-variable "vpc_private_subnet_count" {
-  description = "The number of private subnets to create.  Cannot exceed the number of AZs in your selected region."
-  type = number
-  default = 2
-}
-
-# KMS
-
-variable "kms_tags" {
-  description = "Tags for the KMS key used to seal and unseal the Vault."
-  type = map(string)
-  default = {}
-}
-
-# DynamoDB
-
-variable "dynamodb_table_name" {
-  description = "Name of the DynamoDB Table used for the Vault Storage Backend."
-  type = string
-  default = "vault_storage"
-}
-
-# EC2 - General
-
-variable "ec2_key_pair_name" {
-  description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment.  Needs to be made separately."
-  type = string
-}
-
-# EC2 - Bastion
-
-variable "use_lastest_ami" {
-  description = "Whether or not to use the latest version of Amazon Linux 2.  Defaults to false and uses a version that is known to work with this deployment."
-  type = bool
-  default = false
-}
-
-# EC2 - Vault Instance Launch Template
-
-variable "vault_instance_type" {
-  description = "The EC2 instance size of the vault instances."
-  type = string
-  default = "t2.micro"
-}
-
-# EC2 - Vault Instance AutoScaling Group
-
-variable "vault_instance_count" {
-  description = "The number of EC2 instances to launch as vault instances.  Should be no less than 2."
-  type = number
-  default = 2
-}
-
-# SSL Certificate for HTTPS Access
-
-variable "domain_name" {
-  description = "Domain name for which you've provisioned an SSL certificate via AWS Certificate Manager.  Example: secrets.examples.com.  Do not include the protocol (i.e. https://)."
-  type = string
-}
-
-# Allowed Traffic
-## What IP Address ranges (via CIDR) are allowed to access your vault?
-
-variable "allowed_traffic_cidr_blocks" {
-  description = "List of CIDR blocks allowed to access your vault.  Defaults to EVERYWHERE.  You should probably limit this to your organization IP or VPC CIDR."
-  type = list(string)
-  default = ["0.0.0.0/0"]
-}
-
-variable "allowed_traffic_cidr_blocks_ipv6" {
-  description = "List of IPv6 CIDR blocks allowed to access your vault.  Defaults to EVERYWHERE.  Set to an empty list if not required."
-  type = list(string)
-  default = ["::/0"]
-}
-
-## What IP Address range can access your bastion server?
-variable "allowed_bastion_cidr_blocks" {
-  description = "List of CIDR blocks allowed to access your Bastion.  Defaults to EVERYWHERE.  You should probably limit this to your organization IP or VPC CIDR."
-  type = list(string)
-  default = ["0.0.0.0/0"]
-}
-
-variable "allowed_bastion_cidr_blocks_ipv6" {
-  description = "List of CIDR blocks allowed to access your Bastion.  Defaults to none."
-  type = list(string)
-  default = []
-}
-
 # Operator Mode
 ## Turning this on will enable NAT and Bastion to access the Vault Instances
 
@@ -180,3 +70,106 @@ variable "peered_vpc_ids" {
   type = list(string)
   default = []
 }
+
+# Allowed Traffic
+## What IP Address ranges (via CIDR) are allowed to access your vault?
+
+variable "allowed_traffic_cidr_blocks" {
+  description = "List of CIDR blocks allowed to send requests to your vault endpoint.  Defaults to EVERYWHERE.  You should probably limit this to your organization IP or VPC CIDR."
+  type = list(string)
+  default = ["0.0.0.0/0"]
+}
+
+variable "allowed_traffic_cidr_blocks_ipv6" {
+  description = "List of IPv6 CIDR blocks allowed to send requests to your vault endpoint.  Defaults to EVERYWHERE.  Set to an empty list if not required."
+  type = list(string)
+  default = ["::/0"]
+}
+
+## What IP Address range can access your bastion server?
+variable "allowed_bastion_cidr_blocks" {
+  description = "List of CIDR blocks allowed to access your Bastion.  Defaults to EVERYWHERE.  You should probably limit this to your organization IP or VPC CIDR."
+  type = list(string)
+  default = ["0.0.0.0/0"]
+}
+
+variable "allowed_bastion_cidr_blocks_ipv6" {
+  description = "List of CIDR blocks allowed to access your Bastion.  Defaults to none."
+  type = list(string)
+  default = []
+}
+
+# AWS VPC
+
+variable "vpc_cidr" {
+  description = "Cidr block for the VPC.  Using a /16 or /20 Subnet Mask is recommended."
+  type = string
+  default = "10.255.0.0/20"
+}
+
+variable "vpc_instance_tenancy" {
+  description = "Tenancy for instances launched into the VPC."
+  type = string
+  default = "default"
+}
+
+variable "vpc_tags" {
+  description = "Additional tags to add to the VPC and its resources."
+  type = map(string)
+  default = {}
+}
+
+# VPC Subnets
+
+variable "vpc_public_subnet_count" {
+  description = "The number of public subnets to create.  Cannot exceed the number of AZs in your selected region.  2 is more than enough."
+  type = number
+  default = 2
+}
+
+variable "vpc_private_subnet_count" {
+  description = "The number of private subnets to create.  Cannot exceed the number of AZs in your selected region."
+  type = number
+  default = 2
+}
+
+# EC2 - Vault Instance Launch Template
+
+variable "vault_instance_type" {
+  description = "The EC2 instance size of the vault instances."
+  type = string
+  default = "t2.micro"
+}
+
+# EC2 - Vault Instance AutoScaling Group
+
+variable "vault_instance_count" {
+  description = "The number of EC2 instances to launch as vault instances.  Should be no less than 2."
+  type = number
+  default = 2
+}
+
+
+# EC2 - AMI
+
+variable "use_lastest_ami" {
+  description = "Whether or not to use the latest version of Amazon Linux 2.  Defaults to false and uses a version that is known to work with this deployment."
+  type = bool
+  default = false
+}
+
+# DynamoDB
+
+variable "dynamodb_table_name" {
+  description = "Name of the DynamoDB Table used for the Vault Storage Backend."
+  type = string
+  default = "vault_storage"
+}
+
+# KMS
+
+variable "kms_tags" {
+  description = "Tags for the KMS key used to seal and unseal the Vault."
+  type = map(string)
+  default = {}
+}

vpc.tf

@@ -2,8 +2,8 @@
 resource "aws_vpc" "vault" {
   cidr_block = var.vpc_cidr
   instance_tenancy = var.vpc_instance_tenancy
-  enable_dns_support = var.vpc_enable_dns_support
-  enable_dns_hostnames = var.vpc_enable_dns_hostnames
+  enable_dns_support = true
+  enable_dns_hostnames = true # required for VPC peering.
   assign_generated_ipv6_cidr_block = true
 
   tags = merge(