bastion instance and actually associate subnets to the route tables
parent
074dab50a8
commit
2087b9fd0c
|
@ -0,0 +1,18 @@
|
|||
# Bastion Server
|
||||
# Only active if operator mode is turned on. Use this to SSH into
|
||||
|
||||
resource "aws_instance" "bastion" {
|
||||
count = var.operator_mode ? 1 : 0
|
||||
|
||||
ami = var.use_lastest_ami ? data.aws_ssm_parameter.latest_ami.value : "ami-0323c3dd2da7fb37d"
|
||||
instance_type = "t2.micro"
|
||||
key_name = var.ec2_key_pair_name
|
||||
vpc_security_group_ids = [aws_security_group.bastion.id]
|
||||
subnet_id = aws_subnet.public[0].id
|
||||
associate_public_ip_address = true
|
||||
|
||||
tags = merge(
|
||||
{ "Name" = "${var.main_project_tag}-bastion"},
|
||||
{ "Project" = var.main_project_tag }
|
||||
)
|
||||
}
|
|
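Review bot: The fallback in `ami = var.use_lastest_ami ? data.aws_ssm_parameter.latest_ami.value : "ami-0323c3dd2da7fb37d"` is a region-specific image ID, so with `use_lastest_ami` left at its default of false (see the variables.tf hunk) the bastion only builds in the one region that ID belongs to, while the SSM path resolves per region; a comment such as `# Pinned Amazon Linux 2 image, valid only in <REGION-PLACEHOLDER>` on that line, or a variable for the pinned ID, would make the default safe to change. Because this host is created with `associate_public_ip_address = true` on a public subnet, I would also require IMDSv2 and an encrypted root volume on the instance, as sketched below; whether `aws_security_group.bastion` restricts ingress to known source addresses cannot be checked here since that resource is outside this commit. The file header for this hunk is not visible, so I cannot confirm its path.
```terraform
resource "aws_instance" "bastion" {
  # … unchanged: count, ami, instance_type, key_name, security group, subnet, public IP …

  # IMDSv2 only: instance-role credentials are not served to plain GET requests.
  metadata_options {
    http_tokens = "required"
  }

  root_block_device {
    encrypted = true
  }

  # … unchanged: tags …
}
```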
@ -0,0 +1,5 @@
|
|||
# EC2 Data
|
||||
|
||||
data "aws_ssm_parameter" "latest_ami" {
|
||||
name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
|
||||
}
|
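Review bot: `data "aws_ssm_parameter" "latest_ami"` is re-read on every plan, and since `ami` on `aws_instance` forces replacement, a bastion created with `use_lastest_ami = true` will be destroyed and recreated whenever a new Amazon Linux 2 image is published under that parameter. If that is not intended, the consuming resource in the bastion hunk needs `lifecycle { ignore_changes = [ami] }`, or the variable's description should state that later applies may replace the instance. A comment on the data source, e.g. `# Resolves the current AL2 AMI for this region at plan time; the value moves as new images are published`, would make this visible to the next reader. The file header for this hunk is outside what I can see.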
15
variables.tf
15
variables.tf
|
@ -82,6 +82,21 @@ variable "dynamodb_table_name" {
|
|||
default = "vault_storage"
|
||||
}
|
||||
|
||||
# EC2 - General
|
||||
|
||||
variable "ec2_key_pair_name" {
|
||||
description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment. Needs to be made separately."
|
||||
type = string
|
||||
}
|
||||
|
||||
# EC2 - Bastion
|
||||
|
||||
variable "use_lastest_ami" {
|
||||
description = "Whether or not to use the latest version of Amazon Linux 2. Defaults to false and uses a version that is known to work with this deployment."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
# SSL Certificate for HTTPS Access
|
||||
|
||||
variable "domain_name" {
|
||||
|
|
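Review bot: The new variable name `use_lastest_ami` carries a typo (`lastest`) that the bastion hunk already references, so it becomes part of the module's interface and will be awkward to rename later; if it is corrected to `use_latest_ami` now, the declaration and its reference must change in the same commit. Its description also says the default "uses a version that is known to work", but the pinned fallback is a region-specific AMI ID, so I would extend it to `description = "Whether or not to use the latest version of Amazon Linux 2. Defaults to false and uses a pinned AMI that is only valid in the region it was pinned for."`. The enclosing `variable "domain_name"` block at the end of the hunk continues outside it.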
24
vpc.tf
24
vpc.tf
|
@ -185,6 +185,30 @@ resource "aws_subnet" "private" {
|
|||
|
||||
|
||||
|
||||
# Route Table Associations
|
||||
|
||||
## Public Subnet Route Associations
|
||||
resource "aws_route_table_association" "public" {
|
||||
count = var.vpc_public_subnet_count
|
||||
|
||||
subnet_id = element(aws_subnet.public.*.id, count.index)
|
||||
route_table_id = aws_route_table.public.id
|
||||
}
|
||||
|
||||
## Private Subnet Route Associations
|
||||
resource "aws_route_table_association" "private" {
|
||||
count = var.vpc_private_subnet_count
|
||||
|
||||
subnet_id = element(aws_subnet.private.*.id, count.index)
|
||||
route_table_id = aws_route_table.private.id
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# VPC Endpoints
|
||||
// Make safe calls to KMS and DynamoDB without leaving the VPC. Because #awsthings. C'mon. This should be default without these things.
|
||||
|
||||
|
|
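Review bot: `subnet_id = element(aws_subnet.public.*.id, count.index)` wraps around when `count.index` exceeds the list length, so if `var.vpc_public_subnet_count` ever differs from the number of subnets actually created the association silently attaches a repeated subnet instead of failing; the private block has the same shape. The bastion hunk in this commit already uses index syntax (`aws_subnet.public[0].id`), so `subnet_id = aws_subnet.public[count.index].id` and `subnet_id = aws_subnet.private[count.index].id` keep the style consistent and should turn a count mismatch into a plan-time index error. I cannot see how `aws_subnet.public` and `aws_subnet.private` set their own `count`, so whether both sides share the same variable is inferred.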