completed private deploy options
parent
524ad7dcf9
commit
5324244868
|
@ -11,12 +11,12 @@ resource "aws_lb" "alb" {
|
|||
// and the fact that Terraform adds a 26 character random bit to the end.
|
||||
// https://github.com/terraform-providers/terraform-provider-aws/issues/1666
|
||||
name_prefix = "vault-"
|
||||
internal = false
|
||||
internal = var.private_mode
|
||||
load_balancer_type = "application"
|
||||
security_groups = [aws_security_group.load_balancer.id]
|
||||
subnets = aws_subnet.public.*.id
|
||||
idle_timeout = 60
|
||||
ip_address_type = "dualstack"
|
||||
ip_address_type = var.private_mode ? "ipv4" : "dualstack"
|
||||
|
||||
tags = merge(
|
||||
{ "Name" = "${var.main_project_tag}-alb"},
|
||||
|
|
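--- a/variables.tf
+++ b/variables.tf
@@ -163,4 +163,20 @@ variable "operator_mode" {
 description = "Enable a NAT Gateway and Bastion for operator access into the Vault Instances."
 type = bool
 default = true
 }
+
+# Private Deploy
+## Turning this on will make it so that the Vault Deployemnt is only available through VPC peering
+
+variable "private_mode" {
+description = "Whether or not the Vault deployment should be private."
+type = bool
+default = false
+}
+
+## A VPC in the SAME AWS Account AND Region as your Vault deployment. It MUST have "enable dns hostnames" active AND it cannot use the same CIDR block as the Vault VPC.
+variable "peered_vpc_id" {
+description = "ID of a VPC that can access the Vault VPC and thus access vault privately."
+type = string
+default = ""
+}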
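Review bot: `peered_vpc_id` defaults to `""` but nothing ties it to `private_mode`; with `private_mode = true` and the default left in place, `data "aws_vpc" "peered_vpc"` in vpc.tf is evaluated with an empty id and the plan fails with a provider error instead of a clear message. A `validation` block on `peered_vpc_id` that references `var.private_mode` is only accepted by recent Terraform releases, so at minimum the description should state the coupling: `description = "ID of a VPC that can access the Vault VPC and thus access vault privately. Required when private_mode is true."`. The comment above `private_mode` also has a typo, `Deployemnt` for `Deployment`.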
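--- a/vpc.tf
+++ b/vpc.tf
@@ -258,3 +258,60 @@ resource "aws_vpc_endpoint" "dynamodb" {
 
 vpc_endpoint_type = "Gateway"
 }
+
+
+
+
+
+
+# VPC Peering
+## Enabled in Private Mode only.
+
+## Data from Peered VPC (AKA the external VPC we're letting in)
+data "aws_vpc" "peered_vpc" {
+count = var.private_mode ? 1 : 0
+
+id = var.peered_vpc_id
+}
+
+## Peering Connection
+resource "aws_vpc_peering_connection" "vault" {
+count = var.private_mode ? 1 : 0
+
+peer_vpc_id = var.peered_vpc_id
+vpc_id = aws_vpc.vault.id
+auto_accept = true
+
+accepter {
+allow_remote_vpc_dns_resolution = true
+}
+
+requester {
+allow_remote_vpc_dns_resolution = true
+}
+
+tags = merge(
+{ "Name" = "${var.main_project_tag}-vpc-peering-connection"},
+{ "Project" = var.main_project_tag },
+var.vpc_tags
+)
+}
+
+## Peering Connection for the VAULT Route Table
+resource "aws_route" "requester_peering_route" {
+count = var.private_mode ? 1 : 0
+
+route_table_id = aws_route_table.public.id
+destination_cidr_block = data.aws_vpc.peered_vpc[0].cidr_block
+vpc_peering_connection_id = aws_vpc_peering_connection.vault[0].id
+}
+
+## Peering Connection for the External VPC Route Table to allow Vault Traffic
+## Note: this associates it to the external VPC's MAIN ROUTE TABLE. If you want it associated to a different route table, you'll have to do so manually.
+resource "aws_route" "accepter_peering_route" {
+count = var.private_mode ? 1 : 0
+
+route_table_id = data.aws_vpc.peered_vpc[0].main_route_table_id
+destination_cidr_block = aws_vpc.vault.cidr_block
+vpc_peering_connection_id = aws_vpc_peering_connection.vault[0].id
+}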
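Review bot: The peering connection and the two routes make the Vault VPC reachable from the peered VPC at the network layer, but whether the ALB is actually reachable — and by whom — also depends on `aws_security_group.load_balancer` (referenced from alb.tf, not changed in this commit) admitting the peered VPC's CIDR, and nothing here shows that rule. If that group's ingress is open to `0.0.0.0/0`, an internal ALB in private mode accepts whatever the peered VPC routes to it; when `var.private_mode` is set the ingress should instead be scoped to `data.aws_vpc.peered_vpc[0].cidr_block`, so only the explicitly peered network can reach Vault. The requester route is only added to `aws_route_table.public`; if Vault instances or other resources sit behind a separate private route table they get no return route to the peered VPC, which is worth confirming against the rest of vpc.tf. The six empty lines inserted after the dynamodb endpoint could be trimmed to one.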