
Commit e404954

MukeshMukesh
authored andcommitted
update
1 parent ad6adb2 commit e404954


65 files changed

+11271
-108
lines changed

modules/vpc/examples/complete-vpc/README.md

Lines changed: 166 additions & 0 deletions
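--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,250 @@
+provider "aws" {
+region = local.region
+}
+
+locals {
+name = "ex-${replace(basename(path.cwd), "_", "-")}"
+region = "eu-west-1"
+
+tags = {
+Example = local.name
+GithubRepo = "terraform-aws-vpc"
+GithubOrg = "terraform-aws-modules"
+}
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+source = "../../"
+
+name = local.name
+cidr = "10.0.0.0/16"
+
+azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
+private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+public_subnets = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
+database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
+elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24", "10.0.33.0/24"]
+redshift_subnets = ["10.0.41.0/24", "10.0.42.0/24", "10.0.43.0/24"]
+intra_subnets = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"]
+
+private_subnet_names = ["Private Subnet One", "Private Subnet Two"]
+# public_subnet_names omitted to show default name generation for all three subnets
+database_subnet_names = ["DB Subnet One"]
+elasticache_subnet_names = ["Elasticache Subnet One", "Elasticache Subnet Two"]
+redshift_subnet_names = ["Redshift Subnet One", "Redshift Subnet Two", "Redshift Subnet Three"]
+intra_subnet_names = []
+
+create_database_subnet_group = false
+
+manage_default_network_acl = true
+default_network_acl_tags = { Name = "${local.name}-default" }
+
+manage_default_route_table = true
+default_route_table_tags = { Name = "${local.name}-default" }
+
+manage_default_security_group = true
+default_security_group_tags = { Name = "${local.name}-default" }
+
+enable_dns_hostnames = true
+enable_dns_support = true
+
+enable_nat_gateway = true
+single_nat_gateway = true
+
+customer_gateways = {
+IP1 = {
+bgp_asn = 65112
+ip_address = "1.2.3.4"
+device_name = "some_name"
+},
+IP2 = {
+bgp_asn = 65112
+ip_address = "5.6.7.8"
+}
+}
+
+enable_vpn_gateway = true
+
+enable_dhcp_options = true
+dhcp_options_domain_name = "service.consul"
+dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
+
+# VPC Flow Logs (Cloudwatch log group and IAM role will be created)
+enable_flow_log = true
+create_flow_log_cloudwatch_log_group = true
+create_flow_log_cloudwatch_iam_role = true
+flow_log_max_aggregation_interval = 60
+
+tags = local.tags
+}
+
+################################################################################
+# VPC Endpoints Module
+################################################################################
+
+module "vpc_endpoints" {
+source = "../../modules/vpc-endpoints"
+
+vpc_id = module.vpc.vpc_id
+security_group_ids = [data.aws_security_group.default.id]
+
+endpoints = {
+s3 = {
+service = "s3"
+tags = { Name = "s3-vpc-endpoint" }
+},
+dynamodb = {
+service = "dynamodb"
+service_type = "Gateway"
+route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
+policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
+tags = { Name = "dynamodb-vpc-endpoint" }
+},
+ssm = {
+service = "ssm"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+security_group_ids = [aws_security_group.vpc_tls.id]
+},
+ssmmessages = {
+service = "ssmmessages"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+},
+lambda = {
+service = "lambda"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+},
+ecs = {
+service = "ecs"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+},
+ecs_telemetry = {
+create = false
+service = "ecs-telemetry"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+},
+ec2 = {
+service = "ec2"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+security_group_ids = [aws_security_group.vpc_tls.id]
+},
+ec2messages = {
+service = "ec2messages"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+},
+ecr_api = {
+service = "ecr.api"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+policy = data.aws_iam_policy_document.generic_endpoint_policy.json
+},
+ecr_dkr = {
+service = "ecr.dkr"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+policy = data.aws_iam_policy_document.generic_endpoint_policy.json
+},
+kms = {
+service = "kms"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+security_group_ids = [aws_security_group.vpc_tls.id]
+},
+codedeploy = {
+service = "codedeploy"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+},
+codedeploy_commands_secure = {
+service = "codedeploy-commands-secure"
+private_dns_enabled = true
+subnet_ids = module.vpc.private_subnets
+},
+}
+
+tags = merge(local.tags, {
+Project = "Secret"
+Endpoint = "true"
+})
+}
+
+module "vpc_endpoints_nocreate" {
+source = "../../modules/vpc-endpoints"
+
+create = false
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+data "aws_security_group" "default" {
+name = "default"
+vpc_id = module.vpc.vpc_id
+}
+
+data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
+statement {
+effect = "Deny"
+actions = ["dynamodb:*"]
+resources = ["*"]
+
+principals {
+type = "*"
+identifiers = ["*"]
+}
+
+condition {
+test = "StringNotEquals"
+variable = "aws:sourceVpce"
+
+values = [module.vpc.vpc_id]
+}
+}
+}
+
+data "aws_iam_policy_document" "generic_endpoint_policy" {
+statement {
+effect = "Deny"
+actions = ["*"]
+resources = ["*"]
+
+principals {
+type = "*"
+identifiers = ["*"]
+}
+
+condition {
+test = "StringNotEquals"
+variable = "aws:SourceVpc"
+
+values = [module.vpc.vpc_id]
+}
+}
+}
+
+resource "aws_security_group" "vpc_tls" {
+name_prefix = "${local.name}-vpc_tls"
+description = "Allow TLS inbound traffic"
+vpc_id = module.vpc.vpc_id
+
+ingress {
+description = "TLS from VPC"
+from_port = 443
+to_port = 443
+protocol = "tcp"
+cidr_blocks = [module.vpc.vpc_cidr_block]
+}
+
+tags = local.tags
+}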
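Review bot: In dynamodb_endpoint_policy the condition compares `aws:sourceVpce` against `module.vpc.vpc_id`, but that condition key carries the VPC endpoint ID (vpce-…), not the VPC ID, so StringNotEquals is always true and the Deny statement applies to every request arriving through the gateway endpoint. generic_endpoint_policy a few lines below uses `aws:SourceVpc` with the same VPC-ID value, which is the consistent choice here; change the dynamodb condition to `variable = "aws:SourceVpc"`, or keep `aws:sourceVpce` and supply the endpoint's own ID instead of the VPC ID. Because the effect is Deny the mistake fails closed rather than open, but the example as written will not serve DynamoDB traffic over the endpoint. Separately, the module-level `security_group_ids` falls back to the VPC's default security group while this example also sets `manage_default_security_group = true`; if the module strips that group's rules when no default ingress/egress is given (as its defaults appear to), the interface endpoints without an explicit `security_group_ids` (ssmmessages, lambda, ecs, ec2messages, ecr_api, ecr_dkr, codedeploy) would have no rule admitting 443 — worth confirming against the module. The file path for this section is not shown on the page.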
