diff --git a/examples/typical/.off/README.md b/examples/typical/.off/README.md
new file mode 100644
index 0000000..24843cc
--- /dev/null
+++ b/examples/typical/.off/README.md
@@ -0,0 +1,29 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws.do2-govcloud\_west\_vpc3-dev](#provider\_aws.do2-govcloud\_west\_vpc3-dev) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [do2-govcloud\_west\_vpc3-dev](#module\_do2-govcloud\_west\_vpc3-dev) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_vpc.do2-govcloud_west_vpc3-dev](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/examples/typical/.off/credentials.do2-govcloud_vpc3-dev.tf b/examples/typical/.off/credentials.do2-govcloud_vpc3-dev.tf
new file mode 100644
index 0000000..2e551ac
--- /dev/null
+++ b/examples/typical/.off/credentials.do2-govcloud_vpc3-dev.tf
@@ -0,0 +1,19 @@
+#---
+# peer to 107.. us-gov-west-1 vpc3-dev
+#---
+provider "aws" {
+ alias = "do2-govcloud_west_vpc3-dev"
+ region = "us-gov-west-1"
+ profile = "107742151971-do2-govcloud"
+}
+
+# #---
+# # peer to 107.. us-gov-east-1 vpc3-dev
+# # only need this peer set up in one place (current to west)
+# #---
+# provider "aws" {
+# alias = "do2-govcloud_east_vpc3-dev"
+# region = "us-gov-east-1"
+# profile = "107742151971-do2-govcloud"
+# }
+#
diff --git a/examples/typical/.off/peers.do2-govcloud_vpc3-dev.tf b/examples/typical/.off/peers.do2-govcloud_vpc3-dev.tf
new file mode 100644
index 0000000..2e24be1
--- /dev/null
+++ b/examples/typical/.off/peers.do2-govcloud_vpc3-dev.tf
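Review bot: `profile = "107742151971-do2-govcloud"` on the peer provider hard-codes an account-qualified named profile, so the example only plans on a workstation whose local AWS config has that exact entry, and the account identifier is committed along with the examples. A variable keeps the example portable and the identifier out of the tree, e.g. `profile = var.peer_profile` with the value supplied from an uncommitted `.tfvars`; the commented-out east provider could take the same variable. Despite the file name, the block holds no static credentials, only a profile reference, which is the right pattern — a short comment such as `# no secrets here: the named profile is resolved from the operator's local AWS config` would discourage a future copy from pasting access keys into it.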
@@ -0,0 +1,46 @@
+#---
+# current (us-gov-east-1) to us-gov-west-1
+# only need this peer set up in one place (current to west)
+#---
+data "aws_vpc" "do2-govcloud_west_vpc3-dev" {
+ provider = aws.do2-govcloud_west_vpc3-dev
+ filter {
+ name = "tag:Name"
+ values = [var.peer_settings["do2-govcloud_west_vpc3-dev"].peer_name]
+ }
+}
+
+module "do2-govcloud_west_vpc3-dev" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer"
+ providers = {
+ aws.self = aws
+ aws.peer = aws.do2-govcloud_west_vpc3-dev
+ }
+
+ ## self
+ vpc_id = local.vpc_id
+ vpc_name = var.vpc_name
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_index = var.vpc_index
+ vpc_short_name = var.vpc_short_name
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ rule_number = var.peer_settings["do2-govcloud_west_vpc3-dev"].rule_number
+ tags = {}
+
+ ## peer
+ peer_vpc_id = data.aws_vpc.do2-govcloud_west_vpc3-dev.id
+ peer_vpc_name = var.peer_settings["do2-govcloud_west_vpc3-dev"].vpc_name
+ peer_vpc_index = var.peer_settings["do2-govcloud_west_vpc3-dev"].vpc_index
+ peer_vpc_short_name = var.peer_settings["do2-govcloud_west_vpc3-dev"].vpc_short_name
+ peer_vpc_full_name = var.peer_settings["do2-govcloud_west_vpc3-dev"].peer_name
+ peer_rule_number = var.peer_settings["do2-govcloud_west_vpc3-dev"].rule_number
+ peer_network_acl_filter = [
+ format("nacl-*%v", var.peer_settings["do2-govcloud_west_vpc3-dev"].peer_name),
+ format("nacl-%v-private", var.peer_settings["do2-govcloud_west_vpc3-dev"].peer_name),
+ ]
+ peer_route_table_filter = [
+ format("route-%v", var.peer_settings["do2-govcloud_west_vpc3-dev"].peer_name),
+ format("route-%v-private-*", var.peer_settings["do2-govcloud_west_vpc3-dev"].peer_name),
+ ]
+}
diff --git a/examples/typical/.terraform-docs.yml b/examples/typical/.terraform-docs.yml
new file mode 100644
index 0000000..8391b9d
--- /dev/null
+++ b/examples/typical/.terraform-docs.yml
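Review bot: The module `source` is an SSH git URL with no `?ref=`, so every `terraform init -upgrade` tracks the default branch of `aws-vpc-setup` and a push to `//peer` lands in this peering configuration unreviewed; pin it, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer?ref=<tag-or-commit>"`. The `data "aws_vpc"` lookup selects the peer VPC in the other account by `tag:Name` alone, so a mistagged or duplicate VPC on the far side either fails the plan or peers, routes and opens NACLs toward the wrong network; if `peer_settings` can carry the expected CIDR, adding `cidr_block = var.peer_settings["do2-govcloud_west_vpc3-dev"].peer_cidr` to the data source pins the target, otherwise consider recording the peer VPC id explicitly. `tags = {}` means the peering resources receive only the tags the module adds itself — presumably intentional, but worth a one-line comment.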
@@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/examples/typical/README.md b/examples/typical/README.md new file mode 100644 index 0000000..a5ca437 --- /dev/null +++ b/examples/typical/README.md 
@@ -0,0 +1,87 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [aws.peer\_main\_east](#provider\_aws.peer\_main\_east) | n/a | +| [aws.peer\_main\_west](#provider\_aws.peer\_main\_west) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [base-security-groups](#module\_base-security-groups) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//security-groups | n/a | +| [flowlogs](#module\_flowlogs) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//flowlogs | n/a | +| [nacls](#module\_nacls) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacls | n/a | +| [nacls\_endpoints](#module\_nacls\_endpoints) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules | n/a | +| [nacls\_enterprise](#module\_nacls\_enterprise) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules | n/a | +| [nacls\_public\_nat](#module\_nacls\_public\_nat) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules | n/a | +| [nacls\_public\_vpc](#module\_nacls\_public\_vpc) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules | n/a | +| [peer\_services\_main\_east](#module\_peer\_services\_main\_east) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer | n/a | +| [peer\_services\_main\_west](#module\_peer\_services\_main\_west) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer | n/a | +| [routing](#module\_routing) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing | n/a | +| [sg\_web](#module\_sg\_web) | git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web | n/a | +| [subnets](#module\_subnets) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//subnets | n/a | +| [vpc](#module\_vpc) | 
git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc | n/a | +| [vpce\_autoscaling](#module\_vpce\_autoscaling) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_ec2](#module\_vpce\_ec2) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_ecr\_api](#module\_vpce\_ecr\_api) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_ecr\_dkr](#module\_vpce\_ecr\_dkr) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_ecs](#module\_vpce\_ecs) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_elasticfilesystem](#module\_vpce\_elasticfilesystem) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_elasticloadbalancing](#module\_vpce\_elasticloadbalancing) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_kms](#module\_vpce\_kms) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_logs](#module\_vpce\_logs) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_secretsmanager](#module\_vpce\_secretsmanager) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_ssm](#module\_vpce\_ssm) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpce\_sts](#module\_vpce\_sts) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint | n/a | +| [vpn](#module\_vpn) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn | n/a | + +## Resources + +| Name | Type | +|------|------| +| 
[aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source | +| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_subnet_ids.endpoint_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | +| [aws_vpc.service_main_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | +| [aws_vpc.service_main_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [peer\_settings](#input\_peer\_settings) | VPC Peering NACL settings to additional VPCs |
map(object(
{
peer_name = string
region = string
vpc_index = number
vpc_name = string
vpc_short_name = string
rule_number = number
}
))
| `{}` | no | +| [private\_subnets](#input\_private\_subnets) | List of objects with private subnet information to be created |
list(object({
base_cidr = string
label = string
bits = number
private = bool
tags = map(string)
# subnets = list(string)
# labels = list(string)
# availability_zones = list(string)
}))
| `[]` | no | +| [public\_subnets](#input\_public\_subnets) | List of objects with public subnet information to be created |
list(object({
base_cidr = string
label = string
bits = number
private = bool
tags = map(string)
# subnets = list(string)
# labels = list(string)
# availability_zones = list(string)
}))
| `[]` | no | +| [services\_peer\_settings](#input\_services\_peer\_settings) | VPC Peering NACL settings to main enterprise govcloud |
map(object(
{
peer_name = string
region = string
rule_number = number
}
))
| `{}` | no | +| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | n/a | yes | +| [vpc\_enable\_awsdns](#input\_vpc\_enable\_awsdns) | Enable AWS DNS on the VPC | `bool` | `false` | no | +| [vpc\_enable\_igw](#input\_vpc\_enable\_igw) | Enable AWS Internet Gateway (IGW) on the VPC (true \| false[x]) | `bool` | `false` | no | +| [vpc\_enable\_nat](#input\_vpc\_enable\_nat) | Enable AWS NAT Gateway on the VPC (true \| false[x]) | `bool` | `false` | no | +| [vpc\_enable\_vpn](#input\_vpc\_enable\_vpn) | Enable AWS VPN Configuration on the VPC (true[x] \| false) | `bool` | `true` | no | +| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (common, shared, dev, stage, ite, prod) | `string` | `""` | no | +| [vpc\_index](#input\_vpc\_index) | VPC index number. This used for NACL rule number caculations. | `number` | n/a | yes | +| [vpc\_name](#input\_vpc\_name) | VPC Name including environment (if necessary), excluding vpc{N} | `string` | n/a | yes | +| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component, vpc{index} | `string` | n/a | yes | +| [vpn\_settings](#input\_vpn\_settings) | VPN Connection details array of site, bgp\_asn\_id and ip\_address |
list(object(
{
site = string
bgp_asn_id = number
ip_address = string
}
))
| `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [private\_subnets\_ids](#output\_private\_subnets\_ids) | Resulting private subnets list of objects: subnet, label, availability\_zone, id | +| [public\_subnets\_ids](#output\_public\_subnets\_ids) | Resulting public subnets list of objects: subnet, label, availability\_zone, id | +| [security\_groups](#output\_security\_groups) | Security Group map(object{name, id, arn}) | +| [sg\_web\_id](#output\_sg\_web\_id) | Common Web security group | +| [vpc\_arn](#output\_vpc\_arn) | VPC ARN | +| [vpc\_id](#output\_vpc\_id) | VPC ID | +| [vpc\_info](#output\_vpc\_info) | VPC info | +| [vpn\_labels](#output\_vpn\_labels) | VPN Label for Description field of Endpoint device (Cisco ASR) | +| [vpn\_tunnel\_endpoints](#output\_vpn\_tunnel\_endpoints) | VPN Tunnel Endpoint IP Addresses | + \ No newline at end of file diff --git a/examples/typical/apps/.terraform-docs.yml b/examples/typical/apps/.terraform-docs.yml new file mode 100644 index 0000000..8391b9d --- /dev/null +++ b/examples/typical/apps/.terraform-docs.yml @@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/examples/typical/apps/README.md b/examples/typical/apps/README.md new file mode 100644 index 0000000..ef2fa69 --- /dev/null +++ b/examples/typical/apps/README.md 
@@ -0,0 +1,25 @@ + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +No modules. + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/typical/apps/dns/.terraform-docs.yml b/examples/typical/apps/dns/.terraform-docs.yml new file mode 100644 index 0000000..8391b9d --- /dev/null +++ b/examples/typical/apps/dns/.terraform-docs.yml @@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/examples/typical/apps/dns/README.md b/examples/typical/apps/dns/README.md new file mode 100644 index 0000000..7c83e0a --- /dev/null +++ b/examples/typical/apps/dns/README.md 
@@ -0,0 +1,66 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [external](#provider\_external) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_route53_record.inbound_a](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.inbound_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.outbound_a](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.outbound_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_resolver_endpoint.inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource | +| [aws_route53_resolver_endpoint.outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource | +| [aws_route53_resolver_query_log_config.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config) | resource | +| [aws_route53_resolver_query_log_config_association.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config_association) | resource | +| [aws_route53_resolver_rule.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource | +| [aws_route53_resolver_rule.amazon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource | +| 
[aws_route53_resolver_rule.reverse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource | +| [aws_route53_resolver_rule_association.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource | +| [aws_route53_resolver_rule_association.amazon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource | +| [aws_route53_resolver_rule_association.reverse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource | +| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone.ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_security_group.sg1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_subnet.endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnet_ids.endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | +| [external_external.inbound_sorted](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | +| [external_external.outbound_sorted](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [application\_tags](#input\_application\_tags) | Default application tags to be used on non-infrastructure resources | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| 
[all\_zones](#output\_all\_zones) | DNS zone list | +| [domain\_zone\_id](#output\_domain\_zone\_id) | DICE development DNS Zone ID | +| [domain\_zone\_ns](#output\_domain\_zone\_ns) | DICE development DNS Zone Nameservers | +| [inbound\_dns](#output\_inbound\_dns) | DNS entries for inbound DNS resolver | +| [inbound\_dns\_map](#output\_inbound\_dns\_map) | DNS entries for inbound DNS resolver name and IP only | +| [outbound\_dns](#output\_outbound\_dns) | DNS entries for outbound DNS resolver | +| [ptr\_zone\_id](#output\_ptr\_zone\_id) | DICE development DNS PTR Zone IDs | +| [ptr\_zone\_info](#output\_ptr\_zone\_info) | DICE development DNS PTR Zone Info | +| [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DICE development DNS PTR Zone Nameservers | +| [resolver\_endpoint\_info](#output\_resolver\_endpoint\_info) | DNS Resolver Endpoint Information | +| [sg\_sg1\_arn](#output\_sg\_sg1\_arn) | DNS Seurity group ARN | +| [sg\_sg1\_id](#output\_sg\_sg1\_id) | DNS Seurity group ID | + \ No newline at end of file diff --git a/examples/typical/apps/dns/endpoints.tf b/examples/typical/apps/dns/endpoints.tf new file mode 100644 index 0000000..6977733 --- /dev/null +++ b/examples/typical/apps/dns/endpoints.tf 
@@ -0,0 +1,110 @@
+locals {
+ subnet_info = { for k, v in data.aws_subnet.endpoints : k => v }
+ endpoint_info = {
+ inbound = {
+ name = aws_route53_resolver_endpoint.inbound.name
+ ip_addresses = [for x in aws_route53_resolver_endpoint.inbound.ip_address : x.ip]
+ subnet_ids = tolist(data.aws_subnet_ids.endpoints.ids)
+ subnet_cidrs = [for k, v in data.aws_subnet.endpoints : v.cidr_block]
+ subnet_names = [for k, v in data.aws_subnet.endpoints : v.tags["Name"]]
+ }
+ outbound = {
+ name = aws_route53_resolver_endpoint.outbound.name
+ ip_addresses = [for x in aws_route53_resolver_endpoint.outbound.ip_address : x.ip]
+ subnet_ids = tolist(data.aws_subnet_ids.endpoints.ids)
+ subnet_cidrs = [for k, v in data.aws_subnet.endpoints : v.cidr_block]
+ subnet_names = [for k, v in data.aws_subnet.endpoints : v.tags["Name"]]
+ }
+ }
+ endpoint_inbound_sorted = split(",", data.external.inbound_sorted.result.ip_addresses_sorted)
+ endpoint_outbound_sorted = split(",", data.external.outbound_sorted.result.ip_addresses_sorted)
+}
+
+data "aws_subnet_ids" "endpoints" {
+ vpc_id = local.vpc_id
+ filter {
+ name = "tag:Name"
+ values = ["*-endpoints-*"]
+ }
+}
+
+data "aws_subnet" "endpoints" {
+ for_each = toset(data.aws_subnet_ids.endpoints.ids)
+ id = each.key
+}
+
+
+# if possible, need to do this before other vpc endpoints are defined
+# dns inbound subnet+4, outbound subnet+5
+# right now, use some random address
+resource "aws_route53_resolver_endpoint" "inbound" {
+ name = "inbound"
+ direction = "INBOUND"
+
+ security_group_ids = [aws_security_group.sg1.id]
+
+ dynamic "ip_address" {
+ for_each = data.aws_subnet.endpoints
+ iterator = ip
+ content {
+ subnet_id = ip.value.id
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ tomap({ "Name" = "route53-inbound-dns" }),
+ )
+}
+
+resource "aws_route53_resolver_endpoint" "outbound" {
+ name = "outbound"
+ direction = "OUTBOUND"
+
+ security_group_ids = [aws_security_group.sg1.id]
+
+ dynamic "ip_address" {
+ for_each = data.aws_subnet.endpoints
+ iterator = ip
+ content {
+ subnet_id = ip.value.id
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ tomap({ "Name" = "route53-inbound-dns" }),
+ )
+}
+
+data "external" "inbound_sorted" {
+ program = ["python", "${path.root}/sort-ip.py"]
+ query = {
+ ip_addresses = join(",", local.endpoint_info["inbound"].ip_addresses)
+ }
+}
+
+data "external" "outbound_sorted" {
+ program = ["python", "${path.root}/sort-ip.py"]
+ query = {
+ ip_addresses = join(",", local.endpoint_info["outbound"].ip_addresses)
+ }
+}
+
+output "resolver_endpoint_info" {
+ description = "DNS Resolver Endpoint Information"
+ value = {
+ inbound = merge(
+ local.endpoint_info["inbound"],
+ tomap({ "ip_addresses_sorted" = local.endpoint_inbound_sorted }),
+ ),
+ outbound = merge(
+ local.endpoint_info["outbound"],
+ tomap({ "ip_addresses_sorted" = local.endpoint_outbound_sorted }),
+ ),
+ }
+}
diff --git a/examples/typical/apps/dns/iam.tf b/examples/typical/apps/dns/iam.tf
new file mode 100644
index 0000000..c911e74
--- /dev/null
+++ b/examples/typical/apps/dns/iam.tf
@@ -0,0 +1,9 @@
+# route53:GetHosted*
+# route53:ListHosted*
+# route53:Get*
+# route53:List*
+# *
+#
+# route53:ChangeResourceRecordSets
+# route53:ListResourceRecordSets
+# arn:aws:route53:::hostedzone/ID
diff --git a/examples/typical/apps/dns/locals.tf b/examples/typical/apps/dns/locals.tf
new file mode 100644
index 0000000..60decda
--- /dev/null
+++ b/examples/typical/apps/dns/locals.tf
@@ -0,0 +1,13 @@
+locals {
+ base_tags = {
+ "boc:created_by" = "terraform"
+ }
+}
+
+locals {
+ vpc_info = data.terraform_remote_state.vpc_east_vpc4.outputs.vpc_info
+ vpc_id = local.vpc_info["vpc_id"]
+ domain_name = local.vpc_info["vpc_domain_name"]
+ dns_servers = local.vpc_info["vpc_dns_servers"]
+ vpc_short_name = local.vpc_info["vpc_short_name"]
+}
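Review bot: The outbound endpoint is tagged `Name = "route53-inbound-dns"`, copied from the inbound block, so both resolver endpoints carry the same Name in the console and in any tag-based inventory; the outbound block should read `tomap({ "Name" = "route53-outbound-dns" }),`. Both endpoints also share `aws_security_group.sg1`, whose ingress rules are only needed by the INBOUND endpoint — an OUTBOUND endpoint only originates queries and can sit in a group with no ingress at all. The two `data "external"` blocks invoke `"python"` unversioned; `"python3"` removes the dependency on what `python` resolves to on the operator's machine. The comment `# right now, use some random address` is misleading: the blocks choose the subnet and AWS assigns the address, which is what the comment should say.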
diff --git a/examples/typical/apps/dns/logging.tf b/examples/typical/apps/dns/logging.tf
new file mode 100644
index 0000000..5c58022
--- /dev/null
+++ b/examples/typical/apps/dns/logging.tf
@@ -0,0 +1,50 @@
+resource "aws_route53_resolver_query_log_config" "dns" {
+ name = "dns-logging"
+ destination_arn = aws_cloudwatch_log_group.dns.arn
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ # var.application_tags,
+ tomap({ "Name" = format("dns-logging-%v-%v", local.region, local.vpc_short_name) }),
+ )
+}
+
+resource "aws_route53_resolver_query_log_config_association" "dns" {
+ resolver_query_log_config_id = aws_route53_resolver_query_log_config.dns.id
+ resource_id = local.vpc_id
+}
+
+resource "aws_cloudwatch_log_group" "dns" {
+ name = format("%v%v-%v-%v-%v", "lg-", "dns", var.account_alias, local.region, local.vpc_short_name)
+ retention_in_days = 90
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ # var.application_tags,
+ tomap({ "Name" = format("dns-logging-%v-%v", local.region, local.vpc_short_name) }),
+ )
+}
+
+## # from aws-vpc-setup/flowlog, need to adapt
+## resource "aws_kinesis_stream" "flowlog" {
+## name = local.flowlog_stream_name
+## shard_count = 1
+## retention_period = 48
+## shard_level_metrics = ["IncomingBytes", "OutgoingBytes", "IncomingRecords", "OutgoingRecords"]
+## tags = merge(
+## local.base_tags,
+## var.tags,
+## tomap({ "Name" = local.flowlog_stream_name }),
+## )
+## }
+##
+## resource "aws_cloudwatch_log_subscription_filter" "flowlog" {
+## name = local.flowlog_stream_name
+## role_arn = var.flowlog_role_arn
+## log_group_name = aws_cloudwatch_log_group.flowlog.name
+## destination_arn = aws_kinesis_stream.flowlog.arn
+## filter_pattern = "[action=*]"
+## distribution = "ByLogStream"
+## }
diff --git a/examples/typical/apps/dns/records.tf b/examples/typical/apps/dns/records.tf
new file mode 100644
index 0000000..1395062
--- /dev/null
+++ b/examples/typical/apps/dns/records.tf
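Review bot: `aws_cloudwatch_log_group.dns` sets no `kms_key_id`, so the resolver query logs — a record of every internal hostname the VPC resolves — are stored under the CloudWatch service key rather than a customer-managed CMK; if the account has a logging CMK, add `kms_key_id = <cmk arn>` (its key policy must grant the CloudWatch Logs service principal for the region). `retention_in_days = 90` is a hard-coded literal while every name around it is derived from variables; a `var.dns_log_retention_days` with default `90` would let a prod environment meet a longer retention requirement without editing the example. The group `name` is assembled with `format("%v%v-%v-%v-%v", "lg-", "dns", ...)`; the two literal pieces can simply be part of the format string, `format("lg-dns-%v-%v-%v", var.account_alias, local.region, local.vpc_short_name)`.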
@@ -0,0 +1,77 @@
+## resource "aws_route53_record" "test" {
+## zone_id = aws_route53_zone.domain_zone.zone_id
+## name = format("%v.%v","test",local.domain_name)
+## type = "TXT"
+## ttl = "900"
+## records = ["test"]
+## }
+
+# endpoint addresses
+
+locals {
+ inbound_dns = { for x in range(0, length(local.endpoint_inbound_sorted)) : x => {
+ index = x
+ name = format("ns-in-%v.%v", x, local.domain_name)
+ ip = local.endpoint_inbound_sorted[x]
+ ptr = format("%v.in-addr.arpa", join(".", reverse(split(".", local.endpoint_inbound_sorted[x]))))
+ ptr_zone_id = aws_route53_zone.ptr_zone[format("%v.0/24", join(".", slice(split(".", local.endpoint_inbound_sorted[x]), 0, 3)))].id
+ ptr_zone_name = format("%v.in-addr.arpa", join(".", slice(reverse(split(".", local.endpoint_inbound_sorted[x])), 0, 3)))
+ } }
+ outbound_dns = { for x in range(0, length(local.endpoint_outbound_sorted)) : x => {
+ index = x
+ name = format("ns-out-%v.%v", x, local.domain_name)
+ ip = local.endpoint_outbound_sorted[x]
+ ptr = format("%v.in-addr.arpa", join(".", reverse(split(".", local.endpoint_outbound_sorted[x]))))
+ ptr_zone_id = aws_route53_zone.ptr_zone[format("%v.0/24", join(".", slice(split(".", local.endpoint_outbound_sorted[x]), 0, 3)))].id
+ ptr_zone_name = format("%v.in-addr.arpa", join(".", slice(reverse(split(".", local.endpoint_outbound_sorted[x])), 0, 3)))
+ } }
+}
+
+resource "aws_route53_record" "inbound_a" {
+ for_each = local.inbound_dns
+ zone_id = aws_route53_zone.domain_zone.zone_id
+ name = each.value.name
+ type = "A"
+ ttl = "900"
+ records = [each.value.ip]
+}
+resource "aws_route53_record" "inbound_ptr" {
+ for_each = local.inbound_dns
+ zone_id = each.value.ptr_zone_id
+ name = split(".", each.value.ptr)[0]
+ type = "PTR"
+ ttl = "900"
+ records = [each.value.name]
+}
+
+resource "aws_route53_record" "outbound_a" {
+ for_each = local.outbound_dns
+ zone_id = aws_route53_zone.domain_zone.zone_id
+ name = each.value.name
+ type = "A"
+ ttl = "900"
+ records = [each.value.ip]
+}
+resource "aws_route53_record" "outbound_ptr" {
+ for_each = local.outbound_dns
+ zone_id = each.value.ptr_zone_id
+ name = split(".", each.value.ptr)[0]
+ type = "PTR"
+ ttl = "900"
+ records = [each.value.name]
+}
+
+output "inbound_dns" {
+ description = "DNS entries for inbound DNS resolver"
+ value = local.inbound_dns
+}
+
+output "outbound_dns" {
+ description = "DNS entries for outbound DNS resolver"
+ value = local.outbound_dns
+}
+
+output "inbound_dns_map" {
+ description = "DNS entries for inbound DNS resolver name and IP only"
+ value = { for k, v in local.inbound_dns : v.name => v.ip }
+}
diff --git a/examples/typical/apps/dns/region.tf b/examples/typical/apps/dns/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/typical/apps/dns/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/typical/apps/dns/resolver.tf b/examples/typical/apps/dns/resolver.tf
new file mode 100644
index 0000000..4da7253
--- /dev/null
+++ b/examples/typical/apps/dns/resolver.tf
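Review bot: `ptr_zone_name` is built from `slice(reverse(split(".", ip)), 0, 3)`, which for `10.1.2.3` gives `3.2.1.in-addr.arpa` — the host octet plus two network octets — whereas the /24 zone that `ptr_zone_id` selects is `2.1.10.in-addr.arpa`; it should be `slice(reverse(split(".", local.endpoint_inbound_sorted[x])), 1, 4)`, and the same in the outbound map. The field is only exported through `inbound_dns`/`outbound_dns`, so records still land in the right zone, but any consumer of those outputs is handed the wrong zone name. Separately, the `for_each` maps are keyed by `range(0, length(local.endpoint_inbound_sorted))`, and that length comes from the external sort of the endpoint IPs, which is unknown until the endpoints exist — which is why tf-run.data has to `mv records.tf records.tf.later` for a first apply. endpoints.tf creates exactly one `ip_address` per endpoint subnet, so `range(0, length(data.aws_subnet.endpoints))` is known at plan time and removes the two-phase workaround.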
@@ -0,0 +1,115 @@
+locals {
+ forward_zones = [
+ "census.gov",
+ "2020census.gov",
+ "my2020census.gov",
+ "luca-appeals.gov",
+ # xd.gov
+ # cep.gov
+ # opportunity.gov
+ ]
+ reverse_zones = flatten([
+ "10.in-addr.arpa",
+ "168.192.in-addr.arpa",
+ "129.148.in-addr.arpa",
+ [for x in range(16, 32) : format("%v.172.in-addr.arpa", x)],
+ ])
+}
+
+# resource "aws_route53_resolver_rule" "forward" {
+# for_each = toset(local.forward_zones)
+# domain_name = each.key
+# name = replace(each.key,".","-")
+# rule_type = "FORWARD"
+# resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
+#
+# dynamic "target_ip" {
+# for_each = toset(local.dns_servers)
+# iterator = ip
+# content {
+# ip = ip.key
+# }
+# }
+#
+# tags = merge(
+# local.base_tags,
+# local.common_tags,
+# # var.application_tags,
+# tomap({"Name"=format("forward-%v",each.key)}),
+# )
+# }
+
+resource "aws_route53_resolver_rule" "reverse" {
+ for_each = toset(local.reverse_zones)
+ domain_name = each.key
+ name = replace(each.key, ".", "-")
+ rule_type = "FORWARD"
+ resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
+
+ dynamic "target_ip" {
+ for_each = toset(local.dns_servers)
+ iterator = ip
+ content {
+ ip = ip.key
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ # var.application_tags,
+ tomap({ "Name" = format("reverse-%v", each.key) }),
+ )
+}
+
+resource "aws_route53_resolver_rule" "all" {
+ domain_name = "."
+ name = "forward-all-onprem"
+ rule_type = "FORWARD"
+ resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
+
+ dynamic "target_ip" {
+ for_each = toset(local.dns_servers)
+ iterator = ip
+ content {
+ ip = ip.key
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ # var.application_tags,
+ tomap({ "Name" = "forward-all-onprem" }),
+ )
+}
+
+resource "aws_route53_resolver_rule" "amazon" {
+ domain_name = "amazonaws.com"
+ name = "aws"
+ rule_type = "SYSTEM"
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ # var.application_tags,
+ tomap({ "Name" = "amazonaws.com" }),
+ )
+}
+
+resource "aws_route53_resolver_rule_association" "all" {
+ resolver_rule_id = aws_route53_resolver_rule.all.id
+ vpc_id = local.vpc_id
+}
+
+resource "aws_route53_resolver_rule_association" "amazon" {
+ resolver_rule_id = aws_route53_resolver_rule.amazon.id
+ vpc_id = local.vpc_id
+}
+
+resource "aws_route53_resolver_rule_association" "reverse" {
+ for_each = toset(local.reverse_zones)
+ resolver_rule_id = aws_route53_resolver_rule.reverse[each.key].id
+ vpc_id = local.vpc_id
+}
+
diff --git a/examples/typical/apps/dns/sg-dns.tf b/examples/typical/apps/dns/sg-dns.tf
new file mode 100644
index 0000000..98889ee
--- /dev/null
+++ b/examples/typical/apps/dns/sg-dns.tf
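Review bot: The `all` rule forwards `.` to the on-prem servers, and per AWS guidance a `.` FORWARD rule also captures names in private hosted zones associated with the VPC unless a SYSTEM rule exists for each of them — so the `domain_zone` and `ptr_zone` zones this example creates in zones.tf (if they are private zones, as the PTR records in records.tf suggest) would be answered by on-prem DNS instead of Route 53, exactly the case the `amazon` rule already handles for `amazonaws.com`. The `reverse` rules have the same effect on the VPC's own /24 PTR zones whenever the VPC lives inside `10/8`, `172.16/12` or `192.168/16`. A SYSTEM rule for `local.domain_name` is sketched below; the PTR zones need the same treatment per zone, and a comment on the `all` rule should record that every private zone requires an accompanying SYSTEM rule. zones.tf is not in this hunk, so whether the zones are private is inferred rather than verified.

```hcl
# … unchanged: forward/reverse/all/amazon rules and their associations …

# SYSTEM rule so the VPC's private zone is not swallowed by the "." FORWARD rule.
resource "aws_route53_resolver_rule" "local_domain" {
  domain_name = local.domain_name
  name        = "local-domain"
  rule_type   = "SYSTEM"

  tags = merge(
    local.base_tags,
    local.common_tags,
    tomap({ "Name" = format("system-%v", local.domain_name) }),
  )
}

resource "aws_route53_resolver_rule_association" "local_domain" {
  resolver_rule_id = aws_route53_resolver_rule.local_domain.id
  vpc_id           = local.vpc_id
}
```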
@@ -0,0 +1,55 @@
+locals {
+ sg1_description = "sg-inf-dns"
+ sg1_short_description = "DNS"
+ sg1_name = "inf-dns"
+ sg1_all_networks = ["0.0.0.0/0"]
+ sg1_dns_servers = ["148.129.127.22/32", "148.129.191.22/32"]
+
+ sg1_ports = [
+ [53, 53, "udp", "DNS", local.sg1_all_networks],
+ [53, 53, "tcp", "DNS", local.sg1_all_networks],
+ ]
+}
+
+resource "aws_security_group" "sg1" {
+ name = local.sg1_name
+ description = local.sg1_description
+ vpc_id = local.vpc_id
+
+ dynamic "ingress" {
+ for_each = local.sg1_ports
+ iterator = p
+ content {
+ description = "${local.sg1_short_description}: ${p.value[3]}"
+ from_port = p.value[0]
+ to_port = p.value[1]
+ protocol = p.value[2]
+ cidr_blocks = p.value[4]
+ }
+ }
+
+ egress {
+ description = "${local.sg1_short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.sg1_all_networks
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ # var.application_tags,
+ tomap({ "Name" = local.sg1_description }),
+ )
+}
+
+output "sg_sg1_arn" {
+ description = "DNS Seurity group ARN"
+ value = aws_security_group.sg1.arn
+}
+
+output "sg_sg1_id" {
+ description = "DNS Seurity group ID"
+ value = aws_security_group.sg1.id
+}
diff --git a/examples/typical/apps/dns/sort-ip.py b/examples/typical/apps/dns/sort-ip.py
new file mode 100755
index 0000000..293f723
--- /dev/null
+++ b/examples/typical/apps/dns/sort-ip.py
@@ -0,0 +1,19 @@
+#!/bin/env python
+
+import json
+import sys
+import ipaddress
+
+r=0
+outdata={'ip_addresses_sorted':''}
+try:
+ indata=json.load(sys.stdin)
+ ipa=indata['ip_addresses'].split(',')
+ ips=sorted(ipa,key=ipaddress.ip_address)
+ outdata['ip_addresses_sorted']=','.join(ips)
+ print(json.dumps(outdata))
+except:
+ sys.stderr.write("unable to parse input address\n")
+ r=1
+
+sys.exit(r)
diff --git a/examples/typical/apps/dns/tf-run.data b/examples/typical/apps/dns/tf-run.data
new file mode 100644
index 0000000..aded045
--- /dev/null
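Review bot: Both ingress entries in `local.sg1_ports` open 53/udp and 53/tcp to `local.sg1_all_networks` (`0.0.0.0/0`), while `local.sg1_dns_servers` (the two /32s) is defined and never used. If this group fronts an inbound resolver endpoint, the inbound side should be limited to the networks that are meant to query it, e.g. `[53, 53, "udp", "DNS", [local.vpc_cidr_block]]` (zones.tf in this commit defines that local) or `local.sg1_dns_servers` if only the on-prem servers need to reach it; an outbound-only endpoint needs no 53 ingress at all. The two output descriptions also misspell "Security" (`"DNS Seurity group ARN"`).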
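Review bot: The bare `except:` in sort-ip.py swallows every exception, including `SystemExit`/`KeyboardInterrupt` and the `TypeError` that `sorted(..., key=ipaddress.ip_address)` raises when the list mixes IPv4 and IPv6, and the fixed message `unable to parse input address` hides which failure occurred. Catch the expected ones and echo the cause: `except (ValueError, KeyError, TypeError) as e:` followed by `sys.stderr.write("unable to parse input address: %s\n" % e)`. The input is also split with `.split(',')` without stripping, so `"a, b"` fails on the space; `[x.strip() for x in indata['ip_addresses'].split(',')]` avoids that. The JSON-on-stdin/JSON-on-stdout shape looks like a Terraform `external` data-source driver; a one-line header comment saying so would help the next reader.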
+++ b/examples/typical/apps/dns/tf-run.data
@@ -0,0 +1,7 @@
+COMMAND tf-directory-setup.py -l none -f
+COMMAND tf-init -upgrade
+COMMAND mv records.tf records.tf.later
+ALL
+COMMAND mv records.tf.later records.tf
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/typical/apps/dns/variables.application_tags.tf b/examples/typical/apps/dns/variables.application_tags.tf
new file mode 100644
index 0000000..a510cbf
--- /dev/null
+++ b/examples/typical/apps/dns/variables.application_tags.tf
@@ -0,0 +1,8 @@
+# include this link to bring in the variable
+# include the link to the .tfvars to bring in the values
+
+variable "application_tags" {
+ description = "Default application tags to be used on non-infrastructure resources"
+ type = map(string)
+ default = {}
+}
diff --git a/examples/typical/apps/dns/zones.tf b/examples/typical/apps/dns/zones.tf
new file mode 100644
index 0000000..85e05db
--- /dev/null
+++ b/examples/typical/apps/dns/zones.tf
@@ -0,0 +1,104 @@ +locals { + # calculate set of /24 blocks for PTR subnets from cidr bock size + vpc_cidr_block = local.vpc_info["vpc_cidr_block"] + bits = tonumber(split("/", local.vpc_cidr_block)[1]) + split_bits = 24 - local.bits + _ptr_zones = local.split_bits > 0 ? { for x in range(0, pow(2, local.split_bits)) : x => cidrsubnet(local.vpc_cidr_block, local.split_bits, x) } : {} + ptr_zones = { for x, s in local._ptr_zones : s => { + index = x + cidr = s + octets = split(".", split("/", s)[0]) + bits = tonumber(split("/", s)[1]) + ptr_zone = format("%v.in-addr.arpa", join(".", reverse(slice(split(".", split("/", s)[0]), 0, 3)))) + } + } +} + +#--- +# domain (forward) zone +#--- +resource "aws_route53_zone" "domain_zone" { + name = local.domain_name + comment = "DICE development DNS Zone" + force_destroy = false + + vpc { + vpc_id = local.vpc_id + vpc_region = local.region + } + + # lifecycle { + # ignore_changes + # } + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + tomap({ "Name" = local.domain_name }), + ) +} +#resource "aws_route53_zone_association" "dns_zone" { } + +output "domain_zone_id" { + description = "DICE development DNS Zone ID" + value = aws_route53_zone.domain_zone.zone_id +} + +output "domain_zone_ns" { + description = "DICE development DNS Zone Nameservers" + value = aws_route53_zone.domain_zone.name_servers +} + +#--- +# ptr (reverse) zones +#--- +resource "aws_route53_zone" "ptr_zone" { + for_each = local.ptr_zones + + name = each.value.ptr_zone + comment = format("DICE development DNS PTR Zone %v (%v)", each.value.ptr_zone, each.value.cidr) + force_destroy = false + + vpc { + vpc_id = local.vpc_id + vpc_region = local.region + } + + # lifecycle { + # ignore_changes + # } + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + tomap({ "Name" = each.value.ptr_zone }), + ) +} + + +output "ptr_zone_id" { + description = "DICE development DNS PTR Zone IDs" + value = { for x, s in 
local.ptr_zones : x => aws_route53_zone.ptr_zone[x].zone_id } +} + +output "ptr_zone_ns" { + description = "DICE development DNS PTR Zone Nameservers" + value = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].name_servers } +} + +output "ptr_zone_info" { + description = "DICE development DNS PTR Zone Info" + value = { for x, s in local.ptr_zones : x => { + cidr = s.cidr + ptr_zone = s.ptr_zone + zone_id = aws_route53_zone.ptr_zone[x].zone_id + name_servers = aws_route53_zone.ptr_zone[x].name_servers + } } +} + +output "all_zones" { + description = "DNS zone list" + value = flatten(concat([local.domain_name], [for x, s in local.ptr_zones : s.ptr_zone])) +} diff --git a/examples/typical/apps/region.tf b/examples/typical/apps/region.tf new file mode 100644 index 0000000..f617506 --- /dev/null +++ b/examples/typical/apps/region.tf @@ -0,0 +1,3 @@ +locals { + region = var.region +} diff --git a/examples/typical/apps/test-instances/.gitignore b/examples/typical/apps/test-instances/.gitignore new file mode 100644 index 0000000..2dc10bf --- /dev/null +++ b/examples/typical/apps/test-instances/.gitignore @@ -0,0 +1 @@ +setup/inf-ec2-keypair diff --git a/examples/typical/apps/test-instances/.terraform-docs.yml b/examples/typical/apps/test-instances/.terraform-docs.yml new file mode 100644 index 0000000..8391b9d --- /dev/null +++ b/examples/typical/apps/test-instances/.terraform-docs.yml 
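Review bot: The `_ptr_zones`/`ptr_zones` derivation in `locals` is a dense one-liner with no explanation; a comment such as `# one /24 PTR hosted zone per /24 inside the VPC CIDR; VPCs smaller than /24 get none` above `split_bits` would state the contract. The zone count is `pow(2, 24 - bits)`, so a /16 VPC creates 256 private hosted zones — worth a note against the account's hosted-zone quota and cost. The hard-coded `comment = "DICE development DNS Zone"` on `domain_zone` (and its PTR variant) is environment-specific text in an example; deriving it from `local.domain_name` would keep the example portable.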
@@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/examples/typical/apps/test-instances/README.20210928.1 b/examples/typical/apps/test-instances/README.20210928.1 new file mode 100644 index 0000000..f0d6d1f --- /dev/null +++ b/examples/typical/apps/test-instances/README.20210928.1 
@@ -0,0 +1,101 @@ + 860 2021/08/11 09:50:48rm -rf */.terraform .terraform-docs.yml + 861 2021/08/11 09:50:55cp ../eks-test1/.terraform-docs.yml . + 881 2021/08/11 09:52:03rm -rf terraform.tfstate* + 892 2021/08/11 09:52:37rm -tf terraform.tfstate* + 895 2021/08/11 09:52:53rm -rf terraform.tfstate* + 902 2021/08/11 09:53:38for f in aws-auth cert-manager efs sample-alb sample-elb sample-nlb; do pushd $f; ln -s ../remote_state.applications_apps-adsd-eks_vpc_east-1_vpc4_apps_eks-test2.tf .; popd; done + 912 2021/08/11 09:54:25rm -rf terraform.tfstate* + 916 2021/08/11 12:17:25grep -A5 dynamic ~/terraform/terraform-modules/aws-vpc-setup/*/*tf + 917 2021/08/11 12:17:37grep -A5 dynamic ~/terraform/terraform-modules/aws-inf-setup/*/*tf + 919 2021/08/11 14:37:57cd terraform/ + 972 2021/08/11 15:49:50git commit -m'add retire grant for ecr' . + 978 2021/08/11 15:51:49cd terraform/079788916859-do2-cat_apps-adsd-eks/ + 1004 2021/09/01 08:26:43cd terraform + 1017 2021/09/01 11:01:42git commit -m'add configs for eks networking with 100.64.0.0/21 as the bock for test3' . + 1019 2021/09/01 11:02:00git commit -m'add configs for eks networking with 100.64.0.0/21 as the bock for test3' . 
+ 1021 2021/09/01 11:02:30gh pr create --title 'add custom networking cidr 100.64.0.0/21 for eks test3 cluster' + 1091 2021/09/02 11:56:56cd terraform/ + 1118 2021/09/02 16:13:56cd terraform/079788916859-do2-cat_apps-adsd-eks/ + 1126 2021/09/02 16:57:03ls ~/terraform/*699* + 1127 2021/09/02 16:57:04ls ~/terraform/*699* -d + 1129 2021/09/02 17:11:07cd terraform/ + 1142 2021/09/02 17:16:49git commit -m'remove eks cluster tag for test3 from secondary cidr subnets and back on primary' -a + 1146 2021/09/02 17:17:23git commit -m'remove eks cluster tag for test3 from secondary cidr subnets and back on primary' -a + 1152 2021/09/03 14:25:51terraform + 1155 2021/09/03 14:25:59cd terraform/ + 1182 2021/09/07 15:29:29pushd ~/terraform/079788916859-do2-cat + 1188 2021/09/08 11:31:00cd terraform/ + 1196 2021/09/08 17:07:46cd terraform/079788916859-do2-cat + 1233 2021/09/09 15:47:39ls ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/apps/eks-test3./ + 1234 2021/09/09 15:47:42ls ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/apps/eks-test3. + 1235 2021/09/09 15:47:44ls ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/apps/eks-test3 + 1236 2021/09/09 15:47:48ls ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/apps/eks-test3/./ + 1237 2021/09/09 15:47:50ls ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/apps/eks-test3/./ . + 1238 2021/09/09 15:47:56rsycn -avRWH ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/apps/eks-test3/./ . + 1239 2021/09/09 15:48:22rsync -avRWH ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/apps/eks-test3/./ . + 1250 2021/09/09 15:49:31cp ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc//east-1/vpc4/apps/eks-test3/prefixes.tf . + 1252 2021/09/09 15:49:41cp ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc//east-1/vpc4/apps/eks-test3/version.tf . 
+ 1254 2021/09/09 15:49:52cp ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc//east-1/vpc4/apps/eks-test3/variables.vpc.auto.tfvars . + 1255 2021/09/09 15:49:58rm -rf .terraform logs + 1284 2021/09/09 15:52:58#cp ~/terraform/079788916859-do2-cat_apps-adsd-eks//vpc//east-1/vpc4/apps/eks-test3/efs/kubeconfig.tf . + 1286 2021/09/09 15:53:01cp ~/terraform/079788916859-do2-cat_apps-adsd-eks//vpc//east-1/vpc4/apps/eks-test3/efs/kubeconfig.tf . + 1308 2021/09/09 15:59:21terraform vali + 1309 2021/09/09 15:59:23terraform validate + 1312 2021/09/09 15:59:52terraform validate + 1331 2021/09/09 16:02:57pushd ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/ + 1344 2021/09/09 16:04:37cp ~/terraform/079788916859-do2-cat_apps-adsd-eks/vpc/east-1/vpc4/apps/eks-test3/eni_config.tmpl . + 1358 2021/09/09 16:09:42rm -f .terraform/ ../.terraform + 1363 2021/09/09 16:09:56rm -rf .terraform/ + 1365 2021/09/09 16:09:59rm -rf .terraform + 1371 2021/09/09 16:11:06gh pr create --title 'setup very basic code for eks for ditd-gups' + 1387 2021/09/10 10:03:40cd terraform/079788916859-do2-cat_apps-adsd-eks/ + 1401 2021/09/13 17:18:11cd terraform/079788916859-do2-cat + 1437 2021/09/15 09:10:52cd terraform/ + 1459 2021/09/15 14:00:47ccd terraform/ + 1460 2021/09/15 14:00:48cd terraform/ + 1471 2021/09/15 14:01:32vi ~/terraform/terraform-modules/aws-common-security-groups/web/*tf + 1493 2021/09/15 14:51:30git commit -m'add ingress_networks for use of secondary cidr' . 
+ 1496 2021/09/15 14:54:50cd terraform/ + 1501 2021/09/16 14:39:18cd terraform/079788916859-do2-cat + 1516 2021/09/17 11:12:19cd terraform/ + 1563 2021/09/20 10:32:20cd terraform/ + 1579 2021/09/21 15:31:01cd terraform/ + 1602 2021/09/22 15:28:51terraform + 1603 2021/09/22 15:28:53cd terraform/ + 1627 2021/09/22 15:30:04rm -rf .terraform log + 1647 2021/09/22 15:31:26rm -rf .terraform/ logs/ + 1648 2021/09/22 15:31:32rm -rf terraform.tfstate* + 1684 2021/09/22 15:38:48which terraform + 1685 2021/09/22 15:38:52terraform -version + 1701 2021/09/22 15:47:39terraform console + 1708 2021/09/24 08:40:41ls -al ~/terraform/079788916859-do2-cat + 1709 2021/09/24 08:40:43ls -al ~/terraform/079788916859-do2-cat/applications/ + 1710 2021/09/24 08:40:48ls -al ~/terraform/079788916859-do2-cat/applications/README.md + 1711 2021/09/24 08:40:50cat -al ~/terraform/079788916859-do2-cat/applications/README.md + 1712 2021/09/24 08:40:51cat ~/terraform/079788916859-do2-cat/applications/README.md + 1726 2021/09/24 10:50:39for f in $(cat test-ips.txt ); do echo "# $f"; pinc -c 5 -w 10 $f; done + 1727 2021/09/24 10:50:59for f in $(gat test-ips.txt ); do echo "# $f"; pinc -c 5 -w 10 $f; done + 1728 2021/09/24 10:51:11for f in $(cat test-ips.txt ); do echo "# $f"; ping -c 5 -w 10 $f; done | tee ping.$(date +%s).log + 1733 2021/09/24 11:32:03for f in $(gat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" ssh -O StrictHostKeyChecking=false -i setup/vpc3-test-ec2-keypair e2-user@$f "hostname -f;date;/sbin/ifconfig|grep 10.188"; done + 1734 2021/09/24 11:32:10for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" ssh -O StrictHostKeyChecking=false -i setup/vpc3-test-ec2-keypair e2-user@$f "hostname -f;date;/sbin/ifconfig|grep 10.188"; done + 1735 2021/09/24 11:32:27for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" ssh -O StrictHostKeyChecking=false -i setup/vpc3-test-ec2-keypair e2-user@$f "hostname -f"; done + 1736 2021/09/24 11:32:37for f in $(cat test-ips.txt ); do echo 
"# $f"; SSH_AUTH_SOCK="" ssh -o StrictHostKeyChecking=false -i setup/vpc3-test-ec2-keypair e2-user@$f "hostname -f"; done + 1738 2021/09/24 11:33:27for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair e2-user@$f "hostname -f"; done + 1739 2021/09/24 11:33:33for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair -v e2-user@$f "hostname -f"; done + 1783 2021/09/24 12:32:09for f in $(cat test-ips.txt ); do echo "# $f"; ping -c 5 -w 10 $f; done | tee ping.$(date +%s).log + 1786 2021/09/24 12:32:56for f in $(cat test-ips.txt ); do echo "# $f"; ping -c 5 -w 10 $f; done | tee ping.$(date +%s).log + 1788 2021/09/24 12:34:16for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair -v e2-user@$f "hostname -f"; done + 1793 2021/09/24 12:44:41for f in $(cat test-ips.txt ); do echo "# $f"; timeout 60 ping $f > ping.1.$f.log 2>&1 &; done + 1794 2021/09/24 12:44:49for f in $(cat test-ips.txt ); do echo "# $f"; timeout 60 ping $f > ping.1.$f.log 2>&1 & ; done + 1795 2021/09/24 12:44:53for f in $(cat test-ips.txt ); do echo "# $f"; timeout 60 ping $f > ping.1.$f.log 2>&1 & done + 1801 2021/09/24 13:50:49for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair -v e2-user@$f "hostname -f"; done + 1802 2021/09/24 13:50:59for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" timeout 10 ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair -v e2-user@$f "hostname -f"; done + 1803 2021/09/24 13:51:08for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" timeout 5 ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair -v e2-user@$f "hostname -f"; done + 1805 2021/09/24 
15:46:05for f in $(cat test-ips.txt ); do echo "# $f"; ping -c 5 -w 10 $f > ping.2.$f.log 2>&1 & done + 1808 2021/09/24 15:46:50for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" timeout 15 ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair -v e2-user@$f "hostname -f"; done + 1814 2021/09/28 10:25:52history|grep for + 1817 2021/09/28 10:26:22for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" timeout 15 ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair -v ec2-user@$f "hostname -f"; done + 1818 2021/09/28 10:26:34for f in $(cat test-ips.txt ); do echo "# $f"; SSH_AUTH_SOCK="" timeout 15 ssh -o StrictHostKeyChecking=false -o IdentityFile=setup/vpc3-test-ec2-keypair ec2-user@$f "hostname -f"; done + 1821 2021/09/28 14:50:34history|grpe for + 1822 2021/09/28 14:50:37history|grep for + 1823 2021/09/28 14:50:43history|grep for > README.20210928.1 diff --git a/examples/typical/apps/test-instances/README.md b/examples/typical/apps/test-instances/README.md new file mode 100644 index 0000000..085d2a2 --- /dev/null +++ b/examples/typical/apps/test-instances/README.md 
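Review bot: This file is a raw shell-history dump (its own last line is `history|grep for > README.20210928.1`) rather than documentation: it carries an account number in paths (`079788916859-do2-cat...`), the private-key path `setup/vpc3-test-ec2-keypair`, internal addresses and a series of mistyped command attempts. None of that belongs in a shipped example, and the working procedure it records is already captured by test-ping.sh and test-ssh.sh in this commit. I would drop the file, or replace it with a two-line README note pointing at those scripts.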
@@ -0,0 +1,37 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_instance.test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_key_pair.keypair](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource | +| [null_resource.generate_keypair](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_ami.test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_security_groups.test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_groups) | data source | + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [keypair](#output\_keypair) | EC2 keypair for test instances | +| [test\_instances](#output\_test\_instances) | Details about test instances | + \ No newline at end of file diff --git a/examples/typical/apps/test-instances/ec2-keypair.tf b/examples/typical/apps/test-instances/ec2-keypair.tf new file mode 100644 index 0000000..ea9d6e4 --- /dev/null +++ b/examples/typical/apps/test-instances/ec2-keypair.tf 
@@ -0,0 +1,39 @@
+#---
+# ec2 keypairs
+#---
+locals {
+ keypair_name = format("%v-test-ec2-keypair", local.vpc_short_name)
+}
+
+# two-step process to create
+# terraform apply -target=null_resource.generate_keypair
+# terraform apply
+# when done, add to git
+# cd setup
+# echo *-keypair >> .gitignore
+# git-secret add *-ec2-keypair
+# git-secret hide
+# git add *-ec2-keypair.{pub,secret}
+# git commit -m'add ec2-keypair: *-ec2-keypair' *-ec2-keypair.{pub,secret} .gitignore
+
+resource "null_resource" "generate_keypair" {
+ provisioner "local-exec" {
+ command = "test -d setup || mkdir setup"
+ }
+ provisioner "local-exec" {
+ working_dir = "./setup"
+ # command = "ssh-keygen -f ${local.keypair_name} -N '' -t dsa -b 1024 -C '${local.keypair_name}@${var.vpc_domain_name}'"
+ command = "ssh-keygen -f ${local.keypair_name} -N '' -t rsa -b 2048 -C '${local.keypair_name}@${var.vpc_domain_name}'"
+ }
+}
+
+resource "aws_key_pair" "keypair" {
+ key_name = local.keypair_name
+ public_key = file("setup/${local.keypair_name}.pub")
+ depends_on = [null_resource.generate_keypair]
+}
+
+output "keypair" {
+ description = "EC2 keypair for test instances"
+ value = aws_key_pair.keypair.key_name
+}
diff --git a/examples/typical/apps/test-instances/ec2.tf b/examples/typical/apps/test-instances/ec2.tf
new file mode 100644
index 0000000..ff07165
--- /dev/null
+++ b/examples/typical/apps/test-instances/ec2.tf
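Review bot: The generated private key is written unencrypted (`-N ''`) to `setup/${local.keypair_name}`, where `keypair_name` is `<vpc_short_name>-test-ec2-keypair`, but the `.gitignore` added in this commit lists only `setup/inf-ec2-keypair`, so the real key file (e.g. `setup/vpc3-test-ec2-keypair`, the name seen in the README history) is not ignored until the manual `echo *-keypair >> .gitignore` step from the comment is run. Make the ignore rule match the pattern up front (`setup/*-ec2-keypair`) so the key cannot be staged by accident. `null_resource.generate_keypair` has no `triggers`, so once `setup/` is removed the `file()` call in `aws_key_pair` fails until the `-target` step is repeated; a comment saying so next to `depends_on` would help. Where the target region's EC2 accepts them, `-t ed25519` is preferable to `-t rsa -b 2048`.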
@@ -0,0 +1,115 @@ +data "aws_ami" "test" { + # executable_users = ["self"] + most_recent = true + owners = ["self", "amazon", "aws-marketplace"] + # owners = [ "045324592363" ,"amazon"] + + filter { + name = "description" + values = ["Amazon Linux 2*"] + } + filter { + name = "root-device-type" + values = ["ebs"] + } + filter { + name = "virtualization-type" + values = ["hvm"] + } + filter { + name = "architecture" + values = ["x86_64"] + } +} + +data "aws_security_groups" "test" { + filter { + name = "vpc-id" + values = [local.vpc_id] + } + filter { + name = "group-name" + values = ["*linux*"] + } +} + +locals { + vpc_short_name = data.terraform_remote_state.vpc_east_vpc3.outputs.vpc_info["vpc_short_name"] + + private_subnets_ids = data.terraform_remote_state.vpc_east_vpc3.outputs.private_subnets_ids + private_subnets_id_map = { for v in data.terraform_remote_state.vpc_east_vpc3.outputs.private_subnets_ids : v.label => v } + vpc_id = data.terraform_remote_state.vpc_east_vpc3.outputs.vpc_id + security_groups = tolist(data.aws_security_groups.test.ids) + + ami = data.aws_ami.test.id + instance_type = "t3.nano" + key_name = local.keypair_name + root_volume_size = 50 + + my_subnet_id = "subnet-02f7a7960321abec0" + my_ami = "ami-01deaf79b0a2fb6dc" + my_instance_type = "t3.medium" + my_availability_zone = "us-gov-east-1a" + +} + +resource "aws_instance" "test" { + # for_each = { "apps-1a" = local.my_subnet_id } + for_each = local.private_subnets_id_map + + # ami = local.my_ami + ami = local.ami + instance_type = local.my_instance_type + # availability_zone = local.my_availability_zone + availability_zone = each.value.availability_zone + key_name = local.key_name + # subnet_id = each.value + subnet_id = each.value.id + vpc_security_group_ids = local.security_groups + + root_block_device { + encrypted = true + # kms_key_id = var.kms_key_id + volume_type = "gp2" + volume_size = local.root_volume_size > 0 ? 
local.root_volume_size : 30 + delete_on_termination = true + } + + volume_tags = merge( + local.common_tags, + tomap({ "Name" = format("v-ebs-%v-test-%v:%v", local.vpc_short_name, each.value.label, "/") }), + ) + tags = merge( + local.common_tags, + tomap({ "Name" = format("%v-test-%v", local.vpc_short_name, each.value.label) }), + ) +} + +output "test_instances" { + description = "Details about test instances" + value = { for k, v in aws_instance.test : k => { + name = k + id = v.id + ip_address = v.private_ip + subnet_id = v.subnet_id + # subnet_label = local.private_subnets_id_map[v.subnet_id]["label"] + # subnet = local.private_subnets_id_map[v.subnet_id]["subnet"] + } } +} + +#--- +# variables +#--- +## ../../outputs.common.tf:output "caller_account_id" { +## ../../outputs.common.tf:output "account_caller_arn" { +## ../../outputs.common.tf:output "account_caller_arn_partition" { +## ../../outputs.common.tf:output "profile" { +## ../../outputs.common.tf:output "region" { +## ../../outputs.common.tf:output "vpc_full_name" { +## ../../outputs.subnets.tf:output "public_subnets_ids" { +## ../../outputs.subnets.tf:output "private_subnets_ids" { +## ../../outputs.tf:output "vpc_id" { +## ../../outputs.tf:output "vpc_arn" { +## ../../outputs.tf:output "vpc_info" { +## ../../outputs.tf:output "vpn_tunnel_endpoints" { +## ../../outputs.tf:output "vpn_labels" { diff --git a/examples/typical/apps/test-instances/locals.tf b/examples/typical/apps/test-instances/locals.tf new file mode 100644 index 0000000..b7b1696 --- /dev/null +++ b/examples/typical/apps/test-instances/locals.tf @@ -0,0 +1,4 @@ +locals { + region = var.region +} + diff --git a/examples/typical/apps/test-instances/show-tunnel-status.sh b/examples/typical/apps/test-instances/show-tunnel-status.sh new file mode 100755 index 0000000..09011b9 --- /dev/null +++ b/examples/typical/apps/test-instances/show-tunnel-status.sh 
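Review bot: `data "aws_ami" "test"` picks `most_recent = true` across `owners = ["self", "amazon", "aws-marketplace"]` with only a `description = "Amazon Linux 2*"` filter, so any marketplace or self-owned image whose description starts with that text can win the lookup; pin the owner to `amazon` (or the vendor account id) and filter on `name = "amzn2-ami-hvm-*"` so the image source is unambiguous. The `locals` block also carries environment-specific dead values (`my_subnet_id`, `my_ami`, `my_availability_zone`, and `instance_type`/`root_volume_size` alongside `my_instance_type`) that only the commented-out lines in `aws_instance.test` reference; in an example they should be removed or turned into variables. `data "aws_security_groups" "test"` attaches every group in the VPC whose name matches `*linux*`, which deserves a comment stating which groups that is expected to return.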
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+PROFILE=$1
+if [ -z $PROFILE ]
+then
+ echo "* missing profile"
+ exit 1
+fi
+
+VPC=$2
+if [ -z $VPC ]
+then
+ VPC="*vpc3*"
+fi
+
+aws --profile $PROFILE ec2 describe-vpn-connections --filters Name=tag:Name,Values="*vpc3*" --output text|grep -iE "VGW|TAG.*Name|customer.*cgw-"
diff --git a/examples/typical/apps/test-instances/test-ips.txt b/examples/typical/apps/test-instances/test-ips.txt
new file mode 100644
index 0000000..40ee729
--- /dev/null
+++ b/examples/typical/apps/test-instances/test-ips.txt
@@ -0,0 +1,15 @@
+10.188.33.132
+10.188.33.62
+10.188.33.82
+10.188.34.167
+10.188.34.98
+10.188.35.9
+10.188.38.251
+10.188.38.51
+10.188.39.44
+10.188.40.193
+10.188.41.200
+10.188.42.124
+10.188.49.116
+10.188.50.11
+10.188.52.82
diff --git a/examples/typical/apps/test-instances/test-ping.sh b/examples/typical/apps/test-instances/test-ping.sh
new file mode 100755
index 0000000..53b8273
--- /dev/null
+++ b/examples/typical/apps/test-instances/test-ping.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+DURATION=$1
+if [ -z $DURATION ]
+then
+ DURATION=15
+fi
+COUNT=$(( $DURATION * 60 ))
+if [ $COUNT == 0 ]
+then
+ COUNT=60
+fi
+
+STAMP=$(date "+%Y%m%d.%s")
+start=$(date +%s)
+
+echo "* running ping with count=$COUNT at $(date) start=$start"
+
+TIMEOUT=$(( $COUNT * 2 ))
+
+for f in $(cat test-ips.txt)
+do
+ echo " * host $f"
+ ping -c $COUNT -w $TIMEOUT $f > ping.$f.$STAMP.log 2>&1 &
+done
+
+end=$(date +%s)
+elapsed=$(( $end - $start ))
+
+echo "* done running ping with count=$COUNT at $(date) start=$start end=$end elapsed=$elapsed"
diff --git a/examples/typical/apps/test-instances/test-ssh.sh b/examples/typical/apps/test-instances/test-ssh.sh
new file mode 100755
index 0000000..d44daa5
--- /dev/null
+++ b/examples/typical/apps/test-instances/test-ssh.sh
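Review bot: `VPC` is read from `$2` and defaulted to `*vpc3*`, but the `describe-vpn-connections` call hard-codes `Values="*vpc3*"`, so the second argument is ignored; use `--filters Name=tag:Name,Values="$VPC"`. The `[ -z $PROFILE ]` and `[ -z $VPC ]` tests should quote their variables (`[ -z "$PROFILE" ]`), since an unquoted value containing the glob default can expand against files in the current directory.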
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+DURATION=$1
+if [ -z $DURATION ]
+then
+ DURATION=5
+fi
+
+STAMP=$(date "+%Y%m%d.%s")
+start=$(date +%s)
+
+TIMEOUT=$DURATION
+
+KEYPAIR=$(ls setup/*-keypair)
+echo "* running ssh timeout=$TIMEOUT with keypair=$KEYPAIR at $(date) start=$start"
+
+count=1
+for f in $(cat test-ips.txt)
+do
+ echo " * $count host $f"
+ SSH_AUTH_SOCK="" timeout $TIMEOUT ssh -o StrictHostKeyChecking=false -o IdentityFile=$KEYPAIR ec2-user@$f "hostname -f; date +%s"
+ count=$(( $count + 1 ))
+done
+
+end=$(date +%s)
+elapsed=$(( $end - $start ))
+
+echo "* done running ssh at $(date) count=$count start=$start end=$end elapsed=$elapsed"
diff --git a/examples/typical/credentials.peers.tf b/examples/typical/credentials.peers.tf
new file mode 100644
index 0000000..b190673
--- /dev/null
+++ b/examples/typical/credentials.peers.tf
@@ -0,0 +1,18 @@
+#---
+# peer to 107.. us-gov-west-1 services
+#---
+provider "aws" {
+ alias = "peer_main_west"
+ region = "us-gov-west-1"
+ profile = "107742151971-do2-govcloud"
+}
+
+#---
+# peer to 107.. us-gov-east-1 services
+#---
+provider "aws" {
+ alias = "peer_main_east"
+ region = "us-gov-east-1"
+ profile = "107742151971-do2-govcloud"
+}
+
diff --git a/examples/typical/data.tf b/examples/typical/data.tf
new file mode 100644
index 0000000..cb626c2
--- /dev/null
+++ b/examples/typical/data.tf
@@ -0,0 +1,9 @@
+data "aws_availability_zones" "zones" {
+ state = "available"
+}
+
+data "aws_availability_zone" "zone" {
+ for_each = toset(data.aws_availability_zones.zones.names)
+ state = "available"
+ name = each.key
+}
diff --git a/examples/typical/flowlogs.tf b/examples/typical/flowlogs.tf
new file mode 100644
index 0000000..8734339
--- /dev/null
+++ b/examples/typical/flowlogs.tf
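Review bot: `StrictHostKeyChecking=false` disables host-key verification on every run; for throwaway test instances `-o StrictHostKeyChecking=accept-new` keeps the first-seen key and still flags a changed key afterwards, and pairing it with `-o UserKnownHostsFile=setup/known_hosts` keeps the test keys out of the operator's main file. `KEYPAIR=$(ls setup/*-keypair)` becomes a multi-word value when more than one key is present and the unquoted `IdentityFile=$KEYPAIR` then breaks. The final `count=$count` in the summary is one higher than the number of hosts, because `count` starts at 1 and is incremented after each host.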
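Review bot: Both providers in credentials.peers.tf hard-code `profile = "107742151971-do2-govcloud"`, which ties the example to one account's CLI profile and publishes the account id in code; the same value is repeated in remote_state.yml later in this commit. A `variable "peer_profile"` (or reusing the value remote_state.yml already carries) would keep the example portable and the identifier in one place.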
@@ -0,0 +1,14 @@
+module "flowlogs" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//flowlogs"
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ account_alias = var.account_alias
+
+ flowlog_bucket_arn = data.terraform_remote_state.infrastructure_east.outputs.flowlogs_arn
+ flowlog_role_arn = data.terraform_remote_state.common.outputs.role_flowlogs_arn
+
+ vpc_name = var.vpc_name
+ vpc_short_name = var.vpc_short_name
+
+ tags = local.tags
+}
diff --git a/examples/typical/get-s3-stats.sh b/examples/typical/get-s3-stats.sh
new file mode 100644
index 0000000..9fe6e13
--- /dev/null
+++ b/examples/typical/get-s3-stats.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+bucket=$1
+profile=$2
+region=$3
+now=$(date +%s)
+echo "# bucket $bucket"
+aws --profile $profile cloudwatch get-metric-statistics --namespace AWS/S3 --start-time "$(echo "$now - 86400" | bc)" --end-time "$now" --period 86400 --statistics Average --region $region --metric-name BucketSizeBytes --dimensions Name=BucketName,Value="$bucket" Name=StorageType,Value=StandardStorage --output text
diff --git a/examples/typical/nacls.tf b/examples/typical/nacls.tf
new file mode 100644
index 0000000..cd3a168
--- /dev/null
+++ b/examples/typical/nacls.tf
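Review bot: get-s3-stats.sh takes `bucket`, `profile` and `region` positionally with no check that they are set, so a missing argument silently runs the query with an empty `--profile`/`--region`; add `[ $# -eq 3 ] || { echo "usage: $0 bucket profile region" >&2; exit 1; }` at the top. `$(echo "$now - 86400" | bc)` can be written `$(( now - 86400 ))` and drops the dependency on `bc`; `$profile` and `$region` should be quoted the way `$bucket` already is.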
@@ -0,0 +1,87 @@ +module "nacls" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacls" + vpc_id = module.vpc.vpc_id + public_subnets_ids = module.subnets.public_subnets_ids + private_subnets_ids = module.subnets.private_subnets_ids + vpc_full_name = var.vpc_full_name + vpc_name = var.vpc_name + vpc_short_name = var.vpc_short_name + tags = local.tags +} + +module "nacls_enterprise" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules" + network_acl_id = module.nacls.private_network_acl_id + + rule_description = "Enterprise plus VPC" + rule_definitions = {} + named_cidr_blocks = ["enterprise", "vpc", "other"] + merge_cidr_blocks = { + "vpc" = [var.vpc_cidr_block], + "other" = [] + } + rules = ["all_inbound", "all_outbound"] + rule_number = 1000 + rule_increment = 10 + + tags = local.tags +} + +#--- +# endpoints +#--- +module "nacls_endpoints" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules" + network_acl_id = module.nacls.private_network_acl_id + + rule_description = "VPC Gateway Endpoints" + rule_definitions = {} + named_cidr_blocks = ["other"] + merge_cidr_blocks = { + "other" = concat(module.routing.vpc_endpoint_s3_cidr_blocks, module.routing.vpc_endpoint_dynamodb_cidr_blocks) + } + rules = ["ephemeral_inbound", "https_outbound"] + rule_number = 4000 + rule_increment = 5 + + tags = local.tags +} + +#--- +# public +#--- +module "nacls_public_vpc" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules" + network_acl_id = module.nacls.public_network_acl_id + + rule_description = "Public subnet VPC Rules" + rule_definitions = {} + named_cidr_blocks = var.vpc_enable_igw && var.vpc_enable_nat ? ["vpc"] : [] + merge_cidr_blocks = { "vpc" = [var.vpc_cidr_block] } + rules = var.vpc_enable_igw && var.vpc_enable_nat ? 
["http_inbound", "https_inbound", "ephemeral_outbound"] : [] + rule_number = 3000 + rule_increment = 10 + + tags = local.tags +} + +## output "nacls_public_vpc_info" { +## description = "NACLs info for public VPC access" +## value = module.nacls_public_vpc.info +## # value = local.enable_igw && local.enable_nat ? module.nacls_public_vpc.info : {} +## } + +module "nacls_public_nat" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules" + network_acl_id = module.nacls.public_network_acl_id + + rule_description = "Public subnet NAT Rules" + rule_definitions = {} + named_cidr_blocks = var.vpc_enable_igw && var.vpc_enable_nat ? ["all"] : [] + merge_cidr_blocks = {} + rules = var.vpc_enable_igw && var.vpc_enable_nat ? ["http_outbound", "https_outbound", "ephemeral_inbound"] : [] + rule_number = module.nacls_public_vpc.info.next_rule_number + rule_increment = 10 + + tags = local.tags +} diff --git a/examples/typical/outputs.subnets.tf b/examples/typical/outputs.subnets.tf new file mode 100644 index 0000000..c1f4a43 --- /dev/null +++ b/examples/typical/outputs.subnets.tf @@ -0,0 +1,9 @@ +output "public_subnets_ids" { + description = "Resulting public subnets list of objects: subnet, label, availability_zone, id" + value = module.subnets.public_subnets_ids +} + +output "private_subnets_ids" { + description = "Resulting private subnets list of objects: subnet, label, availability_zone, id" + value = module.subnets.private_subnets_ids +} diff --git a/examples/typical/outputs.tf b/examples/typical/outputs.tf new file mode 100644 index 0000000..1e49471 --- /dev/null +++ b/examples/typical/outputs.tf 
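Review bot: `module.nacls_enterprise` installs `all_inbound`/`all_outbound` at rule 1000 on the private NACL for the named block `"enterprise"`, whose CIDRs are resolved inside the `nacl-rules` module and are not visible here; since this is the lowest-numbered (first-evaluated) rule set, a comment stating what `"enterprise"` expands to would let a reader confirm it is not wider than intended. The `"other" = []` entry in `merge_cidr_blocks` looks like a placeholder and deserves a note on what it is meant to hold.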
@@ -0,0 +1,43 @@
+output "vpc_id" {
+ description = "VPC ID"
+ value = module.vpc.vpc_id
+}
+
+output "vpc_arn" {
+ description = "VPC ARN"
+ value = module.vpc.vpc_arn
+}
+
+output "vpc_info" {
+ description = "VPC info"
+ value = {
+ "vpc_id" = module.vpc.vpc_id
+ "vpc_cidr_block" = var.vpc_cidr_block
+ "vpc_arn" = module.vpc.vpc_arn
+ "vpc_name" = var.vpc_name
+ "vpc_short_name" = var.vpc_short_name
+ "vpc_full_name" = var.vpc_full_name
+ "vpc_environment" = var.vpc_environment
+ "vpc_domain_name" = var.vpc_domain_name
+ "vpc_dns_servers" = var.vpc_dns_servers
+ "s3_endpoint_id" = module.routing.vpc_endpoint_s3_id
+ "dynamodb_endpoint_id" = module.routing.vpc_endpoint_dynamodb_id
+ "s3_endpoint_cidr_blocks" = module.routing.vpc_endpoint_s3_cidr_blocks
+ "dynamodb_endpoint_cidr_blocks" = module.routing.vpc_endpoint_dynamodb_cidr_blocks
+ }
+}
+
+output "vpn_tunnel_endpoints" {
+ description = "VPN Tunnel Endpoint IP Addresses"
+ value = module.vpn.vpn_tunnel_endpoints
+}
+
+output "vpn_labels" {
+ description = "VPN Label for Description field of Endpoint device (Cisco ASR)"
+ value = module.vpn.vpn_labels
+}
+
+output "security_groups" {
+ description = "Security Group map(object{name, id, arn})"
+ value = module.base-security-groups.security_groups
+}
diff --git a/examples/typical/peers.tf b/examples/typical/peers.tf
new file mode 100644
index 0000000..11c2453
--- /dev/null
+++ b/examples/typical/peers.tf
@@ -0,0 +1,76 @@ +#--- +# us-gov-west-1 +#--- +data "aws_vpc" "service_main_west" { + provider = aws.peer_main_west + filter { + name = "tag:Name" + # values = [local.peer_name] + values = [var.services_peer_settings["west"].peer_name] + } +} + +module "peer_services_main_west" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer" + providers = { + aws.self = aws + aws.peer = aws.peer_main_west + } + + ## self + vpc_id = local.vpc_id + vpc_name = var.vpc_name + vpc_cidr_block = var.vpc_cidr_block + vpc_index = var.vpc_index + vpc_short_name = var.vpc_short_name + vpc_full_name = var.vpc_full_name + vpc_environment = var.vpc_environment + rule_number = var.services_peer_settings["west"].rule_number + var.vpc_index - 1 + tags = {} + + ## peer + peer_vpc_id = data.aws_vpc.service_main_west.id + peer_vpc_name = "services" + peer_vpc_index = 1 + peer_vpc_short_name = "vpc1" + peer_vpc_full_name = var.services_peer_settings["west"].peer_name + peer_rule_number = var.services_peer_settings["west"].rule_number + var.vpc_index - 1 +} + +#--- +# us-gov-east-1 +#--- +data "aws_vpc" "service_main_east" { + provider = aws.peer_main_east + filter { + name = "tag:Name" + values = [var.services_peer_settings["east"].peer_name] + } +} + +module "peer_services_main_east" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer" + providers = { + aws.self = aws + aws.peer = aws.peer_main_east + } + + ## self + vpc_id = local.vpc_id + vpc_name = var.vpc_name + vpc_cidr_block = var.vpc_cidr_block + vpc_index = var.vpc_index + vpc_short_name = var.vpc_short_name + vpc_full_name = var.vpc_full_name + vpc_environment = var.vpc_environment + rule_number = var.services_peer_settings["east"].rule_number + var.vpc_index - 1 + tags = {} + + ## peer + peer_vpc_id = data.aws_vpc.service_main_east.id + peer_vpc_name = "services" + peer_vpc_index = 1 + peer_vpc_short_name = "vpc1" + peer_vpc_full_name = 
var.services_peer_settings["west"].peer_name + peer_rule_number = var.services_peer_settings["east"].rule_number + var.vpc_index - 1 +} diff --git a/examples/typical/region.tf b/examples/typical/region.tf new file mode 100644 index 0000000..b7b1696 --- /dev/null +++ b/examples/typical/region.tf @@ -0,0 +1,4 @@ +locals { + region = var.region +} + diff --git a/examples/typical/remote_state.yml b/examples/typical/remote_state.yml new file mode 100644 index 0000000..c79df05 --- /dev/null +++ b/examples/typical/remote_state.yml @@ -0,0 +1,9 @@ +directory: "vpc/east/vpc4" +profile: "107742151971-do2-govcloud" +bucket: "inf-tfstate-107742151971" +bucket_region: "us-gov-west-1" +region: "us-gov-east-1" +regions: ["us-gov-east-1"] +account_id: "107742151971" +account_alias: "do2-govcloud" +aws_environment: "gov" diff --git a/examples/typical/sg-web.tf b/examples/typical/sg-web.tf new file mode 100644 index 0000000..e78e17c --- /dev/null +++ b/examples/typical/sg-web.tf @@ -0,0 +1,9 @@ +module "sg_web" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web" + vpc_id = module.vpc.vpc_id +} + +output "sg_web_id" { + description = "Common Web security group" + value = module.sg_web.this_security_group_id +} diff --git a/examples/typical/tf-run.data b/examples/typical/tf-run.data new file mode 100644 index 0000000..d44e13d --- /dev/null +++ b/examples/typical/tf-run.data 
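Review bot: In module `peer_services_main_east`, `peer_vpc_full_name` reads `var.services_peer_settings["west"].peer_name` while every other peer-side attribute of that block reads the `"east"` entry; this looks like a leftover from copying the west block, and it only works today because the example tfvars give both entries the same `peer_name`. Change it to `peer_vpc_full_name = var.services_peer_settings["east"].peer_name`. The hard-coded `peer_vpc_name = "services"`, `peer_vpc_index = 1` and `peer_vpc_short_name = "vpc1"` are duplicated verbatim in both blocks; if they are fixed properties of the enterprise services VPC, a one-line comment saying so would stop a reader from looking for them in `services_peer_settings`.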
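Review bot: This example file carries a concrete AWS account id, CLI profile name and state bucket name (`account_id`, `profile`, `bucket`), and the same identifiers recur in the `.off` provider file of this commit. Example directories get copied wholesale, so placeholder values such as `account_id: "<ACCOUNT_ID>"` and `bucket: "<TFSTATE_BUCKET>"` would keep real account and state-bucket names out of the published tree; if the values are intentionally real because the example is internal-only, a comment at the top of the file saying so would make that explicit.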
@@ -0,0 +1,17 @@ +COMMAND tf-directory-setup.py -l none -f +COMMAND tf-init -upgrade +module.vpc module.subnets +COMMAND tf-directory-setup.py -l s3 +module.routing +module.vpn +COMMENT link remote states +COMMAND ln -sf ../../../common/remote_state.common.tf +COMMENT ln -sf ../../../infrastructure/{short-region}/remote_state.infrastructure_{short-region}.tf +STOP make sure the appropriate infrastructure_{region}.tf is linked +module.flowlogs +module.base-security-groups +module.sg_web +module.nacls module.nacls_enterprise module.nacls_endpoints module.nacls_public_vpc module.nacls_public_nat +STOP make sure peer configurations are setup properly +module.peer_services_main_west module.peer_services_main_east +ALL diff --git a/examples/typical/variables.subnets.auto.tfvars.example b/examples/typical/variables.subnets.auto.tfvars.example new file mode 100644 index 0000000..baee339 --- /dev/null +++ b/examples/typical/variables.subnets.auto.tfvars.example @@ -0,0 +1,17 @@ +public_subnets = [ + { base_cidr = "10.197.96.0/24", label = "public", bits = 2, private = false, tags = {} }, +] +private_subnets = [ + { base_cidr = "10.197.97.0/24", label = "endpoints", bits = 2, private = true, tags = {} }, + { base_cidr = "10.197.98.0/23", label = "db", bits = 2, private = true, tags = {} }, + { base_cidr = "10.197.100.0/22", label = "web", bits = 2, private = true, tags = {} }, + { base_cidr = "10.197.104.0/22", label = "apps", bits = 2, private = true, tags = {} }, + { base_cidr = "10.197.108.0/23", label = "private-lb", bits = 2, private = true, + tags = { } + }, + # { base_cidr = "10.197.110.0/23", label = "(free)", bits = 2, private = true, tags = {} }, + { base_cidr = "10.197.112.0/21", label = "container", bits = 2, private = true, + tags = { } + }, + # { base_cidr = "10.197.120.0/21", label = "(free)", bits = 2, private = true, tags = {} }, +] 
diff --git a/examples/typical/variables.subnets.tf b/examples/typical/variables.subnets.tf
new file mode 100644
index 0000000..bca5c2f
--- /dev/null
+++ b/examples/typical/variables.subnets.tf
@@ -0,0 +1,30 @@
+# from aws-vpc-setup/subnets
+variable "public_subnets" {
+ description = "List of objects with public subnet information to be created"
+ type = list(object({
+ base_cidr = string
+ label = string
+ bits = number
+ private = bool
+ tags = map(string)
+ # subnets = list(string)
+ # labels = list(string)
+ # availability_zones = list(string)
+ }))
+ default = []
+}
+
+variable "private_subnets" {
+ description = "List of objects with private subnet information to be created"
+ type = list(object({
+ base_cidr = string
+ label = string
+ bits = number
+ private = bool
+ tags = map(string)
+ # subnets = list(string)
+ # labels = list(string)
+ # availability_zones = list(string)
+ }))
+ default = []
+}
diff --git a/examples/typical/variables.vpc.auto.tfvars.example b/examples/typical/variables.vpc.auto.tfvars.example
new file mode 100644
index 0000000..57a534b
--- /dev/null
+++ b/examples/typical/variables.vpc.auto.tfvars.example
@@ -0,0 +1,47 @@
+vpc_name = "test"
+vpc_cidr_block = "10.197.96.0/19"
+vpc_index = "4"
+vpc_short_name = "vpc4"
+vpc_full_name = "vpc4-test"
+vpc_environment = "test"
+vpc_domain_name = "test.csp1.census.gov"
+vpc_dns_servers = ["148.129.127.22", "148.129.191.22"]
+vpc_ntp_servers = ["148.129.127.23", "148.129.191.23"]
+vpc_enable_igw = false
+vpc_enable_nat = false
+vpc_enable_vpn = true
+vpc_enable_awsdns = true
+
+vpn_settings = [
+ { site = "hq", "bgp_asn_id" = 65510, "ip_address" = "148.129.160.15" },
+ { site = "bcc", "bgp_asn_id" = 65511, "ip_address" = "148.129.90.15" },
+]
+
+# this allows for up to 10 vpcs to peer with west/east services
+services_peer_settings = {
+ "west" = { peer_name = "vpc1-services", region = "us-gov-west-1", rule_number = 2210 }
+ "east" = { peer_name = "vpc1-services", region = "us-gov-east-1", rule_number = 2260 }
+}
+
+peer_settings = { }
+## peer_settings = {
+## # do2-govcloud west vpc3-dev -> east vpc3-dev
+## # peer
+## "do2-govcloud_west_vpc3-dev" = {
+## peer_name = "vpc3-edite-dev"
+## region = "us-gov-west-1"
+## vpc_name = "edite-dev"
+## vpc_short_name = "vpc3"
+## vpc_index = 3
+## rule_number = 600
+## }
+## # self, not reallly needed
+## # "do2-govcloud_east_vpc3-dev" = {
+## # peer_name = "vpc3-dev"
+## # region = "us-gov-east-1"
+## # vpc_name = "dev"
+## # vpc_short_name = "vpc3"
+## # vpc_index = 3
+## # rule_number = 600
+## # }
+## }
diff --git a/examples/typical/variables.vpc.tf b/examples/typical/variables.vpc.tf
new file mode 100644
index 0000000..2750e8b
--- /dev/null
+++ b/examples/typical/variables.vpc.tf
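Review bot: `vpc_index = "4"` is a quoted string, but `variables.vpc.tf` in this same commit declares `vpc_index` with `type = number`; Terraform converts it implicitly, so it works, yet the commented `peer_settings` block further down writes `vpc_index = 3` unquoted and the two styles invite a reader to think the types differ. Write `vpc_index = 4`. In `vpn_settings` the keys `"bgp_asn_id"` and `"ip_address"` are quoted while `site` is not; one form throughout would read cleaner.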
@@ -0,0 +1,88 @@
+variable "vpc_name" {
+ description = "VPC Name including environment (if necessary), excluding vpc{N}"
+ type = string
+}
+
+variable "vpc_index" {
+ description = "VPC index number. This used for NACL rule number caculations."
+ type = number
+}
+
+variable "vpc_cidr_block" {
+ description = "VPC CIDR Block"
+ type = string
+}
+
+variable "vpc_short_name" {
+ description = "VPC short name component, vpc{index}"
+ type = string
+}
+
+variable "vpc_environment" {
+ description = "VPC environment purpose (common, shared, dev, stage, ite, prod)"
+ type = string
+ default = ""
+}
+
+variable "vpc_enable_igw" {
+ description = "Enable AWS Internet Gateway (IGW) on the VPC (true | false[x])"
+ type = bool
+ default = false
+}
+
+variable "vpc_enable_nat" {
+ description = "Enable AWS NAT Gateway on the VPC (true | false[x])"
+ type = bool
+ default = false
+}
+
+variable "vpc_enable_vpn" {
+ description = "Enable AWS VPN Configuration on the VPC (true[x] | false)"
+ type = bool
+ default = true
+}
+
+variable "vpc_enable_awsdns" {
+ description = "Enable AWS DNS on the VPC"
+ type = bool
+ default = false
+}
+
+variable "vpn_settings" {
+ description = "VPN Connection details array of site, bgp_asn_id and ip_address"
+ type = list(object(
+ {
+ site = string
+ bgp_asn_id = number
+ ip_address = string
+ }
+ ))
+ default = []
+}
+
+variable "services_peer_settings" {
+ description = "VPC Peering NACL settings to main enterprise govcloud"
+ type = map(object(
+ {
+ peer_name = string
+ region = string
+ rule_number = number
+ }
+ ))
+ default = {}
+}
+
+variable "peer_settings" {
+ description = "VPC Peering NACL settings to additional VPCs"
+ type = map(object(
+ {
+ peer_name = string
+ region = string
+ vpc_index = number
+ vpc_name = string
+ vpc_short_name = string
+ rule_number = number
+ }
+ ))
+ default = {}
+}
diff --git a/examples/typical/vpc-endpoints.tf b/examples/typical/vpc-endpoints.tf
new file mode 100644
index 0000000..f0a36b6
--- /dev/null
+++ b/examples/typical/vpc-endpoints.tf
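Review bot: The `vpc_index` description has two typos; make it `description = "VPC index number. This is used for NACL rule number calculations."`. Several variables the rest of this commit reads are not declared in this file — `var.vpc_full_name`, `var.vpc_domain_name`, `var.vpc_dns_servers` and `var.vpc_ntp_servers` in `vpc.tf`, `var.region` in `region.tf` — so presumably they live in a file outside this diff; if not, `terraform validate` will fail on the example. `vpc_enable_vpn` is declared and set in the example tfvars, but nothing in the part of the diff visible here reads it and `module "vpn"` in `vpc.tf` is unconditional, so either wire it up or say in its description that it is currently unused. Since `vpc_environment` lists its accepted values in the description, a `validation` block with `condition = contains(["", "common", "shared", "dev", "stage", "ite", "prod"], var.vpc_environment)` would enforce them once the example is on Terraform 0.13 or later.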
@@ -0,0 +1,243 @@
+# dynamodb and s3 gateway endpoints defined in vpc module
+
+# select here where label starts with app-
+# private_subnets_ids = data.terraform_remote_state.vpc_east_vpc3.outputs.private_subnets_ids
+# or use data
+
+# some help from here: https://dev.to/danquack/private-fargate-deployment-with-vpc-endpoints-1h0p
+
+locals {
+ security_group_ids = [module.sg_web.this_security_group_id]
+
+ # currently this list doesn't do anything, but it's mostly to track what is in place here. A future
+ # revision of the vpc endpoints module will allow this as a for_each (tf 0.13+)
+ # keep in alphabetical order in the list and the file
+
+ vpc_endpoints = [
+ "autoscaling",
+ "ec2",
+ "ecr.api",
+ "ecr.dkr",
+ "ecs",
+ "elasticfilesystem",
+ "elasticloadbalancing",
+ "kms",
+ "logs",
+ "secretsmanager",
+ "ssm",
+ "sts",
+ ]
+}
+
+data "aws_subnet_ids" "endpoint_subnets" {
+ vpc_id = local.vpc_id
+ filter {
+ name = "tag:Name"
+ values = ["*-endpoints-*"]
+ }
+}
+
+
+module "vpce_autoscaling" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "autoscaling"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_ec2" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "ec2"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_ecr_api" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "ecr.api"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_ecr_dkr" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "ecr.dkr"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_ecs" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "ecs"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_elasticfilesystem" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "elasticfilesystem"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_elasticloadbalancing" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "elasticloadbalancing"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_kms" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "kms"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_logs" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "logs"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_secretsmanager" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "secretsmanager"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_ssm" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "ssm"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
+
+module "vpce_sts" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "sts"
+ subnet_ids = tolist(data.aws_subnet_ids.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
diff --git a/examples/typical/vpc.tf b/examples/typical/vpc.tf
new file mode 100644
index 0000000..7e44141
--- /dev/null
+++ b/examples/typical/vpc.tf
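Review bot: `local.security_group_ids` attaches the shared `sg_web` security group to all twelve interface endpoints, so whatever the `web` module permits beyond inbound TCP/443 from the VPC is granted to the endpoint ENIs as well, and that module's rules are not part of this diff. A dedicated endpoint security group allowing only 443 from `var.vpc_cidr_block` would keep the endpoints at least privilege; if reusing `sg_web` is deliberate, a comment on the local saying why would save the next reader the same question. `data "aws_subnet_ids"` is deprecated in AWS provider 4.x in favour of `aws_subnets`, which is worth checking against the provider version the example pins. `local.common_tags` is referenced by every `merge(...)` but defined in none of the files in this diff, so it presumably comes from the linked `remote_state.common.tf`; a short comment next to `local.security_group_ids` naming where it comes from would help.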
@@ -0,0 +1,87 @@
+# routing needs stuff from subnets
+
+# tf-apply -target=module.vpc -target=module.subnets
+# tf-apply -target=module.routing
+# tf-apply
+# (download configs)
+# hide hq and bcc configs
+# commit/push/pr
+# for f in $(ls *.vpn-*.txt); do sed -e 's/\(pre-shared.*key \).*$/\1{redacted}/' $f > $f.redacted; echo $f; done
+
+locals {
+ vpc_id = module.vpc.vpc_id
+
+ tags = {
+ CostAllocation = "csvd:infrastructure"
+ # Environment = "development"
+ Environment = var.vpc_environment
+ }
+}
+
+module "vpc" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc"
+
+ vpc_name = var.vpc_name
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_index = var.vpc_index
+ vpc_short_name = var.vpc_short_name
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ vpc_domain_name = var.vpc_domain_name
+ vpc_dns_servers = var.vpc_dns_servers
+ vpc_ntp_servers = var.vpc_ntp_servers
+ enable_aws_dns = var.vpc_enable_awsdns
+
+ tags = local.tags
+}
+
+module "subnets" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//subnets"
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ availability_zones = []
+ public_subnets = var.public_subnets
+ private_subnets = var.private_subnets
+ tags = local.tags
+}
+
+module "routing" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ availability_zones = []
+ private_subnets_ids = module.subnets.private_subnets_ids
+ public_subnets_ids = module.subnets.public_subnets_ids
+ enable_igw = var.vpc_enable_igw
+ enable_nat = var.vpc_enable_nat
+
+ vpc_name = var.vpc_name
+ vpc_short_name = var.vpc_short_name
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_index = var.vpc_index
+ vpc_environment = var.vpc_environment
+
+ tags = local.tags
+}
+
+module "vpn" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ vpn_settings = var.vpn_settings
+ route_table_ids = values(module.routing.private_route_table_ids)
+ tags = local.tags
+}
+
+module "base-security-groups" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//security-groups"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ tags = local.tags
+}
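Review bot: The header comments walk through downloading the VPN configurations, hiding the hq/bcc configs and running a `sed` that replaces the pre-shared key before committing, but never say why the step exists; a reader who skips it commits live tunnel PSKs. Add above the `for f in ...` line: `# downloaded VPN configs contain the tunnel pre-shared keys; commit only the *.redacted copies`. It is also worth a comment on `module "vpn"` that, if the module generates the PSKs, they end up in Terraform state, so the state bucket named in `remote_state.yml` must be handled as secret material — hedged, because the vpn module source is not in this diff. Separately, `Environment = var.vpc_environment` in `locals.tags` yields an empty tag value whenever the variable keeps its default of `""`.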