From 9b6ab94804f0f32712fffc9bd8d4c093be0efcc2 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 3 May 2021 08:31:59 -0400 Subject: [PATCH] add vpc
--- vpc/data.tf | 1 + vpc/defaults.tf | 1 + vpc/locals.tf | 31 ++++++++ vpc/main.tf | 74 +++++++++++++++++++ vpc/original-README.md | 110 +++++++++++++++++++++++++++++ vpc/outputs.tf | 30 ++++++++ vpc/parameters.tf | 19 +++++ vpc/prefixes.tf | 1 + vpc/templates/setting_dns.json.tpl | 4 ++ vpc/variables.common.tf | 1 + vpc/variables.common.vpc.tf | 1 + vpc/variables.tf | 97 +++++++++++++++++++++++++ vpc/variables.vpc.auto.tfvars.x | 20 ++++++ vpc/variables.vpc.tf | 73 +++++++++++++++++++ vpc/version.tf | 1 + vpc/vpc.tf.x | 83 ++++++++++++++++++++++ 16 files changed, 547 insertions(+) create mode 120000 vpc/data.tf create mode 120000 vpc/defaults.tf create mode 100644 vpc/locals.tf create mode 100644 vpc/main.tf create mode 100644 vpc/original-README.md create mode 100644 vpc/outputs.tf create mode 100644 vpc/parameters.tf create mode 120000 vpc/prefixes.tf create mode 100644 vpc/templates/setting_dns.json.tpl create mode 120000 vpc/variables.common.tf create mode 120000 vpc/variables.common.vpc.tf create mode 100644 vpc/variables.tf create mode 100644 vpc/variables.vpc.auto.tfvars.x create mode 100644 vpc/variables.vpc.tf create mode 120000 vpc/version.tf create mode 100644 vpc/vpc.tf.x
diff --git a/vpc/data.tf b/vpc/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/vpc/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/vpc/defaults.tf b/vpc/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/vpc/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/vpc/locals.tf b/vpc/locals.tf
new file mode 100644
index 0000000..bc406a1
--- /dev/null
+++ b/vpc/locals.tf
@@ -0,0 +1,31 @@
+locals {
+ az_list = data.aws_availability_zones.zones.names
+ az_count = length(local.az_list)
+ az_count_list = range(local.az_count)
+ region = data.aws_region.current.name
+}
+
+data "aws_availability_zones" "zones" {
+ state = "available"
+}
+
+data "aws_availability_zone" "zone" {
+ count = length(data.aws_availability_zones.zones.names)
+ state = "available"
+ name = data.aws_availability_zones.zones.names[count.index]
+}
+
+output "availability_zone_names" {
+ description = "VPC Availability zone name list (3)"
+ value = data.aws_availability_zones.zones.names
+}
+
+output "availability_zone_ids" {
+ description = "VPC Availability zone id list (3)"
+ value = data.aws_availability_zones.zones.zone_ids
+}
+
+output "availability_zone_suffixes" {
+ description = "VPC Availability zone suffix list (3)"
+ value = data.aws_availability_zone.zone[*].name_suffix
+}
diff --git a/vpc/main.tf b/vpc/main.tf
new file mode 100644
index 0000000..42cf82d
--- /dev/null
+++ b/vpc/main.tf
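Review bot: `data "aws_availability_zones" "zones"` filters only on `state = "available"`, so in a region where Local Zones or Wavelength Zones have been opted in they are returned as well, and `local.az_count` plus the per-zone `aws_availability_zone.zone` lookups then include zones the module did not intend to place subnets in; a `filter` on `opt-in-status` restricts the list to the region's standard zones. The three output descriptions hard-code "(3)" although the list length is whatever the region returns, so `description = "VPC Availability zone name list"` (and likewise for ids and suffixes) is the honest wording. `data "aws_availability_zone" "zone"` could also take `count = local.az_count` instead of repeating the `length(...)` expression.
```hcl
data "aws_availability_zones" "zones" {
  state = "available"

  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required"]
  }
}
```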
@@ -0,0 +1,74 @@
+/*
+* # About aws-vpc-setup :: vpc
+*
+* This submodule creates a VPC with DHCP setting. Used in conjunction with other submodules (routing, subnets, etc.)
+* it allows for a complete setup. See the [main module](../README.md) documentation for more details.
+*
+* # Usage
+*
+* ```hcl
+* module "vpc" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc"
+* vpc_name = var.vpc_name
+* vpc_cidr_block = var.vpc_cidr_block
+* vpc_index = var.vpc_index
+* vpc_short_name = var.vpc_short_name
+* vpc_full_name = var.vpc_full_name
+* vpc_environment = var.vpc_environment
+* vpc_domain_name = var.vpc_domain_name
+* vpc_dns_servers = var.vpc_dns_servers
+* vpc_ntp_servers = var.vpc_ntp_servers
+*
+* # optional
+* enable_dns_support = true
+* enable_dns_hostnames = true
+*
+* tags = {}
+* }
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+#---
+# dhcp options
+#---
+resource "aws_vpc_dhcp_options" "vpc" {
+ domain_name = var.vpc_domain_name != "" ? var.vpc_domain_name : "unknown.census.gov"
+ domain_name_servers = var.vpc_dns_servers
+ ntp_servers = var.vpc_ntp_servers
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ map("Name", format("%v-dhcp-options", var.vpc_full_name)),
+ )
+}
+
+resource "aws_vpc_dhcp_options_association" "vpc" {
+ vpc_id = aws_vpc.vpc.id
+ dhcp_options_id = aws_vpc_dhcp_options.vpc.id
+}
+
+#---
+# vpc
+#---
+resource "aws_vpc" "vpc" {
+ cidr_block = var.vpc_cidr_block
+ enable_dns_support = true
+ enable_dns_hostnames = true
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ map("Name", var.vpc_full_name),
+ )
+}
+
diff --git a/vpc/original-README.md b/vpc/original-README.md
new file mode 100644
index 0000000..3e000fa
--- /dev/null
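Review bot: `aws_vpc.vpc` hard-codes `enable_dns_support = true` and `enable_dns_hostnames = true` even though variables.tf in this same commit declares `enable_dns_support` and `enable_dns_hostnames` with defaults and the header comment advertises them as optional inputs, so a caller passing `false` silently gets `true`; change the two lines to `enable_dns_support = var.enable_dns_support` and `enable_dns_hostnames = var.enable_dns_hostnames`. The fallback `"unknown.census.gov"` in `aws_vpc_dhcp_options.vpc` repeats the default that variables.vpc.tf already gives `vpc_domain_name`, so the literal lives in two places that can drift. `map(...)` inside the `tags` expressions has been deprecated since Terraform 0.12 and was removed in 0.15, so the `{ "Name" = ... }` object form is the safe spelling (which constraint applies depends on the symlinked version.tf, which is not shown). The usage example in the header comment opens a "```hcl" fence and never closes it, which garbles terraform-docs style rendering.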
+++ b/vpc/original-README.md 
@@ -0,0 +1,110 @@
+
+1. copy from prior vpc
+
+cd e1-vpc1-services
+rsync -avRWH . ../e1-vpc2-production/ --exclude=.terraform --exclude=logs
+
+1. update remote_state.yml to change the directory line to reflect the current vpc
+
+directory: "vpc/e1-vpc2"
+
+1. run the script
+
+./init/setup-generate-rs-backend.py
+
+{'account_alias': 'do2-govcloud',
+ 'account_id': '107742151971',
+ 'aws_environment': 'govcloud',
+ 'bucket': 'inf-tfstate-107742151971',
+ 'bucket_region': 'us-gov-west-1',
+ 'directory': 'vpc/e1-vpc2',
+ 'profile': '107742151971-do2-govcloud',
+ 'region': 'us-gov-east-1',
+ 'regions': ['us-gov-east-1']}
+
+* creating file remote_state.backend.tf.new
+* creating file remote_state.vpc_e1-vpc2.tf.s3
+* touching file remote_state.vpc_e1-vpc2.tf.none
+* sample ln commands to run
+
+# ln -sf remote_state.vpc_e1-vpc2.tf.none remote_state.vpc_e1-vpc2.tf
+# ln -sf remote_state.vpc_e1-vpc2.tf.s3 remote_state.vpc_e1-vpc2.tf
+
+1. rename the remote_state.backend.tf.new to remote_state.backend.tf (this will be unnecessary shortly)
+
+mv remote_state.backend.tf.new remote_state.backend.tf
+
+1. run first ln, since there is no state in s3 yet
+
+ln -sf remote_state.vpc_e1-vpc2.tf.none remote_state.vpc_e1-vpc2.tf
+
+1. remove files from a previous vpc
+
+rm remote_state.vpc_e1-vpc1*
+
+1. update these files for the proper configurations for the vpc
+
+* variables.vpc.auto.tfvars
+
+This has the main cidr block and other settings
+
+vpc_index = 2
+vpc_short_name = "vpc2"
+vpc_environment = "production"
+vpc_full_name = "vpc2-production"
+vpc_cidr_block = "10.197.32.0/19"
+vpc_vpn_dynamic_routing = true
+vpc_enable_igw = false
+vpc_enable_nat = false
+vpc_enable_vpn = true
+
+vpn_connections = {
+ hq : {
+ "asn_id" : 65510,
+ "ip" : "148.129.160.13"
+ }
+ bcc : {
+ "asn_id" : 65511,
+ "ip" : "148.129.90.13"
+ }
+}
+
+* variables.subnet.auto.tfvars
+
+This lists the subnets
+
+subnet_maps = [
+ {
+ label = "web"
+ bits = 2
+ private = true
+ },
+ .
+ .
+]
+
+* subnet.local.tf
+
+This sets up the breakdown of subnet cidrs for the subnets listed in variables.subnet.auto.tfvars
+
+locals {
+ subnet_cidrs = cidrsubnets(var.vpc_cidr_block, 3, 3, 3, 4, 5)
+}
+
+* variables.peers.auto.tfvars.disabled
+
+This is for when peering is enabled.
+
+# After Apply
+
+1. run second ln, since there is now a state in s3
+
+ln -sf remote_state.vpc_e1-vpc2.tf.s3 remote_state.vpc_e1-vpc2.tf
+
+
+1. download config for vpn from vpn connection
+
+save respectively as:
+
+hq_(filename)
+bcc_(filename)
diff --git a/vpc/outputs.tf b/vpc/outputs.tf
new file mode 100644
index 0000000..0f9f5a2
--- /dev/null
+++ b/vpc/outputs.tf
@@ -0,0 +1,30 @@
+output "vpc_id" {
+ description = "VPC ID"
+ value = aws_vpc.vpc.id
+}
+
+output "vpc_arn" {
+ description = "VPC ARN"
+ value = aws_vpc.vpc.arn
+}
+
+output "vpc_domain_name" {
+ description = "VPC domain name"
+ value = var.vpc_domain_name
+}
+
+output "vpc_dns_servers" {
+ description = "VPC DNS Servers"
+ value = var.vpc_dns_servers
+}
+
+output "vpc_info" {
+ description = "VPC info"
+ value = {
+ "vpc_id" = aws_vpc.vpc.id
+ "vpc_arn" = aws_vpc.vpc.arn
+ "vpc_full_name" = var.vpc_full_name
+ # "s3_endpoint_id" = aws_vpc_endpoint.s3.id
+ # "dynamodb_endpoint_id" = aws_vpc_endpoint.dynamodb.id
+ }
+}
diff --git a/vpc/parameters.tf b/vpc/parameters.tf
new file mode 100644
index 0000000..1b617c9
--- /dev/null
+++ b/vpc/parameters.tf
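Review bot: `output "vpc_info"` ships two commented-out keys pointing at `aws_vpc_endpoint.s3` and `aws_vpc_endpoint.dynamodb`, resources that no file in this submodule defines, so the next person to uncomment them gets a reference error rather than an endpoint id. Either delete the two lines or replace them with a comment naming the submodule that owns the endpoints, e.g. `# endpoint ids are exposed by the endpoints submodule, not here`. A one-line description stating that `vpc_info` is the bundle meant to be handed to the sibling submodules would also explain why it repeats `vpc_id` and `vpc_arn` that already have their own outputs.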
@@ -0,0 +1,19 @@
+# data "template_file" "dns_parameters" {
+# template = file("${path.root}/templates/setting_dns.json.tpl")
+# vars = {
+# vpc_domain_name = var.vpc_environment == "shared" || var.vpc_environment == "prod" ? var.vpc_domain_name : "${var.vpc_environment}.${var.vpc_domain_name}"
+# vpc_dns_servers = join(",", var.vpc_dns_servers)
+# }
+# }
+#
+# resource "aws_ssm_parameter" "dns_parameters" {
+# name = "/${var.vpc_environment}/settings/dns"
+# description = "DNS settings for environment ${var.vpc_environment}"
+# type = "String"
+# value = data.template_file.dns_parameters.rendered
+#
+# tags = merge(
+# local.common_tags,
+# map("Name", "${var.vpc_name}-${var.vpc_environment}-dns-settings")
+# )
+# }
diff --git a/vpc/prefixes.tf b/vpc/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/vpc/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc/templates/setting_dns.json.tpl b/vpc/templates/setting_dns.json.tpl
new file mode 100644
index 0000000..8d7196e
--- /dev/null
+++ b/vpc/templates/setting_dns.json.tpl
@@ -0,0 +1,4 @@
+{
+ "domain": "${vpc_domain_name}",
+ "nameservers": "${vpc_dns_servers}"
+}
diff --git a/vpc/variables.common.tf b/vpc/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/vpc/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc/variables.common.vpc.tf b/vpc/variables.common.vpc.tf
new file mode 120000
index 0000000..5e77d37
--- /dev/null
+++ b/vpc/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/vpc/variables.tf b/vpc/variables.tf
new file mode 100644
index 0000000..fb7b94c
--- /dev/null
+++ b/vpc/variables.tf
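Review bot: parameters.tf is entirely commented out, and the dead block references `local.common_tags` (main.tf in this commit defines `local.base_tags` instead) and `var.vpc_name`, which no uncommented file shown here declares, so uncommenting it as-is would not plan. `data "template_file"` is also superseded by the built-in `templatefile()` function, and `path.root` resolves against the calling root rather than this submodule, so if the SSM parameter is meant to return the rendering should be `value = templatefile("${path.module}/templates/setting_dns.json.tpl", { ... })` with `local.base_tags`. If it is not coming back, the file and templates/setting_dns.json.tpl, which exists only for it, are better dropped than carried as a second stale copy of the tagging convention.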
@@ -0,0 +1,97 @@
+variable "vpc_cidr_block" {
+ description = "VPC CIDR Block"
+ type = string
+}
+
+variable "enable_dns_support" {
+ description = "Enable DNS support within the VPC"
+ type = bool
+ default = true
+}
+
+variable "enable_dns_hostnames" {
+ description = "Enable DNS hostnames within the VPC"
+ type = bool
+ default = true
+}
+
+###
+##
+## variable "vpc_domain_name" {
+## description = "Domain Name"
+## default = "csp1.census.gov"
+## }
+##
+## variable "dhcp_vpc_domain_name" {
+## description = "Domain Name for DHCP Options"
+## default = "compute.csp1.census.gov"
+## }
+##
+## variable "vpc_dns_servers" {
+## description = "Enterprise DNS Servers"
+## # default = ["10.193.0.22", "10.193.2.22" ]
+## default = ["148.129.127.22", "148.129.191.22"]
+## # add 10.193.0.22, 10.193.2.22
+## }
+##
+## variable "vpc_ntp_servers" {
+## description = "Enterprise NTP Servers"
+## default = ["148.129.127.23", "148.129.191.23"]
+## }
+##
+## variable "network_census" {
+## description = "Census Subnets"
+## type = list
+## default = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+## }
+##
+## variable "network_peers" {
+## description = "Census AWS Peer Subnets"
+## type = list
+## default = ["10.193.0.0/19"]
+## # default = [ ]
+## }
+##
+## variable "vpn_connections" {
+## description = "VPN Connection Details"
+## type = map
+## }
+##
+## variable "vpc_vpn_dynamic_routing" {
+## description = "Dyanmic routing with BGP (true | false)"
+## type = bool
+## }
+##
+## variable "vpc_enable_igw" {
+## description = "Enable AWS Internet Gateway (IGW) on the VPC (true | false[x])"
+## type = bool
+## default = false
+## }
+##
+## variable "vpc_enable_nat" {
+## description = "Enable AWS NAT Gateway on the VPC (true | false[x])"
+## type = bool
+## default = false
+## }
+##
+## variable "vpc_enable_vpn" {
+## description = "Enable AWS VPN Configuration on the VPC (true[x] | false)"
+## type = bool
+## default = true
+## }
+##
+## # bits is the extra size of the bits from the subnet, which is split from the size of the vpc cidr
+## # vpc_cidr = /19
+## # cidr_subnets defines values (19 + N)
+## # this bits gets you (19 + N + bits)
+## # example: /19 vpc cidr, 3 for cidr means a /22 (19+3) and then 2 for bits means /24
+## variable "subnet_maps" {
+## description = "Subnet objects"
+## type = list(object(
+## {
+## label = string
+## bits = number
+## private = bool
+## }))
+## }
+##
diff --git a/vpc/variables.vpc.auto.tfvars.x b/vpc/variables.vpc.auto.tfvars.x
new file mode 100644
index 0000000..fff96c9
--- /dev/null
+++ b/vpc/variables.vpc.auto.tfvars.x
@@ -0,0 +1,20 @@
+vpc_index = 2
+vpc_short_name = "vpc2"
+vpc_environment = "production"
+vpc_full_name = "vpc2-production"
+vpc_cidr_block = "10.197.32.0/19"
+vpc_vpn_dynamic_routing = true
+vpc_enable_igw = false
+vpc_enable_nat = false
+vpc_enable_vpn = true
+
+vpn_connections = {
+ hq : {
+ "asn_id" : 65510,
+ "ip" : "148.129.160.13"
+ }
+ bcc : {
+ "asn_id" : 65511,
+ "ip" : "148.129.90.13"
+ }
+}
diff --git a/vpc/variables.vpc.tf b/vpc/variables.vpc.tf
new file mode 100644
index 0000000..67cc510
--- /dev/null
+++ b/vpc/variables.vpc.tf
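Review bot: `variable "vpc_cidr_block"` accepts any string, so a mistyped block (wrong mask, stray character) is only rejected when `aws_vpc.vpc` is applied, after the plan has already been approved. A `validation` block that requires a parseable IPv4 CIDR (Terraform 0.13+; the symlinked version.tf is not shown, so confirm the constraint allows it) turns that into a plan-time error with a readable message. The roughly eighty `##`-commented declarations below the three live variables are a stale copy of what variables.vpc.tf and variables.vpc.auto.tfvars.x carry and are better removed than kept as a second source of truth for the same names.
```hcl
variable "vpc_cidr_block" {
  description = "VPC CIDR Block"
  type        = string

  validation {
    condition     = can(cidrnetmask(var.vpc_cidr_block))
    error_message = "The vpc_cidr_block value must be a valid IPv4 CIDR block, for example 10.0.0.0/16."
  }
}
```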
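Review bot: variables.vpc.auto.tfvars.x assigns `vpc_index`, `vpc_vpn_dynamic_routing`, `vpc_enable_igw`, `vpc_enable_nat`, `vpc_enable_vpn` and `vpn_connections`, and none of those variables is declared outside the `##`-commented blocks of variables.tf, so renaming the file back to `.auto.tfvars` would have Terraform report them as undeclared and ignore the values rather than apply them. The file also pins one environment's concrete peer endpoints, ASNs and CIDR inside a reusable module directory; the README in this commit already says such values belong in the per-VPC root configuration, so an `example.tfvars` with obviously placeholder values (e.g. `"ip" : "<VPN_PEER_IP>"`) is the usual shape for what ships with the module. If the `.x` suffix is meant to mark it as a template, a first-line comment saying so would save the next reader from guessing.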
@@ -0,0 +1,73 @@
+variable "vpc_domain_name" {
+ description = "VPC Domain Name for DHCP settings"
+ type = string
+ default = "unknown.census.gov"
+}
+
+variable "vpc_dns_servers" {
+ description = "VPC DNS Servers (default: Enterprise primary DNS at BCC and HQ)"
+ type = list(string)
+ default = ["148.129.127.22", "148.129.191.22"]
+}
+
+variable "vpc_ntp_servers" {
+ description = "VPC NTP Servers (default: Enterprise primary NPT at BCC and HQ)"
+ type = list(string)
+ default = ["148.129.127.23", "148.129.191.23"]
+}
+
+variable "network_census" {
+ description = "Census Subnets"
+ type = list
+ default = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+}
+
+## variable "network_peers" {
+## description = "Census AWS Peer Subnets"
+## type = list
+## default = ["10.193.0.0/19"]
+## # default = [ ]
+## }
+##
+## variable "vpn_connections" {
+## description = "VPN Connection Details"
+## type = map
+## }
+##
+## variable "vpc_vpn_dynamic_routing" {
+## description = "Dyanmic routing with BGP (true | false)"
+## type = bool
+## }
+##
+## variable "vpc_enable_igw" {
+## description = "Enable AWS Internet Gateway (IGW) on the VPC (true | false[x])"
+## type = bool
+## default = false
+## }
+##
+## variable "vpc_enable_nat" {
+## description = "Enable AWS NAT Gateway on the VPC (true | false[x])"
+## type = bool
+## default = false
+## }
+##
+## variable "vpc_enable_vpn" {
+## description = "Enable AWS VPN Configuration on the VPC (true[x] | false)"
+## type = bool
+## default = true
+## }
+##
+## # bits is the extra size of the bits from the subnet, which is split from the size of the vpc cidr
+## # vpc_cidr = /19
+## # cidr_subnets defines values (19 + N)
+## # this bits gets you (19 + N + bits)
+## # example: /19 vpc cidr, 3 for cidr means a /22 (19+3) and then 2 for bits means /24
+## variable "subnet_maps" {
+## description = "Subnet objects"
+## type = list(object(
+## {
+## label = string
+## bits = number
+## private = bool
+## }))
+## }
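Review bot: `variable "network_census"` uses the legacy bare `type = list` with no element type, while `vpc_dns_servers` and `vpc_ntp_servers` a few lines above use `list(string)`; `type = list(string)` makes the three consistent and rejects a non-string element at plan time instead of wherever the value is first used. As far as the files in this commit go, `network_census` is not referenced by any resource in this submodule, so if only sibling submodules consume it the declaration belongs with them rather than as an unused input here. The `vpc_ntp_servers` description reads "Enterprise primary NPT" where "NTP" is meant. The `## variable` blocks from `network_peers` onward are another copy of the commented-out declarations already carried in variables.tf and should go with them.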
diff --git a/vpc/version.tf b/vpc/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/vpc/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/vpc/vpc.tf.x b/vpc/vpc.tf.x
new file mode 100644
index 0000000..9d1fa16
--- /dev/null
+++ b/vpc/vpc.tf.x
@@ -0,0 +1,83 @@
+#---
+# dhcp options
+#---
+resource "aws_vpc_dhcp_options" "vpc" {
+ domain_name = var.dhcp_vpc_domain_name == "" ? var.vpc_domain_name : var.dhcp_vpc_domain_name
+ domain_name_servers = var.vpc_dns_servers
+ ntp_servers = var.vpc_ntp_servers
+
+ tags = merge(
+ local.common_tags,
+ map("Name", "${var.vpc_full_name}-dhcp-options"),
+ )
+}
+
+resource "aws_vpc_dhcp_options_association" "vpc" {
+ vpc_id = aws_vpc.vpc.id
+ dhcp_options_id = aws_vpc_dhcp_options.vpc.id
+}
+
+#---
+# vpc
+#---
+resource "aws_vpc" "vpc" {
+ cidr_block = var.vpc_cidr_block
+ enable_dns_support = false
+ enable_dns_hostnames = true
+
+ tags = merge(
+ local.common_tags,
+ map("Name", "${var.vpc_full_name}"),
+ )
+}
+
+#---
+# route table: main
+#---
+resource "aws_default_route_table" "vpc" {
+ default_route_table_id = aws_vpc.vpc.main_route_table_id
+
+ tags = merge(
+ local.common_tags,
+ map("Name", format("default-rt-%s", var.vpc_full_name))
+ )
+}
+
+#---
+# route table: public
+#---
+resource "aws_route_table" "public" {
+ count = local.az_count
+ vpc_id = aws_vpc.vpc.id
+
+ tags = merge(
+ local.common_tags,
+ map("Name", format("route-%s-%s-%s", var.vpc_full_name, "public", element(local.az_list, count.index)))
+ )
+}
+
+resource "aws_route_table_association" "public" {
+ count = length(local.public_subnets)
+ subnet_id = aws_subnet.public[count.index].id
+ route_table_id = element(aws_route_table.public[*].id, count.index)
+}
+
+#---
+# route table: private
+#---
+resource "aws_route_table" "private" {
+ count = local.az_count
+ vpc_id = aws_vpc.vpc.id
+ # propagating_vgws = var.vpc_vpn_dynamic_routing ? [ aws_vpn_gateway.vpn.id ] : []
+
+ tags = merge(
+ local.common_tags,
+ map("Name", format("route-%s-%s-%s", var.vpc_full_name, "private", element(local.az_list, count.index)))
+ )
+}
+
+resource "aws_route_table_association" "private" {
+ count = length(local.private_subnets)
+ subnet_id = aws_subnet.private[count.index].id
+ route_table_id = element(aws_route_table.private[*].id, count.index)
+}
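Review bot: vpc.tf.x re-declares `aws_vpc_dhcp_options.vpc`, `aws_vpc_dhcp_options_association.vpc` and `aws_vpc.vpc` under the same addresses main.tf uses, so the file cannot be renamed back to `.tf` without duplicate-resource errors, and its `aws_vpc.vpc` sets `enable_dns_support = false` where main.tf sets `true`, which is exactly the kind of divergence a disabled copy hides. It also references `local.common_tags`, `local.public_subnets`, `local.private_subnets`, `aws_subnet.public`, `aws_subnet.private` and `var.dhcp_vpc_domain_name`, none of which any file in this commit defines. If the route-table blocks are the part still wanted, they belong in the routing submodule the main.tf header points to; otherwise the file is history that git already keeps and should be removed from the module.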