From 68a00ec0136340f245f4ad5eb57b3e80b1e9d16d Mon Sep 17 00:00:00 2001 
From: bluesoul
Date: Fri, 18 Dec 2020 16:12:04 -0700
Subject: [PATCH] Initial draft of Terraform VPC
---
 terraform/.gitignore | 1 +
 terraform/aws/us-east-1/dev/providers.tf | 12 +++
 terraform/aws/us-east-1/dev/vpc/main.tf | 77 +++++++++++++++++++
 terraform/aws/us-east-1/dev/vpc/outputs.tf | 42 ++++++++++
 terraform/aws/us-east-1/dev/vpc/variables.tf | 0
 terraform/aws/us-east-1/etc/providers.tf | 12 +++
 terraform/aws/us-east-1/etc/vpc/main.tf | 77 +++++++++++++++++++
 terraform/aws/us-east-1/etc/vpc/outputs.tf | 42 ++++++++++
 terraform/aws/us-east-1/etc/vpc/variables.tf | 0
 terraform/aws/us-east-1/prod/providers.tf | 12 +++
 terraform/aws/us-east-1/prod/vpc/main.tf | 77 +++++++++++++++++++
 terraform/aws/us-east-1/prod/vpc/outputs.tf | 42 ++++++++++
 terraform/aws/us-east-1/prod/vpc/variables.tf | 0
 terraform/aws/us-east-1/qa/providers.tf | 12 +++
 terraform/aws/us-east-1/qa/vpc/main.tf | 77 +++++++++++++++++++
 terraform/aws/us-east-1/qa/vpc/outputs.tf | 42 ++++++++++
 terraform/aws/us-east-1/qa/vpc/variables.tf | 0
 terraform/aws/us-east-1/staging/providers.tf | 12 +++
 terraform/aws/us-east-1/staging/vpc/main.tf | 77 +++++++++++++++++++
 .../aws/us-east-1/staging/vpc/outputs.tf | 42 ++++++++++
 .../aws/us-east-1/staging/vpc/variables.tf | 0
 terraform/modules/.gitkeep | 0
 22 files changed, 656 insertions(+)
 create mode 100644 terraform/.gitignore
 create mode 100644 terraform/aws/us-east-1/dev/providers.tf
 create mode 100644 terraform/aws/us-east-1/dev/vpc/main.tf
 create mode 100644 terraform/aws/us-east-1/dev/vpc/outputs.tf
 create mode 100644 terraform/aws/us-east-1/dev/vpc/variables.tf
 create mode 100644 terraform/aws/us-east-1/etc/providers.tf
 create mode 100644 terraform/aws/us-east-1/etc/vpc/main.tf
 create mode 100644 terraform/aws/us-east-1/etc/vpc/outputs.tf
 create mode 100644 terraform/aws/us-east-1/etc/vpc/variables.tf
 create mode 100644 terraform/aws/us-east-1/prod/providers.tf
 create mode 100644 terraform/aws/us-east-1/prod/vpc/main.tf
 create mode 100644 terraform/aws/us-east-1/prod/vpc/outputs.tf
 create mode 100644 terraform/aws/us-east-1/prod/vpc/variables.tf
 create mode 100644 terraform/aws/us-east-1/qa/providers.tf
 create mode 100644 terraform/aws/us-east-1/qa/vpc/main.tf
 create mode 100644 terraform/aws/us-east-1/qa/vpc/outputs.tf
 create mode 100644 terraform/aws/us-east-1/qa/vpc/variables.tf
 create mode 100644 terraform/aws/us-east-1/staging/providers.tf
 create mode 100644 terraform/aws/us-east-1/staging/vpc/main.tf
 create mode 100644 terraform/aws/us-east-1/staging/vpc/outputs.tf
 create mode 100644 terraform/aws/us-east-1/staging/vpc/variables.tf
 create mode 100644 terraform/modules/.gitkeep
diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 0000000..8b1a7ba
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1 @@
+.terraform/
\ No newline at end of file
diff --git a/terraform/aws/us-east-1/dev/providers.tf b/terraform/aws/us-east-1/dev/providers.tf
new file mode 100644
index 0000000..1c2babd
--- /dev/null
+++ b/terraform/aws/us-east-1/dev/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+provider "aws" {
+ region="us-east-1"
+}
\ No newline at end of file
diff --git a/terraform/aws/us-east-1/dev/vpc/main.tf b/terraform/aws/us-east-1/dev/vpc/main.tf
new file mode 100644
index 0000000..f80824d
--- /dev/null
+++ b/terraform/aws/us-east-1/dev/vpc/main.tf
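Review bot: `.terraform/` is the only pattern, so a local `terraform.tfstate`, its `.backup`, and any `*.tfvars` placed in these environment directories would be committed; with no `backend` block in any of the providers.tf files in this patch, a local state file is exactly what an apply would produce. State records resource attributes and variable values that do not belong in the repository. Proposed additions: `*.tfstate`, `*.tfstate.*`, `*.tfvars`.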
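Review bot: The `terraform` block in providers.tf pins the provider with `version = "~> 3.0"` but declares neither `required_version` nor a `backend`, so every environment directory falls back to a local `terraform.tfstate` and any Terraform release is accepted. The five providers.tf files (dev, etc, prod, qa, staging) are byte-identical (blob 1c2babd), so the eventual backend and version pin will be a five-place edit; a `required_version` constraint matching the release used to author this, plus a shared backend, belong here before `create_vpc` is flipped. `region="us-east-1"` and the missing final newline are what `terraform fmt` would rewrite to `region = "us-east-1"` with a trailing newline.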
@@ -0,0 +1,77 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.64.0"
+
+ # Fail safe for now, flip to true or delete the following line to deploy this configuration.
+ create_vpc = false
+
+ name = "rocky-dev-us-east-1"
+ cidr = "10.16.224.0/20"
+
+ # IPv6, set to true and Amazon will provision a /56 for this VPC
+ enable_ipv6 = false
+
+ azs = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"]
+
+ # Subnets
+ ## A private subnet includes a route to get to the internet via a NAT Gateway, an intra subnet does not.
+ ## More info: https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest#private-versus-intra-subnets
+ public_subnets = ["10.16.224.0/24", "10.16.225.0/24", "10.16.226.0/24", "10.16.227.0/24"]
+ private_subnets = ["10.16.228.0/24", "10.16.229.0/24", "10.16.230.0/24", "10.16.231.0/24"]
+ intra_subnets = ["10.16.232.0/24", "10.16.233.0/24", "10.16.234.0/24", "10.16.235.0/24"]
+
+ ## We might want these, we might not. If not, I would make the private subnets /23s instead and fill the space that way.
+ database_subnets = ["10.16.236.0/26", "10.16.236.64/26", "10.16.236.128/26", "10.16.236.192/26"]
+ elasticache_subnets = ["10.16.237.0/26", "10.16.237.64/26", "10.16.237.128/26", "10.16.237.192/26"]
+ redshift_subnets = ["10.16.238.0/26", "10.16.238.64/26", "10.16.238.128/26", "10.16.238.192/26"]
+
+ ## There is one /24 remaining at 10.16.239.0/24 for any other usage we might need.
+
+ # VPC Options
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+
+ # NAT Gateway: 1 per AZ
+ enable_nat_gateway = true
+ single_nat_gateway = false
+ one_nat_gateway_per_az = true
+
+ # NAT Gateway: 1 per subnet
+ # enable_nat_gateway = true
+ # single_nat_gateway = false
+ # one_nat_gateway_per_az = false
+
+ # NAT Gateway: 1 per VPC
+ # enable_nat_gateway = true
+ # single_nat_gateway = true
+ # one_nat_gateway_per_az = false
+
+ # DHCP
+ enable_dhcp_options = true
+ dhcp_options_domain_name = "dev.us-east-1.aws.rockylinux.org"
+ dhcp_options_domain_name_servers = ["10.16.244.6", "10.16.245.6", "10.16.246.6", "10.16.247.6"]
+
+ # Default security group - ingress/egress rules cleared to deny all
+ manage_default_security_group = true
+ default_security_group_ingress = [{}]
+ default_security_group_egress = [{}]
+
+ # Product-specific configs:
+ ## Database, flip these 3 vars to true to make RDS instances available publicly.
+ create_database_subnet_group = false
+ create_database_subnet_route_table = false
+ create_database_internet_gateway_route = false
+
+ ## Elasticache, flip these to true to have AWS manage the subnet and routing for EC
+ create_elasticache_subnet_group = false
+ create_elasticache_subnet_route_table = false
+
+ ## Redshift, flip these to true to have AWS manage the subnet and routing for Redshift
+ create_redshift_subnet_group = false
+ create_redshift_subnet_route_table = false
+}
diff --git a/terraform/aws/us-east-1/dev/vpc/outputs.tf b/terraform/aws/us-east-1/dev/vpc/outputs.tf
new file mode 100644
index 0000000..72d6e1f
--- /dev/null
+++ b/terraform/aws/us-east-1/dev/vpc/outputs.tf
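Review bot: `dhcp_options_domain_name_servers` hands this VPC (10.16.224.0/20) the resolvers 10.16.244.6–10.16.247.6, which sit in the etc VPC's private subnets (10.16.244.0/24–10.16.247.0/24 in etc/vpc/main.tf), and the list carries no `AmazonProvidedDNS` entry; nothing in this patch peers or routes dev to etc, so instances here would have no reachable resolver until that path exists. The same four addresses appear verbatim in the prod, qa and staging main.tf hunks, where the same gap applies; a comment naming the cross-VPC dependency, e.g. `# Resolvers live in the etc VPC's private subnets; requires connectivity to 10.16.240.0/20`, would keep it from being read as a typo. Separately, `default_security_group_ingress = [{}]` and `default_security_group_egress = [{}]` pass one attribute-less rule object rather than the empty list the "cleared to deny all" comment describes; how the pinned module renders `{}` (no rule, or a rule assembled from its lookup defaults) should be confirmed, and `= []` is the unambiguous form for both. The `[{}]` form also appears in the etc, prod, qa and staging main.tf hunks.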
@@ -0,0 +1,42 @@
+# VPC
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
+
+# Subnets
+output "private_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc.private_subnets
+}
+
+output "public_subnets" {
+ description = "List of IDs of public subnets"
+ value = module.vpc.public_subnets
+}
+
+output "database_subnets" {
+ description = "List of IDs of database subnets"
+ value = module.vpc.database_subnets
+}
+
+output "elasticache_subnets" {
+ description = "List of IDs of elasticache subnets"
+ value = module.vpc.elasticache_subnets
+}
+
+output "redshift_subnets" {
+ description = "List of IDs of redshift subnets"
+ value = module.vpc.redshift_subnets
+}
+
+output "intra_subnets" {
+ description = "List of IDs of intra subnets"
+ value = module.vpc.intra_subnets
+}
+
+# NAT Gateway
+output "nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = module.vpc.nat_public_ips
+}
diff --git a/terraform/aws/us-east-1/dev/vpc/variables.tf b/terraform/aws/us-east-1/dev/vpc/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/aws/us-east-1/etc/providers.tf b/terraform/aws/us-east-1/etc/providers.tf
new file mode 100644
index 0000000..1c2babd
--- /dev/null
+++ b/terraform/aws/us-east-1/etc/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+provider "aws" {
+ region="us-east-1"
+}
\ No newline at end of file
diff --git a/terraform/aws/us-east-1/etc/vpc/main.tf b/terraform/aws/us-east-1/etc/vpc/main.tf
new file mode 100644
index 0000000..f56d481
--- /dev/null
+++ b/terraform/aws/us-east-1/etc/vpc/main.tf
@@ -0,0 +1,77 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.64.0"
+
+ # Fail safe for now, flip to true or delete the following line to deploy this configuration.
+ create_vpc = false
+
+ name = "rocky-etc-us-east-1"
+ cidr = "10.16.240.0/20"
+
+ # IPv6, set to true and Amazon will provision a /56 for this VPC
+ enable_ipv6 = false
+
+ azs = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"]
+
+ # Subnets
+ ## A private subnet includes a route to get to the internet via a NAT Gateway, an intra subnet does not.
+ ## More info: https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest#private-versus-intra-subnets
+ public_subnets = ["10.16.240.0/24", "10.16.241.0/24", "10.16.242.0/24", "10.16.243.0/24"]
+ private_subnets = ["10.16.244.0/24", "10.16.245.0/24", "10.16.246.0/24", "10.16.247.0/24"]
+ intra_subnets = ["10.16.248.0/24", "10.16.249.0/24", "10.16.250.0/24", "10.16.251.0/24"]
+
+ ## We might want these, we might not. If not, I would make the private subnets /23s instead and fill the space that way.
+ database_subnets = ["10.16.252.0/26", "10.16.252.64/26", "10.16.252.128/26", "10.16.252.192/26"]
+ elasticache_subnets = ["10.16.253.0/26", "10.16.253.64/26", "10.16.253.128/26", "10.16.253.192/26"]
+ redshift_subnets = ["10.16.254.0/26", "10.16.254.64/26", "10.16.254.128/26", "10.16.254.192/26"]
+
+ ## There is one /24 remaining at 10.16.255.0/24 for any other usage we might need.
+
+ # VPC Options
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+
+ # NAT Gateway: 1 per AZ
+ enable_nat_gateway = true
+ single_nat_gateway = false
+ one_nat_gateway_per_az = true
+
+ # NAT Gateway: 1 per subnet
+ # enable_nat_gateway = true
+ # single_nat_gateway = false
+ # one_nat_gateway_per_az = false
+
+ # NAT Gateway: 1 per VPC
+ # enable_nat_gateway = true
+ # single_nat_gateway = true
+ # one_nat_gateway_per_az = false
+
+ # DHCP
+ enable_dhcp_options = true
+ dhcp_options_domain_name = "etc.us-east-1.aws.rockylinux.org"
+ dhcp_options_domain_name_servers = ["10.16.244.6", "10.16.245.6", "10.16.246.6", "10.16.247.6"]
+
+ # Default security group - ingress/egress rules cleared to deny all
+ manage_default_security_group = true
+ default_security_group_ingress = [{}]
+ default_security_group_egress = [{}]
+
+ # Product-specific configs:
+ ## Database, flip these 3 vars to true to make RDS instances available publicly.
+ create_database_subnet_group = false
+ create_database_subnet_route_table = false
+ create_database_internet_gateway_route = false
+
+ ## Elasticache, flip these to true to have AWS manage the subnet and routing for EC
+ create_elasticache_subnet_group = false
+ create_elasticache_subnet_route_table = false
+
+ ## Redshift, flip these to true to have AWS manage the subnet and routing for Redshift
+ create_redshift_subnet_group = false
+ create_redshift_subnet_route_table = false
+}
diff --git a/terraform/aws/us-east-1/etc/vpc/outputs.tf b/terraform/aws/us-east-1/etc/vpc/outputs.tf
new file mode 100644
index 0000000..72d6e1f
--- /dev/null
+++ b/terraform/aws/us-east-1/etc/vpc/outputs.tf
@@ -0,0 +1,42 @@
+# VPC
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
+
+# Subnets
+output "private_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc.private_subnets
+}
+
+output "public_subnets" {
+ description = "List of IDs of public subnets"
+ value = module.vpc.public_subnets
+}
+
+output "database_subnets" {
+ description = "List of IDs of database subnets"
+ value = module.vpc.database_subnets
+}
+
+output "elasticache_subnets" {
+ description = "List of IDs of elasticache subnets"
+ value = module.vpc.elasticache_subnets
+}
+
+output "redshift_subnets" {
+ description = "List of IDs of redshift subnets"
+ value = module.vpc.redshift_subnets
+}
+
+output "intra_subnets" {
+ description = "List of IDs of intra subnets"
+ value = module.vpc.intra_subnets
+}
+
+# NAT Gateway
+output "nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = module.vpc.nat_public_ips
+}
diff --git a/terraform/aws/us-east-1/etc/vpc/variables.tf b/terraform/aws/us-east-1/etc/vpc/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/aws/us-east-1/prod/providers.tf b/terraform/aws/us-east-1/prod/providers.tf
new file mode 100644
index 0000000..1c2babd
--- /dev/null
+++ b/terraform/aws/us-east-1/prod/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+provider "aws" {
+ region="us-east-1"
+}
\ No newline at end of file
diff --git a/terraform/aws/us-east-1/prod/vpc/main.tf b/terraform/aws/us-east-1/prod/vpc/main.tf
new file mode 100644
index 0000000..13e70fe
--- /dev/null
+++ b/terraform/aws/us-east-1/prod/vpc/main.tf
@@ -0,0 +1,77 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.64.0"
+
+ # Fail safe for now, flip to true or delete the following line to deploy this configuration.
+ create_vpc = false
+
+ name = "rocky-prod-us-east-1"
+ cidr = "10.16.0.0/17"
+
+ # IPv6, set to true and Amazon will provision a /56 for this VPC
+ enable_ipv6 = false
+
+ azs = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"]
+
+ # Subnets
+ ## A private subnet includes a route to get to the internet via a NAT Gateway, an intra subnet does not.
+ ## More info: https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest#private-versus-intra-subnets
+ public_subnets = ["10.16.0.0/21", "10.16.8.0/21", "10.16.16.0/21", "10.16.24.0/21"]
+ private_subnets = ["10.16.32.0/21", "10.16.40.0/21", "10.16.48.0/21", "10.16.56.0/21"]
+ intra_subnets = ["10.16.64.0/21", "10.16.72.0/21", "10.16.80.0/21", "10.16.88.0/21"]
+
+ ## We might want these, we might not. If not, I would make the private subnets /20s instead and fill the space that way.
+ database_subnets = ["10.16.96.0/23", "10.16.98.0/23", "10.16.100.0/23", "10.16.102.0/23"]
+ elasticache_subnets = ["10.16.104.0/23", "10.16.106.0/23", "10.16.108.0/23", "10.16.110.0/23"]
+ redshift_subnets = ["10.16.112.0/23", "10.16.114.0/23", "10.16.116.0/23", "10.16.118.0/23"]
+
+ ## There is one /21 remaining at 10.16.120.0/21 for any other usage we might need.
+
+ # VPC Options
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+
+ # NAT Gateway: 1 per AZ
+ enable_nat_gateway = true
+ single_nat_gateway = false
+ one_nat_gateway_per_az = true
+
+ # NAT Gateway: 1 per subnet
+ # enable_nat_gateway = true
+ # single_nat_gateway = false
+ # one_nat_gateway_per_az = false
+
+ # NAT Gateway: 1 per VPC
+ # enable_nat_gateway = true
+ # single_nat_gateway = true
+ # one_nat_gateway_per_az = false
+
+ # DHCP
+ enable_dhcp_options = true
+ dhcp_options_domain_name = "prod.us-east-1.aws.rockylinux.org"
+ dhcp_options_domain_name_servers = ["10.16.244.6", "10.16.245.6", "10.16.246.6", "10.16.247.6"]
+
+ # Default security group - ingress/egress rules cleared to deny all
+ manage_default_security_group = true
+ default_security_group_ingress = [{}]
+ default_security_group_egress = [{}]
+
+ # Product-specific configs:
+ ## Database, flip these 3 vars to true to make RDS instances available publicly.
+ create_database_subnet_group = false
+ create_database_subnet_route_table = false
+ create_database_internet_gateway_route = false
+
+ ## Elasticache, flip these to true to have AWS manage the subnet and routing for EC
+ create_elasticache_subnet_group = false
+ create_elasticache_subnet_route_table = false
+
+ ## Redshift, flip these to true to have AWS manage the subnet and routing for Redshift
+ create_redshift_subnet_group = false
+ create_redshift_subnet_route_table = false
+}
diff --git a/terraform/aws/us-east-1/prod/vpc/outputs.tf b/terraform/aws/us-east-1/prod/vpc/outputs.tf
new file mode 100644
index 0000000..72d6e1f
--- /dev/null
+++ b/terraform/aws/us-east-1/prod/vpc/outputs.tf
@@ -0,0 +1,42 @@
+# VPC
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
+
+# Subnets
+output "private_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc.private_subnets
+}
+
+output "public_subnets" {
+ description = "List of IDs of public subnets"
+ value = module.vpc.public_subnets
+}
+
+output "database_subnets" {
+ description = "List of IDs of database subnets"
+ value = module.vpc.database_subnets
+}
+
+output "elasticache_subnets" {
+ description = "List of IDs of elasticache subnets"
+ value = module.vpc.elasticache_subnets
+}
+
+output "redshift_subnets" {
+ description = "List of IDs of redshift subnets"
+ value = module.vpc.redshift_subnets
+}
+
+output "intra_subnets" {
+ description = "List of IDs of intra subnets"
+ value = module.vpc.intra_subnets
+}
+
+# NAT Gateway
+output "nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = module.vpc.nat_public_ips
+}
diff --git a/terraform/aws/us-east-1/prod/vpc/variables.tf b/terraform/aws/us-east-1/prod/vpc/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/aws/us-east-1/qa/providers.tf b/terraform/aws/us-east-1/qa/providers.tf
new file mode 100644
index 0000000..1c2babd
--- /dev/null
+++ b/terraform/aws/us-east-1/qa/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+provider "aws" {
+ region="us-east-1"
+}
\ No newline at end of file
diff --git a/terraform/aws/us-east-1/qa/vpc/main.tf b/terraform/aws/us-east-1/qa/vpc/main.tf
new file mode 100644
index 0000000..b2bb521
--- /dev/null
+++ b/terraform/aws/us-east-1/qa/vpc/main.tf
@@ -0,0 +1,77 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.64.0"
+
+ # Fail safe for now, flip to true or delete the following line to deploy this configuration.
+ create_vpc = false
+
+ name = "rocky-qa-us-east-1"
+ cidr = "10.16.192.0/19"
+
+ # IPv6, set to true and Amazon will provision a /56 for this VPC
+ enable_ipv6 = false
+
+ azs = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"]
+
+ # Subnets
+ ## A private subnet includes a route to get to the internet via a NAT Gateway, an intra subnet does not.
+ ## More info: https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest#private-versus-intra-subnets
+ public_subnets = ["10.16.192.0/23", "10.16.194.0/23", "10.16.196.0/23", "10.16.198.0/23"]
+ private_subnets = ["10.16.200.0/23", "10.16.202.0/23", "10.16.204.0/23", "10.16.206.0/23"]
+ intra_subnets = ["10.16.208.0/23", "10.16.210.0/23", "10.16.212.0/23", "10.16.214.0/23"]
+
+ ## We might want these, we might not. If not, I would make the private subnets /22s instead and fill the space that way.
+ database_subnets = ["10.16.216.0/25", "10.16.216.128/25", "10.16.217.0/25", "10.16.217.128/25"]
+ elasticache_subnets = ["10.16.218.0/25", "10.16.218.128/25", "10.16.219.0/25", "10.16.219.128/25"]
+ redshift_subnets = ["10.16.220.0/25", "10.16.220.128/25", "10.16.221.0/25", "10.16.221.128/25"]
+
+ ## There is one /23 remaining at 10.16.222.0/23 for any other usage we might need.
+
+ # VPC Options
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+
+ # NAT Gateway: 1 per AZ
+ enable_nat_gateway = true
+ single_nat_gateway = false
+ one_nat_gateway_per_az = true
+
+ # NAT Gateway: 1 per subnet
+ # enable_nat_gateway = true
+ # single_nat_gateway = false
+ # one_nat_gateway_per_az = false
+
+ # NAT Gateway: 1 per VPC
+ # enable_nat_gateway = true
+ # single_nat_gateway = true
+ # one_nat_gateway_per_az = false
+
+ # DHCP
+ enable_dhcp_options = true
+ dhcp_options_domain_name = "qa.us-east-1.aws.rockylinux.org"
+ dhcp_options_domain_name_servers = ["10.16.244.6", "10.16.245.6", "10.16.246.6", "10.16.247.6"]
+
+ # Default security group - ingress/egress rules cleared to deny all
+ manage_default_security_group = true
+ default_security_group_ingress = [{}]
+ default_security_group_egress = [{}]
+
+ # Product-specific configs:
+ ## Database, flip these 3 vars to true to make RDS instances available publicly.
+ create_database_subnet_group = false
+ create_database_subnet_route_table = false
+ create_database_internet_gateway_route = false
+
+ ## Elasticache, flip these to true to have AWS manage the subnet and routing for EC
+ create_elasticache_subnet_group = false
+ create_elasticache_subnet_route_table = false
+
+ ## Redshift, flip these to true to have AWS manage the subnet and routing for Redshift
+ create_redshift_subnet_group = false
+ create_redshift_subnet_route_table = false
+}
diff --git a/terraform/aws/us-east-1/qa/vpc/outputs.tf b/terraform/aws/us-east-1/qa/vpc/outputs.tf
new file mode 100644
index 0000000..72d6e1f
--- /dev/null
+++ b/terraform/aws/us-east-1/qa/vpc/outputs.tf
@@ -0,0 +1,42 @@
+# VPC
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
+
+# Subnets
+output "private_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc.private_subnets
+}
+
+output "public_subnets" {
+ description = "List of IDs of public subnets"
+ value = module.vpc.public_subnets
+}
+
+output "database_subnets" {
+ description = "List of IDs of database subnets"
+ value = module.vpc.database_subnets
+}
+
+output "elasticache_subnets" {
+ description = "List of IDs of elasticache subnets"
+ value = module.vpc.elasticache_subnets
+}
+
+output "redshift_subnets" {
+ description = "List of IDs of redshift subnets"
+ value = module.vpc.redshift_subnets
+}
+
+output "intra_subnets" {
+ description = "List of IDs of intra subnets"
+ value = module.vpc.intra_subnets
+}
+
+# NAT Gateway
+output "nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = module.vpc.nat_public_ips
+}
diff --git a/terraform/aws/us-east-1/qa/vpc/variables.tf b/terraform/aws/us-east-1/qa/vpc/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/aws/us-east-1/staging/providers.tf b/terraform/aws/us-east-1/staging/providers.tf
new file mode 100644
index 0000000..1c2babd
--- /dev/null
+++ b/terraform/aws/us-east-1/staging/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.0"
+ }
+ }
+}
+
+provider "aws" {
+ region="us-east-1"
+}
\ No newline at end of file
diff --git a/terraform/aws/us-east-1/staging/vpc/main.tf b/terraform/aws/us-east-1/staging/vpc/main.tf
new file mode 100644
index 0000000..baf0b5c
--- /dev/null
+++ b/terraform/aws/us-east-1/staging/vpc/main.tf
@@ -0,0 +1,77 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.64.0"
+
+ # Fail safe for now, flip to true or delete the following line to deploy this configuration.
+ create_vpc = false
+
+ name = "rocky-staging-us-east-1"
+ cidr = "10.16.128.0/18"
+
+ # IPv6, set to true and Amazon will provision a /56 for this VPC
+ enable_ipv6 = false
+
+ azs = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"]
+
+ # Subnets
+ ## A private subnet includes a route to get to the internet via a NAT Gateway, an intra subnet does not.
+ ## More info: https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest#private-versus-intra-subnets
+ public_subnets = ["10.16.128.0/22", "10.16.132.0/22", "10.16.136.0/22", "10.16.140.0/22"]
+ private_subnets = ["10.16.144.0/22", "10.16.148.0/22", "10.16.152.0/22", "10.16.156.0/22"]
+ intra_subnets = ["10.16.160.0/22", "10.16.164.0/22", "10.16.168.0/22", "10.16.172.0/22"]
+
+ ## We might want these, we might not. If not, I would make the private subnets /21s instead and fill the space that way.
+ database_subnets = ["10.16.176.0/24", "10.16.177.0/24", "10.16.178.0/24", "10.16.179.0/24"]
+ elasticache_subnets = ["10.16.180.0/24", "10.16.181.0/24", "10.16.182.0/24", "10.16.183.0/24"]
+ redshift_subnets = ["10.16.184.0/24", "10.16.185.0/24", "10.16.186.0/24", "10.16.187.0/24"]
+
+ ## There is one /22 remaining at 10.16.188.0/22 for any other usage we might need.
+
+ # VPC Options
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+
+ # NAT Gateway: 1 per AZ
+ enable_nat_gateway = true
+ single_nat_gateway = false
+ one_nat_gateway_per_az = true
+
+ # NAT Gateway: 1 per subnet
+ # enable_nat_gateway = true
+ # single_nat_gateway = false
+ # one_nat_gateway_per_az = false
+
+ # NAT Gateway: 1 per VPC
+ # enable_nat_gateway = true
+ # single_nat_gateway = true
+ # one_nat_gateway_per_az = false
+
+ # DHCP
+ enable_dhcp_options = true
+ dhcp_options_domain_name = "staging.us-east-1.aws.rockylinux.org"
+ dhcp_options_domain_name_servers = ["10.16.244.6", "10.16.245.6", "10.16.246.6", "10.16.247.6"]
+
+ # Default security group - ingress/egress rules cleared to deny all
+ manage_default_security_group = true
+ default_security_group_ingress = [{}]
+ default_security_group_egress = [{}]
+
+ # Product-specific configs:
+ ## Database, flip these 3 vars to true to make RDS instances available publicly.
+ create_database_subnet_group = false
+ create_database_subnet_route_table = false
+ create_database_internet_gateway_route = false
+
+ ## Elasticache, flip these to true to have AWS manage the subnet and routing for EC
+ create_elasticache_subnet_group = false
+ create_elasticache_subnet_route_table = false
+
+ ## Redshift, flip these to true to have AWS manage the subnet and routing for Redshift
+ create_redshift_subnet_group = false
+ create_redshift_subnet_route_table = false
+}
diff --git a/terraform/aws/us-east-1/staging/vpc/outputs.tf b/terraform/aws/us-east-1/staging/vpc/outputs.tf
new file mode 100644
index 0000000..72d6e1f
--- /dev/null
+++ b/terraform/aws/us-east-1/staging/vpc/outputs.tf
@@ -0,0 +1,42 @@
+# VPC
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
+
+# Subnets
+output "private_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc.private_subnets
+}
+
+output "public_subnets" {
+ description = "List of IDs of public subnets"
+ value = module.vpc.public_subnets
+}
+
+output "database_subnets" {
+ description = "List of IDs of database subnets"
+ value = module.vpc.database_subnets
+}
+
+output "elasticache_subnets" {
+ description = "List of IDs of elasticache subnets"
+ value = module.vpc.elasticache_subnets
+}
+
+output "redshift_subnets" {
+ description = "List of IDs of redshift subnets"
+ value = module.vpc.redshift_subnets
+}
+
+output "intra_subnets" {
+ description = "List of IDs of intra subnets"
+ value = module.vpc.intra_subnets
+}
+
+# NAT Gateway
+output "nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = module.vpc.nat_public_ips
+}
diff --git a/terraform/aws/us-east-1/staging/vpc/variables.tf b/terraform/aws/us-east-1/staging/vpc/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/modules/.gitkeep b/terraform/modules/.gitkeep
new file mode 100644
index 0000000..e69de29