# Default AWS provider (us-west-1). Every resource below that has no explicit
# `provider` attribute is created in this region.
provider "aws" {
region = "us-west-1"
# Credentials come from a shared credentials file plus a named profile rather
# than inline access keys, so no secret material lives in this config (the
# values are redacted in the gist). Keep that credentials file out of the repo.
shared_credentials_file = "REDACTED"
profile = "REDACTED"
}
# East Coast Region
# us-east-1 aka Northern Virginia
# Second provider for us-east-1. The cloned resources select it with
# `provider = "aws.east"` (the quoted provider-reference form of pre-0.12 HCL).
provider "aws" {
alias = "east"
region = "us-east-1"
# Same file + profile credential scheme as the default provider; redacted.
shared_credentials_file = "REDACTED"
profile = "REDACTED"
}
# # # # #
# VPCs #
# # # # #
# Create a VPC to launch our instances into
# West VPC. Its CIDR (10.0.0.0/16) must not overlap the East VPC (10.1.0.0/16):
# each side later installs a route for the other side's CIDR through the VPN
# instance, and overlapping ranges would make those routes ambiguous.
resource "aws_vpc" "Demo_West" {
cidr_block = "10.0.0.0/16"
# Block-form `tags { }` is the pre-0.12 syntax (0.12+ expects `tags = { }`).
tags {
Name = "Demo"
# NOTE(review): a bare boolean inside a string map may be stored as "1" rather
# than "true" on legacy Terraform — check the stored tag value before filtering on it.
managed_by_terraform = true
}
}
# Cloning Resources in us-east-1
# East VPC, created through the aliased us-east-1 provider. Uses a distinct,
# non-overlapping CIDR so the cross-VPC routes below are unambiguous.
resource "aws_vpc" "Demo_East" {
provider = "aws.east"
cidr_block = "10.1.0.0/16"
# Pre-0.12 block-form tags; same caveat about the bare boolean as on Demo_West.
tags {
Name = "Demo"
managed_by_terraform = true
}
}
# # # # # # # # # # #
# Internet Gateways #
# # # # # # # # # # #
# Create an internet gateway to give our subnet access to the internet
# Internet gateway for the West VPC; the default route in the Routes section
# points at it so the VPN instance can reach its peer's public EIP.
resource "aws_internet_gateway" "demo_igw_west" {
vpc_id = "${aws_vpc.Demo_West.id}"
}
# Cloning Resources in us-east-1
# Internet gateway for the East VPC (us-east-1 provider); mirror of the West one.
resource "aws_internet_gateway" "demo_igw_east" {
provider = "aws.east"
vpc_id = "${aws_vpc.Demo_East.id}"
}
# # # # #
# Routes #
# # # # #
# Grant the VPC internet access on its main route table
# Default route (0.0.0.0/0 -> IGW) installed on the VPC's *main* route table.
# Security note: any subnet that is not explicitly associated with another
# route table falls back to the main table, so this one rule makes every
# subnet in the VPC internet-routable, not just the VPN subnet. A dedicated
# public route table associated only with Demo_vpn_west would keep the
# exposure limited to the VPN instance.
resource "aws_route" "internet_access_west" {
route_table_id = "${aws_vpc.Demo_West.main_route_table_id}"
destination_cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.demo_igw_west.id}"
}
# Cloning Resources in us-east-1
# Default route for the East VPC, again on the main route table — the same
# "every subnet becomes public" caveat as internet_access_west applies here.
resource "aws_route" "internet_access_east" {
provider = "aws.east"
route_table_id = "${aws_vpc.Demo_East.main_route_table_id}"
destination_cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.demo_igw_east.id}"
}
# Routing traffic between the VPCs through the StrongSwan instances
# Send anything destined for the East VPC's CIDR to the West StrongSwan
# instance, which tunnels it. This only works because that instance sets
# source_dest_check = false; otherwise AWS would drop the forwarded packets.
resource "aws_route" "west_to_east_route_through_vpn" {
route_table_id = "${aws_vpc.Demo_West.main_route_table_id}"
# Destination is read from the other VPC rather than repeated as a literal,
# so the two CIDR declarations cannot drift apart.
destination_cidr_block = "${aws_vpc.Demo_East.cidr_block}"
# Instance-id targets are the older aws_route form (newer configs usually
# target a network interface instead).
instance_id = "${aws_instance.StrongSwan_Instance_West.id}"
}
# Routing traffic between the VPCs through the StrongSwan instances
# Mirror route in the East VPC: West-bound traffic goes via the East StrongSwan
# instance (which also has source_dest_check disabled).
resource "aws_route" "east_to_west_route_through_vpn" {
provider = "aws.east"
route_table_id = "${aws_vpc.Demo_East.main_route_table_id}"
destination_cidr_block = "${aws_vpc.Demo_West.cidr_block}"
instance_id = "${aws_instance.StrongSwan_Instance_East.id}"
}
# # # # # #
# Subnets #
# # # # # #
# Create a subnet for our VPN instances
# Public /24 inside the West VPC that hosts the VPN instance.
resource "aws_subnet" "Demo_vpn_west" {
vpc_id = "${aws_vpc.Demo_West.id}"
cidr_block = "10.0.9.0/24"
# Every instance launched here gets an auto-assigned public IP. The VPN
# instance is also given an EIP, so this flag mostly affects anything else
# placed in the subnet later; setting it false and relying on the EIP alone
# would be the tighter default.
map_public_ip_on_launch = true
# Hard-coded AZ. AZ names map to different physical zones per account, so this
# may need changing (or parameterizing) when the config is reused elsewhere.
availability_zone = "us-west-1b"
tags {
Name = "Demo_vpn_west"
managed_by_terraform = true
}
}
# Cloning Resources in us-east-1
# Public /24 in the East VPC for the East VPN instance; mirror of Demo_vpn_west,
# with the same public-IP-on-launch and hard-coded-AZ caveats.
resource "aws_subnet" "Demo_vpn_east" {
provider = "aws.east"
vpc_id = "${aws_vpc.Demo_East.id}"
cidr_block = "10.1.9.0/24"
map_public_ip_on_launch = true
availability_zone = "us-east-1e"
tags {
Name = "Demo_vpn_east"
managed_by_terraform = true
}
}
# # # # # # # # # #
# Security Groups #
# # # # # # # # # #
# Security group for our StrongSwan instances
# Security group for the West StrongSwan instance. Only the intra-VPC ingress
# and the egress rule are inline; the IKE/NAT-T rules that admit the peer's
# EIP are separate aws_security_group_rule resources further down. Keeping
# them separate avoids a dependency cycle: this group -> instance -> EIP ->
# a rule that needs the EIP's address.
resource "aws_security_group" "StrongSwan_West" {
name = "StrongSwan-West"
vpc_id = "${aws_vpc.Demo_West.id}"
# Allow ALL traffic from within the VPC through the strongswan instance.
# protocol "-1" means any protocol (the port fields are ignored), scoped to
# the VPC's own CIDR. Needed so local hosts can send East-bound traffic via
# this instance, but note it also exposes every service listening on the
# instance (SSH included) to the entire VPC, not just the forwarding path.
# There is no rule admitting SSH from outside the VPC at all.
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${aws_vpc.Demo_West.cidr_block}"]
}
# Outbound access: unrestricted. Tunnel traffic itself only needs UDP 500/4500
# to the peer EIP; anything beyond that (package updates, NTP, etc.) is what
# would have to be enumerated before tightening this.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags {
Name = "StrongSwan_West"
managed_by_terraform = true
}
}
# Security group for the East StrongSwan instance; mirror of StrongSwan_West.
# The peer-EIP IKE/NAT-T rules are attached via aws_security_group_rule
# resources below for the same dependency-cycle reason.
resource "aws_security_group" "StrongSwan_East" {
provider = "aws.east"
name = "StrongSwan-East"
vpc_id = "${aws_vpc.Demo_East.id}"
# Allow ALL traffic from within the VPC through the strongswan instance.
# Any protocol from the VPC CIDR — required for forwarding, but it also makes
# every local service on the instance reachable from the whole VPC.
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["${aws_vpc.Demo_East.cidr_block}"]
}
# Outbound access: unrestricted, same trade-off as the West group.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags {
Name = "StrongSwan_East"
managed_by_terraform = true
}
}
# Elastic IP for the West VPN Instance. Its public_ip is what the East side
# whitelists as the IKE/NAT-T source. AWS maps an EIP to the instance's private
# address via 1:1 NAT, which is presumably why UDP 4500 (NAT-T) is opened
# alongside UDP 500 rather than raw ESP.
resource "aws_eip" "StrongSwan_West_EIP" {
instance = "${aws_instance.StrongSwan_Instance_West.id}"
vpc = true
}
# Elastic IP for the East VPN Instance
# Elastic IP for the East VPN Instance; the West security group rules whitelist
# its public_ip as a /32 source.
resource "aws_eip" "StrongSwan_East_EIP" {
provider = "aws.east"
instance = "${aws_instance.StrongSwan_Instance_East.id}"
vpc = true
}
# Adding the ingress rules to the VPN security groups to allow UDP traffic between the two VPN instances
# West SG: accept IPsec NAT-T (UDP 4500) only from the East instance's EIP.
# The /32 source is the least-privilege choice; because the EIP is only known
# once the East instance exists, this lives in its own rule resource rather
# than inline in the group (see the cycle note on aws_security_group.StrongSwan_West).
# NOTE(review): no rule admits ESP (IP protocol 50). That is fine if the tunnel
# negotiates NAT-T encapsulation, which is the usual outcome behind an EIP —
# confirm against the StrongSwan configuration.
resource "aws_security_group_rule" "udp_4500_from_us_east_1" {
type = "ingress"
from_port = 4500
to_port = 4500
protocol = "udp"
cidr_blocks = ["${aws_eip.StrongSwan_East_EIP.public_ip}/32"]
security_group_id = "${aws_security_group.StrongSwan_West.id}"
}
# East SG: accept IPsec NAT-T (UDP 4500) only from the West instance's EIP (/32).
# Mirror of udp_4500_from_us_east_1, including the ESP/NAT-T caveat.
resource "aws_security_group_rule" "udp_4500_from_us_west_1" {
provider = "aws.east"
type = "ingress"
from_port = 4500
to_port = 4500
protocol = "udp"
cidr_blocks = ["${aws_eip.StrongSwan_West_EIP.public_ip}/32"]
security_group_id = "${aws_security_group.StrongSwan_East.id}"
}
# West SG: accept IKE (UDP 500) only from the East instance's EIP (/32).
# Together with the UDP 4500 rule this is the complete inbound surface the
# peer needs; nothing else from the internet is admitted to the instance.
resource "aws_security_group_rule" "udp_500_from_us_east_1" {
type = "ingress"
from_port = 500
to_port = 500
protocol = "udp"
cidr_blocks = ["${aws_eip.StrongSwan_East_EIP.public_ip}/32"]
security_group_id = "${aws_security_group.StrongSwan_West.id}"
}
# East SG: accept IKE (UDP 500) only from the West instance's EIP (/32).
resource "aws_security_group_rule" "udp_500_from_us_west_1" {
provider = "aws.east"
type = "ingress"
from_port = 500
to_port = 500
protocol = "udp"
cidr_blocks = ["${aws_eip.StrongSwan_West_EIP.public_ip}/32"]
security_group_id = "${aws_security_group.StrongSwan_East.id}"
}
# # # # # # #
# Instances #
# # # # # # #
# West StrongSwan instance: a CentOS 7 host in the public VPN subnet that
# terminates the IPsec tunnel and forwards traffic between the two VPCs.
resource "aws_instance" "StrongSwan_Instance_West" {
# AMI for "CentOS 7 (x86_64) - with Updates HVM"
# Hard-coded, region-specific image id (the East instance needs a different
# one). Image ids are also not patch-tracked: a `data "aws_ami"` lookup pinned
# by owner and name pattern, or an input variable, is easier to keep current.
ami = "ami-af4333cf"
instance_type = "t2.small"
subnet_id = "${aws_subnet.Demo_vpn_west.id}"
# Required for a router: with the check enabled AWS drops any packet whose
# source or destination is not this instance, i.e. everything it forwards.
source_dest_check = false
# SSH key pair name (redacted). No security group rule admits SSH from outside
# the VPC, so administration has to originate inside it.
key_name = "REDACTED"
vpc_security_group_ids = ["${aws_security_group.StrongSwan_West.id}"]
# Not expressed here: root-volume encryption and instance-metadata hardening
# (`metadata_options` on newer providers); account/provider defaults apply.
tags {
Name = "StrongSwan_Instance_West"
managed_by_terraform = true
}
}
# East StrongSwan instance; mirror of the West one in the us-east-1 VPN subnet.
resource "aws_instance" "StrongSwan_Instance_East" {
provider = "aws.east"
# AMI for "CentOS 7 (x86_64) - with Updates HVM"
# Separate hard-coded id because AMI ids are per-region; same maintenance
# caveat as the West instance.
ami = "ami-6d1c2007"
instance_type = "t2.small"
subnet_id = "${aws_subnet.Demo_vpn_east.id}"
# Must be off for the east_to_west route to deliver forwarded packets.
source_dest_check = false
key_name = "REDACTED"
vpc_security_group_ids = ["${aws_security_group.StrongSwan_East.id}"]
tags {
Name = "StrongSwan_Instance_East"
managed_by_terraform = true
}
}