Created
August 11, 2016 20:28
-
-
Save Bjorn248/892e7d7563cb86403f026dc99970ccd8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| provider "aws" { | |
| region = "us-west-1" | |
| shared_credentials_file = "REDACTED" | |
| profile = "REDACTED" | |
| } | |
| # East Coast Region | |
| # us-east-1 aka Northern Virginia | |
| provider "aws" { | |
| alias = "east" | |
| region = "us-east-1" | |
| shared_credentials_file = "REDACTED" | |
| profile = "REDACTED" | |
| } | |
| # # # # # | |
| # VPCs # | |
| # # # # # | |
| # Create a VPC to launch our instances into | |
| resource "aws_vpc" "Demo_West" { | |
| cidr_block = "10.0.0.0/16" | |
| tags { | |
| Name = "Demo" | |
| managed_by_terraform = true | |
| } | |
| } | |
| # Cloning Resources in us-east-1 | |
| resource "aws_vpc" "Demo_East" { | |
| provider = "aws.east" | |
| cidr_block = "10.1.0.0/16" | |
| tags { | |
| Name = "Demo" | |
| managed_by_terraform = true | |
| } | |
| } | |
| # # # # # # # # # # # | |
| # Internet Gateways # | |
| # # # # # # # # # # # | |
| # Create an internet gateway to give our subnet access to the internet | |
| resource "aws_internet_gateway" "demo_igw_west" { | |
| vpc_id = "${aws_vpc.Demo_West.id}" | |
| } | |
| # Cloning Resources in us-east-1 | |
| resource "aws_internet_gateway" "demo_igw_east" { | |
| provider = "aws.east" | |
| vpc_id = "${aws_vpc.Demo_East.id}" | |
| } | |
| # # # # # | |
| # Routes # | |
| # # # # # | |
| # Grant the VPC internet access on its main route table | |
| resource "aws_route" "internet_access_west" { | |
| route_table_id = "${aws_vpc.Demo_West.main_route_table_id}" | |
| destination_cidr_block = "0.0.0.0/0" | |
| gateway_id = "${aws_internet_gateway.demo_igw_west.id}" | |
| } | |
| # Cloning Resources in us-east-1 | |
| resource "aws_route" "internet_access_east" { | |
| provider = "aws.east" | |
| route_table_id = "${aws_vpc.Demo_East.main_route_table_id}" | |
| destination_cidr_block = "0.0.0.0/0" | |
| gateway_id = "${aws_internet_gateway.demo_igw_east.id}" | |
| } | |
| # Routing traffic between the VPCs through the StrongSwan instances | |
| resource "aws_route" "west_to_east_route_through_vpn" { | |
| route_table_id = "${aws_vpc.Demo_West.main_route_table_id}" | |
| destination_cidr_block = "${aws_vpc.Demo_East.cidr_block}" | |
| instance_id = "${aws_instance.StrongSwan_Instance_West.id}" | |
| } | |
| # Routing traffic between the VPCs through the StrongSwan instances | |
| resource "aws_route" "east_to_west_route_through_vpn" { | |
| provider = "aws.east" | |
| route_table_id = "${aws_vpc.Demo_East.main_route_table_id}" | |
| destination_cidr_block = "${aws_vpc.Demo_West.cidr_block}" | |
| instance_id = "${aws_instance.StrongSwan_Instance_East.id}" | |
| } | |
| # # # # # # | |
| # Subnets # | |
| # # # # # # | |
| # Create a subnet for our VPN instances | |
| resource "aws_subnet" "Demo_vpn_west" { | |
| vpc_id = "${aws_vpc.Demo_West.id}" | |
| cidr_block = "10.0.9.0/24" | |
| map_public_ip_on_launch = true | |
| availability_zone = "us-west-1b" | |
| tags { | |
| Name = "Demo_vpn_west" | |
| managed_by_terraform = true | |
| } | |
| } | |
| # Cloning Resources in us-east-1 | |
| resource "aws_subnet" "Demo_vpn_east" { | |
| provider = "aws.east" | |
| vpc_id = "${aws_vpc.Demo_East.id}" | |
| cidr_block = "10.1.9.0/24" | |
| map_public_ip_on_launch = true | |
| availability_zone = "us-east-1e" | |
| tags { | |
| Name = "Demo_vpn_east" | |
| managed_by_terraform = true | |
| } | |
| } | |
| # # # # # # # # # # | |
| # Security Groups # | |
| # # # # # # # # # # | |
| # Security group for our StrongSwan instances | |
| resource "aws_security_group" "StrongSwan_West" { | |
| name = "StrongSwan-West" | |
| vpc_id = "${aws_vpc.Demo_West.id}" | |
| # Allow ALL traffic from within the VPC through the strongswan instance | |
| ingress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "-1" | |
| cidr_blocks = ["${aws_vpc.Demo_West.cidr_block}"] | |
| } | |
| # Outbound access | |
| egress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "-1" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| tags { | |
| Name = "StrongSwan_West" | |
| managed_by_terraform = true | |
| } | |
| } | |
| resource "aws_security_group" "StrongSwan_East" { | |
| provider = "aws.east" | |
| name = "StrongSwan-East" | |
| vpc_id = "${aws_vpc.Demo_East.id}" | |
| # Allow ALL traffic from within the VPC through the strongswan instance | |
| ingress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "-1" | |
| cidr_blocks = ["${aws_vpc.Demo_East.cidr_block}"] | |
| } | |
| # Outbound access | |
| egress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "-1" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| tags { | |
| Name = "StrongSwan_East" | |
| managed_by_terraform = true | |
| } | |
| } | |
| resource "aws_eip" "StrongSwan_West_EIP" { | |
| instance = "${aws_instance.StrongSwan_Instance_West.id}" | |
| vpc = true | |
| } | |
| # Elastic IP for the East VPN Instance | |
| resource "aws_eip" "StrongSwan_East_EIP" { | |
| provider = "aws.east" | |
| instance = "${aws_instance.StrongSwan_Instance_East.id}" | |
| vpc = true | |
| } | |
| # Adding the ingress rules to the VPN security groups to allow UDP traffic between the two VPN instances | |
| resource "aws_security_group_rule" "udp_4500_from_us_east_1" { | |
| type = "ingress" | |
| from_port = 4500 | |
| to_port = 4500 | |
| protocol = "udp" | |
| cidr_blocks = ["${aws_eip.StrongSwan_East_EIP.public_ip}/32"] | |
| security_group_id = "${aws_security_group.StrongSwan_West.id}" | |
| } | |
| resource "aws_security_group_rule" "udp_4500_from_us_west_1" { | |
| provider = "aws.east" | |
| type = "ingress" | |
| from_port = 4500 | |
| to_port = 4500 | |
| protocol = "udp" | |
| cidr_blocks = ["${aws_eip.StrongSwan_West_EIP.public_ip}/32"] | |
| security_group_id = "${aws_security_group.StrongSwan_East.id}" | |
| } | |
| resource "aws_security_group_rule" "udp_500_from_us_east_1" { | |
| type = "ingress" | |
| from_port = 500 | |
| to_port = 500 | |
| protocol = "udp" | |
| cidr_blocks = ["${aws_eip.StrongSwan_East_EIP.public_ip}/32"] | |
| security_group_id = "${aws_security_group.StrongSwan_West.id}" | |
| } | |
| resource "aws_security_group_rule" "udp_500_from_us_west_1" { | |
| provider = "aws.east" | |
| type = "ingress" | |
| from_port = 500 | |
| to_port = 500 | |
| protocol = "udp" | |
| cidr_blocks = ["${aws_eip.StrongSwan_West_EIP.public_ip}/32"] | |
| security_group_id = "${aws_security_group.StrongSwan_East.id}" | |
| } | |
| # # # # # # # | |
| # Instances # | |
| # # # # # # # | |
| resource "aws_instance" "StrongSwan_Instance_West" { | |
| # AMI for "CentOS 7 (x86_64) - with Updates HVM" | |
| ami = "ami-af4333cf" | |
| instance_type = "t2.small" | |
| subnet_id = "${aws_subnet.Demo_vpn_west.id}" | |
| source_dest_check = false | |
| key_name = "REDACTED" | |
| vpc_security_group_ids = ["${aws_security_group.StrongSwan_West.id}"] | |
| tags { | |
| Name = "StrongSwan_Instance_West" | |
| managed_by_terraform = true | |
| } | |
| } | |
| resource "aws_instance" "StrongSwan_Instance_East" { | |
| provider = "aws.east" | |
| # AMI for "CentOS 7 (x86_64) - with Updates HVM" | |
| ami = "ami-6d1c2007" | |
| instance_type = "t2.small" | |
| subnet_id = "${aws_subnet.Demo_vpn_east.id}" | |
| source_dest_check = false | |
| key_name = "REDACTED" | |
| vpc_security_group_ids = ["${aws_security_group.StrongSwan_East.id}"] | |
| tags { | |
| Name = "StrongSwan_Instance_East" | |
| managed_by_terraform = true | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment