VPC with public and private EC2 instances

bastion_vpc.tf

locals {
  common_tags = {
    Description = "VPC with public and private EC2 instances",
    Env         = "dev",
    Project     = "bastion-vpc"
  }
}

resource "aws_vpc" "ami_exp" {
  cidr_block                       = "10.0.0.0/16"
  enable_dns_hostnames             = true
  assign_generated_ipv6_cidr_block = false

  tags = local.common_tags
}

resource "aws_internet_gateway" "ami_exp" {
  vpc_id = aws_vpc.ami_exp.id
  tags   = local.common_tags
}

resource "aws_subnet" "restricted" {
  cidr_block              = cidrsubnet(aws_vpc.ami_exp.cidr_block, 8, 0)
  vpc_id                  = aws_vpc.ami_exp.id
  map_public_ip_on_launch = true
}

resource "aws_subnet" "open" {
  cidr_block              = cidrsubnet(aws_vpc.ami_exp.cidr_block, 8, 1)
  vpc_id                  = aws_vpc.ami_exp.id
  map_public_ip_on_launch = true
}

resource "aws_route_table" "internet" {
  vpc_id = aws_vpc.ami_exp.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.ami_exp.id
  }

  tags = local.common_tags
}

resource "aws_route_table_association" "open" {
  subnet_id      = aws_subnet.open.id
  route_table_id = aws_route_table.internet.id
}

resource "aws_route_table_association" "restricted" {
  subnet_id      = aws_subnet.restricted.id
  route_table_id = aws_route_table.internet.id
}

resource "aws_security_group" "allow_internal_ingress" {
  name   = "allow-internal-ingress"
  vpc_id = aws_vpc.ami_exp.id

  ingress {
    cidr_blocks = [aws_vpc.ami_exp.cidr_block]
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
  }

  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
  }
}

resource "aws_security_group" "allow_all" {
  name   = "allow-all"
  vpc_id = aws_vpc.ami_exp.id

  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
  }

  egress {
    cidr_blocks = ["0.0.0.0/0"]
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
  }
}

data "aws_ami" "arch" {
  owners      = ["093273469852"] # Uplink Labs
  most_recent = true

  filter {
    name   = "name"
    values = ["arch-linux-hvm-*"]
  }

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }
}

resource "aws_instance" "arch" {
  ami                    = data.aws_ami.arch.id
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.allow_all.id]
  subnet_id              = aws_subnet.open.id
  key_name               = aws_key_pair.fionn_cb_102.key_name
  tags                   = local.common_tags
}

resource "aws_instance" "arch_prime" {
  ami                    = data.aws_ami.arch.id
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.allow_internal_ingress.id]
  subnet_id              = aws_subnet.restricted.id
  key_name               = aws_key_pair.fionn_cb_102.key_name
  tags                   = local.common_tags
}

resource "aws_key_pair" "fionn_cb_102" {
  key_name   = "fionn-cb-102"
  public_key = file("~/.ssh/id_rsa.pub")
}

outputs.tf

output "arch" {
  description = "Instance IPs and hostname"
  value = {
    "public_ip"  = aws_instance.arch.public_ip
    "private_ip" = aws_instance.arch.private_ip
    "public_dns" = aws_instance.arch.public_dns
  }
}

output "arch_prime" {
  description = "Instance IPs and hostname"
  value = {
    "public_ip"  = aws_instance.arch_prime.public_ip
    "private_ip" = aws_instance.arch_prime.private_ip
    "public_dns" = aws_instance.arch_prime.public_dns
  }
}

provider.tf

provider "aws" {
  region              = var.aws_region
  allowed_account_ids = [var.aws_account_id]
  profile             = var.aws_profile
}

variables.tf

variable "aws_region" {
  type    = string
  default = "ap-northeast-1"
}

variable "aws_account_id" {
  type    = string
  default = "id"
}

variable "aws_profile" {
  type    = string
  default = "profile"
}