Moved to the blog.
Last active
February 11, 2022 17:18
-
-
Save okelet/f4bf0643c166d8c7033037daffb51972 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_providers { | |
| aws = { | |
| source = "hashicorp/aws" | |
| } | |
| } | |
| } | |
| data "aws_region" "current" {} | |
| data "aws_availability_zones" "available" { | |
| state = "available" | |
| } | |
| variable "key_pair" { | |
| type = string | |
| default = null | |
| } | |
| variable "create_endpoints" { | |
| type = bool | |
| default = false | |
| } | |
| module "vpc" { | |
| source = "terraform-aws-modules/vpc/aws" | |
| name = "privatelink-test-vpc" | |
| cidr = "10.0.0.0/16" | |
| azs = slice(data.aws_availability_zones.available.names, 0, 2) | |
| private_subnets = ["10.0.1.0/24", "10.0.2.0/24"] | |
| public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] | |
| enable_vpn_gateway = true | |
| enable_dns_hostnames = true | |
| enable_dns_support = true | |
| tags = { | |
| Terraform = "true" | |
| Environment = "dev" | |
| } | |
| } | |
| data "aws_ami" "amazon_linux_2" { | |
| most_recent = true | |
| owners = ["amazon"] | |
| filter { | |
| name = "name" | |
| values = ["amzn2-ami-hvm-*-x86_64-ebs"] | |
| } | |
| } | |
| resource "aws_security_group" "allow_all" { | |
| name = "allow_all" | |
| vpc_id = module.vpc.vpc_id | |
| ingress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "ALL" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| egress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "ALL" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| } | |
| resource "aws_security_group" "allow_ssh" { | |
| name = "allow_ssh" | |
| vpc_id = module.vpc.vpc_id | |
| ingress { | |
| from_port = 22 | |
| to_port = 22 | |
| protocol = "tcp" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| egress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "ALL" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| } | |
| resource "aws_security_group" "allow_http" { | |
| name = "allow_http" | |
| vpc_id = module.vpc.vpc_id | |
| ingress { | |
| from_port = 80 | |
| to_port = 80 | |
| protocol = "tcp" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| egress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "ALL" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| } | |
| resource "aws_iam_role" "instance_role" { | |
| name = "instance_role" | |
| assume_role_policy = <<-EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "ec2.amazonaws.com" | |
| }, | |
| "Effect": "Allow" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role_policy" "instance_policy" { | |
| name = "instance_policy" | |
| role = aws_iam_role.instance_role.id | |
| policy = <<-EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "s3:*" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "*" | |
| }, | |
| { | |
| "Action": [ | |
| "ec2:*" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "*" | |
| }, | |
| { | |
| "Action": [ | |
| "dynamodb:*" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "*" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_instance_profile" "instance_profile" { | |
| name = "instance_profile" | |
| role = aws_iam_role.instance_role.name | |
| } | |
| resource "aws_instance" "bastion" { | |
| ami = data.aws_ami.amazon_linux_2.id | |
| instance_type = "t3.micro" | |
| key_name = var.key_pair | |
| user_data = <<-EOF | |
| #!/bin/bash | |
| amazon-linux-extras install nginx1 -y | |
| systemctl enable nginx | |
| cp /usr/share/nginx/html/index.html{,.old} | |
| echo "Hello from $(hostname)" > /usr/share/nginx/html/index.html | |
| systemctl start nginx | |
| EOF | |
| associate_public_ip_address = true | |
| subnet_id = module.vpc.public_subnets[0] | |
| vpc_security_group_ids = [aws_security_group.allow_ssh.id, aws_security_group.allow_http.id] | |
| tags = { | |
| Name = "bastion" | |
| } | |
| } | |
| resource "aws_instance" "internal" { | |
| ami = data.aws_ami.amazon_linux_2.id | |
| instance_type = "t3.micro" | |
| iam_instance_profile = aws_iam_instance_profile.instance_profile.name | |
| key_name = var.key_pair | |
| subnet_id = module.vpc.private_subnets[0] | |
| vpc_security_group_ids = [aws_security_group.allow_ssh.id] | |
| tags = { | |
| Name = "internal" | |
| } | |
| } | |
| resource "aws_vpc_endpoint" "s3" { | |
| count = var.create_endpoints ? 1 : 0 | |
| vpc_id = module.vpc.vpc_id | |
| service_name = "com.amazonaws.${data.aws_region.current.name}.s3" | |
| route_table_ids = module.vpc.private_route_table_ids | |
| tags = { | |
| "Name" = "s3-gateway" | |
| } | |
| } | |
| resource "aws_vpc_endpoint" "ec2" { | |
| count = var.create_endpoints ? 1 : 0 | |
| vpc_id = module.vpc.vpc_id | |
| service_name = "com.amazonaws.${data.aws_region.current.name}.ec2" | |
| vpc_endpoint_type = "Interface" | |
| subnet_ids = module.vpc.private_subnets | |
| security_group_ids = [aws_security_group.allow_all.id] | |
| private_dns_enabled = true | |
| tags = { | |
| "Name" = "ec2-interface" | |
| } | |
| } | |
| output "bastion_public_ip" { | |
| value = aws_instance.bastion.public_ip | |
| } | |
| output "internal_private_ip" { | |
| value = aws_instance.internal.private_ip | |
| } | |
| output "private_route_tables" { | |
| value = module.vpc.private_route_table_ids | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment