# AWS credentials have no default on purpose: they are supplied at apply
# time (-var / tfvars) rather than committed with the configuration.
variable "access_key" {}
variable "secret_key" {}

# Region and availability zone the whole stack is placed in.
variable "region" {
  default = "ap-southeast-1"
}

variable "zone" {
  default = "ap-southeast-1a"
}

# Per-region lookup tables. Each is indexed with lookup(var.<name>, var.region)
# further down, so every table must carry an entry for any region used.

# Local path of the SSH private key used by connection blocks.
variable "key_paths" {
  default = {
    "us-east-1": "/Users/foobar/.ssh/foobar-us-east-1.pem",
    "ap-southeast-1": "/Users/foobar/.ssh/foobar-ap-southeast-1.pem",
  }
}

# Name of the EC2 key pair that matches the private key above.
variable "key_names" {
  default = {
    "us-east-1": "foobar-us-east-1",
    "ap-southeast-1": "foobar-ap-southeast-1",
  }
}

# Ubuntu image for web, app and bastion hosts.
variable "ubuntu_amis" {
  default = {
    "us-east-1": "ami-864d84ee",
    "ap-southeast-1": "ami-12356d40",
  }
}

# Amazon NAT image for the NAT instance.
variable "nat_amis" {
  default = {
    "us-east-1": "ami-ad227cc4",
    "ap-southeast-1": "ami-f22772a0",
  }
}
# Single AWS provider; all values come from the variables declared above.
provider "aws" {
  region     = "${var.region}"
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
}
###############################################################################
# VPC
###############################################################################
# One /16 VPC; the public (/20) and private (/19) subnets below are carved
# out of it.
resource "aws_vpc" "foobar" {
  cidr_block = "10.0.0.0/16"
}
# Internet gateway attached to the VPC; only the public route table uses it.
resource "aws_internet_gateway" "gateway" {
  vpc_id = "${aws_vpc.foobar.id}"
}
###############################################################################
# PUBLIC SUBNET
###############################################################################
# Public subnet: hosts the web, NAT and bastion instances, each of which
# gets a public IP.
resource "aws_subnet" "public_1" {
  cidr_block        = "10.0.32.0/20"
  availability_zone = "${var.zone}"
  vpc_id            = "${aws_vpc.foobar.id}"
}
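# Route table for the public subnet.
resource "aws_route_table" "public_1" {
  vpc_id = "${aws_vpc.foobar.id}"

  # Default route: anything not local to the VPC leaves via the Internet
  # gateway. The destination has to be 0.0.0.0/0 -- the previous
  # "10.0.0.0/0" is not a valid default route, so Internet-bound traffic
  # from this subnet had no matching route.
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.gateway.id}"
  }
}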
# Bind the public route table to the public subnet.
resource "aws_route_table_association" "public_1" {
  route_table_id = "${aws_route_table.public_1.id}"
  subnet_id      = "${aws_subnet.public_1.id}"
}
# Inbound HTTP/HTTPS from anywhere. Attached to web_1 and also used as the
# *source* of allow_public_all, so app hosts only accept traffic from web hosts.
resource "aws_security_group" "allow_web" {
  vpc_id      = "${aws_vpc.foobar.id}"
  name        = "allow_web"
  description = "allow web"

  # HTTP
  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  # HTTPS
  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Public-facing web host. Reachable on 80/443 from the Internet (allow_web)
# and on 22 only from the bastion (allow_bastion_ssh).
resource "aws_instance" "web_1" {
  ami                         = "${lookup(var.ubuntu_amis, var.region)}"
  instance_type               = "t2.micro"
  key_name                    = "${lookup(var.key_names, var.region)}"
  subnet_id                   = "${aws_subnet.public_1.id}"
  associate_public_ip_address = true

  # NOTE(review): these are security-group ids; newer AWS provider versions
  # expect vpc_security_group_ids for instances inside a VPC -- confirm
  # against the Terraform version in use.
  security_groups = [
    "${aws_security_group.allow_web.id}",
    "${aws_security_group.allow_bastion_ssh.id}",
  ]

  # No provisioner is declared on this instance, so the connection block is
  # currently unused.
  connection {
    user     = "ubuntu"
    key_file = "${lookup(var.key_paths, var.region)}"
  }
}
###############################################################################
# PRIVATE SUBNET
###############################################################################
# Private subnet: app instances live here and reach the Internet only via
# the NAT instance.
resource "aws_subnet" "private_1" {
  cidr_block        = "10.0.0.0/19"
  availability_zone = "${var.zone}"
  vpc_id            = "${aws_vpc.foobar.id}"
}
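# Route table for the private subnet.
resource "aws_route_table" "private_1" {
  vpc_id = "${aws_vpc.foobar.id}"

  # Default route through the NAT instance (which has source_dest_check
  # disabled). The destination must be 0.0.0.0/0; the previous
  # "10.0.0.0/0" is not a valid default route, so outbound traffic from the
  # private subnet had no matching route.
  route {
    cidr_block  = "0.0.0.0/0"
    instance_id = "${aws_instance.nat_1.id}"
  }
}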
# Bind the private route table to the private subnet.
resource "aws_route_table_association" "private_1" {
  route_table_id = "${aws_route_table.private_1.id}"
  subnet_id      = "${aws_subnet.private_1.id}"
}
# All TCP and UDP ports, but only from members of the allow_web group
# (i.e. the web hosts) -- not from arbitrary public addresses, despite the name.
resource "aws_security_group" "allow_public_all" {
  vpc_id      = "${aws_vpc.foobar.id}"
  name        = "allow_public_all"
  description = "allow public all"

  ingress {
    protocol        = "udp"
    from_port       = 0
    to_port         = 65535
    security_groups = ["${aws_security_group.allow_web.id}"]
  }

  ingress {
    protocol        = "tcp"
    from_port       = 0
    to_port         = 65535
    security_groups = ["${aws_security_group.allow_web.id}"]
  }
}
# All TCP and UDP ports from addresses inside the private subnet
# (10.0.0.0/19, the CIDR of aws_subnet.private_1).
resource "aws_security_group" "allow_private_all" {
  vpc_id      = "${aws_vpc.foobar.id}"
  name        = "allow_private_all"
  description = "allow private all"

  ingress {
    protocol    = "tcp"
    from_port   = 0
    to_port     = 65535
    cidr_blocks = ["10.0.0.0/19"]
  }

  ingress {
    protocol    = "udp"
    from_port   = 0
    to_port     = 65535
    cidr_blocks = ["10.0.0.0/19"]
  }
}
# SSH only from members of the bastion security group. Attached to every
# non-bastion instance so that 22 is never opened to a CIDR range on them.
resource "aws_security_group" "allow_bastion_ssh" {
  vpc_id      = "${aws_vpc.foobar.id}"
  name        = "allow_bastion_ssh"
  description = "allow ssh"

  ingress {
    protocol        = "tcp"
    from_port       = 22
    to_port         = 22
    security_groups = ["${aws_security_group.bastion.id}"]
  }
}
# App host in the private subnet: no public IP, inbound only from web hosts,
# the private subnet and the bastion.
resource "aws_instance" "app_1" {
  ami           = "${lookup(var.ubuntu_amis, var.region)}"
  instance_type = "t2.micro"
  key_name      = "${lookup(var.key_names, var.region)}"
  subnet_id     = "${aws_subnet.private_1.id}"

  # NOTE(review): security-group ids; newer AWS provider versions expect
  # vpc_security_group_ids for VPC instances -- confirm against the
  # Terraform version in use.
  security_groups = [
    "${aws_security_group.allow_bastion_ssh.id}",
    "${aws_security_group.allow_public_all.id}",
    "${aws_security_group.allow_private_all.id}",
  ]

  # No provisioner is declared here, so the connection block is unused;
  # a direct connection would also need to go through the bastion.
  connection {
    user     = "ubuntu"
    key_file = "${lookup(var.key_paths, var.region)}"
  }
}
###############################################################################
# NAT
###############################################################################
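# Security group for the NAT instance. Uses the same `ingress {` block
# syntax as the other groups in this file (was `ingress = {`).
resource "aws_security_group" "nat" {
  vpc_id      = "${aws_vpc.foobar.id}"
  name        = "nat"
  description = "nat security group"

  # The NAT only has to accept the traffic it forwards for the private
  # subnet (10.0.0.0/19, aws_subnet.private_1). The previous 0.0.0.0/0
  # source also exposed 80/443 on the NAT's public IP to the Internet,
  # which nothing in this stack relies on.
  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["10.0.0.0/19"]
  }

  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["10.0.0.0/19"]
  }
}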
# NAT instance in the public subnet; the private route table points its
# default route at this instance.
resource "aws_instance" "nat_1" {
  ami                         = "${lookup(var.nat_amis, var.region)}"
  instance_type               = "t1.micro"
  key_name                    = "${lookup(var.key_names, var.region)}"
  subnet_id                   = "${aws_subnet.public_1.id}"
  associate_public_ip_address = true

  # Required for a NAT: the instance forwards packets that are neither
  # from nor to its own address.
  source_dest_check = false

  # NOTE(review): security-group ids; newer AWS provider versions expect
  # vpc_security_group_ids for VPC instances -- confirm against the
  # Terraform version in use.
  security_groups = [
    "${aws_security_group.nat.id}",
    "${aws_security_group.allow_bastion_ssh.id}",
  ]
}
###############################################################################
# BASTION
###############################################################################
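# Source range allowed to SSH to the bastion. The default keeps the
# original any-source behaviour; pass a narrower range (an admin/office
# egress CIDR) at apply time to limit exposure of port 22.
variable "bastion_ssh_cidr" {
  default = "0.0.0.0/0"
}

# Security group for the bastion host. Membership of this group is what
# allow_bastion_ssh trusts, so only the bastion instance should carry it.
# Uses the same `ingress {` block syntax as the other groups in this file
# (was `ingress = {`).
resource "aws_security_group" "bastion" {
  vpc_id      = "${aws_vpc.foobar.id}"
  name        = "bastion"
  description = "bastion security group"

  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["${var.bastion_ssh_cidr}"]
  }
}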
# Bastion host: the only instance whose port 22 is reachable from outside
# the VPC. SSH to web/app/NAT hosts goes through it.
resource "aws_instance" "bastion_1" {
  ami                         = "${lookup(var.ubuntu_amis, var.region)}"
  instance_type               = "t2.micro"
  key_name                    = "${lookup(var.key_names, var.region)}"
  subnet_id                   = "${aws_subnet.public_1.id}"
  associate_public_ip_address = true

  # NOTE(review): security-group id; newer AWS provider versions expect
  # vpc_security_group_ids for VPC instances -- confirm against the
  # Terraform version in use.
  security_groups = ["${aws_security_group.bastion.id}"]

  # Used by the remote-exec provisioner below.
  connection {
    user     = "ubuntu"
    key_file = "${lookup(var.key_paths, var.region)}"
  }

  # Install and start fail2ban on first boot to rate-limit SSH brute force.
  provisioner "remote-exec" {
    inline = [
      "sudo apt-get -y install fail2ban",
      "sudo service fail2ban start",
    ]
  }
}
# Addresses printed after apply. bastion_1 and web_1 expose public IPs;
# app_1 has no public IP, so its private address is reported instead.
output "bastion_1" {
  value = "${aws_instance.bastion_1.public_ip}"
}

output "web_1" {
  value = "${aws_instance.web_1.public_ip}"
}

output "app_1" {
  value = "${aws_instance.app_1.private_ip}"
}