@huynhbaoan
Last active December 19, 2024 02:00
Good.
Now to the routing in CloudWAN. The routing is described implicitly in two directions: from each VPC, we need a route to every other VPC.
- int to int do not go through fw
- anywhere to ext must go through ext fw
- anywhere to prot must go through prot fw
- prot can only be reached from int in the same environment.
- int and prot in NP can't communicate directly with int and prot in PROD; they must go through ext.
- anywhere from NP to PROD must go through segr fw.
Please confirm each route you can derive from the descriptions, listing them by VPC name.
Also, please list out the CloudWAN segments. Note that VPCs in different regions should be put in separate segments.
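As an added example (not part of the gist), the six routing rules above encoded once as a small Python model, so that the per-VPC route list and the segment list can be derived and checked instead of written by hand. The region names, VPC names and segment names are assumptions: "mel" comes from the naming used further down, "syd" is a constructed placeholder, and the segment layout (one segment per environment, region and role) is one reading of the rule that regions must not share a segment. The SDWAN VPC has no routing rule in the notes and is left out. Pairs the rules do not constrain come back with an empty firewall set, and uncovered_pairs() lists them so they can be decided on before they turn into policy.

```python
"""Model of the CloudWAN routing rules in the notes above (added example).

Each rule is encoded once in required_firewalls(); everything else is derived
from it: the route list per VPC, the segment list, and the ordered VPC pairs
that the rules leave without any firewall requirement.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Tuple

ROLES = ("int", "ext", "prot")  # roles named in the notes; SDWAN has no rule, so it is omitted
ENVS = ("NP", "PROD")
REGIONS = ("mel", "syd")        # assumption: "mel" is from the notes, "syd" is a constructed placeholder


@dataclass(frozen=True)
class Vpc:
    env: str
    role: str
    region: str

    @property
    def name(self) -> str:
        # Assumed naming, in the style of "mel-vpc-attachment" used in the notes.
        return f"{self.region}-{self.env.lower()}-{self.role}-vpc"


def all_vpcs() -> List[Vpc]:
    return [Vpc(env, role, region) for env, role, region in product(ENVS, ROLES, REGIONS)]


def segment_for(vpc: Vpc) -> str:
    """Assumed segment layout: one segment per (env, region, role), so VPCs in
    different regions never share a segment, as the notes require."""
    return f"{vpc.env.lower()}-{vpc.region}-{vpc.role}"


def required_firewalls(src: Vpc, dst: Vpc) -> Optional[FrozenSet[str]]:
    """Firewalls the src -> dst route must traverse, or None if the rules deny the route."""
    if src == dst:
        raise ValueError("a VPC does not route to itself")
    same_env = src.env == dst.env
    # prot can only be reached from int in the same environment
    if dst.role == "prot" and not (src.role == "int" and same_env):
        return None
    fws = set()
    if dst.role == "ext":                      # anywhere to ext must go through the ext fw
        fws.add("ext-fw")
    if dst.role == "prot":                     # anywhere to prot must go through the prot fw
        fws.add("prot-fw")
    if not same_env and src.role in ("int", "prot") and dst.role in ("int", "prot"):
        fws.add("ext-fw")                      # int/prot never reach the other environment directly
    if src.env == "NP" and dst.env == "PROD":  # anywhere from NP to PROD goes through the segr fw
        fws.add("segr-fw")
    # int -> int inside one environment falls through with an empty set: no firewall
    return frozenset(fws)


def routes_from(src: Vpc) -> Dict[str, str]:
    """Route list for one VPC, keyed by destination VPC name, as the notes ask for."""
    table: Dict[str, str] = {}
    for dst in all_vpcs():
        if dst == src:
            continue
        fws = required_firewalls(src, dst)
        if fws is None:
            table[dst.name] = "denied"
        elif not fws:
            table[dst.name] = "direct"
        else:
            table[dst.name] = "via " + ", ".join(sorted(fws))
    return table


def uncovered_pairs() -> List[Tuple[str, str]]:
    """Ordered pairs allowed with no firewall that are not the int -> int
    same-environment case the notes explicitly permit; these still need a decision."""
    out = []
    for src, dst in product(all_vpcs(), repeat=2):
        if src == dst:
            continue
        fws = required_firewalls(src, dst)
        int_to_int = src.role == dst.role == "int" and src.env == dst.env
        if fws is not None and not fws and not int_to_int:
            out.append((src.name, dst.name))
    return out


def segments() -> Dict[str, List[str]]:
    """CloudWAN segments and the VPCs attached to each."""
    out: Dict[str, List[str]] = {}
    for vpc in all_vpcs():
        out.setdefault(segment_for(vpc), []).append(vpc.name)
    return out


if __name__ == "__main__":
    for seg, members in segments().items():
        print(f"segment {seg}: {', '.join(members)}")
    for src in all_vpcs():
        print(f"\nroutes from {src.name}:")
        for dst_name, how in routes_from(src).items():
            print(f"  -> {dst_name}: {how}")
    print("\npairs the notes leave unconstrained:")
    for s, d in uncovered_pairs():
        print(f"  {s} -> {d}")
```

Running it prints the segment list, one route list per VPC, and the pairs the rules say nothing about (for instance ext to int inside one environment). The notes do not say in which order a route crosses two firewalls, so the model reports a set of firewalls rather than an ordered path.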
We have directories like this:
CloudWAN
--> VPC tf files
--> EC2 tf files
--> modules
    --> Computer VPC
    --> Firewall VPC
    --> EC2
The EC2 instances are inside the int VPC, ext VPC, prot VPC and SDWAN VPC. They are there to ping each other, to ensure the routing is correct.
EC2 and VPC are written as modules, put inside the modules directory. The Firewall VPC has 6 subnets in total, 2 in each AZ: one transport subnet and one firewall subnet.
Below are the VPC and EC2 module, and how we call them.
[EC2]
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0.0"
    }
  }
}

# Security Group
resource "aws_security_group" "ec2_sg" {
  name_prefix = "${var.instance_name}-sg-"
  description = "Security group for EC2 instance"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["172.16.0.0/16"]
    description = "Allow SSH from internal network"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow all outbound traffic"
  }

  tags = {
    Name                  = "${var.instance_name}-sg"
    LDAPAuthGroup         = "NA"
    CostCentre            = "V_HIPServices"
    ApplicationID         = "APP-18672"
    Environment           = "SIT"
    SecurityAgentRequired = "no"
  }
}

# EC2 Instance
resource "aws_instance" "ec2_instance" {
  ami           = var.ami_id
  instance_type = var.instance_type
  subnet_id     = var.subnet_id
  # monitoring = true # Detailed monitoring disabled since we only use the instance for testing.
  vpc_security_group_ids = [aws_security_group.ec2_sg.id]

  root_block_device {
    volume_size = var.volume_size
    volume_type = "gp3"
    encrypted   = true
  }

  tags = {
    Name                  = var.instance_name
    LDAPAuthGroup         = "NA"
    CostCentre            = "V_HIPServices"
    ApplicationID         = "APP-18672"
    Environment           = "SIT"
    SecurityAgentRequired = "no"
  }
}
[Computer VPC]
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0.0"
    }
  }
}

# Internal VPC
resource "aws_vpc" "vpc" {
  cidr_block                           = var.vpc-cidr-block
  enable_dns_hostnames                 = true
  enable_dns_support                   = true
  instance_tenancy                     = "default"
  enable_network_address_usage_metrics = true

  tags = {
    Name = var.nametag
  }

  lifecycle {
    ignore_changes = [tags.Name]
  }
}

data "aws_security_group" "default_vpc_security_group" {
  filter {
    name   = "vpc-id"
    values = [aws_vpc.vpc.id]
  }
  filter {
    name   = "group-name"
    values = ["default"]
  }
}

# 3 Subnets in the VPC above, one per AZ
resource "aws_subnet" "subnet_a" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.subnet-a-cidr
  availability_zone       = "${var.region}a"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-a"
  }
}

resource "aws_subnet" "subnet_b" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.subnet-b-cidr
  availability_zone       = "${var.region}b"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-b"
  }
}

resource "aws_subnet" "subnet_c" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.subnet-c-cidr
  availability_zone       = "${var.region}c"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-c"
  }
}

# 1 Route Table shared by all subnets of the VPC
resource "aws_route_table" "route_table" {
  vpc_id = aws_vpc.vpc.id
  tags = {
    Name = "${var.nametag}-route-table"
  }
}

# Route table association to all subnets
resource "aws_route_table_association" "route_table_association_a" {
  subnet_id      = aws_subnet.subnet_a.id
  route_table_id = aws_route_table.route_table.id
}

resource "aws_route_table_association" "route_table_association_b" {
  subnet_id      = aws_subnet.subnet_b.id
  route_table_id = aws_route_table.route_table.id
}

resource "aws_route_table_association" "route_table_association_c" {
  subnet_id      = aws_subnet.subnet_c.id
  route_table_id = aws_route_table.route_table.id
}

# Default NACL
resource "aws_default_network_acl" "default_nacl" {
  default_network_acl_id = aws_vpc.vpc.default_network_acl_id
  subnet_ids             = [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id, aws_subnet.subnet_c.id]

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags = {
    Name = "${var.nametag}-default-nacl"
  }
}
[Firewall VPC]
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0.0"
    }
  }
}

# Firewall VPC
resource "aws_vpc" "vpc" {
  cidr_block                           = var.vpc-cidr-block
  enable_dns_hostnames                 = true
  enable_dns_support                   = true
  instance_tenancy                     = "default"
  enable_network_address_usage_metrics = true

  tags = {
    Name = var.nametag
  }

  lifecycle {
    ignore_changes = [tags.Name]
  }
}

data "aws_security_group" "default_vpc_security_group" {
  filter {
    name   = "vpc-id"
    values = [aws_vpc.vpc.id]
  }
  filter {
    name   = "group-name"
    values = ["default"]
  }
}

# 1 Route Table for all Firewall subnets
resource "aws_route_table" "firewall_route_table" {
  vpc_id = aws_vpc.vpc.id
  tags = {
    Name = "${var.nametag}-fw-route-table"
  }
}

# Dedicated Route Table per transport subnet (one per AZ)
resource "aws_route_table" "transport_route_table_a" {
  vpc_id = aws_vpc.vpc.id
  tags = {
    Name = "${var.nametag}-transport-rt-a"
  }
}

resource "aws_route_table" "transport_route_table_b" {
  vpc_id = aws_vpc.vpc.id
  tags = {
    Name = "${var.nametag}-transport-rt-b"
  }
}

resource "aws_route_table" "transport_route_table_c" {
  vpc_id = aws_vpc.vpc.id
  tags = {
    Name = "${var.nametag}-transport-rt-c"
  }
}

# 6 Subnets in the VPC above: one transport and one firewall subnet per AZ
resource "aws_subnet" "transport_subnet_a" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.transport-a-cidr
  availability_zone       = "${var.region}a"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-transport-a"
  }
}

resource "aws_subnet" "transport_subnet_b" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.transport-b-cidr
  availability_zone       = "${var.region}b"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-transport-b"
  }
}

resource "aws_subnet" "transport_subnet_c" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.transport-c-cidr
  availability_zone       = "${var.region}c"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-transport-c"
  }
}

resource "aws_subnet" "firewall_subnet_a" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.firewall-a-cidr
  availability_zone       = "${var.region}a"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-a"
  }
}

resource "aws_subnet" "firewall_subnet_b" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.firewall-b-cidr
  availability_zone       = "${var.region}b"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-b"
  }
}

resource "aws_subnet" "firewall_subnet_c" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = var.firewall-c-cidr
  availability_zone       = "${var.region}c"
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.nametag}-c"
  }
}

# Route table association to subnets
resource "aws_route_table_association" "transport_route_table_association_a" {
  subnet_id      = aws_subnet.transport_subnet_a.id
  route_table_id = aws_route_table.transport_route_table_a.id
}

resource "aws_route_table_association" "transport_route_table_association_b" {
  subnet_id      = aws_subnet.transport_subnet_b.id
  route_table_id = aws_route_table.transport_route_table_b.id
}

resource "aws_route_table_association" "transport_route_table_association_c" {
  subnet_id      = aws_subnet.transport_subnet_c.id
  route_table_id = aws_route_table.transport_route_table_c.id
}

resource "aws_route_table_association" "firewall_route_table_association_a" {
  subnet_id      = aws_subnet.firewall_subnet_a.id
  route_table_id = aws_route_table.firewall_route_table.id
}

resource "aws_route_table_association" "firewall_route_table_association_b" {
  subnet_id      = aws_subnet.firewall_subnet_b.id
  route_table_id = aws_route_table.firewall_route_table.id
}

resource "aws_route_table_association" "firewall_route_table_association_c" {
  subnet_id      = aws_subnet.firewall_subnet_c.id
  route_table_id = aws_route_table.firewall_route_table.id
}

# Default NACL
resource "aws_default_network_acl" "default_nacl" {
  default_network_acl_id = aws_vpc.vpc.default_network_acl_id
  subnet_ids = [
    aws_subnet.transport_subnet_a.id,
    aws_subnet.transport_subnet_b.id,
    aws_subnet.transport_subnet_c.id,
    aws_subnet.firewall_subnet_a.id,
    aws_subnet.firewall_subnet_b.id,
    aws_subnet.firewall_subnet_c.id,
  ]

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags = {
    Name = "${var.nametag}-default-nacl"
  }
}
I'm not sure how to arrange the other CloudWAN components, so please advise on the directory structure first. I prefer using modules for the CloudWAN components, and splitting the tf files at the top level by resource type. Put them into 2 directories by environment: nonprod and prod. Do not use any child directory for the top-level tf files. Use naming to distinguish resources inside an environment, like mel-vpc-attachment, mel-cloudwan-policy, and so on.
If it is all good, I will confirm, then we go one-by-one with the code.