Created
January 14, 2025 02:27
-
-
Save rhemz/b2d3d7f61ef9a894492d97eeb2a60c99 to your computer and use it in GitHub Desktop.
vpc w/ fck-nat example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # variable definitions not provided, substitute your own values/vars | |
| provider "aws" { | |
| region = var.region | |
| } | |
| /* Network */ | |
| module "your-fancy-vpc" { | |
| source = "terraform-aws-modules/vpc/aws" | |
| name = var.name | |
| cidr = var.cidr | |
| azs = var.azs | |
| private_subnets = var.private_subnets | |
| private_subnet_names = var.private_subnet_names | |
| map_public_ip_on_launch = true | |
| public_subnets = var.public_subnets | |
| public_subnet_names = var.public_subnet_names | |
| database_subnets = var.database_subnets | |
| database_subnet_names = var.database_subnet_names | |
| enable_nat_gateway = false | |
| enable_vpn_gateway = false | |
| tags = { | |
| Terraform = "true" | |
| Environment = var.env | |
| } | |
| } | |
| /* fck-NAT Gateway */ | |
| resource "aws_security_group" "fck-nat" { | |
| count = var.fck_nat_enabled ? 1 : 0 | |
| name_prefix = "your-fancy-vpc-${var.env}-nat-gateway" | |
| vpc_id = module.your-fancy-vpc.vpc_id | |
| description = "Security group for fck-NAT instance your-fancy-vpc-${var.env}" | |
| tags = local.nat_common_tags | |
| } | |
| resource "aws_security_group_rule" "fck-nat-egress-any" { | |
| count = var.fck_nat_enabled ? 1 : 0 | |
| security_group_id = aws_security_group.fck-nat[count.index].id | |
| type = "egress" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| from_port = 0 | |
| to_port = 65535 | |
| protocol = "all" | |
| } | |
| resource "aws_security_group_rule" "fck-nat-ingress-internal-any" { | |
| count = var.fck_nat_enabled ? 1 : 0 | |
| security_group_id = aws_security_group.fck-nat[count.index].id | |
| type = "ingress" | |
| cidr_blocks = module.your-fancy-vpc.private_subnets_cidr_blocks | |
| from_port = 0 | |
| to_port = 65535 | |
| protocol = "all" | |
| } | |
| resource "aws_security_group_rule" "fck-nat-ingress-external-ssh" { | |
| count = var.fck_nat_enabled && var.fck_nat_bastion_enabled ? 1 : 0 | |
| security_group_id = aws_security_group.fck-nat[count.index].id | |
| type = "ingress" | |
| cidr_blocks = var.fck_nat_bastion_cidrs | |
| from_port = 22 | |
| to_port = 22 | |
| protocol = "tcp" | |
| } | |
| data "aws_ec2_instance_type" "fck-nat" { | |
| count = var.fck_nat_enabled ? 1 : 0 | |
| instance_type = var.fck_nat_instance_type | |
| } | |
| # Grab the latest fck-nat AMI | |
| data "aws_ami" "fck-nat" { | |
| count = var.fck_nat_enabled ? 1 : 0 | |
| most_recent = true | |
| owners = ["568608671756"] # packer/fck-nat-public-all-regions.pkrvars.hcl | |
| filter { | |
| name = "architecture" | |
| values = data.aws_ec2_instance_type.fck-nat[count.index].supported_architectures | |
| } | |
| filter { | |
| name = "name" | |
| values = ["fck-nat-amzn2-*"] | |
| } | |
| } | |
| resource "aws_network_interface" "fck-nat" { | |
| count = var.fck_nat_enabled ? 1 : 0 | |
| subnet_id = module.your-fancy-vpc.public_subnets[0] | |
| security_groups = [aws_security_group.fck-nat[count.index].id] | |
| tags = local.nat_common_tags | |
| source_dest_check = false | |
| } | |
| resource "aws_launch_template" "fck-nat" { | |
| count = var.fck_nat_enabled ? 1 : 0 | |
| name_prefix = "your-fancy-vpc-${var.env}-nat-gateway" | |
| image_id = data.aws_ami.fck-nat[count.index].id | |
| # key_name = "your-fancy-vpc-${var.env}-nat-gateway-key" | |
| key_name = var.fck_nat_key_name | |
| instance_type = var.fck_nat_instance_type | |
| description = "Launch template for your-fancy-vpc-${var.env}-nat-gateway" | |
| tags = local.nat_common_tags | |
| metadata_options { | |
| http_endpoint = "enabled" | |
| http_tokens = "required" | |
| } | |
| network_interfaces { | |
| # associate_public_ip_address = true | |
| network_interface_id = aws_network_interface.fck-nat[count.index].id | |
| } | |
| tag_specifications { | |
| resource_type = "instance" | |
| tags = local.nat_common_tags | |
| } | |
| monitoring { | |
| enabled = false | |
| } | |
| } | |
| resource "aws_autoscaling_group" "fck-nat" { | |
| count = var.fck_nat_enabled ? 1 : 0 | |
| # availability_zones = var.azs // only 1 ENI for now, error if ASG tries to create instance in a different AZ | |
| availability_zones = [var.azs[count.index]] | |
| desired_capacity = 1 | |
| max_size = 1 | |
| min_size = 1 | |
| launch_template { | |
| id = aws_launch_template.fck-nat[count.index].id | |
| version = "$Latest" | |
| } | |
| } | |
| # or, single instance for testing | |
| # resource "aws_instance" "fck-nat" { | |
| # count = var.fck_nat_enabled ? 1 : 0 | |
| # source_dest_check = false | |
| # launch_template { | |
| # id = aws_launch_template.fck-nat[count.index].id | |
| # version = "$Latest" | |
| # } | |
| # tags = local.nat_common_tags | |
| # } | |
| resource "aws_route" "fck-nat" { | |
| count = var.fck_nat_enabled ? length(module.your-fancy-vpc.private_route_table_ids) : 0 | |
| route_table_id = module.your-fancy-vpc.private_route_table_ids[count.index] | |
| destination_cidr_block = "0.0.0.0/0" | |
| network_interface_id = aws_network_interface.fck-nat[0].id | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment