Terraform 2 tier VPC with nat

terraform-2tier-vpc

# define some variables
variable "aws_ubuntu_ami" {
	default = "ami-972444ad"
}

variable "aws_keypair" {
	default = "xxxx"
}

# AWS account details
provider "aws" {
	access_key  = "xxxx"
	secret_key  = "xxxx"
	region      = "ap-southeast-2"
}

# VPC
resource "aws_vpc" "web_app" {
	cidr_block = "10.10.0.0/16"
}

# Web tier
resource "aws_internet_gateway" "web" {
	vpc_id = "${aws_vpc.web_app.id}"
}

resource "aws_subnet" "web_a" {
	vpc_id = "${aws_vpc.web_app.id}"
	
	cidr_block = "10.10.1.0/24"
	availability_zone = "ap-southeast-2a"
}

resource "aws_subnet" "web_b" {
	vpc_id = "${aws_vpc.web_app.id}"

	cidr_block = "10.10.2.0/24"
	availability_zone = "ap-southeast-2b"
}

resource "aws_route_table" "web" {
	vpc_id = "${aws_vpc.web_app.id}"

	route {
		cidr_block = "0.0.0.0/0"
		gateway_id = "${aws_internet_gateway.web.id}"
	}
}

resource "aws_route_table_association" "web_a" {
	subnet_id = "${aws_subnet.web_a.id}"
	route_table_id = "${aws_route_table.web.id}"
}

resource "aws_route_table_association" "web_b" {
	subnet_id = "${aws_subnet.web_b.id}"
	route_table_id = "${aws_route_table.web.id}"
}

resource "aws_instance" "web_a" {
	ami = "${var.aws_ubuntu_ami}"
	availability_zone = "ap-southeast-2a"
	instance_type = "t2.micro"
	security_groups = ["${aws_security_group.web_instance.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.web_a.id}"
}

resource "aws_instance" "web_b" {
	ami = "${var.aws_ubuntu_ami}"
	availability_zone = "ap-southeast-2b"
	instance_type = "t2.micro"
	security_groups = ["${aws_security_group.web_instance.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.web_b.id}"
}

resource "aws_instance" "nat" {
	ami = "ami-0154c73b"
	availability_zone = "ap-southeast-2a"
	instance_type = "t1.micro"
	security_groups = ["${aws_security_group.nat.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.web_a.id}"
}

resource "aws_eip" "nat" {
	instance = "${aws_instance.nat.id}"
	vpc = true
}

resource "aws_elb" "web" {
	name = "web-elb"
	subnets = ["${aws_subnet.web_a.id}","${aws_subnet.web_b.id}"]
	security_groups = ["${aws_security_group.web_elb.id}"]

	listener {
		instance_port = 80
		instance_protocol = "http"
		lb_port = 80
		lb_protocol = "http"
	}

	health_check {
		healthy_threshold = 2
		unhealthy_threshold = 2
		timeout = 3
		target = "HTTP:80/"
		interval = 30
	}

	instances = ["${aws_instance.web_a.id}","${aws_instance.web_b.id}"]
}

resource "aws_security_group" "web_elb" {
	name = "web elb"
	description = "Allow http internet traffic into elb"

	ingress {
		from_port = 80
		to_port = 80
		protocol = "tcp"
		cidr_blocks = ["0.0.0.0/0"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}

resource "aws_security_group" "web_instance" {
	name = "web instance"
	description = "Allow traffic from elb only"

	ingress {
		from_port = 80
		to_port = 80
		protocol = "tcp"
		security_groups = ["${aws_security_group.web_elb.id}"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}

resource "aws_security_group" "nat" {
	name = "nat instance"
	description = "Allow all TCP traffic from app tier"

	ingress {
		from_port = 0
		to_port = 65535
		protocol = "tcp"
		security_groups = ["${aws_security_group.app_instance.id}"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}

# Application tier
resource "aws_subnet" "app_a" {
	vpc_id = "${aws_vpc.web_app.id}"

	cidr_block = "10.10.3.0/24"
	availability_zone = "ap-southeast-2a"
}

resource "aws_subnet" "app_b" {
	vpc_id = "${aws_vpc.web_app.id}"

	cidr_block = "10.10.4.0/24"
	availability_zone = "ap-southeast-2b"
}

resource "aws_route_table" "app" {
	vpc_id = "${aws_vpc.web_app.id}"
	
	route {
		cidr_block = "0.0.0.0/0"
		instance_id = "${aws_instance.nat.id}"
	}
}

resource "aws_route_table_association" "app_a" {
	subnet_id = "${aws_subnet.app_a.id}"
	route_table_id = "${aws_route_table.app.id}"
}

resource "aws_route_table_association" "app_b" {
	subnet_id = "${aws_subnet.app_b.id}"
	route_table_id = "${aws_route_table.app.id}"
}

resource "aws_instance" "app_a" {
	ami = "${var.aws_ubuntu_ami}"
	availability_zone = "ap-southeast-2a"
	instance_type = "t2.micro"
	security_groups = ["${aws_security_group.app_instance.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.app_a.id}"
}

resource "aws_instance" "app_b" {
	ami = "${var.aws_ubuntu_ami}"
	availability_zone = "ap-southeast-2b"
	instance_type = "t2.micro"
	security_groups = ["${aws_security_group.app_instance.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.app_b.id}"
}

resource "aws_elb" "app" {
	name = "app-elb"
	subnets = ["${aws_subnet.app_a.id}","${aws_subnet.app_b.id}"]

	listener {
		instance_port = 8080
		instance_protocol = "tcp"
		lb_port = 8080
		lb_protocol = "tcp"
	}

	health_check {
		healthy_threshold = 2
		unhealthy_threshold = 2
		timeout = 3
		target = "TCP:8080"
		interval = 30
	}

	instances = ["${aws_instance.app_a.id}","${aws_instance.app_b.id}"]
}

resource "aws_security_group" "app_elb" {
	name = "app elb"
	description = "Allow traffic from web instances"

	ingress {
		from_port = 8080
		to_port = 8080
		protocol = "tcp"
		security_groups = ["${aws_security_group.web_instance.id}"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}

resource "aws_security_group" "app_instance" {
	name = "app instance"
	description = "Allow traffic from app elb"

	ingress {
		from_port = 8080
		to_port = 8080
		protocol = "tcp"
		security_groups = ["${aws_security_group.app_elb.id}"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}