# The VPC itself. All addressing choices (explicit CIDR vs. IPAM pool, IPv4 and
# IPv6) are passed straight through from module variables.
resource "aws_vpc" "this" {
  # IPv4 addressing
  cidr_block          = var.cidr_block
  ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
  ipv4_netmask_length = var.ipv4_netmask_length

  # IPv6 addressing
  assign_generated_ipv6_cidr_block     = var.assign_generated_ipv6_cidr_block
  ipv6_cidr_block                      = var.ipv6_cidr_block
  ipv6_ipam_pool_id                    = var.ipv6_ipam_pool_id
  ipv6_netmask_length                  = var.ipv6_netmask_length
  ipv6_cidr_block_network_border_group = var.ipv6_cidr_block_network_border_group

  # Tenancy, DNS and address-usage metrics
  instance_tenancy                     = var.instance_tenancy
  enable_dns_support                   = var.enable_dns_support
  enable_dns_hostnames                 = var.enable_dns_hostnames
  enable_network_address_usage_metrics = var.enable_network_address_usage_metrics

  # merge() keeps the last value for a duplicate key, so a Name in var.tags
  # overrides the generated one.
  tags = merge({ Name = var.name }, var.tags)
}
# Optional internet gateway. The variable name keeps its existing (misspelled)
# form because it is part of the module's public interface.
resource "aws_internet_gateway" "this" {
  count = var.create_internet_geteway ? 1 : 0

  vpc_id = aws_vpc.this.id

  # A Name in var.tags wins over local.internet_gateway_name.
  tags = merge({ Name = local.internet_gateway_name }, var.tags)
}
# One subnet per entry of local.subnet_map; the map key is reused by the route
# table, route and association resources below to line everything up.
resource "aws_subnet" "this" {
  for_each = local.subnet_map

  vpc_id            = aws_vpc.this.id
  availability_zone = each.value.availability_zone

  # IPv4
  cidr_block              = each.value.cidr_block
  map_public_ip_on_launch = each.value.map_public_ip_on_launch

  # IPv6
  ipv6_native                     = each.value.ipv6_native
  ipv6_cidr_block                 = each.value.ipv6_cidr_block
  assign_ipv6_address_on_creation = each.value.assign_ipv6_address_on_creation
  enable_dns64                    = each.value.enable_dns64

  # Resource-name DNS records for instances launched here
  enable_resource_name_dns_a_record_on_launch    = each.value.enable_resource_name_dns_a_record_on_launch
  enable_resource_name_dns_aaaa_record_on_launch = each.value.enable_resource_name_dns_aaaa_record_on_launch

  tags = merge({ Name = each.value.name }, var.tags)
}
# One Elastic IP per NAT gateway, keyed like local.nat_gateway_data so the
# NAT gateway can look its address up with each.value.key.
resource "aws_eip" "nat_gw" {
  for_each = local.nat_gateway_data

  tags = merge({ Name = "${each.key}-eip" }, var.tags)

  # NOTE(review): no domain/vpc argument is set, so the provider default
  # applies — confirm it yields a VPC-scoped address for the provider version
  # this module pins.
  depends_on = [aws_internet_gateway.this]
}
# NAT gateways, re-keyed by nat_gateway_name so that aws_route.nat can index
# this resource by the name stored in local.nat_gw_routes.
resource "aws_nat_gateway" "this" {
  for_each = { for gw in values(local.nat_gateway_data) : gw.nat_gateway_name => gw }

  # gw.key is the original local.nat_gateway_data key, shared with the EIP and
  # subnet maps.
  allocation_id = aws_eip.nat_gw[each.value.key].id
  subnet_id     = aws_subnet.this[each.value.key].id

  tags = merge({ Name = "${each.value.availability_zone}-ngw" }, var.tags)

  # The gateway is only reachable once the VPC has an internet gateway.
  depends_on = [aws_internet_gateway.this]
}
# Creates one Route table for each Subnet, keyed like local.subnet_map.
resource "aws_route_table" "this" {
  for_each = local.subnet_map

  vpc_id = aws_vpc.this.id

  tags = merge(
    {
      # "<subnet>-public-route" when the subnet is attached to the internet
      # gateway, "<subnet>-private-route" otherwise.
      Name = format(
        "%s-%s-route",
        each.value.name,
        each.value.attach_internet_gateway ? "public" : "private",
      )
    },
    var.tags,
  )
}
# Default IPv4 route through a NAT gateway for each entry of
# local.nat_gw_routes (keyed by subnet key, value names the NAT gateway).
resource "aws_route" "nat" {
  for_each = local.nat_gw_routes

  route_table_id         = aws_route_table.this[each.key].id
  nat_gateway_id         = aws_nat_gateway.this[each.value.nat_gateway_name].id
  destination_cidr_block = "0.0.0.0/0"
}
# Default IPv4 route through the internet gateway for each public subnet
# listed in local.internet_gw_routes.
resource "aws_route" "internet_gw" {
  for_each = local.internet_gw_routes

  route_table_id         = aws_route_table.this[each.key].id
  destination_cidr_block = "0.0.0.0/0"
  # NOTE(review): indexes [0] unconditionally; if local.internet_gw_routes can
  # be non-empty while var.create_internet_geteway is false this fails at plan
  # time — confirm the locals guard that.
  gateway_id = aws_internet_gateway.this[0].id
}
# Binds every subnet to its own route table (same key in both maps).
resource "aws_route_table_association" "this" {
  for_each = local.subnet_map

  route_table_id = aws_route_table.this[each.key].id
  subnet_id      = aws_subnet.this[each.key].id
}
# Extra routes from local.additional_routes_map. each.value.key selects the
# subnet's route table; each.value.type selects which target receives
# each.value.id, every other target stays null.
resource "aws_route" "additional" {
  for_each = local.additional_routes_map

  route_table_id = aws_route_table.this[each.value.key].id

  destination_cidr_block      = each.value.destination_cidr_block
  destination_ipv6_cidr_block = each.value.destination_ipv6_cidr_block

  # Only these five target types are recognised; a type outside this list
  # produces a route with no target at all.
  egress_only_gateway_id    = (each.value.type == "egress-only-gateway") ? each.value.id : null
  network_interface_id      = (each.value.type == "network-interface") ? each.value.id : null
  transit_gateway_id        = (each.value.type == "transit-gateway") ? each.value.id : null
  vpc_endpoint_id           = (each.value.type == "vpc-endpoint") ? each.value.id : null
  vpc_peering_connection_id = (each.value.type == "vpc-peering-connection") ? each.value.id : null
}
# NOTE(review): this associates aws_subnet.this[key] with
# aws_route_table.this[key], the same pair aws_route_table_association.this
# already creates for every subnet_map entry. The second association looks
# redundant and, if AWS rejects a duplicate subnet/route-table association,
# would fail at apply time — confirm whether it can be dropped.
resource "aws_route_table_association" "additional" {
  for_each = local.additional_routes_map

  route_table_id = aws_route_table.this[each.value.key].id
  subnet_id      = aws_subnet.this[each.value.key].id
}
# Module for KMS Key Management: the key that encrypts the flow-log
# CloudWatch log group. Created whenever flow logs are enabled, even when the
# flow log is later pointed at S3 (see aws_flow_log.this), in which case the
# key is unused.
module "kms" {
  source  = "sourcefuse/arc-kms/aws"
  version = "1.0.9"

  count = var.vpc_flow_log_config.enable ? 1 : 0

  # NOTE(review): the alias is a fixed literal, so two instances of this
  # module in one account/region would request the same alias — consider
  # deriving it from var.name (changing it recreates the alias for existing
  # deployments).
  alias = "alias/vpc-flow-logs-key"

  enable_key_rotation     = var.kms_config.enable_key_rotation
  deletion_window_in_days = var.kms_config.deletion_window_in_days
  policy                  = local.kms_policy

  tags = merge({ Name = "${var.name}-kms-vpc-flowlogs" }, var.tags)
}
#### AWS Caller Identity Data Source
# Account and caller details for the credentials Terraform runs with
# (referenced by the KMS policy locals and the flow-logs trust policy).
data "aws_caller_identity" "current" {
}
### CloudWatch Log Group for VPC Flow Logs
# Encrypted with the module's KMS key. Note the count only checks enable, so
# the group exists even when the flow log delivers to S3.
resource "aws_cloudwatch_log_group" "this" {
  count = var.vpc_flow_log_config.enable ? 1 : 0

  name_prefix       = "${var.name}-vpcflowlog"
  retention_in_days = var.vpc_flow_log_config.retention_in_days

  # module.kms has the same count, so index 0 exists whenever this does.
  # Assumes the module exports key_arn — TODO confirm against the module's outputs.
  kms_key_id = module.kms[0].key_arn
}
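### IAM Policy Document for VPC Flow Logs Role Trust Policy
# Lets the VPC Flow Logs service assume the delivery role, but only on behalf
# of flow logs in this account: without the aws:SourceAccount condition, the
# same service principal acting for another account's flow log could assume
# the role (confused deputy).
data "aws_iam_policy_document" "assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }

    # Scope the trust to flow logs created in the calling account.
    # An aws:SourceArn condition (arn:aws:ec2:<region>:<account>:vpc-flow-log/*)
    # would narrow it further but needs the region, which this file does not
    # look up.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}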
### IAM Role for VPC Flow Logs
# Delivery role assumed by the flow-logs service to write into CloudWatch.
resource "aws_iam_role" "this" {
  count = var.vpc_flow_log_config.enable ? 1 : 0

  assume_role_policy = data.aws_iam_policy_document.assume.json
  name_prefix        = "${var.name}-vpcflowlog-role"
}
# IAM Policy for Flow Logs: write access scoped to the flow-log log group and
# its streams. The "*" fallback only occurs when the log group does not exist,
# i.e. when flow logs are disabled — in that case aws_iam_policy.this is not
# created either, so the wildcard never reaches IAM. This data source has no
# count, which is why the guard is needed at all.
data "aws_iam_policy_document" "flow_logs_policy" {
  statement {
    effect = "Allow"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
    ]

    # NOTE(review): logs:DescribeLogGroups may need a "*" resource regardless
    # of the log-group ARN — verify against the IAM action reference.
    resources = (
      length(aws_cloudwatch_log_group.this) > 0 && local.enable_vpc_flow_log
      ? [aws_cloudwatch_log_group.this[0].arn, "${aws_cloudwatch_log_group.this[0].arn}:*"]
      : ["*"]
    )
  }
}
# Managed policy carrying the flow-logs write permissions.
resource "aws_iam_policy" "this" {
  count = var.vpc_flow_log_config.enable ? 1 : 0

  policy      = data.aws_iam_policy_document.flow_logs_policy.json
  name_prefix = "${var.name}-vpcflowlog-policy"
}
# Attaches the flow-logs policy to the delivery role. All three resources
# share the same 0/1 count, so index 0 is the only one that ever exists.
resource "aws_iam_role_policy_attachment" "attach_flow_logs_policy" {
  count = var.vpc_flow_log_config.enable ? 1 : 0

  policy_arn = aws_iam_policy.this[0].arn
  role       = aws_iam_role.this[0].name
}
# VPC Flow Log Configuration
# Captures all traffic for the VPC. An S3 bucket ARN selects S3 delivery;
# otherwise the CloudWatch log group above is used together with the delivery
# role. The log group, KMS key and IAM role/policy are created whenever
# enable is true, regardless of which destination ends up selected here.
resource "aws_flow_log" "this" {
  count = var.vpc_flow_log_config.enable ? 1 : 0

  vpc_id       = aws_vpc.this.id
  traffic_type = "ALL"

  # "No bucket" means null or empty string; both select CloudWatch.
  log_destination_type = (var.vpc_flow_log_config.s3_bucket_arn == null || var.vpc_flow_log_config.s3_bucket_arn == "") ? "cloud-watch-logs" : "s3"
  log_destination      = (var.vpc_flow_log_config.s3_bucket_arn == null || var.vpc_flow_log_config.s3_bucket_arn == "") ? aws_cloudwatch_log_group.this[0].arn : var.vpc_flow_log_config.s3_bucket_arn
  # S3 delivery does not use a role; CloudWatch delivery does.
  iam_role_arn = (var.vpc_flow_log_config.s3_bucket_arn == null || var.vpc_flow_log_config.s3_bucket_arn == "") ? aws_iam_role.this[0].arn : null

  # Unlike the other resources in this file, the generated Name is merged
  # last here and therefore overrides any Name in var.tags.
  tags = merge(var.tags, { Name = "${var.name}-flowlogs" })
}