

updated documentation
vijay-stephen committed Oct 24, 2024
1 parent facf5da commit 1713b56
Showing 3 changed files with 92 additions and 210 deletions.
192 changes: 87 additions & 105 deletions README.md
Expand Up @@ -20,8 +20,6 @@ Create the following resources in a single region.
* VPC
* Multi-AZ private and public subnets
* Route tables, internet gateway, and NAT gateways
* Configurable VPN Gateway
* Configurable Client VPN Endpoint
* Configurable VPC Endpoints

### Prerequisites
Expand All @@ -37,35 +35,25 @@ See the `examples` folder for a complete example.
```shell

module "network" {
source = "sourcefuse/arc-network/aws"
version = "2.6.10"
namespace = var.namespace
environment = var.environment
availability_zones = var.availability_zones
vpc_ipv4_primary_cidr_block = var.vpc_ipv4_primary_cidr_block
client_vpn_enabled = false
tags = module.tags.tags
client_vpn_authorization_rules = [
namespace = var.namespace
environment = var.environment

name = "arc-poc"
create_internet_geteway = true
availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
cidr_block = "10.0.0.0/16"
vpc_endpoint_data = [
{
service = "s3"
route_table_filter = "private"
},
{
target_network_cidr = var.vpc_ipv4_primary_cidr_block
authorize_all_groups = true
description = "default authorization group to allow all authenticated clients to access the vpc"
service = "dynamodb"
route_table_filter = "private"
}
]

vpc_endpoint_config = {
s3 = true
kms = false
cloudwatch = false
elb = false
dynamodb = true
ec2 = false
sns = true
sqs = true
ecs = true
rds = true
}
gateway_endpoint_route_table_filter = ["*private*"]
tags = module.tags.tags
}

```
Expand All @@ -75,99 +63,93 @@ module "network" {

module "network" {
source = "sourcefuse/arc-network/aws"
version = "2.6.10"
version = "3.0.0"

namespace = var.namespace
environment = var.environment
availability_zones = var.availability_zones
vpc_ipv4_primary_cidr_block = var.vpc_ipv4_primary_cidr_block
client_vpn_enabled = true
namespace = var.namespace
environment = var.environment

## custom subnets
custom_subnets_enabled = true
custom_private_subnets = [
{
name = "${var.namespace}-${var.environment}-private-${var.region}a"
availability_zone = "${var.region}a"
cidr_block = "10.0.0.0/19"
},
{
name = "${var.namespace}-${var.environment}-private-${var.region}b"
availability_zone = "${var.region}b"
cidr_block = "10.0.64.0/19"
}
]
custom_public_subnets = [
name = "arc-poc"
create_internet_geteway = true
subnet_map = local.subnet_map
cidr_block = "10.0.0.0/16"
vpc_endpoint_data = [
{
name = "${var.namespace}-${var.environment}-public-${var.region}a"
availability_zone = "${var.region}a"
cidr_block = "10.0.96.0/20"
service = "s3"
route_table_filter = "private"
},
{
name = "${var.namespace}-${var.environment}-public-${var.region}b"
availability_zone = "${var.region}b"
cidr_block = "10.0.112.0/20"
service = "dynamodb"
route_table_filter = "private"
}
]

// If have disabled the default nat gateways for your custom subnetes
// then you need to pass a nat gateway id for each private subnet that
// you are creating. If custom_az_ngw_ids is left empty in this case
// then no default route is created by the module.
tags = module.tags.tags

custom_nat_gateway_enabled = false
custom_az_ngw_ids = {
"us-east-1a" = "ngw-13df3f3" // Dummy NAT gateway IDs. Use data sources or resource attributes instead.
"us-east-1b" = "ngw-12cesc3"
}
}

client_vpn_authorization_rules = [
{
target_network_cidr = var.vpc_ipv4_primary_cidr_block
authorize_all_groups = true
description = "default authorization group to allow all authenticated clients to access the vpc"
}
]
// if no vpc endpoint is required then you can remove this block with gateway_endpoint_route_table_filter
vpc_endpoint_config = {
s3 = true
kms = false
cloudwatch = false
elb = false
dynamodb = true
ec2 = false
sns = true
sqs = true
ecs = true
rds = true
}
locals {

gateway_endpoint_route_table_filter = ["*private*"]
prefix = "arc-poc"

tags = module.tags.tags
subnet_map = {
"${local.prefix}-public-az1" = {
name = "${local.prefix}-public-az1"
cidr_block = "10.0.0.0/19"
availability_zone = "us-east-1a"
nat_gateway_name = "${local.prefix}-az1-ngtw01"
attach_nat_gateway = false
create_nat_gateway = true
attach_internet_gateway = true
},
"${local.prefix}-public-az2" = {
name = "${local.prefix}-public-az2"
cidr_block = "10.0.32.0/19"
availability_zone = "us-east-1b"
nat_gateway_name = "${local.prefix}-az2-ngtw01"
attach_nat_gateway = false
create_nat_gateway = true
attach_internet_gateway = true
},
"${local.prefix}-db-az1" = {
name = "${local.prefix}-db-az1"
cidr_block = "10.0.64.0/19"
availability_zone = "us-east-1a"
nat_gateway_name = "${local.prefix}-az1-ngtw01"
attach_nat_gateway = true
create_nat_gateway = false
attach_internet_gateway = false
},
"${local.prefix}-db-az2" = {
name = "${local.prefix}-db-az2"
cidr_block = "10.0.96.0/19"
availability_zone = "us-east-1b"
nat_gateway_name = "${local.prefix}-az2-ngtw01"
attach_nat_gateway = true
create_nat_gateway = false
attach_internet_gateway = false
},
"${local.prefix}-app-az1" = {
name = "${local.prefix}-app-az1"
cidr_block = "10.0.128.0/19"
availability_zone = "us-east-1a"
nat_gateway_name = "${local.prefix}-az1-ngtw01"
attach_nat_gateway = true
create_nat_gateway = false
attach_internet_gateway = false
},
"${local.prefix}-app-az2" = {
name = "${local.prefix}-app-az2"
cidr_block = "10.0.160.0/19"
availability_zone = "us-east-1b"
nat_gateway_name = "${local.prefix}-az2-ngtw01"
attach_nat_gateway = true
create_nat_gateway = false
attach_internet_gateway = false
}
}
}


```
## Configuring your VPN Client
Please reference the [AWS Documentation](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoint-export.html) on how to configure the client
once the VPN has been configured in AWS.
The pki keys and certificates can be obtained from the respective SSM parameters and can be used
to generate client certificate for mutual authentication using easy-rsa.
You shall need to copy the ca cert and ca key to:
/path/etc/pki/ca.crt
and
/path/etc/pki/private/ca.key
respectively to use the ca certificate and key generated in this module for mutual auth.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

89 changes: 0 additions & 89 deletions docs/example/README.md

This file was deleted.

21 changes: 5 additions & 16 deletions docs/module-usage-guide/README.md
Expand Up @@ -29,7 +29,7 @@ To incorporate the module into your main Terraform configuration file (e.g., mai
```hcl
module "network" {
source = "sourcefuse/arc-network/aws"
version = "2.6.10"
version = "3.0.0"
# insert the required variables here
}
```
Expand Down Expand Up @@ -87,25 +87,14 @@ For basic usage, see the [example](https://github.com/sourcefuse/terraform-aws-a

This example will create:

- A VPC with CIDR block `10.9.0.0/16`
- Two subnets in availability zones : `"us-east-1a"`, `"us-east-1b"`
- A VPC with CIDR block `10.0.0.0/16`
- Two subnets in availability zones : `"us-east-1a"`, `"us-east-1b"` and `"us-east-1c"`
- Route tables, internet gateway, NAT Gateways
- vpc endpoints for the services: s3, kms, cloudwatch, elb, dynamodb, ec2, sns, sqs, ecs, rds
- vpc endpoints for the services: s3, dynamodb

### Tips and Recommendations

- If you want to create custom subnet ranges, check [example](https://github.com/sourcefuse/terraform-aws-arc-network/tree/main/examples/custom-subnets)
- If you want to create your own nat gateway(s) check [example](https://github.com/sourcefuse/terraform-aws-arc-network/tree/main/examples/custom-nat-gateways)
- If you have disabled the default nat gateways for your custom subnets
then you need to pass a nat gateway id for each private subnet that
you are creating. If custom_az_ngw_ids is left empty in this case
then no default route is created by the module.
- Creating nat gateway as demonstrated in this example is a 3 step process:
- STEP 1 : Apply the configuration without any nat gateway and eip resources and without custom_az_ngw_ids value
- STEP 2 : Add nat gateway and eip resources and run apply
- STEP 3 : finally add custom_az_ngw_ids input map and run apply
This does introduce a cyclical dependency between the network module and the nat and eip resources, but it is expected
since its a deviation from the [recommended aws nat gateway configuration](https://aws.amazon.com/blogs/networking-and-content-delivery/using-nat-gateways-with-multiple-amazon-vpcs-at-scale/).
- The module allows you to define and create subnets with granular control over placement in specific availability zones (AZs). You can configure subnet attributes like CIDR blocks, public or private subnet type, NAT Gateway attachment etc, please refer [custom subnets](https://github.com/sourcefuse/terraform-aws-arc-network/tree/main/examples/custom-subnets) folder.

<details><summary>tldr</summary>

