
locals {
  # AWS VPCs are per-region, and the default ones all have the same CIDR range so cannot
  # be connected.
  # We need to create one VPC per region with known CIDR ranges.
  # We create a single private class-A network:   10.0.0.0/8
  # Each region is a fixed /16 network:           10.<region id>.0.0/16
  #   (cidrsubnet("10.0.0.0/8", 8, <region id>) in aws_vpc.region_vpc below)
  # Each zone is a fixed /20 network:             10.<region id>.<zone id * 16>.0/20
  #   (cidrsubnet(<region /16>, 4, <zone id>) in aws_subnet.region_subnets below;
  #    the zone id occupies the top 4 bits of the third octet)
  #
  # Note: a /20 holds 4096 addresses, so this allows for a maximum of 4096 (minus the
  # addresses AWS reserves in every subnet) VMs per zone, and at most 16 zones per region.
  #
  # The region ID and zone ID mapping must **NEVER** change during the lifetime of a cluster:
  # the IDs are baked into the VPC and subnet CIDRs, and renumbering would re-create them.
  # If a region or zone no longer exists, comment it but do not reuse the number.
  # If a region or zone is added, use the next available number.
  #
  # Region IDs are an 8-bit field (0-255). A var.region that is missing from this map makes
  # the lookup in aws_vpc.region_vpc fail at plan time, which is the intended failure mode:
  # add the region here rather than guessing a number elsewhere.
  region_number = {
    ap-northeast-1  = 0,
    ap-northeast-2  = 1,
    ap-south-1      = 2,
    ap-southeast-1  = 3,
    ap-southeast-2  = 4,
    ca-central-1    = 5,
    eu-central-1    = 6,
    eu-west-1       = 7,
    eu-west-2       = 8,
    eu-west-3       = 9,
    sa-east-1       = 10,
    us-east-1       = 11,
    us-east-2       = 12,
    us-west-1       = 13,
    us-west-2       = 14,
  }

  # Zone IDs are a 4-bit field (0-15), keyed by the availability zone's name_suffix.
  # Any zone AWS reports in the region whose suffix is missing here makes the lookup in
  # aws_subnet.region_subnets fail at plan time; extend the map (never renumber it).
  zone_number = {
    a = 0,
    b = 1,
    c = 2,
    d = 3,
    e = 4,
    f = 5,
    g = 6,
    h = 7,
    i = 8,
    j = 9,
    k = 10,
  }

  # Computed variable: number of availability zones (and subnets) in this region.
  # Drives the count of both data.aws_availability_zone.zone_detail and aws_subnet.region_subnets.
  num_zones = "${length(data.aws_availability_zones.available.names)}"
}
    49  
# List of all availability zones in this region.
# No "state" filter is set, so this is every zone the account can see in the region the
# provider is configured for (the region is not selected in this file; presumably it comes
# from the provider configuration and matches var.region — TODO confirm).
data "aws_availability_zones" "available" {}
    52  
    53  # Details for each availability zone.
    54  data "aws_availability_zone" "zone_detail" {
    55    count = "${local.num_zones}"
    56    name = "${data.aws_availability_zones.available.names[count.index]}"
    57  }
    58  
    59  # One VPC per region, with CIDR 10.<region ID>.0.0/8.
    60  resource "aws_vpc" "region_vpc" {
    61    cidr_block           = "${cidrsubnet("10.0.0.0/8", 8, local.region_number[var.region])}"
    62    enable_dns_hostnames = true
    63    tags {
    64      Name               = "${var.label}-vpc-${var.region}"
    65    }
    66  }
    67  
# Internet gateway for the VPC. On its own it routes nothing; aws_route.internet_route
# below points the VPC's default route at it, which is what makes the subnets public.
resource "aws_internet_gateway" "gateway" {
  vpc_id = "${aws_vpc.region_vpc.id}"
}
    72  
    73  # Route table for the VPC (automatically associated with all subnets).
    74  data "aws_route_table" "region_route_table" {
    75    vpc_id = "${aws_vpc.region_vpc.id}"
    76  }
    77  
# Default route (0.0.0.0/0) via the internet gateway, installed in the VPC's main route table.
# SECURITY: this makes every subnet in the VPC a public subnet — any instance that is given a
# public address is directly reachable from the internet, gated only by the security group
# rules further down (which, as written, allow everything in).
# Routes to the other regions' 10.<id>.0.0/16 VPC CIDRs are separate, more-specific routes
# that are not defined in this file (presumably added with the VPC peering — confirm).
resource "aws_route" "internet_route" {
  route_table_id         = "${data.aws_route_table.region_route_table.id}"
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = "${aws_internet_gateway.gateway.id}"
}
    84  
    85  # List of subnets. One for each availability zone, with CIDR 10.<region ID>.<zone ID>.0/16.
    86  resource "aws_subnet" "region_subnets" {
    87    count             = "${local.num_zones}"
    88    availability_zone = "${data.aws_availability_zone.zone_detail.*.name[count.index]}"
    89    vpc_id            = "${aws_vpc.region_vpc.id}"
    90    cidr_block        = "${cidrsubnet(aws_vpc.region_vpc.cidr_block, 4, local.zone_number[data.aws_availability_zone.zone_detail.*.name_suffix[count.index]])}"
    91    tags {
    92      Name        = "${var.label}-subnet-${data.aws_availability_zone.zone_detail.*.name[count.index]}"
    93    }
    94  }
    95  
# Security group for the VPC. Every rule is attached below as a standalone
# aws_security_group_rule; this resource is intentionally rule-less.
# WARNING: do not define any rules inside the "aws_security_group" stanza, use "aws_security_group_rule" instead.
# (Inline ingress/egress blocks and standalone rule resources manage the same rule set and
# will keep undoing each other on every apply.)
# NOTE(review): the provider is understood to drop AWS's default allow-all egress rule when it
# creates a VPC security group, which is why allow_egress below re-adds it explicitly — confirm.
resource "aws_security_group" "region_security_group" {
  name        = "${var.label}-group-${var.region}"
  description = "Security group for region ${var.region}"
  vpc_id      = "${aws_vpc.region_vpc.id}"
}
   103  
# Egress: allow all ports and protocols to anywhere.
# Acceptable for short-lived test clusters, but note what it permits: a compromised node can
# reach any internet address (exfiltration, pulling tooling) with nothing to stop it here.
# from_port/to_port of 0 with protocol "all" is the provider's "every port" spelling.
resource "aws_security_group_rule" "allow_egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "all"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.region_security_group.id}"
  description       = "Egress"
}
   114  
   115  # Ingress: allow all.
   116  resource "aws_security_group_rule" "allow_ingress" {
   117    type              = "ingress"
   118    from_port         = 0
   119    to_port           = 0
   120    protocol          = "all"
   121    cidr_blocks       = ["0.0.0.0/0"]
   122    security_group_id = "${aws_security_group.region_security_group.id}"
   123    description       = "Ingress"
   124  }
   125  
   126  
# Ingress: allow all ports and protocols from 10.0.0.0/8, i.e. from every region's VPC
# (each region's VPC is a /16 carved out of this /8, see locals). This is what lets nodes
# in different regions talk to each other once the VPCs are connected (the peering/routes
# are not in this file).
# Note: this rule is currently shadowed by allow_ingress above, which already admits
# 0.0.0.0/0; it only becomes meaningful once that rule is restricted, so keep it.
resource "aws_security_group_rule" "allow_vpc_ingress" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "all"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = "${aws_security_group.region_security_group.id}"
  description       = "Inter-VPC traffic"
}
   137  
# Ingress: allow SSH (tcp/22) from everywhere.
# Currently shadowed by allow_ingress above, which already admits every port from 0.0.0.0/0;
# it only takes effect once that rule is restricted, so keep it.
# SECURITY: world-reachable SSH means the only thing between the internet and a shell on a
# node is the SSH daemon's own configuration (key-only auth etc. — set up elsewhere, not
# visible here). When tightening, narrow the source CIDRs to operator / CI ranges rather
# than 0.0.0.0/0.
resource "aws_security_group_rule" "allow_ssh_ingress" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.region_security_group.id}"
  description       = "SSH Access"
}