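# Generated by Otto, do not edit manually.
#
# Layout: one VPC with a public subnet (internet gateway) and a private subnet
# whose default route goes through a NAT instance. A bastion host in the public
# subnet is the SSH entry point to everything in the private subnet.

provider "aws" {
  # NOTE(review): static credentials supplied via variables are recorded in the
  # Terraform state in plain text; the state file must be treated as a secret.
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  region     = "${var.aws_region}"
}

# Main VPC that will contain everything.
# Its cidr_block is referenced (aws_vpc.main.cidr_block) by the security
# groups and the NAT user-data template so the range is defined only once.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"

  tags { Name = "otto" }
}

# The public subnet is where resources connected to the internet will go
resource "aws_subnet" "public" {
  vpc_id                  = "${aws_vpc.main.id}"
  cidr_block              = "10.0.2.0/24"
  map_public_ip_on_launch = true

  tags { Name = "public" }
}

# The private subnet is where resources that are internal only will go
resource "aws_subnet" "private" {
  vpc_id     = "${aws_vpc.main.id}"
  cidr_block = "10.0.1.0/24"

  # Doesn't matter which AZ we land in, but public/private subnets
  # need to be colocated in an AZ for ELBs to be able to route.
  availability_zone = "${aws_subnet.public.availability_zone}"

  tags { Name = "private" }
}

# Internet accessible route table + gateway for the public subnet
resource "aws_internet_gateway" "public" {
  vpc_id = "${aws_vpc.main.id}"
}

resource "aws_route_table" "public" {
  vpc_id = "${aws_vpc.main.id}"

  # Default route straight to the internet gateway.
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.public.id}"
  }

  tags { Name = "public" }
}

resource "aws_route_table_association" "public" {
  subnet_id      = "${aws_subnet.public.id}"
  route_table_id = "${aws_route_table.public.id}"
}

# SSH key that app implementations can use to grant SSH access to instances
resource "aws_key_pair" "main" {
  # The VPC id suffix (the part after "vpc-") keeps the name unique per VPC.
  key_name   = "otto-${element(split("-", aws_vpc.main.id), 1)}"
  public_key = "${var.ssh_public_key}"
}

# Bastion instance for SSH access to private hosts
resource "aws_security_group" "bastion" {
  name   = "otto-bastion-${element(split("-", aws_vpc.main.id), 1)}"
  vpc_id = "${aws_vpc.main.id}"

  # Unrestricted outbound; the bastion must reach private hosts on any port.
  egress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  # All protocols from anywhere inside the VPC. Note this means any host in
  # the VPC can reach the bastion on every port, not just SSH.
  ingress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["${aws_vpc.main.cidr_block}"]
  }

  # SSH from any IPv4 address. Security: this is the only internet-facing
  # entry point into the environment; narrowing this range to known source
  # networks is the main hardening knob for the bastion.
  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "bastion" {
  # TODO: lookup ubuntu AMI by region / instance type
  # TODO: configurable instance type
  # AMI ids are region-specific, so this id is only valid in the region it
  # was published for; a different var.aws_region will fail at apply time.
  ami                    = "ami-21630d44"
  instance_type          = "t2.micro"
  key_name               = "${aws_key_pair.main.id}"
  subnet_id              = "${aws_subnet.public.id}"
  vpc_security_group_ids = ["${aws_security_group.bastion.id}"]

  # Wait for cloud-init (ensures instance is fully booted before moving on)
  # The loop ends once no cloud-init process remains for pkill -0 to signal.
  provisioner "remote-exec" {
    inline = ["while sudo pkill -0 cloud-init 2>/dev/null; do sleep 2; done"]

    connection {
      user = "ubuntu"
      host = "${self.public_ip}"
    }
  }

  tags { Name = "otto-bastion" }
}

# NAT instance for internet access from the private subnet
resource "aws_security_group" "nat" {
  name   = "otto-nat-${element(split("-", aws_vpc.main.id), 1)}"
  vpc_id = "${aws_vpc.main.id}"

  # Accept all traffic originating inside the VPC (the traffic to be NATed).
  ingress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["${aws_vpc.main.cidr_block}"]
  }

  # Unrestricted outbound so forwarded traffic can reach the internet.
  egress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# User data for the NAT instance; vpc_cidr tells the template which source
# range to masquerade.
resource "template_file" "nat" {
  filename = "${path.module}/nat_user_data.conf.tftpl"

  vars {
    vpc_cidr = "${aws_vpc.main.cidr_block}"
  }
}

resource "aws_instance" "nat" {
  # TODO: lookup ubuntu AMI by region / instance type
  # TODO: configurable instance type
  # AMI ids are region-specific; see the same note on the bastion instance.
  ami                    = "ami-21630d44"
  instance_type          = "t2.micro"
  subnet_id              = "${aws_subnet.public.id}"
  key_name               = "${aws_key_pair.main.id}"
  vpc_security_group_ids = ["${aws_security_group.nat.id}"]

  # Configure as NAT machine: source/dest checking must be off so EC2 lets
  # the instance forward packets that are not addressed to itself.
  source_dest_check = false
  user_data         = "${template_file.nat.rendered}"

  # Wait for cloud-init (ensures instance is fully booted before moving on)
  # The NAT host has no public address, so the connection hops through the
  # bastion (its public ip must already be reachable on port 22).
  provisioner "remote-exec" {
    inline = ["while sudo pkill -0 cloud-init 2>/dev/null; do sleep 2; done"]

    connection {
      user         = "ubuntu"
      host         = "${self.private_ip}"
      bastion_host = "${aws_instance.bastion.public_ip}"
      bastion_user = "ubuntu"
    }
  }

  tags { Name = "otto-nat" }
}

# Private route table: default route via the NAT instance rather than the
# internet gateway, so private hosts can reach out but are not reachable.
resource "aws_route_table" "private" {
  vpc_id = "${aws_vpc.main.id}"

  route {
    cidr_block  = "0.0.0.0/0"
    instance_id = "${aws_instance.nat.id}"
  }

  tags { Name = "otto-private" }
}

# Attaches the private route table to the private subnet. The resource name
# is left as-is: renaming it would change its address in existing state.
resource "aws_route_table_association" "mod" {
  subnet_id      = "${aws_subnet.private.id}"
  route_table_id = "${aws_route_table.private.id}"
}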