Add private subnets and Terraform bugfixes

andrewlod · Apr 2, 2024 · dda3339 · dda3339
1 parent 3e4b88c
commit dda3339
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -145,4 +145,5 @@ docs
 *.tfvars.json
 *.tfstate
 *.tfstate.*
+**/*tfplan*
 **/.terraform/*
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -19,6 +19,8 @@ provider "aws" {
 resource "aws_vpc" "main_vpc" {
   cidr_block       = var.vpc_cidr
 
+  enable_dns_hostnames = true
+
   tags = {
     "Environment"   = var.infra_env
     "Name"          = "auth-vpc-${var.infra_env}"
@@ -28,10 +30,11 @@ resource "aws_vpc" "main_vpc" {
   }
 }
 
+## Public resources
 resource "aws_subnet" "public_subnets" {
   for_each = var.public_subnet_map
 
-  vpc_id                  = "${aws_vpc.vpc.id}"
+  vpc_id                  = "${aws_vpc.main_vpc.id}"
   cidr_block              = "${each.value}"
   availability_zone       = "${each.key}"
   map_public_ip_on_launch = true
@@ -45,10 +48,6 @@ resource "aws_subnet" "public_subnets" {
   }
 }
 
-locals {
-  public_subnet_ids = [ for subnet in aws_subnet.public_subnets : subnet.id ]
-}
-
 resource "aws_internet_gateway" "igw" {
   vpc_id = "${aws_vpc.main_vpc.id}"
 
@@ -80,9 +79,9 @@ resource "aws_route" "public_internet_gateway" {
 }
 
 resource "aws_route_table_association" "public_subnets_associations" {
-  for_each        = toset(local.public_subnet_ids)
+  for_each       = aws_subnet.public_subnets
 
-  subnet_id      =  each.key
+  subnet_id      = each.value.id
   route_table_id = aws_route_table.public_route_table.id
 }
 
@@ -117,7 +116,7 @@ resource "aws_security_group" "public_sg" {
     from_port   = "0"
     to_port     = "0"
     protocol    = "-1"
-    cidr_blocks = [ "0.0.0.0" ]
+    cidr_blocks = [ "0.0.0.0/0" ]
   }
   tags = {
     "Environment"   = var.infra_env
@@ -128,6 +127,54 @@ resource "aws_security_group" "public_sg" {
   }
 }
 
+## Private resources
+resource "aws_eip" "nat" {
+  domain = "vpc"
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "auth-nat-eip"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+  }
+}
+
+resource "aws_nat_gateway" "nat" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = values(aws_subnet.public_subnets)[0].id
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "auth-nat-eip"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+  }
+
+  depends_on = [aws_internet_gateway.igw]
+}
+
+resource "aws_subnet" "private_subnets" {
+  for_each          = var.private_subnet_map
+
+  vpc_id            = aws_vpc.main_vpc.id
+  cidr_block        = each.value
+  availability_zone = each.key
+
+  map_public_ip_on_launch = false
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "auth-private-subnet"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+    "kubernetes.io/role/internal-elb"                               = "1"
+    "kubernetes.io/cluster/authentication-cluster-${var.infra_env}" = "owned"
+  }
+}
+
 resource "aws_security_group" "private_sg" {
   name        = "auth-private-sg"
   description = "Security group for internal VPC traffic"
@@ -145,17 +192,47 @@ resource "aws_security_group" "private_sg" {
     from_port   = "0"
     to_port     = "0"
     protocol    = "-1"
-    cidr_blocks = [ "0.0.0.0" ]
+    cidr_blocks = [ "0.0.0.0/0" ]
   }
   tags = {
     "Environment"   = var.infra_env
-    "Name"          = "auth-public-sg"
+    "Name"          = "auth-private-sg"
     "Project"       = "authentication-app"
     "ManagedBy"     = "terraform"
     "Organization"  = "andrewlod"
   }
 }
 
+resource "aws_route_table" "private_route_table" {
+  vpc_id = "${aws_vpc.main_vpc.id}"
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.nat.id
+  }
+
+  tags = {
+    "Environment"   = var.infra_env
+    "Name"          = "auth-vpc-private-rt"
+    "Project"       = "authentication-app"
+    "ManagedBy"     = "terraform"
+    "Organization"  = "andrewlod"
+  }
+}
+
+resource "aws_route_table_association" "private_subnets_associations" {
+  for_each       = aws_subnet.private_subnets
+
+  subnet_id      = each.value.id
+  route_table_id = aws_route_table.private_route_table.id
+}
+
+
+locals {
+  public_subnet_ids = values(aws_subnet.public_subnets)[*].id
+  private_subnet_ids = values(aws_subnet.private_subnets)[*].id
+}
+
 # RDS Resources
 resource "aws_db_subnet_group" "authentication_db_sng" {
   name       = "authdbsng"
@@ -172,7 +249,7 @@ resource "aws_db_subnet_group" "authentication_db_sng" {
 
 resource "aws_db_instance" "authentication_db" {
   allocated_storage    = var.db_storage
-  db_name              = "${var.db_name}-${var.infra_env}"
+  db_name              = "${var.db_name}${var.infra_env}"
   engine               = "postgres"
   engine_version       = "16.2"
   instance_class       = var.db_instance_type
@@ -182,6 +259,7 @@ resource "aws_db_instance" "authentication_db" {
   publicly_accessible  = true
 
   db_subnet_group_name = aws_db_subnet_group.authentication_db_sng.name
+  vpc_security_group_ids = [aws_security_group.public_sg.id]
 
   tags = {
     "Environment"   = var.infra_env
@@ -230,7 +308,7 @@ resource "aws_iam_role" "eks_fargate_execution_role" {
 
 resource "aws_iam_role_policy_attachment" "eks_fargate_execution_attachment" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
-  role       = aws_iam_role.eks_fargate_execution_role.arn
+  role       = aws_iam_role.eks_fargate_execution_role.name
 }
 
 resource "aws_iam_role" "eks_cluster_role" {
@@ -280,7 +358,7 @@ resource "aws_eks_fargate_profile" "auth_cluster_fargate_profile" {
   fargate_profile_name = "authentication-cluster-profile-${var.infra_env}"
   cluster_name = aws_eks_cluster.authentication_cluster.name
   pod_execution_role_arn = aws_iam_role.eks_fargate_execution_role.arn
-  subnet_ids = local.public_subnet_ids
+  subnet_ids = local.private_subnet_ids
 
   selector {
     namespace = "default"

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -24,24 +24,24 @@ variable "aws_region" {
 variable "vpc_cidr" {
   type        = string
   description = "CIDR of the main VPC"
-  default     = "10.0.0.0/24"
+  default     = "10.0.0.0/18"
 }
 
 variable "public_subnet_map" {
   type        = map(string)
   description = "Mapping between public subnet AZs and CIDRs"
   default = {
-    "us-east-1a" = "10.0.0.0/28"
-    "us-east-1b" = "10.0.0.16/28"
+    "us-east-1a" = "10.0.0.0/20"
+    "us-east-1b" = "10.0.16.0/20"
   }
 }
 
 variable "private_subnet_map" {
   type        = map(string)
   description = "Mapping between private subnet AZs and CIDRs"
   default = {
-    "us-east-1a" = "10.0.0.32/28"
-    "us-east-1b" = "10.0.0.48/28"
+    "us-east-1a" = "10.0.32.0/20"
+    "us-east-1b" = "10.0.48.0/20"
   }
 }