diff --git a/.gitignore b/.gitignore index 1c5f1b5..9937392 100644 --- a/.gitignore +++ b/.gitignore @@ -145,4 +145,5 @@ docs *.tfvars.json *.tfstate *.tfstate.* +**/*tfplan* **/.terraform/* \ No newline at end of file diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl new file mode 100644 index 0000000..a2363b7 --- /dev/null +++ b/terraform/.terraform.lock.hcl @@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.43.0" + constraints = "~> 5.43.0" + hashes = [ + "h1:g+aulJVHZfXjrC06odZcQPCkNZqD2jiJGsxGnh34Tmw=", + "zh:07fb2abb9cf4d2042b41b2b2c642d4c4bd2feccbd856cd7040a7d15158fed478", + "zh:1373339e796d8d8473c267c0ecddb701559fce454c2cdd192cf8b0eadf759b48", + "zh:1644b4e0fd2e0b28d465bb5cf08b1f594a623324d176e879e5052f78cd2ea8cb", + "zh:385943b8d4170c5269b8e13e876636b7edc0ad2576edc7eb5d81cd4286a461d8", + "zh:48cf103f4fa866b67b686e8c085ac15264d6f020b6ad4a90f496b7283d31faa6", + "zh:4a4c4b4236542089d1bdb688c248e0b7c941ce42887da87e487bfb15038dcaf9", + "zh:5d84f3e12100bdd62a8c295b56358b82afc130642dca80d104bd868fdc28ed7c", + "zh:68294a601ce588a8838bcf4e136bb5ed8d2b1ee410f8871d88e35ce4861cf33f", + "zh:7ae1af6e9b95bd6c33dd0922216ac2b59f2f5b22fedbeab1db7a80b2f4358919", + "zh:89c718d41b2eeeaefd1acdbd839f1326a8c866bd49752648b0b32d3dd4a38163", + "zh:96e54ccb0f5ddf60465edf5c9f46e64f7d2f392507b851f102723797b4a15d09", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b102ce204ebbbf32d68ff47b5224eeb60873bef5b58a7fd7790f6b4020801578", + "zh:cae4cb16d15ac4b15c8de5bc9dddc2032583e12c4f31e23b3a7ef22da60657dc", + "zh:fecbcbd63111c9518de261bcb37482cb06ee149e7298f567d45b2a55674faa75", + ] +} diff --git a/terraform/main.tf b/terraform/main.tf index 95cd792..d725c87 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -19,6 +19,8 @@ provider "aws" { resource "aws_vpc" "main_vpc" { cidr_block = var.vpc_cidr + enable_dns_hostnames = true + tags = { "Environment" = var.infra_env "Name" = "auth-vpc-${var.infra_env}" @@ -28,10 +30,11 @@ resource "aws_vpc" "main_vpc" { } } +## Public resources resource "aws_subnet" "public_subnets" { for_each = var.public_subnet_map - vpc_id = "${aws_vpc.vpc.id}" + vpc_id = "${aws_vpc.main_vpc.id}" cidr_block = "${each.value}" availability_zone = "${each.key}" map_public_ip_on_launch = true @@ -45,10 +48,6 @@ resource "aws_subnet" "public_subnets" { } } -locals { - public_subnet_ids = [ for subnet in aws_subnet.public_subnets : subnet.id ] -} - resource "aws_internet_gateway" "igw" { vpc_id = "${aws_vpc.main_vpc.id}" @@ -80,9 +79,9 @@ resource "aws_route" "public_internet_gateway" { } resource "aws_route_table_association" "public_subnets_associations" { - for_each = toset(local.public_subnet_ids) + for_each = aws_subnet.public_subnets - subnet_id = each.key + subnet_id = each.value.id route_table_id = aws_route_table.public_route_table.id } @@ -117,7 +116,7 @@ resource "aws_security_group" "public_sg" { from_port = "0" to_port = "0" protocol = "-1" - cidr_blocks = [ "0.0.0.0" ] + cidr_blocks = [ "0.0.0.0/0" ] } tags = { "Environment" = var.infra_env @@ -128,6 +127,54 @@ resource "aws_security_group" "public_sg" { } } +## Private resources +resource "aws_eip" "nat" { + domain = "vpc" + + tags = { + "Environment" = var.infra_env + "Name" = "auth-nat-eip" + "Project" = "authentication-app" + "ManagedBy" = "terraform" + "Organization" = "andrewlod" + } +} + +resource "aws_nat_gateway" "nat" { + allocation_id = aws_eip.nat.id + subnet_id = values(aws_subnet.public_subnets)[0].id + + tags = { + "Environment" = var.infra_env + "Name" = "auth-nat-eip" + "Project" = "authentication-app" + "ManagedBy" = "terraform" + "Organization" = "andrewlod" + } + + depends_on = [aws_internet_gateway.igw] +} + +resource "aws_subnet" "private_subnets" { + for_each = var.private_subnet_map + + vpc_id = aws_vpc.main_vpc.id + cidr_block = each.value + availability_zone = each.key + + map_public_ip_on_launch = false + + tags = { + "Environment" = var.infra_env + "Name" = "auth-private-subnet" + "Project" = "authentication-app" + "ManagedBy" = "terraform" + "Organization" = "andrewlod" + "kubernetes.io/role/internal-elb" = "1" + "kubernetes.io/cluster/authentication-cluster-${var.infra_env}" = "owned" + } +} + resource "aws_security_group" "private_sg" { name = "auth-private-sg" description = "Security group for internal VPC traffic" @@ -145,17 +192,47 @@ resource "aws_security_group" "private_sg" { from_port = "0" to_port = "0" protocol = "-1" - cidr_blocks = [ "0.0.0.0" ] + cidr_blocks = [ "0.0.0.0/0" ] } tags = { "Environment" = var.infra_env - "Name" = "auth-public-sg" + "Name" = "auth-private-sg" "Project" = "authentication-app" "ManagedBy" = "terraform" "Organization" = "andrewlod" } } +resource "aws_route_table" "private_route_table" { + vpc_id = "${aws_vpc.main_vpc.id}" + + route { + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.nat.id + } + + tags = { + "Environment" = var.infra_env + "Name" = "auth-vpc-private-rt" + "Project" = "authentication-app" + "ManagedBy" = "terraform" + "Organization" = "andrewlod" + } +} + +resource "aws_route_table_association" "private_subnets_associations" { + for_each = aws_subnet.private_subnets + + subnet_id = each.value.id + route_table_id = aws_route_table.private_route_table.id +} + + +locals { + public_subnet_ids = values(aws_subnet.public_subnets)[*].id + private_subnet_ids = values(aws_subnet.private_subnets)[*].id +} + # RDS Resources resource "aws_db_subnet_group" "authentication_db_sng" { name = "authdbsng" @@ -172,7 +249,7 @@ resource "aws_db_subnet_group" "authentication_db_sng" { resource "aws_db_instance" "authentication_db" { allocated_storage = var.db_storage - db_name = "${var.db_name}-${var.infra_env}" + db_name = "${var.db_name}${var.infra_env}" engine = "postgres" engine_version = "16.2" instance_class = var.db_instance_type @@ -182,6 +259,7 @@ resource "aws_db_instance" "authentication_db" { publicly_accessible = true db_subnet_group_name = aws_db_subnet_group.authentication_db_sng.name + vpc_security_group_ids = [aws_security_group.public_sg.id] tags = { "Environment" = var.infra_env @@ -230,7 +308,7 @@ resource "aws_iam_role" "eks_fargate_execution_role" { resource "aws_iam_role_policy_attachment" "eks_fargate_execution_attachment" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy" - role = aws_iam_role.eks_fargate_execution_role.arn + role = aws_iam_role.eks_fargate_execution_role.name } resource "aws_iam_role" "eks_cluster_role" { @@ -280,7 +358,7 @@ resource "aws_eks_fargate_profile" "auth_cluster_fargate_profile" { fargate_profile_name = "authentication-cluster-profile-${var.infra_env}" cluster_name = aws_eks_cluster.authentication_cluster.name pod_execution_role_arn = aws_iam_role.eks_fargate_execution_role.arn - subnet_ids = local.public_subnet_ids + subnet_ids = local.private_subnet_ids selector { namespace = "default" diff --git a/terraform/variables.tf b/terraform/variables.tf index ca798d1..108576d 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -24,15 +24,15 @@ variable "aws_region" { variable "vpc_cidr" { type = string description = "CIDR of the main VPC" - default = "10.0.0.0/24" + default = "10.0.0.0/18" } variable "public_subnet_map" { type = map(string) description = "Mapping between public subnet AZs and CIDRs" default = { - "us-east-1a" = "10.0.0.0/28" - "us-east-1b" = "10.0.0.16/28" + "us-east-1a" = "10.0.0.0/20" + "us-east-1b" = "10.0.16.0/20" } } @@ -40,8 +40,8 @@ variable "private_subnet_map" { type = map(string) description = "Mapping between private subnet AZs and CIDRs" default = { - "us-east-1a" = "10.0.0.32/28" - "us-east-1b" = "10.0.0.48/28" + "us-east-1a" = "10.0.32.0/20" + "us-east-1b" = "10.0.48.0/20" } }