close
The Wayback Machine - https://web.archive.org/web/20201224165827/https://github.com/infrablocks/terraform-aws-base-networking
Skip to content

/ terraform-aws-base-networking

Terraform module for building base networking in AWS

MIT License
14 stars 8 forks
Star
Watch
master
3 branches 80 tags
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.circleci
 
 
.git-crypt
 
 
config
 
 
docs
 
 
lib
 
 
scripts/ci
 
 
spec
 
 
.envrc
 
 
.gitattributes
 
 
.gitignore
 
 
.rspec
 
 
.ruby-version
 
 
CHANGELOG.md
 
 
CODE_OF_CONDUCT.md
 
 
Gemfile
 
 
Gemfile.lock
 
 
LICENSE.txt
 
 
README.md
 
 
Rakefile
 
 
TODO.md
 
 
account.tf
 
 
go
 
 
igw.tf
 
 
main.tf
 
 
nat.tf
 
 
outputs.tf
 
 
private_subnets.tf
 
 
public_subnets.tf
 
 
variables.tf
 
 
vpc.tf
 
 

README.md

Terraform AWS Base Networking

CircleCI

A Terraform module for building a base network in AWS.

The network consists of:

  • Public and private subnets for each supplied availability zone
  • A NAT gateway for each supplied availability zone for outbound Internet connectivity
  • Routes from the public subnets to the Internet gateway
  • Routes from the private subnets to the NAT
  • Standard tags for all resources

Diagram of infrastructure managed by this module

Terraform versions

Terraform 0.12. Pin module version to >= 0.6.0.

Terraform 0.11. All 0.x module versions are compatible.

Usage

To use the module, include something like the following in your terraform configuration:

module "base-network" {
  source  = "infrablocks/base-networking/aws"
  version = "2.3.0"
  
  vpc_cidr = "10.0.0.0/16"
  region = "eu-west-2"
  availability_zones = ["eu-west-2a", "eu-west-2b"]
  
  component = "important-component"
  deployment_identifier = "production"
  
  private_zone_id = "Z3CVA9QD5NHSW3"
}

Inputs

Name Description Default Required
vpc_cidr The CIDR to use for the VPC - yes
region The region into which to deploy the VPC - yes
availability_zones The availability zones for which to add subnets - yes
public_subnets_offset The number of /24s to offset the public subnets in the VPC CIDR 0 yes
private_subnets_offset The number of /24s to offset the private subnets in the VPC CIDR 0 yes
component The component this network will contain - yes
deployment_identifier An identifier for this instantiation - yes
dependencies The components depended on by this component - no
include_route53_zone_association Whether or not to associate VPC with the private Route 53 zone ("yes" or "no") "yes" no
private_zone_id The ID of the private Route 53 zone - if include_route53_zone_association is "yes"
include_nat_gateways Whether or not to deploy NAT gateways for outbound Internet connectivity ("yes" or "no") "yes" yes

Outputs

Name Description
vpc_id The ID of the created VPC
vpc_cidr The CIDR of the created VPC
availability_zones The availability zones in which subnets were created
number_of_availability_zones The number of populated availability zones available
public_subnet_ids The IDs of the public subnets
public_subnet_cidrs The CIDRs of the public subnets
public_route_table_ids The IDs of the public route tables
private_subnet_ids The IDs of the private subnets
private_subnet_cidrs The CIDRs of the private subnets
private_route_table_ids The IDs of the private route tables
nat_public_ips The EIPs attached to the NAT gateways

Required Permissions

  • ec2:DescribeVpcs
  • ec2:DescribeAddresses
  • ec2:DescribeVpcAttribute
  • ec2:DescribeVpcClassicLink
  • ec2:DescribeVpcClassicLinkDnsSupport
  • ec2:DescribeRouteTables
  • ec2:DescribeSecurityGroups
  • ec2:DescribeNetworkAcls
  • ec2:DescribeSubnets
  • ec2:DescribeInternetGateways
  • ec2:DescribeNatGateways
  • ec2:ModifyVpcAttribute
  • ec2:AllocateAddress
  • ec2:ReleaseAddress
  • ec2:AssociateRouteTable
  • ec2:DisassociateRouteTable
  • ec2:AttachInternetGateway
  • ec2:DetachInternetGateway
  • ec2:DeleteInternetGateway
  • ec2:CreateRoute
  • ec2:CreateNatGateway
  • ec2:CreateVpc
  • ec2:CreateTags
  • ec2:CreateSubnet
  • ec2:CreateRouteTable
  • ec2:CreateInternetGateway
  • ec2:DeleteRoute
  • ec2:DeleteRouteTable
  • ec2:DeleteSubnet
  • ec2:DeleteNatGateway
  • ec2:DeleteVpc
  • s3:ListBucket
  • s3:GetObject
  • s3:GetObjectTagging
  • s3:DeleteObject
  • route53:AssociateVPCWithHostedZone
  • route53:DisassociateVPCFromHostedZone
  • route53:GetChange
  • route53:GetHostedZone

Development

Machine Requirements

In order for the build to run correctly, a few tools will need to be installed on your development machine:

  • Ruby (2.3.1)
  • Bundler
  • git
  • git-crypt
  • gnupg
  • direnv

Mac OS X Setup

Installing the required tools is best managed by homebrew.

To install homebrew:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then, to install the required tools:

# ruby
brew install rbenv
brew install ruby-build
echo 'eval "$(rbenv init - bash)"' >> ~/.bash_profile
echo 'eval "$(rbenv init - zsh)"' >> ~/.zshrc
eval "$(rbenv init -)"
rbenv install 2.3.1
rbenv rehash
rbenv local 2.3.1
gem install bundler

# git, git-crypt, gnupg
brew install git
brew install git-crypt
brew install gnupg

# direnv
brew install direnv
echo "$(direnv hook bash)" >> ~/.bash_profile
echo "$(direnv hook zsh)" >> ~/.zshrc
eval "$(direnv hook $SHELL)"

direnv allow <repository-directory>

Running the build

To provision module infrastructure, run tests and then destroy that infrastructure, execute:

./go

To provision the module prerequisites:

./go deployment:prerequisites:provision[<deployment_identifier>]

To provision the module contents:

./go deployment:harness:provision[<deployment_identifier>]

To destroy the module contents:

./go deployment:harness:destroy[<deployment_identifier>]

To destroy the module prerequisites:

./go deployment:prerequisites:destroy[<deployment_identifier>]

Common Tasks

Generating an SSH key pair

To generate an SSH key pair:

ssh-keygen -t rsa -b 4096 -C integration-test@example.com -N '' -f config/secrets/keys/bastion/ssh

Managing CircleCI keys

To encrypt a GPG key for use by CircleCI:

openssl aes-256-cbc \
  -e \
  -md sha1 \
  -in ./config/secrets/ci/gpg.private \
  -out ./.circleci/gpg.private.enc \
  -k "<passphrase>"

To check decryption is working correctly:

openssl aes-256-cbc \
  -d \
  -md sha1 \
  -in ./.circleci/gpg.private.enc \
  -k "<passphrase>"

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/tobyclemson/terraform-aws-base-networking. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The library is available as open source under the terms of the MIT License.

About

Terraform module for building base networking in AWS

Topics

infrastructure terraform terraform-modules nat vpc subnets private-subnets public-subnets subnet

Resources

Readme

License

MIT License

Releases

80 tags

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages

You can’t perform that action at this time.