# Security group attached to the bastion host. The group itself carries no
# inline rules; the aws_security_group_rule resources below attach to it via
# security_group_id so each rule can be added or removed independently.
resource "aws_security_group" "bastion" {
  vpc_id      = var.vpc_id
  name        = var.name
  description = "Bastion security group (only SSH inbound access is allowed)"

  tags = {
    Name = var.name
  }
}
# Inbound SSH (tcp/22) from the caller-supplied IPv4 and IPv6 CIDR lists.
# NOTE(review): the lists come straight from module variables, so the
# exposure of this bastion is entirely decided by the caller -- confirm the
# variables do not default to 0.0.0.0/0 or ::/0, which would open SSH to the
# whole internet. If both lists are empty the provider will most likely
# reject the rule (it needs at least one source); verify against the
# variables file.
resource "aws_security_group_rule" "ssh_ingress" {
  security_group_id = aws_security_group.bastion.id

  type      = "ingress"
  protocol  = "tcp"
  from_port = 22
  to_port   = 22

  cidr_blocks      = var.allowed_cidr
  ipv6_cidr_blocks = var.allowed_ipv6_cidr
}
# Inbound SSH (tcp/22) from each security group listed in
# var.allowed_security_groups; one rule resource per source group. Direct
# indexing is safe here because count is exactly the list length.
# Switching this to for_each would change the resource addresses in state
# and force a move, so count is kept deliberately.
resource "aws_security_group_rule" "ssh_sg_ingress" {
  count = length(var.allowed_security_groups)

  security_group_id        = aws_security_group.bastion.id
  source_security_group_id = var.allowed_security_groups[count.index]

  type      = "ingress"
  protocol  = "tcp"
  from_port = 22
  to_port   = 22
}
# Unrestricted outbound traffic (every protocol, every port) to all IPv4 and
# IPv6 destinations.
# NOTE(review): a bastion is a natural pivot point, so unrestricted egress
# widens the blast radius of a compromised instance. The user_data template
# below is handed an S3 bucket, so at least S3 reachability is presumably
# required; if the bastion has no other legitimate outbound needs, consider
# narrowing this to the VPC CIDR plus an S3 prefix list / gateway endpoint.
# Left as-is here because tightening it is an environment-specific decision.
resource "aws_security_group_rule" "bastion_all_egress" {
  security_group_id = aws_security_group.bastion.id

  type      = "egress"
  protocol  = "all"
  from_port = 0
  to_port   = 65535

  cidr_blocks      = ["0.0.0.0/0"]
  ipv6_cidr_blocks = ["::/0"]
}
# Renders the bastion's cloud-init user data. When var.user_data_file is
# non-empty its value is used as the template *text* (it is not passed
# through file()), otherwise the module's bundled user_data.sh is read.
#
# NOTE(review): the hashicorp/template provider behind this data source is
# deprecated in favour of the built-in templatefile() function; migrating
# would require var.user_data_file to become a path, so it is left alone
# here. Also be aware that every value below -- including
# additional_user_data_script, which is spliced into a shell script
# verbatim -- ends up in instance user data, which is readable from inside
# the instance via IMDS. Do not pass secrets through these variables.
data "template_file" "user_data" {
  template = var.user_data_file != "" ? var.user_data_file : file("${path.module}/user_data.sh")

  vars = {
    ssh_user                    = var.ssh_user
    s3_bucket_name              = var.s3_bucket_name
    s3_bucket_uri               = var.s3_bucket_uri
    keys_update_frequency       = var.keys_update_frequency
    enable_hourly_cron_updates  = var.enable_hourly_cron_updates
    additional_user_data_script = var.additional_user_data_script
  }
}
// Superseded single-instance variant, kept commented out for reference; the
// launch configuration and autoscaling group below replace it. It still uses
// legacy "${...}" interpolation and references template_file.user_data without
// the data. prefix, so it would need updating before it could be revived.
//resource "aws_instance" "bastion" {
// ami = "${var.ami}"
// instance_type = "${var.instance_type}"
// iam_instance_profile = "${var.iam_instance_profile}"
// subnet_id = "${var.subnet_id}"
// vpc_security_group_ids = ["${aws_security_group.bastion.id}"]
// user_data = "${template_file.user_data.rendered}"
// http_endpoint = var.enable_http_endpoint ? "enabled" : "disabled"
// http_tokens = var.use_imds_v2 ? "required" : "optional"
// http_put_response_hop_limit = var.http_put_response_hop_limit
// http_protocol_ipv6 = var.enable_http_protocol_ipv6 ? "enabled" : "disabled"
// instance_metadata_tags = var.enable_instance_metadata_tags ? "enabled" : "disabled"
//
// count = 1
//
// tags {
// Name = "${var.name}"
// }
//}
# Launch configuration used by the bastion autoscaling group. Changing any
# attribute creates a new configuration (name_prefix + create_before_destroy)
# rather than updating in place, so the ASG can roll over cleanly.
#
# NOTE(review): AWS has deprecated launch configurations in favour of launch
# templates; migrating is a behaviour change for callers (different ASG
# arguments), so it is only flagged here.
resource "aws_launch_configuration" "bastion" {
  name_prefix   = "${var.name}-"
  image_id      = var.ami
  instance_type = var.instance_type
  key_name      = var.key_name

  # The bastion's own security group plus any extra groups the caller passed
  # as a comma-separated string; compact() drops the empty entry that split()
  # produces when var.security_group_ids is "".
  security_groups = compact(
    concat(
      [aws_security_group.bastion.id],
      split(",", var.security_group_ids),
    ),
  )

  iam_instance_profile        = var.iam_instance_profile
  associate_public_ip_address = var.associate_public_ip_address
  enable_monitoring           = var.enable_monitoring

  # Rendered cloud-init script (see data.template_file.user_data).
  user_data = data.template_file.user_data.rendered

  # NOTE(review): no encryption setting is given for the root volume, so it
  # inherits whatever the AMI snapshot / account default provides. Verify
  # that EBS encryption-by-default is on in the account, or confirm whether
  # an explicit encrypted flag is accepted for the root device here.
  root_block_device {
    volume_size = var.instance_volume_size_gb
  }

  # Doc: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options
  # NOTE(review): when var.use_imds_v2 is false, IMDSv1 stays reachable, which
  # makes any SSRF or local file read on the bastion a path to the instance
  # profile credentials. For a bastion the secure defaults are
  # http_tokens = "required" and http_put_response_hop_limit = 1; confirm
  # the variables' defaults match.
  metadata_options {
    http_endpoint               = var.enable_http_endpoint ? "enabled" : "disabled"
    http_tokens                 = var.use_imds_v2 ? "required" : "optional"
    http_put_response_hop_limit = var.http_put_response_hop_limit
  }

  lifecycle {
    create_before_destroy = true
  }
}
# Autoscaling group that keeps exactly one bastion instance alive across the
# given subnets. With var.apply_changes_immediately the group is named after
# the launch configuration, so any LC change renames and therefore replaces
# the group (create_before_destroy) instead of waiting for the next instance
# cycle; otherwise the group keeps the stable var.name.
#
# Health checking is EC2-only (no load balancer in front of a bastion), and
# wait_for_capacity_timeout = 0 means apply returns without waiting for the
# instance to become healthy.
resource "aws_autoscaling_group" "bastion" {
  name                 = var.apply_changes_immediately ? aws_launch_configuration.bastion.name : var.name
  launch_configuration = aws_launch_configuration.bastion.name
  vpc_zone_identifier  = var.subnet_ids

  # Fixed-size group of one.
  min_size         = 1
  max_size         = 1
  desired_capacity = 1

  health_check_type         = "EC2"
  health_check_grace_period = 60
  force_delete              = false
  wait_for_capacity_timeout = 0

  enabled_metrics = [
    "GroupMinSize",
    "GroupMaxSize",
    "GroupDesiredCapacity",
    "GroupInServiceInstances",
    "GroupPendingInstances",
    "GroupStandbyInstances",
    "GroupTerminatingInstances",
    "GroupTotalInstances",
  ]

  # Name and EIP tags are propagated to the instance. The EIP tag is presumably
  # read by the user_data script to attach the address at boot (that script is
  # not visible here -- confirm), which would also require ec2:AssociateAddress
  # on the instance profile.
  tags = concat(
    [
      {
        "key"                 = "Name"
        "value"               = var.name
        "propagate_at_launch" = true
      },
      {
        "key"                 = "EIP"
        "value"               = var.eip
        "propagate_at_launch" = true
      },
    ],
    var.extra_tags,
  )

  lifecycle {
    create_before_destroy = true
  }
}