diff --git a/README.md b/README.md index d5126e9..c15b7b0 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,6 @@ ## Examples - [EC2 Blueprint](https://github.com/Young-ook/terraform-aws-ssm/tree/main/examples/blueprint) -- [Bastion host using EIP for allowlist firewall](https://github.com/Young-ook/terraform-aws-ssm/blob/main/examples/eip) - [AWS Fault Injection Simulator with AWS Systems Manager](https://github.com/Young-ook/terraform-aws-fis/blob/main/examples/ec2) - [AWS Fault Injection Simulator with Amazon Elastic Kubernetes Service](https://github.com/Young-ook/terraform-aws-fis/blob/main/examples/eks) - [AWS Fault Injection Simulator with Amazon ElastiCach for Redis](https://github.com/Young-ook/terraform-aws-fis/blob/main/examples/redis) diff --git a/examples/blueprint/main.tf b/examples/blueprint/main.tf index 48a1a0b..02fa1b4 100644 --- a/examples/blueprint/main.tf +++ b/examples/blueprint/main.tf @@ -14,7 +14,7 @@ provider "aws" { region = var.aws_region } -### vpc +### network/vpc module "vpc" { source = "Young-ook/vpc/aws" version = "1.0.3" @@ -23,7 +23,7 @@ module "vpc" { vpc_config = var.use_default_vpc ? null : { azs = var.azs cidr = "10.10.0.0/16" - subnet_type = "isolated" + subnet_type = "public" single_ngw = true } vpce_config = [ @@ -38,10 +38,19 @@ module "vpc" { private_dns_enabled = true }, ] +} + +### network/eip +resource "aws_eip" "eip" { + vpc = true + tags = var.tags + lifecycle { + create_before_destroy = true + } } -# ec2 +### compute module "ec2" { source = "Young-ook/ssm/aws" version = "1.0.5" @@ -57,6 +66,16 @@ module "ec2" { "arn:aws:iam::aws:policy/SecretsManagerReadWrite" ] }, + { + name = "eip" + desired_size = 1 + min_size = 1 + max_size = 1 + instance_type = "t3.small" + tags = merge({ eipAllocId = aws_eip.eip.id }) + user_data = file("${path.module}/templates/eip.tpl") + policy_arns = [aws_iam_policy.eip.arn] + }, { name = "spot" desired_size = 1 
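Review bot: Switching `subnet_type` from `"isolated"` to `"public"` in `vpc_config` moves the whole example's network tier, not only the new eip node group, while the `vpce_config` endpoints that let SSM reach isolated instances are kept. If the ssm module's `subnets` argument (outside this hunk) hands these subnets to every node group, the spot and warm-pool groups gain a public route they did not need; consider keeping a private tier for them and selecting public subnets only for the group that must hold the Elastic IP. Whether the vpc module's `"public"` type also creates private subnets is not visible here. The `module "vpc"` block starts before this hunk.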
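Review bot: The new `aws_eip.eip` resource uses `vpc = true`, which the AWS provider deprecated in its 5.x releases in favor of `domain = "vpc"`; the example's provider constraint is outside this hunk, so if it admits 5.x a deprecation warning is expected. Consider `domain = "vpc"` where the constraint permits, or a comment saying why the older argument is kept. A one-line comment on the resource noting that no `aws_eip_association` is declared because the instance presumably attaches the address itself at boot (the policy in this commit grants `ec2:AssociateAddress` and the eip node group carries the allocation id as a tag) would help readers find the userdata template.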
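Review bot: `tags = merge({ eipAllocId = aws_eip.eip.id })` in the new eip node group calls `merge` with a single map, which is a no-op; write `tags = { eipAllocId = aws_eip.eip.id }`, or `tags = merge(var.tags, { eipAllocId = aws_eip.eip.id })` if the intent, as in the removed examples/eip/main.tf, was to keep the common tags on that group. Whether the ssm module already folds its module-level `tags` into each node group's tags is not visible here. The `node_groups` list and the `module "ec2"` block extend outside this hunk.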
@@ -83,7 +102,7 @@ module "ec2" { min_size = 0 max_size = 3 instance_type = "t3.small" - user_data = templatefile("${path.module}/templates/userdata.tpl", { lc_name = "warmpools-lifecycle-hook-action" }) + user_data = templatefile("${path.module}/templates/httpd.tpl", { lc_name = "warmpools-lifecycle-hook-action" }) policy_arns = [aws_iam_policy.lc.arn] warm_pool = { max_group_prepared_capacity = 2 @@ -128,3 +147,20 @@ resource "local_file" "elapsedtime" { filename = "${path.module}/elapsedtime.sh" file_permission = "0500" } + +### security/policy +resource "aws_iam_policy" "eip" { + name = "eip-auto-reassociation-policy" + tags = var.tags + policy = jsonencode({ + Version = "2012-10-17" + Statement = [{ + Action = [ + "ec2:DescribeTags", + "ec2:AssociateAddress", + ] + Effect = "Allow" + Resource = ["*"] + }, ] + }) +} diff --git a/examples/eip/userdata.tpl b/examples/blueprint/templates/eip.tpl similarity index 100% rename from examples/eip/userdata.tpl rename to examples/blueprint/templates/eip.tpl diff --git a/examples/blueprint/templates/userdata.tpl b/examples/blueprint/templates/httpd.tpl similarity index 100% rename from examples/blueprint/templates/userdata.tpl rename to examples/blueprint/templates/httpd.tpl diff --git a/examples/eip/README.md b/examples/eip/README.md deleted file mode 100644 index 0c51025..0000000 --- a/examples/eip/README.md +++ /dev/null 
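Review bot: The new `aws_iam_policy.eip` grants `ec2:AssociateAddress` with `Resource = ["*"]`, so any instance in the eip node group may re-point any Elastic IP in the account to any instance or network interface, not just `aws_eip.eip`. `ec2:DescribeTags` genuinely requires `*` (it has no resource-level permissions), but `AssociateAddress` supports them on elastic-ip, instance and network-interface resources, so the statement should be split and the association scoped to this example's address and its own instances. The fixed `name = "eip-auto-reassociation-policy"` also collides if the blueprint is applied twice in one account; the removed example derived the name from `var.name`.

```hcl
resource "aws_iam_policy" "eip" {
  name = "eip-auto-reassociation-policy"
  tags = var.tags
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # DescribeTags does not support resource-level permissions
        Action   = ["ec2:DescribeTags"]
        Effect   = "Allow"
        Resource = ["*"]
      },
      {
        # limit re-association to this example's address and instances
        Action   = ["ec2:AssociateAddress"]
        Effect   = "Allow"
        Resource = [
          "<PLACEHOLDER: ARN of aws_eip.eip>",
          "<PLACEHOLDER: ARN pattern for the eip node group's instances and ENIs>",
        ]
      },
    ]
  })
}
```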
@@ -1,37 +0,0 @@ -# bastion host using EIP (Elastic IP) - -## Download example -Download this example on your workspace -```sh -git clone https://github.com/Young-ook/terraform-aws-ssm -cd terraform-aws-ssm/examples/eip -``` - -## Setup -[This](https://github.com/Young-ook/terraform-aws-ssm/blob/main/examples/eip/main.tf) is the example of terraform configuration file to create an EC2 instance which is managed by Systems Manager on your AWS account. Check out and apply it using terraform command. - -If you don't have the terraform tools in your environment, go to the main [page](https://github.com/Young-ook/terraform-aws-ssm#terraform) of this repository and follow the installation instructions. - -Run terraform: -``` -terraform init -terraform apply -``` -Also you can use the `-var-file` option for customized paramters when you run the terraform plan/apply command. -``` -terraform plan -var-file tc1.tfvars -terraform apply -var-file tc1.tfvars -``` - -## Connect -Move to the EC2 service page on the AWS Management Conosol and select Instances button on the left side menu. Find an instance that you launched. Select the instance and click 'Connect' button on top of the window. After then you will see three tabs EC2 Instance Connect, Session Manager, SSH client. Select Session Manager tab and follow the instruction on the screen. - -## Clean up -Run terraform: -``` -terraform destroy -``` -Don't forget you have to use the `-var-file` option when you run terraform destroy command to delete the aws resources created with extra variable files. -``` -terraform destroy -var-file tc1.tfvars -``` diff --git a/examples/eip/default.auto.tfvars b/examples/eip/default.auto.tfvars deleted file mode 100644 index 2c51d4e..0000000 --- a/examples/eip/default.auto.tfvars +++ /dev/null @@ -1,6 +0,0 @@ -aws_region = "ap-northeast-2" -name = "ssm-eip" -tags = { - env = "dev" - region = "seoul" -} 
diff --git a/examples/eip/fixture.tc1.tfvars b/examples/eip/fixture.tc1.tfvars deleted file mode 100644 index 60e51a1..0000000 --- a/examples/eip/fixture.tc1.tfvars +++ /dev/null @@ -1,7 +0,0 @@ -aws_region = "ap-northeast-1" -name = "ssm-eip-tc1" -tags = { - env = "dev" - region = "tokyo" - test = "tc1" -} diff --git a/examples/eip/fixture.tc2.tfvars b/examples/eip/fixture.tc2.tfvars deleted file mode 100644 index d09c3c0..0000000 --- a/examples/eip/fixture.tc2.tfvars +++ /dev/null @@ -1,7 +0,0 @@ -aws_region = "us-east-2" -name = "ssm-eip-tc2" -tags = { - env = "dev" - region = "ohio" - test = "tc2" -} diff --git a/examples/eip/main.tf b/examples/eip/main.tf deleted file mode 100644 index 60749dd..0000000 --- a/examples/eip/main.tf +++ /dev/null @@ -1,68 +0,0 @@ -# bastion host using EIP - -terraform { - required_version = "~> 1.0" - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.71" - } - } -} - -provider "aws" { - region = var.aws_region -} - -# eip -resource "aws_eip" "eip" { - vpc = true - - lifecycle { - create_before_destroy = true - } -} - -# describe tags policy -resource "aws_iam_policy" "eip" { - name = join("-", [var.name, "describe-tags"]) - tags = var.tags - policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Action = [ - "ec2:DescribeTags", - "ec2:AssociateAddress", - ] - Effect = "Allow" - Resource = ["*"] - }, ] - }) -} - -# default vpc -module "vpc" { - source = "Young-ook/vpc/aws" - version = "1.0.1" - name = var.name - tags = var.tags -} - -# ec2 -module "ec2" { - source = "../../" - name = var.name - tags = merge(var.tags, { eipAllocId = aws_eip.eip.id }) - subnets = values(module.vpc.subnets["public"]) - node_groups = [ - { - name = "gateway" - desired_size = 1 - min_size = 1 - max_size = 1 - instance_type = "t3.small" - user_data = file("${path.module}/userdata.tpl") - policy_arns = [aws_iam_policy.eip.arn] - } - ] -} 
diff --git a/examples/eip/outputs.tf b/examples/eip/outputs.tf deleted file mode 100644 index 1a9da9f..0000000 --- a/examples/eip/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "ec2" { - description = "The generated AWS EC2 autoscaling group" - value = module.ec2.cluster -} diff --git a/examples/eip/variables.tf b/examples/eip/variables.tf deleted file mode 100644 index 21418fc..0000000 --- a/examples/eip/variables.tf +++ /dev/null @@ -1,27 +0,0 @@ -# Variables for providing to module fixture codes - -### network -variable "aws_region" { - description = "The aws region to deploy" - type = string - default = "us-east-1" -} - -variable "node_groups" { - description = "Node groups definition" - default = [] -} - -### description -variable "name" { - description = "The logical name of the module instance" - type = string - default = "ssm" -} - -### tags -variable "tags" { - description = "The key-value maps for tagging" - type = map(string) - default = {} -}