Merge pull request #325 from binbashar/feature/update-vpc-modules

Feature/update vpc modules

apps-devstg/us-east-1/base-network/config.tf

@@ -54,38 +54,49 @@ data "terraform_remote_state" "tools-vpn-server" {
   }
 }
 
-#
-# data type from output for vpc
-#
-data "terraform_remote_state" "vpc-shared" {
+# VPC remote states for network
+data "terraform_remote_state" "network-vpcs" {
+  for_each = local.network-vpcs
+
   backend = "s3"
 
   config = {
-    region  = var.region
-    profile = "${var.project}-shared-devops"
-    bucket  = "${var.project}-shared-terraform-backend"
-    key     = "shared/network/terraform.tfstate"
+    region  = lookup(each.value, "region")
+    profile = lookup(each.value, "profile")
+    bucket  = lookup(each.value, "bucket")
+    key     = lookup(each.value, "key")
   }
 }
 
-data "terraform_remote_state" "vpc-network" {
+# VPC remote states for shared
+data "terraform_remote_state" "shared-vpcs" {
+
+  for_each = local.shared-vpcs
+
   backend = "s3"
 
   config = {
-    region  = var.region
-    profile = "${var.project}-network-devops"
-    bucket  = "${var.project}-network-terraform-backend"
-    key     = "network/network/terraform.tfstate"
+    region  = lookup(each.value, "region")
+    profile = lookup(each.value, "profile")
+    bucket  = lookup(each.value, "bucket")
+    key     = lookup(each.value, "key")
   }
 }
 
-data "terraform_remote_state" "k8s-eks-demoapps" {
+# VPC remote states for apps-devstg
+data "terraform_remote_state" "apps-devstg-vpcs" {
+
+  for_each = {
+    for k, v in local.apps-devstg-vpcs :
+    k => v if !v["tgw"]
+  }
+
   backend = "s3"
 
   config = {
-    region  = var.region
-    profile = "${var.project}-apps-devstg-devops"
-    bucket  = "${var.project}-apps-devstg-terraform-backend"
-    key     = "apps-devstg/k8s-eks-demoapps/network/terraform.tfstate"
+    region  = lookup(each.value, "region")
+    profile = lookup(each.value, "profile")
+    bucket  = lookup(each.value, "bucket")
+    key     = lookup(each.value, "key")
   }
 }

apps-devstg/us-east-1/base-network/locals.tf

@@ -55,6 +55,21 @@ locals {
 }
 
 locals {
+  # private inbounds
+  private_inbound = flatten([
+    for index, state in local.datasources-vpcs : [
+      for k, v in state.outputs.private_subnets_cidr :
+      {
+        rule_number = 10 * (index(keys(local.datasources-vpcs), index) + 1) + 100 * k
+        rule_action = "allow"
+        from_port   = 0
+        to_port     = 65535
+        protocol    = "all"
+        cidr_block  = state.outputs.private_subnets_cidr[k]
+      }
+    ]
+  ])
+
   network_acls = {
     #
     # Allow / Deny VPC private subnets inbound default traffic
@@ -69,26 +84,34 @@ locals {
         cidr_block  = local.private_subnets_cidr[0]
       },
       {
-        rule_number = 900 # NTP traffic
+        rule_number = 900 # shared pritunl vpn server
+        rule_action = "allow"
+        from_port   = 0
+        to_port     = 65535
+        protocol    = "all"
+        cidr_block  = "${data.terraform_remote_state.tools-vpn-server.outputs.instance_private_ip}/32"
+      },
+      {
+        rule_number = 910 # NTP traffic
         rule_action = "allow"
         from_port   = 123
         to_port     = 123
         protocol    = "udp"
         cidr_block  = "0.0.0.0/0"
       },
       {
-        rule_number = 910 # Fltering known TCP ports (0-1024)
+        rule_number = 920 # Fltering known TCP ports (0-1024)
         rule_action = "allow"
         from_port   = 1024
-        to_port     = 65535
+        to_port     = 65525
         protocol    = "tcp"
         cidr_block  = "0.0.0.0/0"
       },
       {
-        rule_number = 920 # Fltering known UDP ports (0-1024)
+        rule_number = 930 # Fltering known UDP ports (0-1024)
         rule_action = "allow"
         from_port   = 1024
-        to_port     = 65535
+        to_port     = 65525
         protocol    = "udp"
         cidr_block  = "0.0.0.0/0"
       },
@@ -97,23 +120,75 @@ locals {
     #
     # Allow VPC private subnets inbound traffic
     #
-    private_inbound = [
-      {
-        rule_number = 100 # shared pritunl vpn server
-        rule_action = "allow"
-        from_port   = 0
-        to_port     = 65535
-        protocol    = "all"
-        cidr_block  = "${data.terraform_remote_state.tools-vpn-server.outputs.instance_private_ip}/32"
-      },
-      {
-        rule_number = 110 # shared private subnets
-        rule_action = "allow"
-        from_port   = 0
-        to_port     = 65535
-        protocol    = "all"
-        cidr_block  = data.terraform_remote_state.vpc-shared.outputs.private_subnets_cidr[0]
-      }
-    ]
+    private_inbound = local.private_inbound
+  }
+
+  #
+  # Data source definitions
+  #
+
+  #########
+  # NACLs #
+  #########
+
+  # shared
+  shared-vpcs = {
+    shared-base = {
+      region  = var.region
+      profile = "${var.project}-shared-devops"
+      bucket  = "${var.project}-shared-terraform-backend"
+      key     = "shared/network/terraform.tfstate"
+    }
+  }
+
+  # network
+  network-vpcs = {
+    network-base = {
+      region  = var.region
+      profile = "${var.project}-network-devops"
+      bucket  = "${var.project}-network-terraform-backend"
+      key     = "network/network/terraform.tfstate"
+    }
+    network-firewall = {
+      region  = var.region
+      profile = "${var.project}-network-devops"
+      bucket  = "${var.project}-network-terraform-backend"
+      key     = "network/network-firewall/terraform.tfstate"
+    }
   }
+
+  datasources-vpcs = merge(
+    var.enable_tgw ? data.terraform_remote_state.network-vpcs : null, # network
+    data.terraform_remote_state.shared-vpcs,                          # shared
+  )
+
+  ################
+  # VPC Peerings #
+  ################
+
+  # apps-devstg
+  apps-devstg-vpcs = {
+    apps-devstg-base = {
+      region  = var.region
+      profile = "${var.project}-apps-devstg-devops"
+      bucket  = "${var.project}-apps-devstg-terraform-backend"
+      key     = "apps-devstg/network/terraform.tfstate"
+      tgw     = false
+    }
+    apps-devstg-k8s-eks = {
+      region  = var.region
+      profile = "${var.project}-apps-devstg-devops"
+      bucket  = "${var.project}-apps-devstg-terraform-backend"
+      key     = "apps-devstg/k8s-eks/network/terraform.tfstate"
+      tgw     = false
+    }
+    apps-devstg-k8s-eks-demoapps = {
+      region  = var.region
+      profile = "${var.project}-apps-devstg-devops"
+      bucket  = "${var.project}-apps-devstg-terraform-backend"
+      key     = "apps-devstg/k8s-eks-demoapps/network/terraform.tfstate"
+      tgw     = false
+    }
+  }
+
 }

apps-devstg/us-east-1/base-network/network.tf

@@ -1,8 +1,8 @@
 #
-# Network Resources
+# VPC
 #
 module "vpc" {
-  source = "github.com/binbashar/terraform-aws-vpc.git?ref=v2.71.0"
+  source = "github.com/binbashar/terraform-aws-vpc.git?ref=v3.11.0"
 
   name = local.vpc_name
   cidr = local.vpc_cidr_block
@@ -11,16 +11,15 @@ module "vpc" {
   private_subnets = local.private_subnets
   public_subnets  = local.public_subnets
 
-  enable_nat_gateway       = var.vpc_enable_nat_gateway
-  single_nat_gateway       = var.vpc_single_nat_gateway
-  enable_dns_hostnames     = var.vpc_enable_dns_hostnames
-  enable_vpn_gateway       = var.vpc_enable_vpn_gateway
-  enable_s3_endpoint       = var.vpc_enable_s3_endpoint
-  enable_dynamodb_endpoint = var.vpc_enable_dynamodb_endpoint
+  enable_nat_gateway   = var.vpc_enable_nat_gateway
+  single_nat_gateway   = var.vpc_single_nat_gateway
+  enable_dns_hostnames = var.vpc_enable_dns_hostnames
+  enable_vpn_gateway   = var.vpc_enable_vpn_gateway
 
+  # Use a custom network ACL rules for private and public subnets
   manage_default_network_acl    = false
-  public_dedicated_network_acl  = true // use dedicated network ACL for the public subnets.
-  private_dedicated_network_acl = true // use dedicated network ACL for the private subnets.
+  public_dedicated_network_acl  = true
+  private_dedicated_network_acl = true
   private_inbound_acl_rules = concat(
     local.network_acls["default_inbound"],
     local.network_acls["private_inbound"],
@@ -30,3 +29,74 @@ module "vpc" {
   private_subnet_tags = local.private_subnet_tags
   tags                = local.tags
 }
+
+# VPC Endpoints
+locals {
+  vpc_endpoints = merge({
+    # S3
+    s3 = {
+      service      = "s3"
+      service_type = "Gateway"
+    }
+    # DynamamoDB
+    dynamodb = {
+      service      = "dynamodb"
+      service_type = "Gateway"
+    }
+    },
+    # KMS
+    { for k, v in { kms = "Interface" } :
+      k => {
+        service             = k
+        service_type        = v
+        security_group_ids  = aws_security_group.kms_vpce[0].id
+        private_dns_enabled = var.enable_kms_endpoint_private_dns
+      } if var.enable_kms_endpoint
+    }
+  )
+}
+
+module "vpc_endpoints" {
+  source = "github.com/binbashar/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v3.11.0"
+
+  for_each = local.vpc_endpoints
+
+  vpc_id = module.vpc.vpc_id
+
+  endpoints = {
+    endpoint = merge(each.value,
+      {
+        route_table_ids = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids)
+      }
+    )
+  }
+
+  tags = local.tags
+}
+
+#
+# KMS VPC Endpoint: Security Group
+#
+resource "aws_security_group" "kms_vpce" {
+  count       = var.enable_kms_endpoint ? 1 : 0
+  name        = "kms_vpce"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [local.vpc_cidr_block]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = local.tags
+}