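### Module Main
#
# Builds one VPC with a private and a public subnet per availability zone
# listed in var.azs (a map of AZ suffix -> small integer, e.g. { a = 0, b = 1,
# c = 2 }, judging by how each.key / each.value are used below), an Internet
# Gateway for the public subnets, and one NAT *instance* per AZ (Amazon's
# amzn-ami-vpc-nat AMI, not a managed NAT Gateway) through which the matching
# private subnet reaches the Internet.
#
# Inputs referenced here but declared elsewhere in the module: var.aws_region,
# var.vpc_cidr, var.vpc_name, var.azs.
#
# NOTE(security): this file does not touch the VPC default security group or
# enable VPC flow logs. Consider an empty aws_default_security_group and an
# aws_flow_log so the default SG cannot be (mis)used and traffic is auditable.

provider "aws" {
  region = var.aws_region
}

# == OUR VPC
resource "aws_vpc" "main" {
  cidr_block = var.vpc_cidr

  tags = {
    Name        = "${var.vpc_name}-vpc"
    Terraform   = true
    Environment = "production"
  }
}

# == OUR VPC SUBNETS
# cidrsubnet() carves the VPC CIDR into 2^4 = 16 equal subnets:
#   cidrsubnet("172.22.0.0/16", 4, index)
# Private subnets take index = each.value counting up from 0, public subnets
# take index = 15 - each.value counting down from 15, so the two families only
# collide once var.azs has more than 8 entries (cidrsubnet itself fails past 16).
resource "aws_subnet" "private" {
  for_each = var.azs

  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 4, each.value)
  availability_zone       = "${var.aws_region}${each.key}"
  map_public_ip_on_launch = false

  tags = {
    Name = "${var.vpc_name}-private-${var.aws_region}${each.key}"
  }
}

resource "aws_subnet" "public" {
  # for_each yields one subnet per AZ, addressed as aws_subnet.public["b"].id
  for_each = var.azs

  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 4, 15 - each.value)
  availability_zone       = "${var.aws_region}${each.key}"
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.vpc_name}-public-${var.aws_region}${each.key}"
  }
}

# == INTERNET GATEWAY
resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "${var.vpc_name}-igw"
  }
}

# == NAT machines within the public subnets
# === Resolve the NAT AMI id
# NOTE(security): amzn-ami-vpc-nat is the Amazon Linux 1 based NAT image; it is
# past its standard support window, so confirm the image you resolve still
# receives patches or plan a move to NAT Gateway / a maintained image. Because
# most_recent = true, any new AMI release changes this id and replaces every
# NAT instance on the next apply (an egress outage for the private subnets);
# pin a specific image, or add lifecycle { ignore_changes = [ami] } to
# aws_instance.nat_instance, if that is not wanted.
data "aws_ami" "nat_ami" {
  most_recent = true

  # Never omit owners with most_recent = true: an unrestricted search can
  # resolve to a look-alike image published by a third party.
  owners = ["amazon"]

  # The original used name_regex = "amzn-ami-vpc-nat-*", which is glob syntax,
  # not a regex (as a regex "-*" means "zero or more hyphens"). The "name"
  # filter really is a glob and is evaluated server-side.
  filter {
    name   = "name"
    values = ["amzn-ami-vpc-nat-*"]
  }

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

# === Upload our public key as an EC2 key pair
# Only the public half is stored here, so it is not a secret, but it is a
# personal key (art@OPH80PO196) baked into production code: prefer feeding it
# in through a variable or file() so rotation does not require a code change.
resource "aws_key_pair" "deployer" {
  key_name   = "${var.vpc_name}-deployer-key"
  public_key = "ssh-rsa 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 art@OPH80PO196"
}

# == Security groups

# CIDR blocks allowed to reach the NAT instances on tcp/22.
# SECURITY: the default reproduces the original configuration, which exposed
# SSH on the NAT instances to the whole Internet. Override it with your
# bastion / VPN / office ranges in every real deployment.
variable "nat_ssh_ingress_cidrs" {
  description = "CIDR blocks allowed SSH (tcp/22) access to the NAT instances"
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

resource "aws_security_group" "allow_ssh_to_nat" {
  name        = "allow_ssh"
  description = "Allow SSH inbound traffic"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "SSH to NAT instances from var.nat_ssh_ingress_cidrs"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.nat_ssh_ingress_cidrs
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_ssh_to_nat"
  }
}

# Everything inside the VPC may reach the NAT instances on any port/protocol;
# that is what lets them forward private-subnet traffic. Unrestricted egress is
# likewise required for the NAT role.
resource "aws_security_group" "allow_all_trafic_from_vpc" {
  name        = "allow_all_trafic_from_vpc"
  description = "Allow allow_all_trafic_from_vpc inbound traffic"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "All from VPC"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_all_trafic_from_vpc"
  }
}

# === NAT instances, one per AZ in that AZ's public subnet
resource "aws_instance" "nat_instance" {
  for_each = var.azs

  ami           = data.aws_ami.nat_ami.id
  instance_type = "t2.micro"

  # Required on NAT / VPN hosts that forward traffic on behalf of other machines.
  source_dest_check = false

  # Reference the key pair resource instead of rebuilding its name so Terraform
  # creates the key pair before the instances; with the bare string there was
  # no dependency and a fresh apply could fail with InvalidKeyPair.NotFound.
  key_name = aws_key_pair.deployer.key_name

  # Cloud practice: let the subnet allocate the private IP rather than pinning
  #   private_ip = cidrhost(cidrsubnet(var.vpc_cidr, 4, 15 - each.value), 3)
  subnet_id = aws_subnet.public[each.key].id

  vpc_security_group_ids = [
    aws_security_group.allow_ssh_to_nat.id,
    aws_security_group.allow_all_trafic_from_vpc.id,
  ]

  # NOTE(security): IMDSv2 is not enforced here (metadata_options with
  # http_tokens = "required") and the root volume only gets encryption if the
  # account-level EBS default is on. The NAT AMI's own configuration script is
  # believed to query IMDS without a session token — TODO confirm on the
  # resolved image before enforcing IMDSv2. Turning on root-volume encryption
  # forces instance replacement, so schedule it with the egress outage in mind.

  tags = {
    Name = "${var.vpc_name}-amzn-ami-vpc-nat-${each.key}"
  }
}

resource "aws_eip" "nat_eip" {
  for_each = var.azs

  # `vpc = true` is the pre-v5 provider spelling; AWS provider >= 5 deprecates
  # it in favour of `domain = "vpc"`. Keep whichever matches the provider
  # version pinned for this module.
  vpc = true

  # The address could be bound inline with
  #   instance = aws_instance.nat_instance[each.key].id
  # (optionally pinned with associate_with_private_ip), but the binding lives
  # in a separate aws_eip_association so the EIP outlives the instance.
  # Per the provider docs, an EIP in a VPC must be created after the IGW.
  depends_on = [aws_internet_gateway.gw]
}

resource "aws_eip_association" "eip_assoc" {
  for_each = var.azs

  instance_id   = aws_instance.nat_instance[each.key].id
  allocation_id = aws_eip.nat_eip[each.key].id
}

# == Routing our subnets

## PUBLIC ROUTE TABLE — a single table shared by all public subnets
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "${var.vpc_name}-public"
  }
}

# One default route: public subnets go straight to the Internet Gateway.
resource "aws_route" "public_igw" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.gw.id
}

## PRIVATE ROUTE TABLES — one per AZ, so each private subnet uses the NAT
## instance in its own AZ and an AZ failure does not black-hole the others.
resource "aws_route_table" "private" {
  for_each = var.azs

  vpc_id = aws_vpc.main.id

  tags = {
    Name = "${var.vpc_name}-private-${var.aws_region}${each.key}"
  }
}

resource "aws_route" "private_route_through_nat" {
  for_each = var.azs

  route_table_id         = aws_route_table.private[each.key].id
  destination_cidr_block = "0.0.0.0/0"

  # Targets the NAT instance directly. Newer provider versions deprecate
  # instance_id on aws_route in favour of network_interface_id
  # (aws_instance.nat_instance[each.key].primary_network_interface_id); verify
  # against the pinned provider before switching.
  instance_id = aws_instance.nat_instance[each.key].id
}

# Associate the route tables (1 public + one private per AZ) with the subnets
# (one public + one private per AZ).
resource "aws_route_table_association" "asso_pub_igw" {
  for_each = var.azs

  subnet_id      = aws_subnet.public[each.key].id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "association_private_nat" {
  for_each = var.azs

  subnet_id      = aws_subnet.private[each.key].id
  route_table_id = aws_route_table.private[each.key].id
}

# Deploy one Ubuntu to private subnet 1a
# Kept commented out as a connectivity smoke test. Note that it reuses the
# SSH security group, so if it is ever enabled make sure
# var.nat_ssh_ingress_cidrs has been narrowed first.
# resource "aws_key_pair" "key_nat" {
#   key_name   = "my-key-nat-12345"
#   public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7IKentO/3FHXk1T2DTudVB6G/FxN2ziGT1UcOiTGzUu9JyZmZrskQKzyFfMvsiSkOio8tT9tHSj1x148nWX8qtu/NM26uVu2DuOg2oN60Y6HSUppeEwtnxH9zYH2WAU4Y45Y28YpLDz9/CC+O+ulBZP2JHHfYG4seX3Zk7+kLdPFLW6HwhMBn1WydDjT/U1x6aHSIIE/JEq9Kj8ni3GKG/JCghBLXDTrg4zg8JhqnY2qFky/ys1OUcusP0CPOHgiXO4OLaYGhZYX0FLYlWZqpazj/A/EBgXgH4owqMtI0Ro4r5hL10VcpUee/3I0Hba1E75Es6wk474wyw7Rj0bql ec2-user@ip-172-22-252-73"
# }
#
# resource "aws_instance" "web" {
#   ami                    = "ami-0144fa93c0eb299d2"
#   instance_type          = "t2.micro"
#   subnet_id              = aws_subnet.private["a"].id
#   key_name               = "my-key-nat-12345"
#   vpc_security_group_ids = [aws_security_group.allow_ssh_to_nat.id, aws_security_group.allow_all_trafic_from_vpc.id]
#
#   tags = {
#     Name = "test private"
#   }
# }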