terraformdsl 0.0.1
- checksums.yaml +7 -0
- data/.gitignore +8 -0
- data/.travis.yml +7 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +21 -0
- data/README.md +370 -0
- data/Rakefile +10 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/examples/Rakefile +42 -0
- data/examples/aws-infra.rb +204 -0
- data/examples/aws-infra.tf +472 -0
- data/examples/terraform.tfvars +4 -0
- data/lib/terraformdsl.rb +8 -0
- data/lib/terraformdsl/aws.rb +1072 -0
- data/lib/terraformdsl/common.rb +112 -0
- data/lib/terraformdsl/version.rb +5 -0
- data/terraformdsl.gemspec +30 -0
- metadata +103 -0
data/bin/setup
ADDED
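--- a/data/examples/Rakefile
+++ b/data/examples/Rakefile
@@ -0,0 +1,42 @@
+
+task :setenv do
+ENV['AWS_DEFAULT_REGION'] = "us-east-1"
+ENV['APP_ENV'] ||= "prod"
+#ENV['APP_ENV'] ||= "stg"
+#ENV['APP_ENV'] ||= "dev"
+end
+
+desc "*.rb -> *.tf"
+task :generate => :setenv do
+sh "ruby aws-infra.rb > aws-infra.tf"
+end
+
+desc "terraform init"
+task :init do
+sh "terraform init"
+end
+
+desc "terraform plan"
+task :plan => [:generate, :init] do
+sh "terraform plan"
+end
+
+desc "terraform apply"
+task :apply => [:generate, :init] do
+sh "terraform apply"
+end
+
+desc "terraform destroy"
+task :destroy do
+sh "terraform destroy"
+end
+
+desc "terraform output"
+task :output do
+sh "terraform output"
+end
+
+desc "terraform refresh"
+task :refresh do
+sh "terraform refresh"
+end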
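Review bot: `ENV['AWS_DEFAULT_REGION'] = "us-east-1"` in :setenv unconditionally overwrites whatever region the caller exported, while the very next line treats APP_ENV as a default with `||=`; the result is that the generated aws-infra.tf silently targets us-east-1 regardless of the shell environment. `ENV['AWS_DEFAULT_REGION'] ||= "us-east-1"` would make the two lines consistent and let the environment win. The :destroy task also declares none of the `[:generate, :init]` prerequisites that :plan and :apply have, so `rake destroy` may run against a stale or missing aws-infra.tf; `task :destroy => [:generate, :init] do` keeps the lifecycle tasks uniform.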
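--- a/data/examples/aws-infra.rb
+++ b/data/examples/aws-infra.rb
@@ -0,0 +1,204 @@
+# -*- coding: utf-8 -*-
+
+begin
+require 'terraformdsl/aws'
+rescue LoadError
+require_relative '../lib/terraformdsl/aws'
+end
+
+region = ENV['AWS_DEFAULT_REGION'] or abort("$AWS_DEFAULT_REGION required.")
+app_env = ENV['APP_ENV'] or abort("ERROR: $APP_ENV required.")
+app_env =~ /^(prod|stg|dev)$/ or abort("ERROR: invalid $APP_ENV.")
+
+var = TerraformDSL::Variables.new
+var.define :base_domain , "ex: example.com"
+var.define :office_ip , "ex: 123.123.123.123"
+var.define :db_user , "ex: dbuser"
+var.define :db_pass , "db password"
+
+output = TerraformDSL::Outputs.new
+
+
+vpc = nil
+public_dns_records = []
+private_dns_records = []
+
+aws_infra = TerraformDSL::AWS.infra()
+
+
+aws_infra.region(region) {
+
+az_a = AZ("#{region}a") # ex: 'ap-east-1a'
+az_b = AZ("#{region}b") # ex: 'ap-east-1b'
+az_c = AZ("#{region}c") # ex: 'ap-east-1c'
+az_d = AZ("#{region}d") # ex: 'ap-east-1d'
+
+t3_nano = "t3.nano"
+t3_micro = "t3.micro"
+
+prefix = app_env.downcase()
+
+ubuntu_ami = AMI('ubuntu18lts', "099720109477",
+"ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20190212.1"
+)
+
+vpc = VPC("#{prefix}-vpc", "10.0.0.0/16") {|vpc|
+vpc_cidr = vpc.cidr
+ec2_sshkey_name = "#{prefix}-ubuntu"
+bastion_sshkey_name = "#{prefix}-bastion"
+
+### Internet Gateway
+gateway = InternetGateway("#{prefix}-gateway")
+
+## Route Table
+public_rt = RouteTable("#{prefix}-public-routing") {
+Route(nil, gateway: gateway)
+}
+private_rt = RouteTable("#{prefix}-private-routing") {
+#Route(nil, gateway: gateway)
+}
+
+### Subnet
+public_a = Subnet("#{prefix}-public-a" , "10.0.1.0/24" , az_a, public_rt)
+public_b = Subnet("#{prefix}-public-b" , "10.0.2.0/24" , az_b, public_rt)
+public_c = Subnet("#{prefix}-public-c" , "10.0.3.0/24" , az_c, public_rt)
+private_a = Subnet("#{prefix}-private-a", "10.0.11.0/24", az_a, private_rt)
+private_b = Subnet("#{prefix}-private-b", "10.0.12.0/24", az_b, private_rt)
+private_c = Subnet("#{prefix}-private-c", "10.0.13.0/24", az_c, private_rt)
+
+## Security Group
+bastion_server = "#{prefix}-bastion"
+bastion_secgrp = SecurityGroup("#{prefix}-bastion-secgrp", "allows ssh") {
+#Ingress(:any , 0, :self)
+Ingress(:tcp , 22, "#{var.office_ip}/32") # allows ssh only from office ip
+Ingress(:icmp, nil, [vpc_cidr, "#{var.office_ip}/32"])
+Egress( :any , 0, nil)
+}
+public_secgrp = SecurityGroup("#{prefix}-public-secgrp", "allows http,https") {
+Ingress(:any , 0, :self)
+Ingress(:tcp , 22, bastion_server)
+Ingress(:tcp , 80, nil)
+Ingress(:tcp , 443, nil)
+Ingress(:icmp, nil, vpc_cidr)
+Egress( :any , 0, nil)
+}
+private_secgrp = SecurityGroup("#{prefix}-private-secgrp", "deny inbound, allow outbound") {
+Ingress(:any , 0, :self)
+Ingress(:tcp , 22, bastion_server)
+Ingress(:tcp , 5432, public_secgrp) # PostgreSQL port
+Ingress(:icmp, nil, vpc_cidr)
+Egress( :any , 0, nil)
+}
+
+### EC2 and EIP
+let public_a, bastion_secgrp, ubuntu_ami, bastion_sshkey_name do
+|sn, sg, ami, kn|
+bastion = EC2(bastion_server , t3_nano, ami, sn, sg, kn)
+bastion_ip = EIP("#{prefix}-bastion-ip", bastion)
+public_dns_records << [:A, "bastion", bastion_ip]
+private_dns_records << [:A, "bastion", bastion]
+output[:bastion_ip] = bastion_ip.attr(:public_ip)
+end
+let public_a, public_secgrp, ubuntu_ami, ec2_sshkey_name do
+|sn, sg, ami, kn|
+www_ec2 = EC2("#{prefix}-www-ec2" , t3_micro, ami, sn, sg, kn)
+www_ip = EIP("#{prefix}-www-ip" , www_ec2)
+public_dns_records << [:A, "www" , www_ip]
+private_dns_records << [:A, "www" , www_ec2]
+output[:www_ip] = www_ip.attr(:public_ip)
+end
+
+### RDS
+rds_master = nil
+rds_slave = nil
+let do
+subnetgrp = RDS_SubnetGroup("rds-subnetgrp", [private_a, private_c])
+paramgrp = RDS_ParameterGroup("pg10-paramgrp", "postgres10", {
+#"rds.log_retention_period" => 10080, # = 60min * 24h * 7day
+#"random_page_cost" => 1.1,
+"work_mem" => 16384, # = 1024KB * 16MB
+"maintenance_work_mem" => 32768, # = 1024KB * 32MB
+#"log_filename" => "postgresql.log.%Y-%m-%d",
+#"log_rotation_age" => 1440, # = 60min * 24h
+#"log_lock_waits" => 1,
+#"log_min_messages" => "notice",
+#"log_min_duration_statement" => 200, # msec
+#"log_temp_files" => 0,
+#"log_connections" => 1,
+#"log_disconnections" => 1,
+"shared_preload_libraries!" => "auto_explain,pg_stat_statements",
+#"auto_explain.log_min_duration" => 200, # msec
+#"auto_explain.log_format" => "text", # text,xml,json,yaml
+#"auto_explain.log_analyze" => 1,
+#"auto_explain.log_buffers" => 1,
+#"auto_explain.log_nested_statements" => 1,
+#"pg_stat_statements.save" => 1, # default: 1
+#"pg_stat_statements.track" => "all", # default: top
+#"pg_stat_statements.max!" => 1000, # default: 1000
+#"track_activity_query_size!" => 1024, # default: 1024
+})
+#optiongrp = RDS_OptionGroup("")
+optiongrp = nil
+#
+rds_master = RDS_Instance("db-master", "db.t2.small")
+let rds_master do |rds|
+rds.database = {engine: "postgres", version: "10.6",
+name: nil, port: 5432,
+user: var.db_user, password: var.db_pass,
+parameter_group: paramgrp, option_group: optiongrp}
+rds.network = {subnet_group: subnetgrp,
+security_group: [private_secgrp],
+az: az_a, public_access: false, multi_az: false}
+rds.storage = {type: :general, size: '20GB'}
+rds.encryption = {enable: false}
+rds.backup = {days: 14, window: {start: '00:00', hours: 0.5}}
+rds.monitoring = {interval: 60} # 60sec
+rds.maintenance = {auto_upgrade: true, maintenace_window: nil}
+end
+output[:rds_master_endpoint] = rds_master.attr(:endpoint)
+#
+rds_slave = RDS_ReadReplica("db-slave", "db.t2.micro", rds_master)
+let rds_slave do |rds|
+rds.database = {port: 5432}
+rds.network = {region: region, subnet_group: subnetgrp,
+az: az_c, public_access: false, multi_az: false}
+rds.storage = {type: :general, size: '20GB'}
+rds.encryption = {enable: false}
+rds.monitoring = {interval: 60} # 60sec
+rds.maintenance = {auto_upgrade: true}
+end
+output[:rds_slave_endpoint] = rds_slave.attr(:endpoint)
+end#let
+
+}#vpc
+
+}#region
+
+
+aws_infra.global {
+
+Route53() {
+
+Zone("public-#{app_env}", var.base_domain) {
+s = app_env == "prod" ? "" : "#{app_env}-"
+public_dns_records.each do |type, name, value|
+Record(type, s+name, value)
+end
+}
+
+PrivateZone("private-#{app_env}", "#{app_env}", vpc) {
+private_dns_records.each do |type, name, value|
+Record(type, name, value)
+end
+}
+
+}
+
+}
+
+
+if __FILE__ == $0
+puts var.generate_tf()
+puts aws_infra.generate_tf()
+puts output.generate_tf()
+end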
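Review bot: The $APP_ENV check on line 11 anchors with `^`/`$`, which in Ruby match at line boundaries rather than string ends, so a value such as "prod\n..." passes validation and is then interpolated through `prefix` into every resource name and into the Route53 zone names; use string anchors instead: `app_env =~ /\A(prod|stg|dev)\z/ or abort("ERROR: invalid $APP_ENV.")`. On line 156 the hash key is spelled `maintenace_window`, so the DSL presumably never recognizes it and the setting is silently dropped (the generated db-master block in aws-infra.tf carries no maintenance_window); `maintenance_window: nil` keeps the intent readable even if the value stays unset. Both `rds.encryption = {enable: false}` lines (153 and 166) surface in the example .tf as `storage_encrypted = "false"` on the master and the replica; for a reference example a short comment explaining why encryption at rest is disabled, or `{enable: true}`, would help readers who copy this layout. `az_d` on line 34 is assigned but never used.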
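--- a/data/examples/aws-infra.tf
+++ b/data/examples/aws-infra.tf
@@ -0,0 +1,472 @@
+variable "base_domain" {
+description = "ex: example.com"
+}
+variable "office_ip" {
+description = "ex: 123.123.123.123"
+}
+variable "db_user" {
+description = "ex: dbuser"
+}
+variable "db_pass" {
+description = "db password"
+}
+
+provider "aws" {
+#access_key = "${var.access_key}"
+#secret_key = "${var.secret_key}"
+region = "us-east-1"
+}
+
+data "aws_ami" "ubuntu18lts" {
+most_recent = true
+owners = ["099720109477"]
+filter {
+name = "name"
+values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20190212.1"]
+}
+}
+
+resource "aws_vpc" "dev-vpc" {
+cidr_block = "10.0.0.0/16"
+enable_dns_support = true
+enable_dns_hostnames = true
+tags {
+Name = "dev-vpc"
+}
+}
+
+resource "aws_internet_gateway" "dev-gateway" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+tags {
+Name = "dev-gateway"
+}
+}
+
+resource "aws_route_table" "dev-public-routing" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+tags {
+Name = "dev-public-routing"
+}
+route {
+cidr_block = "0.0.0.0/0"
+gateway_id = "${aws_internet_gateway.dev-gateway.id}"
+}
+}
+
+resource "aws_route_table" "dev-private-routing" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+tags {
+Name = "dev-private-routing"
+}
+}
+
+resource "aws_subnet" "dev-public-a" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+availability_zone = "us-east-1a"
+cidr_block = "10.0.1.0/24"
+tags {
+Name = "dev-public-a"
+}
+}
+
+resource "aws_route_table_association" "dev-public-routing-dev-public-a" {
+route_table_id = "${aws_route_table.dev-public-routing.id}"
+subnet_id = "${aws_subnet.dev-public-a.id}"
+}
+
+resource "aws_subnet" "dev-public-b" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+availability_zone = "us-east-1b"
+cidr_block = "10.0.2.0/24"
+tags {
+Name = "dev-public-b"
+}
+}
+
+resource "aws_route_table_association" "dev-public-routing-dev-public-b" {
+route_table_id = "${aws_route_table.dev-public-routing.id}"
+subnet_id = "${aws_subnet.dev-public-b.id}"
+}
+
+resource "aws_subnet" "dev-public-c" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+availability_zone = "us-east-1c"
+cidr_block = "10.0.3.0/24"
+tags {
+Name = "dev-public-c"
+}
+}
+
+resource "aws_route_table_association" "dev-public-routing-dev-public-c" {
+route_table_id = "${aws_route_table.dev-public-routing.id}"
+subnet_id = "${aws_subnet.dev-public-c.id}"
+}
+
+resource "aws_subnet" "dev-private-a" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+availability_zone = "us-east-1a"
+cidr_block = "10.0.11.0/24"
+tags {
+Name = "dev-private-a"
+}
+}
+
+resource "aws_route_table_association" "dev-private-routing-dev-private-a" {
+route_table_id = "${aws_route_table.dev-private-routing.id}"
+subnet_id = "${aws_subnet.dev-private-a.id}"
+}
+
+resource "aws_subnet" "dev-private-b" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+availability_zone = "us-east-1b"
+cidr_block = "10.0.12.0/24"
+tags {
+Name = "dev-private-b"
+}
+}
+
+resource "aws_route_table_association" "dev-private-routing-dev-private-b" {
+route_table_id = "${aws_route_table.dev-private-routing.id}"
+subnet_id = "${aws_subnet.dev-private-b.id}"
+}
+
+resource "aws_subnet" "dev-private-c" {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+availability_zone = "us-east-1c"
+cidr_block = "10.0.13.0/24"
+tags {
+Name = "dev-private-c"
+}
+}
+
+resource "aws_route_table_association" "dev-private-routing-dev-private-c" {
+route_table_id = "${aws_route_table.dev-private-routing.id}"
+subnet_id = "${aws_subnet.dev-private-c.id}"
+}
+
+resource "aws_security_group" "dev-bastion-secgrp" {
+name = "dev-bastion-secgrp"
+description = "allows ssh"
+vpc_id = "${aws_vpc.dev-vpc.id}"
+tags {
+Name = "dev-bastion-secgrp"
+}
+ingress {
+from_port = "22"
+to_port = "22"
+protocol = "tcp"
+cidr_blocks = ["${var.office_ip}/32"]
+}
+ingress {
+from_port = "-1"
+to_port = "-1"
+protocol = "icmp"
+cidr_blocks = ["10.0.0.0/16", "${var.office_ip}/32"]
+}
+egress {
+from_port = "0"
+to_port = "0"
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+}
+}
+
+resource "aws_security_group" "dev-public-secgrp" {
+name = "dev-public-secgrp"
+description = "allows http,https"
+vpc_id = "${aws_vpc.dev-vpc.id}"
+tags {
+Name = "dev-public-secgrp"
+}
+ingress {
+from_port = "0"
+to_port = "0"
+protocol = "-1"
+self = true
+}
+ingress {
+from_port = "22"
+to_port = "22"
+protocol = "tcp"
+cidr_blocks = ["${aws_instance.dev-bastion.private_ip}/32"]
+}
+ingress {
+from_port = "80"
+to_port = "80"
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+}
+ingress {
+from_port = "443"
+to_port = "443"
+protocol = "tcp"
+cidr_blocks = ["0.0.0.0/0"]
+}
+ingress {
+from_port = "-1"
+to_port = "-1"
+protocol = "icmp"
+cidr_blocks = ["10.0.0.0/16"]
+}
+egress {
+from_port = "0"
+to_port = "0"
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+}
+}
+
+resource "aws_security_group" "dev-private-secgrp" {
+name = "dev-private-secgrp"
+description = "deny inbound, allow outbound"
+vpc_id = "${aws_vpc.dev-vpc.id}"
+tags {
+Name = "dev-private-secgrp"
+}
+ingress {
+from_port = "0"
+to_port = "0"
+protocol = "-1"
+self = true
+}
+ingress {
+from_port = "22"
+to_port = "22"
+protocol = "tcp"
+cidr_blocks = ["${aws_instance.dev-bastion.private_ip}/32"]
+}
+ingress {
+from_port = "5432"
+to_port = "5432"
+protocol = "tcp"
+security_groups = ["${aws_security_group.dev-public-secgrp.id}"]
+}
+ingress {
+from_port = "-1"
+to_port = "-1"
+protocol = "icmp"
+cidr_blocks = ["10.0.0.0/16"]
+}
+egress {
+from_port = "0"
+to_port = "0"
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+}
+}
+
+resource "aws_instance" "dev-bastion" {
+instance_type = "t3.nano"
+ami = "${data.aws_ami.ubuntu18lts.image_id}"
+subnet_id = "${aws_subnet.dev-public-a.id}"
+vpc_security_group_ids = ["${aws_security_group.dev-bastion-secgrp.id}"]
+key_name = "dev-bastion"
+credit_specification {
+cpu_credits = "unlimited"
+}
+tags {
+Name = "dev-bastion"
+}
+}
+
+resource "aws_eip" "dev-bastion-ip" {
+vpc = true
+instance = "${aws_instance.dev-bastion.id}"
+tags {
+Name = "dev-bastion-ip"
+}
+}
+
+resource "aws_instance" "dev-www-ec2" {
+instance_type = "t3.micro"
+ami = "${data.aws_ami.ubuntu18lts.image_id}"
+subnet_id = "${aws_subnet.dev-public-a.id}"
+vpc_security_group_ids = ["${aws_security_group.dev-public-secgrp.id}"]
+key_name = "dev-ubuntu"
+credit_specification {
+cpu_credits = "unlimited"
+}
+tags {
+Name = "dev-www-ec2"
+}
+}
+
+resource "aws_eip" "dev-www-ip" {
+vpc = true
+instance = "${aws_instance.dev-www-ec2.id}"
+tags {
+Name = "dev-www-ip"
+}
+}
+
+resource "aws_db_subnet_group" "rds-subnetgrp" {
+name = "rds-subnetgrp"
+subnet_ids = ["${aws_subnet.dev-private-a.id}", "${aws_subnet.dev-private-c.id}"]
+tags {
+Name = "rds-subnetgrp"
+}
+}
+
+resource "aws_db_parameter_group" "pg10-paramgrp" {
+name = "pg10-paramgrp"
+family = "postgres10"
+parameter {
+name = "work_mem"
+value = "16384"
+}
+parameter {
+name = "maintenance_work_mem"
+value = "32768"
+}
+parameter {
+name = "shared_preload_libraries"
+value = "auto_explain,pg_stat_statements"
+apply_method = "pending-reboot"
+}
+}
+
+resource "aws_db_instance" "db-master" {
+allocated_storage = "20"
+auto_minor_version_upgrade = "true"
+availability_zone = "us-east-1a"
+backup_retention_period = "14"
+backup_window = "00:00-00:30"
+copy_tags_to_snapshot = "true"
+db_subnet_group_name = "rds-subnetgrp"
+engine = "postgres"
+engine_version = "10.6"
+identifier = "db-master"
+instance_class = "db.t2.small"
+monitoring_interval = "60"
+monitoring_role_arn = "${aws_iam_role.rds-monitoring-role.arn}"
+multi_az = "false"
+parameter_group_name = "pg10-paramgrp"
+password = "${var.db_pass}"
+port = "5432"
+publicly_accessible = "false"
+storage_encrypted = "false"
+storage_type = "gp2"
+#timezone = "UTC"
+username = "${var.db_user}"
+vpc_security_group_ids = ["${aws_security_group.dev-private-secgrp.id}"]
+#tags = {
+# Name = "db-master"
+#}
+}
+
+resource "aws_db_instance" "db-slave" {
+allocated_storage = "20"
+availability_zone = "us-east-1c"
+copy_tags_to_snapshot = "true"
+identifier = "db-slave"
+instance_class = "db.t2.micro"
+monitoring_interval = "60"
+monitoring_role_arn = "${aws_iam_role.rds-monitoring-role.arn}"
+multi_az = "false"
+parameter_group_name = "pg10-paramgrp"
+port = "5432"
+publicly_accessible = "false"
+replicate_source_db = "${aws_db_instance.db-master.id}"
+storage_encrypted = "false"
+storage_type = "gp2"
+#timezone = "UTC"
+vpc_security_group_ids = ["${aws_security_group.dev-private-secgrp.id}"]
+#tags = {
+# Name = "db-slave"
+#}
+}
+
+resource "aws_route53_zone" "public-dev" {
+name = "${var.base_domain}"
+tags {
+Name = "public-dev"
+}
+}
+
+resource "aws_route53_record" "public-dev-dev-bastion-A" {
+zone_id = "${aws_route53_zone.public-dev.zone_id}"
+type = "A"
+name = "dev-bastion"
+ttl = "5"
+records = ["${aws_eip.dev-bastion-ip.public_ip}"]
+}
+
+resource "aws_route53_record" "public-dev-dev-www-A" {
+zone_id = "${aws_route53_zone.public-dev.zone_id}"
+type = "A"
+name = "dev-www"
+ttl = "5"
+records = ["${aws_eip.dev-www-ip.public_ip}"]
+}
+
+resource "aws_route53_zone" "private-dev" {
+name = "dev"
+vpc {
+vpc_id = "${aws_vpc.dev-vpc.id}"
+}
+tags {
+Name = "private-dev"
+}
+}
+
+resource "aws_route53_record" "private-dev-bastion-A" {
+zone_id = "${aws_route53_zone.private-dev.zone_id}"
+type = "A"
+name = "bastion"
+ttl = "5"
+records = ["${aws_instance.dev-bastion.private_ip}"]
+}
+
+resource "aws_route53_record" "private-dev-www-A" {
+zone_id = "${aws_route53_zone.private-dev.zone_id}"
+type = "A"
+name = "www"
+ttl = "5"
+records = ["${aws_instance.dev-www-ec2.private_ip}"]
+}
+
+resource "aws_iam_role" "rds-monitoring-role" {
+name = "rds-monitoring-role"
+path = "/"
+assume_role_policy = <<POLICY
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "",
+"Effect": "Allow",
+"Principal": {
+"Service": "monitoring.rds.amazonaws.com"
+},
+"Action": "sts:AssumeRole"
+}
+]
+}
+POLICY
+}
+
+resource "aws_iam_policy_attachment" "AmazonRDSEnhancedMonitoringRole-policy-attachment" {
+
+name = "AmazonRDSEnhancedMonitoringRole-policy-attachment"
+policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+groups = []
+users = []
+roles = ["rds-monitoring-role"]
+}
+
+output "bastion_ip" {
+value = "${aws_eip.dev-bastion-ip.public_ip}"
+}
+
+output "www_ip" {
+value = "${aws_eip.dev-www-ip.public_ip}"
+}
+
+output "rds_master_endpoint" {
+value = "${aws_db_instance.db-master.endpoint}"
+}
+
+output "rds_slave_endpoint" {
+value = "${aws_db_instance.db-slave.endpoint}"
+}
+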