- AmazonVPCFullAccess
- CloudWatchFullAccess
- AmazonSSMFullAccess
- AmazonEC2FullAccess
- IAMFullAccess
Terraform module to create Networking resources for workload deployment on AWS Cloud.

```hcl
module "vpc" {
  source              = "git::https://{GIT_USER}:{GIT_TOKEN}@gitlab.com/squareops/sal/terraform/aws/network.git?ref=dev"
  environment         = var.environment
  name                = var.name
  region              = var.region
  additional_aws_tags = var.additional_aws_tags
  vpc_cidr            = var.vpc_cidr
  public_subnets      = var.public_subnets
}
```
This module supports three scenarios for creating Network resources on AWS. Each will be explained in further detail in the corresponding sections.

- vpc_minimal (default behavior): For creating a VPC with only public subnets and an IGW.

  ```hcl
  vpc_cidr       = ""
  public_subnets = []
  ```

- vpc_secure: For creating a VPC with both public and private subnets, an IGW and a NAT gateway. A jump server/bastion host is also configured.

  ```hcl
  public_subnets         = []
  private_subnets        = []
  enable_nat_gateway     = true
  single_nat_gateway     = true
  one_nat_gateway_per_az = false
  vpn_host_enabled       = true
  vpn_host_instance_type = "t3a.small"
  enable_flow_log        = false
  flow_log_max_aggregation_interval               = 60
  flow_log_cloudwatch_log_group_retention_in_days = 90
  ```

- vpc_three_tier: For creating a VPC with public, private and database subnets (where the app and database subnets are private subnets) along with an IGW and a NAT gateway. A jump server/bastion host is also configured.

  ```hcl
  public_subnets                     = []
  private_subnets                    = []
  database_subnets                   = []
  create_database_subnet_route_table = true
  create_database_nat_gateway_route  = true
  create_cis_vpc                     = true
  ```
This module supports three scenarios for creating NAT gateways. Each will be explained in further detail in the corresponding sections.

- One NAT Gateway per subnet (default behavior)

  ```hcl
  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = false
  ```

- Single NAT Gateway

  ```hcl
  enable_nat_gateway     = true
  single_nat_gateway     = true
  one_nat_gateway_per_az = false
  ```

- One NAT Gateway per availability zone

  ```hcl
  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = true
  ```

If both single_nat_gateway and one_nat_gateway_per_az are set to true, then single_nat_gateway takes precedence.

Whenever you set one_nat_gateway_per_az to true, make sure you have as many public subnets as there are AZs in the region; otherwise this module will fail, because some regions (N. Virginia, for example) have more than 3 AZs while by default only 3 public subnets are provisioned.
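The precedence rule and the public-subnet-per-AZ requirement above are easy to get wrong when reviewing a .tfvars file, so here is a small planner that reproduces them. This is an added example, not the module's own code. It assumes that "one NAT gateway per subnet" means one per public subnet and that public subnets are assigned to AZs round-robin by list index; the subnet CIDRs and the six-AZ list for us-east-1 are constructed sample inputs.

```python
"""Planner for the three NAT gateway scenarios described in the README.

Added example, not the module's code. Encodes: single_nat_gateway takes
precedence over one_nat_gateway_per_az, and per-AZ mode needs at least as
many public subnets as AZs (the documented failure mode).
Assumptions: "per subnet" = one NAT gateway per public subnet; subnets are
mapped to AZs round-robin by index.
"""

# Constructed sample inputs: the module's default of 3 public subnets, and the
# six availability zones of us-east-1 (N. Virginia), which is why the README
# warns about that region.
DEFAULT_PUBLIC_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
US_EAST_1_AZS = ["us-east-1a", "us-east-1b", "us-east-1c",
                 "us-east-1d", "us-east-1e", "us-east-1f"]


def assign_subnets_to_azs(azs, public_subnets):
    """Pair each public subnet CIDR with an AZ, round-robin by index (assumption)."""
    return [(azs[i % len(azs)], cidr) for i, cidr in enumerate(public_subnets)]


def plan_nat_gateways(enable_nat_gateway, single_nat_gateway, one_nat_gateway_per_az,
                      azs, public_subnets):
    """Return (mode, placements); placements are (az, public_subnet_cidr) pairs.

    Raises ValueError for the documented failure: per-AZ mode with fewer
    public subnets than availability zones.
    """
    if not enable_nat_gateway:
        return "none", []
    if not public_subnets:
        raise ValueError("NAT gateways need at least one public subnet")
    assigned = assign_subnets_to_azs(azs, public_subnets)
    if single_nat_gateway:  # checked first: it wins over one_nat_gateway_per_az
        return "single", assigned[:1]
    if one_nat_gateway_per_az:
        if len(public_subnets) < len(azs):
            raise ValueError(
                f"one_nat_gateway_per_az needs {len(azs)} public subnets "
                f"(one per AZ) but only {len(public_subnets)} were given")
        first_per_az = {}
        for az, cidr in assigned:
            first_per_az.setdefault(az, cidr)  # first subnet in each AZ hosts the NAT GW
        return "per_az", [(az, first_per_az[az]) for az in azs]
    return "per_subnet", assigned  # default: one NAT gateway in every public subnet


def nat_gateway_count(**kwargs):
    """Number of NAT gateways (each with its own Elastic IP) a configuration creates."""
    return len(plan_nat_gateways(**kwargs)[1])


if __name__ == "__main__":
    for single, per_az in [(False, False), (True, False), (False, True), (True, True)]:
        try:
            mode, where = plan_nat_gateways(True, single, per_az, US_EAST_1_AZS, DEFAULT_PUBLIC_SUBNETS)
            print(f"single={single} per_az={per_az}: {mode} -> {where}")
        except ValueError as err:
            print(f"single={single} per_az={per_az}: FAIL ({err})")
```

Running it with the default three subnets against us-east-1 shows the default and single modes succeeding and the per-AZ mode failing, which is exactly the situation the note above describes; passing a three-AZ list (or six public subnets) makes the per-AZ mode succeed.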
- To create a CIS compliant VPC, set the variable create_cis_vpc to true in the .tfvars file.
- To add SSL to the Pritunl endpoint: create a DNS record mapping to the VPN host's public IP. Log in to Pritunl with the credentials in the pritunl-info.txt file in the pritunl folder. After login, in the Initial Setup window, add the record you created in the 'Lets Encrypt Domain' field. Pritunl will automatically obtain a signed SSL certificate from Let's Encrypt. NOTE: Port 80 must be open publicly in the VPN security group for verifying and renewing the domain certificate.
- Follows the VPC recommendations of CIS Amazon Web Services Foundations Benchmark v1.4.0
[ 5. NETWORKING ]
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
5.3 Ensure the default security group of every VPC restricts all traffic (Automated)
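The three controls listed above can be verified against a deployed VPC rather than taken on trust. The checker below is an added example, not code from this module or from CIS; it evaluates records shaped like the output of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls`, and the security groups and NACLs it contains are constructed samples (including a VPN group with the port 80 rule the Pritunl note requires). It goes slightly beyond the listed text by treating ::/0 as "anywhere" as well as 0.0.0.0/0, and by evaluating NACL entries in rule-number order the way the network does.

```python
"""Checks for CIS AWS Foundations Benchmark v1.4.0 controls 5.1, 5.2 and 5.3.

Added example, not the module's code. Inputs are dicts shaped like
describe-security-groups / describe-network-acls output; all records here are
constructed. ::/0 is treated as "anywhere" alongside 0.0.0.0/0.
"""

ADMIN_PORTS = (22, 3389)          # remote server administration ports named by CIS
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: a default SG that still carries rules (fails 5.3), a VPN/bastion
# SG with SSH open to the world (fails 5.2) plus the port 80 Let's Encrypt rule, and
# an app SG that only allows SSH from inside the VPC (passes).
SECURITY_GROUPS = [
    {"GroupId": "sg-0default", "GroupName": "default", "VpcId": "vpc-0example",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0vpn", "GroupName": "vpn-server", "VpcId": "vpc-0example",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0app", "GroupName": "app", "VpcId": "vpc-0example",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
     "IpPermissionsEgress": []},
]

# Constructed sample NACLs: one allows all inbound traffic, one allows only 443 and
# explicitly denies 22 before the implicit deny-all entry (rule 32767).
NETWORK_ACLS = [
    {"NetworkAclId": "acl-0open", "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-0tight", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
]


def _port_matches(protocol, from_port, to_port, port):
    """True if an all-protocol rule, or a TCP rule whose port range covers `port`."""
    if protocol in ("-1", "all"):
        return True
    if protocol in ("tcp", "6"):
        return from_port is not None and to_port is not None and from_port <= port <= to_port
    return False


def sg_admin_ports_open_to_world(groups):
    """Control 5.2: (GroupId, port) pairs with ingress from anywhere to 22 or 3389."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
            sources |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
            if not sources & ANYWHERE:
                continue
            for port in ADMIN_PORTS:
                if _port_matches(perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), port):
                    findings.append((sg["GroupId"], port))
    return findings


def default_sg_with_rules(groups):
    """Control 5.3: default security groups that still carry any ingress or egress rule."""
    return [sg["GroupId"] for sg in groups
            if sg["GroupName"] == "default"
            and (sg.get("IpPermissions") or sg.get("IpPermissionsEgress"))]


def nacl_admin_ports_open_to_world(nacls):
    """Control 5.1: (NetworkAclId, port) pairs where the lowest-numbered ingress entry
    matching an any-source packet to 22/3389 is an allow (NACLs evaluate in rule order)."""
    findings = []
    for acl in nacls:
        ingress = sorted((e for e in acl["Entries"] if not e["Egress"]),
                         key=lambda e: e["RuleNumber"])
        for port in ADMIN_PORTS:
            for entry in ingress:
                if entry.get("CidrBlock", entry.get("Ipv6CidrBlock")) not in ANYWHERE:
                    continue  # a narrower CIDR neither opens nor closes the port for everyone
                pr = entry.get("PortRange", {})
                if _port_matches(entry["Protocol"], pr.get("From"), pr.get("To"), port):
                    if entry["RuleAction"] == "allow":
                        findings.append((acl["NetworkAclId"], port))
                    break  # first matching entry decides
    return findings


if __name__ == "__main__":
    print("5.1:", nacl_admin_ports_open_to_world(NETWORK_ACLS))
    print("5.2:", sg_admin_ports_open_to_world(SECURITY_GROUPS))
    print("5.3:", default_sg_with_rules(SECURITY_GROUPS))
```

Against the sample data the VPN group's port 80 rule passes 5.2 (80 is not an administration port) while its SSH rule from 0.0.0.0/0 fails it, which is the trade-off to watch when a bastion host is exposed: restrict SSH on the VPN security group to known source ranges and leave only the VPN and port 80 listeners public.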
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.23 |

Providers:

| Name | Version |
|---|---|
| aws | 4.29.0 |

Modules:

| Name | Source | Version |
|---|---|---|
| vpc | terraform-aws-modules/vpc/aws | 3.14.2 |
| vpn_server | ./modules/vpn | n/a |

Resources:

| Name | Type |
|---|---|
| aws_ec2_instance_type.arch | data source |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_aws_tags | Additional common Tags for all AWS resources | map(string) | {} | no |
| azs | List of Availability Zones to be used by the VPC | list(any) | [] | no |
| database_subnet_cidrs | Database Tier subnet CIDRs to be created | list(any) | [] | no |
| default_network_acl_ingress | List of maps of ingress rules to set on the Default Network ACL | list(map(string)) | [ | no |
| enable_database_subnet | Set true to enable database subnets | bool | false | no |
| enable_flow_log | Whether or not to enable VPC Flow Logs | bool | false | no |
| enable_intra_subnet | Set true to enable intra subnets | bool | false | no |
| enable_private_subnet | Set true to enable private subnets | bool | false | no |
| enable_public_subnet | Set true to enable public subnets | bool | false | no |
| environment | Specify the environment identifier for the VPC | string | "" | no |
| flow_log_cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | number | null | no |
| flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid values: 60 seconds or 600 seconds. | number | 60 | no |
| intra_subnet_cidrs | A list of intra subnet CIDRs to be created | list(any) | [] | no |
| name | Specify the name of the VPC | string | "" | no |
| one_nat_gateway_per_az | Set to true if a NAT Gateway is required per availability zone for the Private Subnet Tier | bool | false | no |
| private_subnet_cidrs | A list of private subnet CIDRs to be created inside the VPC | list(any) | [] | no |
| public_subnet_cidrs | A list of public subnet CIDRs to be created inside the VPC | list(any) | [] | no |
| region | Specify the region in which the VPC will be created | string | "us-east-1" | no |
| vpc_cidr | The CIDR block of the VPC | string | "10.0.0.0/16" | no |
| vpn_key_pair | Specify the name of the AWS Keypair to be used for the VPN Server | string | "" | no |
| vpn_server_enabled | Set to true if you want to deploy the VPN Gateway resource and attach it to the VPC | bool | false | no |
| vpn_server_instance_type | EC2 instance type for the VPN Server; only amd64-based instance types are supported, e.g. t2.medium, t3.micro, c5a.large | string | "t3a.small" | no |

Outputs:

| Name | Description |
|---|---|
| database_subnets | List of IDs of database subnets |
| intra_subnets | Intra Subnet IDs |
| private_subnets | List of IDs of private subnets |
| public_subnets | List of IDs of public subnets |
| region | AWS Region for the VPC |
| vpc_cidr_block | IPv4 CIDR Block for this VPC |
| vpc_id | The ID of the VPC |
| vpn_host_public_ip | IP Address of VPN Server |
| vpn_security_group | Security Group ID of VPN Server |
The Policy required is:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AttachVolume",
        "ec2:AttachVpnGateway",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFlowLogs",
        "ec2:CreateInternetGateway",
        "ec2:CreateNatGateway",
        "ec2:CreateNetworkAcl",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateNetworkInterface",
        "ec2:CreatePlacementGroup",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVPC",
        "ec2:CreateVolume",
        "ec2:CreateVpcEndpoint",
        "ec2:CreateVpnGateway",
        "ec2:DeleteFlowLogs",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteNetworkInterface",
        "ec2:DeletePlacementGroup",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DeleteVPC",
        "ec2:DeleteVolume",
        "ec2:DeleteVpcEndpoints",
        "ec2:DeleteVpnGateway",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePlacementGroups",
        "ec2:DescribePrefixLists",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnGateways",
        "ec2:DetachInternetGateway",
        "ec2:DetachVolume",
        "ec2:DetachVpnGateway",
        "ec2:DisassociateAddress",
        "ec2:DisassociateRouteTable",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyVolume",
        "ec2:ModifyVpcEndpoint",
        "ec2:MonitorInstances",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:UnmonitorInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DetachRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicies",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:PutRolePermissionsBoundary",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:TagPolicy",
        "iam:TagRole",
        "iam:UntagPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListResourceTags",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "logs:AssociateKmsKey",
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DeleteRetentionPolicy",
        "logs:DescribeLogGroups",
        "logs:DisassociateKmsKey",
        "logs:ListTagsLogGroup",
        "logs:PutRetentionPolicy",
        "logs:TagLogGroup",
        "logs:UntagLogGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": [
        "rds:AddTagsToResource",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBSubnetGroup",
        "rds:DescribeDBSubnetGroups",
        "rds:ListTagsForResource",
        "rds:RemoveTagsFromResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor5",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateDocument",
        "ssm:DeleteDocument",
        "ssm:DescribeDocument",
        "ssm:DescribeDocumentPermission",
        "ssm:GetDocument",
        "ssm:UpdateDocument"
      ],
      "Resource": "*"
    }
  ]
}
```
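Every statement in the policy above is scoped to `"Resource": "*"`, and the VisualEditor1 statement combines `iam:PassRole`, `iam:CreateRole` and `iam:AttachRolePolicy` under that wildcard, which lets the deploying principal hand any role in the account to an EC2 instance. The review helper below is an added example, not part of this module: it flags Allow statements that grant a reviewer-chosen set of privilege-expanding IAM actions on `*`, and shows one way to narrow `iam:PassRole` to a role-name pattern and to the EC2 service via the `iam:PassedToService` condition key. The policy it parses is a constructed two-statement subset of the one above; the role ARN pattern and account id in the usage are placeholders.

```python
"""Least-privilege review of an IAM policy document.

Added example, not the module's code. Flags Allow statements that grant
privilege-expanding IAM actions on Resource "*", and rewrites iam:PassRole
into a statement scoped by role ARN pattern and iam:PassedToService.
SENSITIVE_IAM_ACTIONS is the reviewer's own list, not an AWS category.
"""
import json

SENSITIVE_IAM_ACTIONS = {
    "iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:CreatePolicy",
    "iam:PutRolePermissionsBoundary", "iam:DeleteRolePermissionsBoundary",
}

# Constructed subset of the README's policy: same shape, a few actions from two statements.
POLICY_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["ec2:CreateVPC", "ec2:DescribeVpcs", "ec2:RunInstances"],
         "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:GetRole", "iam:PassRole"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def sensitive_wildcard_grants(policy_json):
    """Return {Sid: sorted sensitive actions} for Allow statements with Resource "*"."""
    policy = json.loads(policy_json)
    findings = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        hits = sorted(set(_as_list(stmt.get("Action", []))) & SENSITIVE_IAM_ACTIONS)
        if hits:
            findings[stmt.get("Sid", "<no sid>")] = hits
    return findings


def pass_role_statements(policy_json):
    """All statements that grant iam:PassRole, for inspection."""
    return [s for s in json.loads(policy_json)["Statement"]
            if "iam:PassRole" in _as_list(s.get("Action", []))]


def scope_pass_role(policy_json, role_arn_pattern, service):
    """Remove iam:PassRole from wildcard-resource statements and re-grant it in a
    statement limited to role_arn_pattern and to roles passed to `service`."""
    policy = json.loads(policy_json)
    moved = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if "iam:PassRole" in actions and "*" in _as_list(stmt.get("Resource", [])):
            stmt["Action"] = [a for a in actions if a != "iam:PassRole"]
            moved = True
    if moved:
        policy["Statement"].append({
            "Sid": "ScopedPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn_pattern,
            "Condition": {"StringEquals": {"iam:PassedToService": service}},
        })
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("before:", sensitive_wildcard_grants(POLICY_DOC))
    # placeholder account id and role-name pattern; substitute the roles the VPN module creates
    scoped = scope_pass_role(POLICY_DOC, "arn:aws:iam::123456789012:role/example-vpn-*",
                             "ec2.amazonaws.com")
    print("after:", sensitive_wildcard_grants(scoped))
    print(scoped)
```

The same treatment applies to the remaining VisualEditor1 actions: `iam:CreateRole`, `iam:AttachRolePolicy` and the permissions-boundary actions can be limited to a role-name prefix with a Resource ARN pattern, and `iam:AttachRolePolicy` additionally with an `iam:PolicyARN` condition, so that a leaked deployment credential cannot mint an administrator role.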