From 7c8e1f534ad9710e4f4c8667b45ae29208362148 Mon Sep 17 00:00:00 2001 From: Syuqri Date: Sun, 10 Dec 2023 15:01:24 +0800 Subject: [PATCH] Add misc resources --- main.tf | 1 + misc.tf | 144 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 145 insertions(+) create mode 100644 misc.tf diff --git a/main.tf b/main.tf index 4038420..780dd91 100644 --- a/main.tf +++ b/main.tf @@ -11,6 +11,7 @@ provider "aws" { resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" + enable_dns_hostnames = true tags = { Name = "main_vpc" diff --git a/misc.tf b/misc.tf new file mode 100644 index 0000000..0bde5c4 --- /dev/null +++ b/misc.tf @@ -0,0 +1,144 @@ +# Can ignore this file as out of scope. Main focus is on the networking +# in main.tf + +data "aws_ami" "aml2" { + most_recent = true + + filter { + name = "name" + values = ["al2023-ami*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + filter { + name = "architecture" + values = ["x86_64"] + } +} + +# allows traffic for SSM to work essentially to connect to EC2 +resource "aws_security_group" "vpce_sg" { + name = "vpce_sg" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "vpce_sg" + } +} + +# VPC endpoints for session manager into EC2 +resource "aws_vpc_endpoint" "ec2_messages" { + vpc_id = aws_vpc.main.id + service_name = "com.amazonaws.ap-southeast-1.ec2messages" + vpc_endpoint_type = "Interface" + subnet_ids = [aws_subnet.first.id] + private_dns_enabled = true + + dns_options { + dns_record_ip_type = "ipv4" + } + + tags = { + Name = "ec2messages-vpc-endpoint" + } +} + +resource "aws_vpc_endpoint_security_group_association" "ec2_messages" { + vpc_endpoint_id = aws_vpc_endpoint.ec2_messages.id + security_group_id = aws_security_group.vpce_sg.id +} + +resource "aws_vpc_endpoint" "ssm_messages" { + vpc_id = aws_vpc.main.id + service_name = "com.amazonaws.ap-southeast-1.ssmmessages" + vpc_endpoint_type = "Interface" + subnet_ids = [aws_subnet.first.id] + private_dns_enabled = true + + dns_options { + dns_record_ip_type = "ipv4" + } + + tags = { + Name = "ssmmessages-vpc-endpoint" + } + +} + +resource "aws_vpc_endpoint_security_group_association" "ssm_messages" { + vpc_endpoint_id = aws_vpc_endpoint.ssm_messages.id + security_group_id = aws_security_group.vpce_sg.id +} +resource "aws_vpc_endpoint" "ssm" { + vpc_id = aws_vpc.main.id + service_name = "com.amazonaws.ap-southeast-1.ssm" + vpc_endpoint_type = "Interface" + subnet_ids = [aws_subnet.first.id] + private_dns_enabled = true + + dns_options { + dns_record_ip_type = "ipv4" + } + + tags = { + Name = "ssm-vpc-endpoint" + } +} + +resource "aws_vpc_endpoint_security_group_association" "ssm" { + vpc_endpoint_id = aws_vpc_endpoint.ssm.id + security_group_id = aws_security_group.vpce_sg.id +} + +# AWS Instance profile to allow SSM to connect to EC2 +data "aws_iam_policy_document" "assume_role" { + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } +} + +data "aws_iam_policy" "ssm_managed_instance_core" { + arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +} + +resource "aws_iam_role" "ec2_role" { + name = "ec2-role" + assume_role_policy = data.aws_iam_policy_document.assume_role.json +} + +resource "aws_iam_instance_profile" "ec2_instance_profile" { + name = "ec2-instance-profile" + role = aws_iam_role.ec2_role.name +} + +resource "aws_iam_role_policy" "ec2_instance_profile_policy" { + name = "${aws_iam_role.ec2_role.id}-policy" + role = aws_iam_role.ec2_role.id + policy = data.aws_iam_policy.ssm_managed_instance_core.policy +} \ No newline at end of file