Skip to content
/ terraform-aws-ec2-basic-layout Public

Terraform module to deploy a typical EC2 layout that includes an instance with a security group and a dns record.

License

Apache-2.0 license
5 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

binbashar/terraform-aws-ec2-basic-layout

BranchesTags

Repository files navigation

binbash
leverage

Terraform Module: AWS EC2 Basic Layout

Overview

This module could be useful if you find yourself creating a layout that includes the following resources:

  • EC2 Instance w/ configurable AMI, family type, key pair, networking, userdata, among others.
  • EC2 Profile with a customizable IAM Role supporting both AWS and customer managed policies.
  • Multiple EBS dynamic blocks (root_block_device, ebs_block_device and ephemeral_block_device) w/ configurable type, size, device name and encryption configs among others.
  • Security group for the instance above.
  • Optionally associate a public IP address with the instance.
  • DNS record with a record that points to the instance private IP / public IP.
  • Tags: both EC2 and EBS.

Personally we have seen the need of creating a similar set of such resources for an OpenVPN instance, for Jenkins, Spinnaker, DroneCI, Prometheus, Grafana, Hashicorp Vault, ElasticSearch, Kibana and so forth.

Requirements

Name Version
terraform >= 0.13.2
aws ~> 4.0

Providers

Name Version
aws ~> 4.0

Modules

No modules.

Resources

Name Type
aws_eip.this resource
aws_iam_instance_profile.basic_instance resource
aws_iam_policy.cross_org_instance_access resource
aws_iam_role.basic_instance_assume_role resource
aws_iam_role_policy_attachment.basic_instance_aws_roles resource
aws_iam_role_policy_attachment.ec2_ssm_access resource
aws_iam_role_policy_attachment.this resource
aws_instance.main resource
aws_route53_record.main_private resource
aws_route53_record.main_public resource
aws_security_group.main resource
aws_security_group_rule.egress_allow_all resource
aws_security_group_rule.ingress_rules resource
aws_ami.ubuntu_linux data source
aws_iam_policy_document.cross_org_instance_access data source
aws_iam_policy_document.this data source

Inputs

Name Description Type Default Required
ami_id AMI Identifier string "" no
associate_public_ip_address Associate a public IP address with the instance bool false no
aws_ami_os_id AWS AMI Operating System Identificator string "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" no
aws_ami_os_owner AWS AMI Operating System Owner, eg: 099720109477 for Canonical string "099720109477" no
credit_specification_cpu Can be applied/modified to the EC2 at any time. The credit option for CPU usage. Can be 'standard' or 'unlimited'. By default T3 = unlimited & T2 'standard'. string "unlimited" no
cross_account_roles_resource_arn_list Resources arn list for cross org roles for EC2 profile IAM Role policy. list(string) [] no
disable_api_termination If true, enables EC2 Instance Termination Protection string "false" no
dns_records_internal_hosted_zone A list of DNS private (internal hosted zone) records to create with the instance's IP list(any) [] no
dns_records_public_hosted_zone A list of DNS public (public hosted zone) records to create with the instance's IP list(any) [] no
ebs_block_device Additional EBS block devices to attach to the instance list(map(string)) [] no
ebs_optimized Enable EBS Optimized string "false" no
enable_ssm_access If true, attaches SSM policy to instance role bool false no
ephemeral_block_device Customize Ephemeral (also known as Instance Store) volumes on the instance list(map(string)) [] no
instance_profile The IAM Instance Profile to launch the instance with. Specified as the name of the Instance Profile. string "" no
instance_type EC2 Instance Type string "t3.micro" no
key_pair_name Key Pair Name string n/a yes
monitoring If true, the launched EC2 instance will have detailed monitoring enabled bool false no
name Name string n/a yes
policy_arn Attach AWS IAM managed policies to the IAM Role. list(string) [] no
prefix Prefix string "default" no
root_block_device Customize details about the root block device of the instance. See Block Devices below for details list(map(string)) [] no
root_device_backup_tag EC2 Root Block Device backup tag string "True" no
security_group_rules A list of security group rules list(any) [] no
subnet_id Subnet ID string n/a yes
tag_approved_ami_value Set the specific tag ApprovedAMI ('true' | 'false') that identifies aws-config compliant AMIs string "false" no
tags Tags map(string) {} no
user_data The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; see user_data_base64 instead. string null no
user_data_base64 Can be used instead of user_data to pass base64-encoded binary data directly. Use this instead of user_data whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption. string null no
vpc_id VPC ID string n/a yes

Outputs

Name Description
aws_instance_ami The AMI of the Instance.
aws_instance_assume_role_name The IAM instance profile of the EC2.
aws_instance_iam_profile The IAM instance profile of the EC2.
aws_instance_key_name The ssh key pair name of the Instance.
aws_instance_private_ip Contains the instance private IP address.
aws_instance_public_ip Contains the instance public IP address.
aws_instance_type The type of the Instance.
aws_instance_volume_tags The root EBS volume tags of the instace.
dns_record_private DNS
dns_record_public n/a
instance Compute
security_group n/a

Examples

EC2 Basic Layout

ec2-default-instance-profile-simple

module "terraform-aws-basic-layout" {
  source = "../../"

  vpc_id                      = data.terraform_remote_state.vpc.outputs.vpc_id
  subnet_id                   = data.terraform_remote_state.vpc.outputs.public_subnets[0]
  key_pair_name               = data.terraform_remote_state.security.outputs.aws_key_pair_name
}

ec2-default-instance-profile

module "terraform-aws-basic-layout" {
    source = "../../"

    prefix                      = var.prefix
    name                        = var.name

    aws_ami_os_id               = var.aws_ami_os_id
    aws_ami_os_owner            = var.aws_ami_os_owner
    instance_type               = var.instance_type
    vpc_id                      = data.terraform_remote_state.vpc.outputs.vpc_id
    subnet_id                   = data.terraform_remote_state.vpc.outputs.public_subnets[0]
    associate_public_ip_address = var.associate_public_ip_address
    key_pair_name               = data.terraform_remote_state.security.outputs.aws_key_pair_name
    ebs_optimized               = var.ebs_optimized
    monitoring                  = var.monitoring
    user_data_base64            = base64encode(local.user_data)

    root_block_device = [
        {
            volume_type = "gp2"
            volume_size = 10
            encrypted   = true
        },
    ]

    ebs_block_device = [
        {
            device_name = "/dev/sdf"
            volume_type = "gp2"
            volume_size = 5
            encrypted   = true
        },
        {
            device_name = "/dev/sdg"
            volume_type = "gp2"
            volume_size = 5
            encrypted   = true
        }
    ]


    security_group_rules = [
        {
            from_port   = 22,
            to_port     = 22,
            protocol    = "tcp",
            cidr_blocks = [ data.terraform_remote_state.vpc.outputs.vpc_cidr_block ],
            description = "Allow SSH"
        },
        {
            from_port   = 8080,
            to_port     = 8082,
            protocol    = "tcp",
            cidr_blocks = [ "0.0.0.0/0" ],
            description = "Allow nginx proxy"
        }
    ]

    dns_records_internal_hosted_zone = [{
        zone_id = data.terraform_remote_state.vpc.outputs.aws_internal_zone_id[0],
        name    = "ec2-basic-layout.aws.binbash.com.ar",
        type    = "A",
        ttl     = 300
    }]

    dns_records_public_hosted_zone = [{
        zone_id = data.terraform_remote_state.vpc.outputs.aws_public_zone_id[0],
        name    = "ec2-basic-layout.binbash.com.ar",
        type    = "A",
        ttl     = 300
    }]

    # EC2 IAM Profile (Role + Policies)
    cross_account_roles_resource_arn_list = [
        "arn:aws:iam::${var.dev_account_id}:role/DevOps",
        "arn:aws:iam::${var.shared_account_id}:role/DevOps",
        "arn:aws:iam::${var.dev_account_id}:role/Auditor",
        "arn:aws:iam::${var.shared_account_id}:role/Auditor",
    ]
    policy_arn = [
        "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
        "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
    ]

    tags = local.tags
}

ec2-external-instance-profile

module "terraform-aws-basic-layout" {
    source = "../../"

    prefix                      = var.prefix
    name                        = var.name

    aws_ami_os_id               = var.aws_ami_os_id
    aws_ami_os_owner            = var.aws_ami_os_owner
    instance_type               = var.instance_type
    vpc_id                      = data.terraform_remote_state.vpc.outputs.vpc_id
    subnet_id                   = data.terraform_remote_state.vpc.outputs.public_subnets[0]
    associate_public_ip_address = var.associate_public_ip_address
    key_pair_name               = data.terraform_remote_state.security.outputs.aws_key_pair_name
    ebs_optimized               = var.ebs_optimized
    monitoring                  = var.monitoring
    user_data_base64            = base64encode(local.user_data)

    root_block_device = [
        {
            volume_type = "gp2"
            volume_size = 10
            encrypted   = true
        },
    ]

    ebs_block_device = [
        {
            device_name = "/dev/sdf"
            volume_type = "gp2"
            volume_size = 5
            encrypted   = true
        },
        {
            device_name = "/dev/sdg"
            volume_type = "gp2"
            volume_size = 5
            encrypted   = true
        }
    ]


    security_group_rules = [
        {
            from_port   = 22,
            to_port     = 22,
            protocol    = "tcp",
            cidr_blocks = [ data.terraform_remote_state.vpc.outputs.vpc_cidr_block ],
            description = "Allow SSH"
        },
        {
            from_port   = 8080,
            to_port     = 8082,
            protocol    = "tcp",
            cidr_blocks = [ "0.0.0.0/0" ],
            description = "Allow nginx proxy"
        }
    ]

    dns_records_internal_hosted_zone = [{
        zone_id = data.terraform_remote_state.vpc.outputs.aws_internal_zone_id[0],
        name    = "ec2-basic-layout.aws.binbash.com.ar",
        type    = "A",
        ttl     = 300
    }]

    dns_records_public_hosted_zone = [{
        zone_id = data.terraform_remote_state.vpc.outputs.aws_public_zone_id[0],
        name    = "ec2-basic-layout.binbash.com.ar",
        type    = "A",
        ttl     = 300
    }]

    # EC2 IAM Profile (Role + Policies)
    instance_profile = aws_iam_instance_profile.basic_instance_profile.name

    tags = local.tags
}

Binbash Leverage | DevOps Automation Code Library Integration

In order to get the full automated potential of the Binbash Leverage DevOps Automation Code Library
you should initialize all the necessary helper Makefiles.

How?

You must execute the make init-makefiles command at the root context

╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
 - init-makefiles     initialize makefiles

Why?

You'll get all the necessary commands to automatically operate this module via a dockerized approach, example shown below

╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make
Available Commands:
 - circleci-validate-config  ## Validate A CircleCI Config (https
 - format-check        ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
 - format              ## The terraform fmt is used to rewrite tf conf files to a canonical format and style.
 - tf-dir-chmod        ## run chown in ./.terraform to gran that the docker mounted dir has the right permissions
 - version             ## Show terraform version
 - init-makefiles      ## initialize makefiles
╭─delivery at delivery-I7567 in ~/terraform/terraform-aws-backup-by-tags on master✔ 20-09-17
╰─⠠⠵ make format-check
docker run --rm -v /home/delivery/Binbash/repos/Leverage/terraform/terraform-aws-backup-by-tags:"/go/src/project/":rw -v :/config -v /common.config:/common-config/common.config -v ~/.ssh:/root/.ssh -v ~/.gitconfig:/etc/gitconfig -v ~/.aws/bb:/root/.aws/bb -e AWS_SHARED_CREDENTIALS_FILE=/root/.aws/bb/credentials -e AWS_CONFIG_FILE=/root/.aws/bb/config --entrypoint=/bin/terraform -w "/go/src/project/" -it binbash/terraform-awscli-slim:0.12.28 fmt -check

Release Management

CircleCi PR auto-release job

circleci

About

Terraform module to deploy a typical EC2 layout that includes an instance with a security group and a dns record.

Topics

terraform bb-le-mod-terraform binbash-terraform

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

5 stars

Watchers

12 watching

Forks

3 forks
Report repository

Releases 9

v0.3.34 - 2023-09-11T14:48:43Z Latest
Sep 11, 2023
+ 8 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 6

Languages