locals {
  # First two AZs the account can launch into. Every per-AZ resource in this
  # file is count = 2 and indexes this list with count.index, so the slice
  # length and those counts must stay in step.
  azs = slice(data.aws_availability_zones.available.names, 0, 2)

  # Carve the VPC CIDR into eight equal blocks (prefix + 3 bits). Consumers
  # pick from this list by position: 0-1 private, 2-3 standalone TGW,
  # 4-5 public/untrusted, 6-7 management.
  subnets = [for idx in range(8) : cidrsubnet(var.security_vpc_cidr, 3, idx)]
}
# AZ list for the current region; only AZs in the "available" state are
# returned, and local.azs takes the first two of them.
data "aws_availability_zones" "available" {
  state = "available"
}
# Security VPC: two private and two public subnets come from the module;
# two standalone-TGW and two management subnets are added by the aws_subnet
# resources in this file, in the same AZs and from the same local.subnets list.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> v2.0"

  name = "security_vpc_${var.aws_partition_alias}_${var.environment}"
  cidr = var.security_vpc_cidr
  azs  = local.azs

  # Module-managed subnets, by index into local.subnets.
  private_subnets = slice(local.subnets, 0, 2)
  private_subnet_tags = {
    "Name" = "FW private (private)"
  }
  public_subnets = slice(local.subnets, 4, 6)
  public_subnet_tags = {
    "Name" = "FW Untrusted (Public)"
  }

  # No NAT or VPN gateway is created in this VPC.
  enable_nat_gateway   = false
  enable_vpn_gateway   = false
  enable_dns_hostnames = true

  enable_dhcp_options      = true
  dhcp_options_domain_name = var.dns_info["private"]["zone"]

  # VPC endpoints: only S3 and EC2 are enabled. The EC2 interface endpoint is
  # guarded by a security group defined outside this file, so that group
  # decides which sources may reach the EC2 API privately.
  enable_s3_endpoint       = true
  enable_dynamodb_endpoint = false
  enable_sts_endpoint      = false
  enable_kms_endpoint      = false
  enable_ec2_endpoint      = true # PA likes a local ec2 endpoint
  ec2_endpoint_security_group_ids = [module.aws_endpoints_sg.this_security_group_id]

  tags = merge(var.standard_tags, var.tags)
}
# VPC flow logs for the security VPC, delivered to CloudWatch Logs.
resource "aws_flow_log" "flowlogs" {
  vpc_id = module.vpc.vpc_id

  # ALL is very noisy, and CIS only requires rejects. Note that this means
  # accepted flows are not recorded by this log at all.
  traffic_type = "REJECT"

  # Delivery role and log group are referenced by ARN rather than created
  # here — presumably managed elsewhere; confirm they exist in each
  # partition/account this is applied to.
  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"

  tags = merge(var.standard_tags, var.tags)
}
# Firewall management subnets (local.subnets[6] and [7]), one per AZ in
# local.azs. Made public by the route table association below.
# map_public_ip_on_launch is left at its default, so instances here only
# get a public address when one is assigned explicitly.
resource "aws_subnet" "mgmt" {
  count      = 2 # must match length(local.azs)
  depends_on = [module.vpc]

  vpc_id            = module.vpc.vpc_id
  availability_zone = local.azs[count.index]
  cidr_block        = local.subnets[6 + count.index]

  tags = {
    Name = "FW Management (Public)"
  }
}
# Attach each management subnet to the module's public route table, which
# is what gives the management subnets their internet path.
resource "aws_route_table_association" "mgmt-to-internet" {
  count      = 2
  depends_on = [aws_subnet.mgmt, module.vpc]

  subnet_id = aws_subnet.mgmt[count.index].id
  # only 1 public route table
  route_table_id = module.vpc.public_route_table_ids[0]
}
# A standalone private subnet that could be connected to the tgw
# (local.subnets[2] and [3], one per AZ). No route table association is
# declared in this file, so these subnets fall back to the VPC main route
# table unless one is attached elsewhere — verify that is intended.
resource "aws_subnet" "standalone_tgw" {
  count      = 2
  depends_on = [module.vpc]

  vpc_id            = module.vpc.vpc_id
  availability_zone = local.azs[count.index]
  cidr_block        = local.subnets[2 + count.index]

  tags = {
    Name = "Standalone TGW"
  }
}