AWS Network Terraform module

SquareOps Technologies Your DevOps Partner for Accelerating cloud journey.

Terraform module to create Networking resources for workload deployment on AWS Cloud.

Usage Example

module "key_pair_vpn" {
  source             = "squareops/keypair/aws"
  environment        = "production"
  key_name           = format("%s-%s-vpn", "production", "skaf")
  ssm_parameter_path = format("%s-%s-vpn", "production", "skaf")
}


module "vpc" {
  source = "squareops/vpc/aws"

  environment                                     = "production"
  name                                            = "skaf"
  vpc_cidr                                        = "10.0.0.0/16"
  azs                                             = ["us-east-1a", "us-east-1b"]
  enable_public_subnet                            = true
  enable_private_subnet                           = true
  enable_database_subnet                          = true
  enable_intra_subnet                             = true
  one_nat_gateway_per_az                          = true
  vpn_server_enabled                              = true
  vpn_server_instance_type                        = "t3a.small"
  vpn_key_pair                                    = module.key_pair_vpn.key_pair_name
  enable_flow_log                                 = true
  flow_log_max_aggregation_interval               = 60
  flow_log_cloudwatch_log_group_retention_in_days = 90

}

Refer examples for all examples.

Important Note

To prevent destruction interruptions, any resources that have been created outside of Terraform and attached to the resources provisioned by Terraform must be deleted before the module is destroyed.

The private key generated by Keypair module will be stored in AWS Systems Manager Parameter Store. For more details refer this

Network Scenarios

Users need to declare vpc_cidr and subnets are calculated with the help of in-built functions.

This module supports three scenarios to create Network resource on AWS. Each will be explained in brief in the corresponding sections.

simple-vpc (default behavior): To create a VPC with public subnets and IGW.
- vpc_cidr = ""
- enable_public_subnet = true
vpc-with-private-sub: To create a VPC with public subnets, private subnets, IGW gateway and NAT gateway.
- vpc_cidr = ""
- enable_public_subnet = true
- enable_private_subnet = true
complete-vpc-with-vpn: To create a VPC with public, private, database and intra subnets along with an IGW and NAT gateway. Jump server/Bastion Host is also configured.
- vpc_cidr = ""
- enable_public_subnet = true
- enable_private_subnet = true
- enable_database_subnet = true
- enable_intra_subnet = true
- one_nat_gateway_per_az = true
- vpn_server_enabled = true
- vpn_server_instance_type = "t3a.small"
- vpn_key_pair = ""
- enable_flow_log = true
- flow_log_max_aggregation_interval = 60
- flow_log_cloudwatch_log_group_retention_in_days = 90

IAM Permissions

The required IAM permissions to create resources from this module can be found here

VPN setup-

To configure Pritunl VPN:

  1. Access the Pritunl UI over HTTPS using the public IP of EC2 instance in browser
  2. Retrieve the initial key, user and password for setting up Pritunl from AWS Secrets Manager and log in to Pritunl.
  3. Create a DNS record mapping to the EC2 instance's public IP
  4. After login, in the Initial setup window, add the record created in the 'Lets Encrypt Domain' field.
  5. Pritunl will automatically configure a signed SSL certificate from Lets Encrypt.
  6. Add organization and user to pritunl.
  7. Add server and set port as 10150 which is already allowed from security group while creating instance for VPN server.
  8. Attach organization to the server and Start the server.
  9. Copy or download user profile link or file.
 10. Import the profile in Pritunl client.

NOTE: Port 80 should be open publicly in the vpn security group to verify and renewing the domain certificate.

CIS COMPLIANCE

Security scanning is graciously provided by Prowler. Prowler is the leading fully hosted, cloud-native solution providing continuous cluster security and compliance.

Benchmark	Description
Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389	No Security Groups open to 0.0.0.0/0
Ensure the default security group of every VPC restricts all traffic	No Default Security Groups open to 0.0.0.0/0

Requirements

Name	Version
terraform	>= 1.0
aws	>= 4.23

Providers

Name	Version
aws	>= 4.23

Modules

Name	Source	Version
vpc	terraform-aws-modules/vpc/aws	3.14.4
vpn_server	./modules/vpn	n/a

Resources

Name	Type
aws_ec2_instance_type.arch	data source

Inputs

Name	Description	Type	Default	Required
azs	List of Availability Zone to be used by VPC	`list(any)`	n/a	yes
database_subnet_cidrs	Database Tier subnet CIDRs to be created	`list(any)`	`[]`	no
default_network_acl_ingress	List of maps of ingress rules to set on the Default Network ACL	`list(map(string))`	[ { "action": "deny", "cidr_block": "0.0.0.0/0", "from_port": 22, "protocol": "tcp", "rule_no": 98, "to_port": 22 }, { "action": "deny", "cidr_block": "0.0.0.0/0", "from_port": 3389, "protocol": "tcp", "rule_no": 99, "to_port": 3389 }, { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]	no
enable_database_subnet	Set true to enable database subnets	`bool`	`false`	no
enable_flow_log	Whether or not to enable VPC Flow Logs	`bool`	`false`	no
enable_intra_subnet	Set true to enable intra subnets	`bool`	`false`	no
enable_private_subnet	Set true to enable private subnets	`bool`	`false`	no
enable_public_subnet	Set true to enable public subnets	`bool`	`false`	no
environment	Specify the environment indentifier for the VPC	`string`	`""`	no
flow_log_cloudwatch_log_group_retention_in_days	Specifies the number of days you want to retain log events in the specified log group for VPC flow logs.	`number`	`null`	no
flow_log_max_aggregation_interval	The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds.	`number`	`60`	no
intra_subnet_cidrs	A list of intra subnets CIDR to be created	`list(any)`	`[]`	no
name	Specify the name of the VPC	`string`	`""`	no
one_nat_gateway_per_az	Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier	`bool`	`false`	no
private_subnet_cidrs	A list of private subnets CIDR to be created inside the VPC	`list(any)`	`[]`	no
public_subnet_cidrs	A list of public subnets CIDR to be created inside the VPC	`list(any)`	`[]`	no
vpc_cidr	The CIDR block of the VPC	`string`	`"10.0.0.0/16"`	no
vpn_key_pair	Specify the name of AWS Keypair to be used for VPN Server	`string`	`""`	no
vpn_server_enabled	Set to true if you want to deploy VPN Gateway resource and attach it to the VPC	`bool`	`false`	no
vpn_server_instance_type	EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc.	`string`	`"t3a.small"`	no

Outputs

Name	Description
database_subnets	List of IDs of database subnets
intra_subnets	List of IDs of Intra subnets
private_subnets	List of IDs of private subnets
public_subnets	List of IDs of public subnets
vpc_cidr_block	IPV4 CIDR Block for this VPC
vpc_id	The ID of the VPC
vpn_host_public_ip	IP Address of VPN Server
vpn_security_group	Security Group ID of VPN Server

Contribute & Issue Report

To report an issue with a project:

Check the repository's issue tracker on GitHub
Search to check if the issue has already been reported
If you can't find an answer to your question in the documentation or issue tracker, you can ask a question by creating a new issue. Make sure to provide enough context and details.

License

Apache License, Version 2.0, January 2004 (https://www.apache.org/licenses/LICENSE-2.0)

Support Us

To support our GitHub project by liking it, you can follow these steps:

Visit the repository: Navigate to the GitHub repository
Click the "Star" button: On the repository page, you'll see a "Star" button in the upper right corner. Clicking on it will star the repository, indicating your support for the project.
Optionally, you can also leave a comment on the repository or open an issue to give feedback or suggest changes.

Staring a repository on GitHub is a simple way to show your support and appreciation for the project. It also helps to increase the visibility of the project and make it more discoverable to others.

Who we are

We believe that the key to success in the digital age is the ability to deliver value quickly and reliably. That’s why we offer a comprehensive range of DevOps & Cloud services designed to help your organization optimize its systems & Processes for speed and agility.

We are an AWS Advanced consulting partner which reflects our deep expertise in AWS Cloud and helping 100+ clients over the last 5 years.
Expertise in Kubernetes and overall container solution helps companies expedite their journey by 10X.
Infrastructure Automation is a key component to the success of our Clients and our Expertise helps deliver the same in the shortest time.
DevSecOps as a service to implement security within the overall DevOps process and helping companies deploy securely and at speed.
Platform engineering which supports scalable,Cost efficient infrastructure that supports rapid development, testing, and deployment.
24*7 SRE service to help you Monitor the state of your infrastructure and eradicate any issue within the SLA.

We provide support on all of our projects, no matter how small or large they may be.

To find more information about our company, visit squareops.com, follow us on Linkedin, or fill out a job application. If you have any questions or would like assistance with your cloud strategy and implementation, please don't hesitate to contact us.

aadesh-bhardwaj / terraform-aws-vpc