echomike80 / terraform-aws-ec2

Terraform module which creates EC2 instance(s) on AWS

Home Page: https://registry.terraform.io/modules/terraform-aws-modules/ec2-instance/aws


AWS EC2 Terraform module

Terraform module which creates EC2 resources with security groups, key pair, EIP associations, Backup plans and CloudWatch alarms on AWS.

Terraform versions

Terraform 0.12 and newer.

Usage

```hcl
module "applicationserver" {
  source                            = "/path/to/module/terraform-aws-ec2"
  name                              = var.name
  region                            = var.region
  vpc_cidr                          = var.vpc_cidr
  vpc_id                            = var.vpc_id
  subnet_ids                        = var.subnet_ids

  ami                               = var.app_ami
  instance_count                    = var.app_instance_count
  instance_type                     = var.app_instance_type
  iam_instance_profile              = var.app_iam_instance_profile
  ssh_pubkey                        = var.app_ssh_pubkey
  root_block_device                 = var.app_root_block_device
  ebs_block_device                  = var.app_ebs_block_device
  sg_rule_rds_port                  = var.app_sg_rule_rds_port

  # Egress rules keyed by CIDR: the instance may reach the internet on 80/443 only
  sg_rules_egress_cidr_map          = {
    internet_http = {
      port          = 80
      protocol      = "tcp"
      cidr_block    = "0.0.0.0/0"
    }
    internet_https = {
      port          = 443
      protocol      = "tcp"
      cidr_block    = "0.0.0.0/0"
    }
  }
  # Ingress rules keyed by CIDR: SSH only from the VPN range
  sg_rules_ingress_cidr_map         = {
    vpn_ssh = {
      port          = 22
      protocol      = "tcp"
      cidr_block    = "192.168.178.0/24"
    }
  }
  # Ingress rules keyed by source security group: app port only from the web tier
  sg_rules_ingress_source_sg_map    = {
    webserver_http = {
      port          = 8080
      protocol      = "tcp"
      source_sg_id  = "sg-........."
    }
  }

  backup_enabled            = var.backup_enabled[terraform.workspace]
  backup_create_role        = var.backup_create_role[terraform.workspace]
  backup_plan_delete_after  = var.backup_plan_delete_after[terraform.workspace]
  backup_role_name          = var.backup_role_name
  backup_plan_tag_key       = "Backup"
  backup_plan_tag_value     = var.backup_plan_tag_value
  backup_tags               = {
    Backup = var.backup_plan_tag_value
  }

  tags = {
    Environment = var.environment
    Tier        = var.app_tier
  }
}
```

Mandatory input variables:

```hcl
ami = {
  "eu-central-1"    = "ami-0a6dc7529cd559185"
  "eu-west-1"       = "ami-0fc970315c2d38f01"
  "us-east-1"       = "ami-047a51fa27710816e"
}
instance_type       = "t3.medium"
region              = "eu-central-1"
ssh_pubkey          = "ssh-rsa AAAAB3NzaC1.... ec2"
vpc_id              = "vpc-......"
```

Notes

CloudWatch alarms issue: the input variable cloudwatch_sns_topic_arn can only be used after the EC2 instance has been provisioned by this module. Otherwise Terraform fails with the following error:

> The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the count depends on.

Workaround: run terraform apply once without setting cloudwatch_sns_topic_arn; once the instance exists, set the variable and apply again.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12.6 |
| aws | >= 2.65 |

Providers

| Name | Version |
|------|---------|
| aws | >= 2.65 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_backup_plan.ec2 | resource |
| aws_backup_selection.ec2 | resource |
| aws_backup_vault.ec2 | resource |
| aws_cloudwatch_metric_alarm.ec2-autorecover | resource |
| aws_cloudwatch_metric_alarm.ec2-autorecover-and-notify | resource |
| aws_cloudwatch_metric_alarm.ec2-cpu-utilization-notify | resource |
| aws_eip_association.ec2 | resource |
| aws_iam_role.ec2_backup | resource |
| aws_iam_role_policy_attachment.ec2_backup_backup | resource |
| aws_iam_role_policy_attachment.ec2_backup_restores | resource |
| aws_instance.ec2 | resource |
| aws_key_pair.ec2 | resource |
| aws_security_group.ec2 | resource |
| aws_security_group.ec2-to-database | resource |
| aws_security_group_rule.in-each-port-ec2-from-cidr | resource |
| aws_security_group_rule.in-each-port-ec2-from-source_sg_id | resource |
| aws_security_group_rule.out-any-ec2-to-vpc | resource |
| aws_security_group_rule.out-each-port-ec2-to-cidr | resource |
| aws_security_group_rule.out-each-port-ec2-to-source_sg_id | resource |
| aws_caller_identity.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| ami | ID of AMI to use for the instance | map | n/a | yes |
| associate_public_ip_address | If true, the EC2 instance will have an associated public IP address | bool | null | no |
| backup_create_role | Create IAM role for AWS Backup | bool | false | no |
| backup_enabled | Enable or disable AWS Backup | bool | false | no |
| backup_plan_cold_storage_after | Specifies the number of days after creation that a recovery point is moved to cold storage | number | null | no |
| backup_plan_delete_after | Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than cold_storage_after | number | null | no |
| backup_plan_schedule | AWS Backup plan schedule | string | "cron(0 3 * * ? *)" | no |
| backup_plan_tag_key | AWS Backup selection tag key | string | "Backup" | no |
| backup_plan_tag_value | AWS Backup selection tag value | string | "enabled" | no |
| backup_plan_windows_vss | AWS Backup plan Windows VSS feature | string | "disabled" | no |
| backup_role_name | Name of the IAM role which will be created when backup_enabled is true and backup_create_role is true | string | "ec2-backup-role" | no |
| backup_tags | A mapping of backup tags to assign to the resource | map(string) | {} | no |
| backup_vault_kms_key_arn | AWS Backup vault KMS key ARN | string | null | no |
| cloudwatch_autorecover_enabled | Enable or disable CloudWatch alarm EC2 autorecover | bool | true | no |
| cloudwatch_cpu_utilization_enabled | Enable or disable CloudWatch alarm CPU utilization | bool | false | no |
| cloudwatch_sns_topic_arn | SNS Topic ARN for CloudWatch alarms | string | null | no |
| cpu_credits | The credit option for CPU usage (unlimited or standard) | string | "standard" | no |
| disable_api_termination | If true, enables EC2 Instance Termination Protection | bool | false | no |
| ebs_block_device | Additional EBS block devices to attach to the instance | list(map(string)) | [] | no |
| ebs_optimized | If true, the launched EC2 instance will be EBS-optimized | bool | false | no |
| eip_alloc_ids | List of Elastic IP associations for the EC2 instance | list(string) | null | no |
| enable_any_egress_to_vpc | Enable any egress traffic from EC2 instance to VPC | bool | true | no |
| ephemeral_block_device | Customize Ephemeral (also known as Instance Store) volumes on the instance | list(map(string)) | [] | no |
| get_password_data | If true, wait for password data to become available and retrieve it. | bool | false | no |
| iam_instance_profile | The IAM Instance Profile to launch the instance with. Specified as the name of the Instance Profile. | string | "" | no |
| instance_count | Number of instances to launch | number | 1 | no |
| instance_initiated_shutdown_behavior | Shutdown behavior for the instance | string | "" | no |
| instance_type | The type of instance to start | string | n/a | yes |
| ipv6_address_count | A number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet. | number | null | no |
| ipv6_addresses | Specify one or more IPv6 addresses from the range of the subnet to associate with the primary network interface | list(string) | null | no |
| metadata_options | Customize the metadata options of the instance | map(string) | {} | no |
| monitoring | If true, the launched EC2 instance will have detailed monitoring enabled | bool | false | no |
| name | Name to be used on all resources as prefix | string | n/a | yes |
| network_interface | Customize network interfaces to be attached at instance boot time | list(map(string)) | [] | no |
| num_suffix_format | Numerical suffix format used as the volume and EC2 instance name suffix | string | "-%d" | no |
| placement_group | The Placement Group to start the instance in | string | "" | no |
| private_ip | Private IP address to associate with the instance in a VPC | string | null | no |
| private_ips | A list of private IP addresses to associate with the instance in a VPC. Should match the number of instances. | list(string) | [] | no |
| region | Name of region | string | n/a | yes |
| root_block_device | Customize details about the root block device of the instance. See Block Devices below for details | list(map(string)) | [] | no |
| sg_rule_rds_port | Port for ingress security group rules to RDS | number | null | no |
| sg_rules_egress_cidr_map | Map of security group rules for egress communication to CIDR blocks | map | {} | no |
| sg_rules_egress_source_sg_map | Map of security group rules for egress communication to source security group IDs | map | {} | no |
| sg_rules_ingress_cidr_map | Map of security group rules for ingress communication from CIDR blocks | map | {} | no |
| sg_rules_ingress_source_sg_map | Map of security group rules for ingress communication from source security group IDs | map | {} | no |
| sg_tags | Additional tags for the security group | map(string) | {} | no |
| sg_tags_db | Additional tags for the security group of the db | map(string) | {} | no |
| source_dest_check | Controls if traffic is routed to the instance when the destination address does not match the instance. Used for NAT or VPNs. | bool | true | no |
| ssh_pubkey | SSH Public Key | string | n/a | yes |
| subnet_id | The VPC Subnet ID to launch in | string | "" | no |
| subnet_ids | A list of VPC Subnet IDs to launch in | list(string) | [] | no |
| tags | A mapping of tags to assign to the resource | map(string) | {} | no |
| tenancy | The tenancy of the instance (if the instance is running in a VPC). Available values: default, dedicated, host. | string | "default" | no |
| use_num_suffix | Always append numerical suffix to instance name, even if instance_count is 1 | bool | false | no |
| user_data | The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; see user_data_base64 instead. | string | null | no |
| user_data_base64 | Can be used instead of user_data to pass base64-encoded binary data directly. | string | null | no |
| volume_tags | A mapping of tags to assign to the devices created by the instance at launch time | map(string) | {} | no |
| vpc_cidr | VPC CIDR for security group rules | string | "10.0.0.0/16" | no |
| vpc_id | String of VPC ID | string | n/a | yes |
| vpc_security_group_ids | A list of security group IDs to associate with | list(string) | null | no |

Outputs

| Name | Description |
|------|-------------|
| arn | List of ARNs of instances |
| availability_zone | List of availability zones of instances |
| credit_specification | List of credit specification of instances |
| ebs_block_device_volume_ids | List of volume IDs of EBS block devices of instances |
| id | List of IDs of instances |
| instance_count | Number of instances to launch specified as argument to this module |
| instance_state | List of instance states of instances |
| ipv6_addresses | List of assigned IPv6 addresses of instances |
| key_name | List of key names of instances |
| metadata_options | List of metadata options of instances |
| password_data | List of Base-64 encoded encrypted password data for the instance |
| placement_group | List of placement groups of instances |
| primary_network_interface_id | List of IDs of the primary network interface of instances |
| private_dns | List of private DNS names assigned to the instances. Can only be used inside the Amazon EC2, and only available if you've enabled DNS hostnames for your VPC |
| private_ip | List of private IP addresses assigned to the instances |
| public_dns | List of public DNS names assigned to the instances. For EC2-VPC, this is only available if you've enabled DNS hostnames for your VPC |
| public_ip | List of public IP addresses assigned to the instances, if applicable |
| root_block_device_volume_ids | List of volume IDs of root block devices of instances |
| security_group_id_database_from_ec2 | ID of security group to use for the RDS that allows incoming connections from the application server |
| security_group_id_ec2 | ID of security group to use for the application server |
| security_groups | List of associated security groups of instances |
| subnet_id | List of IDs of VPC subnets of instances |
| tags | List of tags of instances |
| volume_tags | List of tags of volumes of instances |
| vpc_security_group_ids | List of associated security groups of instances, if running in non-default VPC |

Authors

Module managed by Marcel Emmert. Module based on AWS EC2 instance module created by Anton Babenko.

License

Apache 2 Licensed. See LICENSE for full details.
