brpaz
3/18/2015 - 9:25 PM

Terraform 2 tier VPC with nat #terraform #infrastructure


# define some variables
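variable "aws_ubuntu_ami" {
	description = "AMI used for the web and app instances. AMI ids are region-specific; this default is only valid in the provider's region (ap-southeast-2) - confirm it before applying."
	default = "ami-972444ad"
}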

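variable "aws_keypair" {
	description = "Name of an existing EC2 key pair assigned to every instance (key_name). The default is a placeholder and must be overridden."
	default = "xxxx"
}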

# AWS account details
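provider "aws" {
	# access_key / secret_key are deliberately not set here. When omitted the
	# AWS provider reads credentials from the AWS_ACCESS_KEY_ID /
	# AWS_SECRET_ACCESS_KEY environment variables (or the shared credentials
	# file), which keeps long-lived keys out of this file and out of version
	# control. Hard-coded placeholders tend to get replaced with real keys.
	region      = "ap-southeast-2"
}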

# VPC
resource "aws_vpc" "web_app" {
	# /16 that the four /24 subnets below (10.10.1-4.0/24) are carved from.
	cidr_block = "10.10.0.0/16"
}

# Web tier
resource "aws_internet_gateway" "web" {
	# Only the web route table sends traffic here; the app tier reaches the
	# internet through the nat instance instead.
	vpc_id = "${aws_vpc.web_app.id}"
}

# Public subnet (associated with the web route table, default route to the
# internet gateway). Also hosts the nat instance.
resource "aws_subnet" "web_a" {
	vpc_id = "${aws_vpc.web_app.id}"
	
	cidr_block = "10.10.1.0/24"
	availability_zone = "ap-southeast-2a"
}

# Second public subnet, in a different AZ for the web ELB / web_b instance.
resource "aws_subnet" "web_b" {
	vpc_id = "${aws_vpc.web_app.id}"

	cidr_block = "10.10.2.0/24"
	availability_zone = "ap-southeast-2b"
}

# Route table for the public (web) subnets: everything non-local goes to the
# internet gateway.
resource "aws_route_table" "web" {
	vpc_id = "${aws_vpc.web_app.id}"

	route {
		cidr_block = "0.0.0.0/0"
		gateway_id = "${aws_internet_gateway.web.id}"
	}
}

# Makes web_a a public subnet by attaching the IGW route table.
resource "aws_route_table_association" "web_a" {
	subnet_id = "${aws_subnet.web_a.id}"
	route_table_id = "${aws_route_table.web.id}"
}

# Makes web_b a public subnet by attaching the IGW route table.
resource "aws_route_table_association" "web_b" {
	subnet_id = "${aws_subnet.web_b.id}"
	route_table_id = "${aws_route_table.web.id}"
}

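# Web instance in AZ a. Reachable only from the web ELB (see the web_instance
# security group); it has no public IP of its own.
resource "aws_instance" "web_a" {
	ami = "${var.aws_ubuntu_ami}"
	# Must match the AZ of the subnet below.
	availability_zone = "ap-southeast-2a"
	instance_type = "t2.micro"
	# Inside a VPC security groups are referenced by id, which is what
	# vpc_security_group_ids expects; security_groups is the EC2-Classic
	# (name based) argument.
	vpc_security_group_ids = ["${aws_security_group.web_instance.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.web_a.id}"
}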

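# Web instance in AZ b. Reachable only from the web ELB (see the web_instance
# security group); it has no public IP of its own.
resource "aws_instance" "web_b" {
	ami = "${var.aws_ubuntu_ami}"
	# Must match the AZ of the subnet below.
	availability_zone = "ap-southeast-2b"
	instance_type = "t2.micro"
	# Inside a VPC security groups are referenced by id, which is what
	# vpc_security_group_ids expects; security_groups is the EC2-Classic
	# (name based) argument.
	vpc_security_group_ids = ["${aws_security_group.web_instance.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.web_b.id}"
}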

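# NAT instance for the app tier. It is the only instance with a public address
# (the EIP below) and the next hop of the app route table's default route.
# A single instance in one AZ, so it is a single point of failure for the app
# tier's outbound connectivity.
resource "aws_instance" "nat" {
	# Presumably a NAT AMI; AMI ids are region-specific and this one is pinned
	# to ap-southeast-2 - TODO confirm it is still current before applying.
	ami = "ami-0154c73b"
	availability_zone = "ap-southeast-2a"
	instance_type = "t1.micro"
	# Inside a VPC security groups are referenced by id.
	vpc_security_group_ids = ["${aws_security_group.nat.id}"]
	key_name = "${var.aws_keypair}"
	# Placed in the public web_a subnet so it has a route to the internet gateway.
	subnet_id = "${aws_subnet.web_a.id}"
	# An instance only forwards packets that are not addressed to itself when
	# source/destination checking is disabled. Without this, the app tier's
	# 0.0.0.0/0 route through this instance is silently dropped.
	source_dest_check = false
}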

# Public address for the nat instance; vpc = true allocates it in the VPC
# address pool.
resource "aws_eip" "nat" {
	instance = "${aws_instance.nat.id}"
	vpc = true
}

# Internet-facing ELB in the two public subnets, fronting web_a and web_b.
resource "aws_elb" "web" {
	name = "web-elb"
	subnets = ["${aws_subnet.web_a.id}","${aws_subnet.web_b.id}"]
	security_groups = ["${aws_security_group.web_elb.id}"]

	# Plain HTTP end to end; no TLS listener is defined, so traffic from the
	# internet to this ELB is unencrypted.
	listener {
		instance_port = 80
		instance_protocol = "http"
		lb_port = 80
		lb_protocol = "http"
	}

	# HTTP GET / on the instance port every 30s; two consecutive results flip
	# an instance in or out of service.
	health_check {
		healthy_threshold = 2
		unhealthy_threshold = 2
		timeout = 3
		target = "HTTP:80/"
		interval = 30
	}

	instances = ["${aws_instance.web_a.id}","${aws_instance.web_b.id}"]
}

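resource "aws_security_group" "web_elb" {
	name = "web elb"
	description = "Allow http internet traffic into elb"

	# The only rule in this configuration that admits traffic from the
	# internet: HTTP on 80 to the public web ELB.
	ingress {
		from_port = 80
		to_port = 80
		protocol = "tcp"
		cidr_blocks = ["0.0.0.0/0"]
	}

	# Egress is declared explicitly instead of relying on AWS's default
	# allow-all rule, which Terraform removes in some provider versions.
	# The ELB only has to reach the web instances (and their health-check
	# target) on port 80 inside the VPC. Referencing the web_instance group
	# here instead of the CIDR would create a dependency cycle with its
	# ingress rule.
	egress {
		from_port = 80
		to_port = 80
		protocol = "tcp"
		cidr_blocks = ["${aws_vpc.web_app.cidr_block}"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}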

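resource "aws_security_group" "web_instance" {
	name = "web instance"
	description = "Allow traffic from elb only"

	# Port 80 only, and only from members of the web ELB security group;
	# nothing reaches the web instances directly from the internet.
	ingress {
		from_port = 80
		to_port = 80
		protocol = "tcp"
		security_groups = ["${aws_security_group.web_elb.id}"]
	}

	# Explicit egress (AWS's default allow-all rule is removed by some
	# Terraform provider versions). This mirrors the AWS default; the web
	# instances have no public IP, so in practice they can only reach
	# addresses inside the VPC, e.g. the app ELB on 8080.
	egress {
		from_port = 0
		to_port = 0
		protocol = "-1"
		cidr_blocks = ["0.0.0.0/0"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}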

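resource "aws_security_group" "nat" {
	name = "nat instance"
	description = "Allow all TCP traffic from app tier"

	# Any TCP port, but only from members of the app_instance group. Note
	# that this is TCP only: UDP from the app tier (e.g. NTP) is not
	# forwarded by this rule - extend it if the app instances need that.
	ingress {
		from_port = 0
		to_port = 65535
		protocol = "tcp"
		security_groups = ["${aws_security_group.app_instance.id}"]
	}

	# A NAT instance must be able to send the forwarded traffic anywhere, so
	# egress is declared as allow-all explicitly rather than relying on the
	# AWS default rule, which some Terraform provider versions remove.
	egress {
		from_port = 0
		to_port = 0
		protocol = "-1"
		cidr_blocks = ["0.0.0.0/0"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}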

# Application tier
# Private subnet: its route table sends non-local traffic to the nat instance,
# not to the internet gateway.
resource "aws_subnet" "app_a" {
	vpc_id = "${aws_vpc.web_app.id}"

	cidr_block = "10.10.3.0/24"
	availability_zone = "ap-southeast-2a"
}

# Second private subnet, in a different AZ for the app ELB / app_b instance.
resource "aws_subnet" "app_b" {
	vpc_id = "${aws_vpc.web_app.id}"

	cidr_block = "10.10.4.0/24"
	availability_zone = "ap-southeast-2b"
}

# Route table for the private (app) subnets: the default route is the nat
# instance. This only works if source/destination checking is disabled on
# that instance (aws_instance.nat above); AWS does not forward otherwise.
resource "aws_route_table" "app" {
	vpc_id = "${aws_vpc.web_app.id}"
	
	route {
		cidr_block = "0.0.0.0/0"
		instance_id = "${aws_instance.nat.id}"
	}
}

# Makes app_a a private subnet by attaching the NAT route table.
resource "aws_route_table_association" "app_a" {
	subnet_id = "${aws_subnet.app_a.id}"
	route_table_id = "${aws_route_table.app.id}"
}

# Makes app_b a private subnet by attaching the NAT route table.
resource "aws_route_table_association" "app_b" {
	subnet_id = "${aws_subnet.app_b.id}"
	route_table_id = "${aws_route_table.app.id}"
}

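# App instance in AZ a, in a private subnet. Reachable only from the app ELB
# (see the app_instance security group).
resource "aws_instance" "app_a" {
	ami = "${var.aws_ubuntu_ami}"
	# Must match the AZ of the subnet below.
	availability_zone = "ap-southeast-2a"
	instance_type = "t2.micro"
	# Inside a VPC security groups are referenced by id, which is what
	# vpc_security_group_ids expects; security_groups is the EC2-Classic
	# (name based) argument.
	vpc_security_group_ids = ["${aws_security_group.app_instance.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.app_a.id}"
}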

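# App instance in AZ b, in a private subnet. Reachable only from the app ELB
# (see the app_instance security group).
resource "aws_instance" "app_b" {
	ami = "${var.aws_ubuntu_ami}"
	# Must match the AZ of the subnet below.
	availability_zone = "ap-southeast-2b"
	instance_type = "t2.micro"
	# Inside a VPC security groups are referenced by id, which is what
	# vpc_security_group_ids expects; security_groups is the EC2-Classic
	# (name based) argument.
	vpc_security_group_ids = ["${aws_security_group.app_instance.id}"]
	key_name = "${var.aws_keypair}"
	subnet_id = "${aws_subnet.app_b.id}"
}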

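# ELB in front of the app tier, used by the web instances.
resource "aws_elb" "app" {
	name = "app-elb"
	subnets = ["${aws_subnet.app_a.id}","${aws_subnet.app_b.id}"]
	# The app subnets have no route to the internet gateway and this ELB is
	# only meant to be reached from inside the VPC, so it is an internal ELB.
	internal = true
	# Without this the app_elb security group defined below is never attached
	# to anything, and the app_instance group (which only admits traffic from
	# app_elb) would reject the ELB's requests and health checks.
	security_groups = ["${aws_security_group.app_elb.id}"]

	listener {
		instance_port = 8080
		instance_protocol = "tcp"
		lb_port = 8080
		lb_protocol = "tcp"
	}

	# TCP connect check on 8080 every 30s; two consecutive results flip an
	# instance in or out of service.
	health_check {
		healthy_threshold = 2
		unhealthy_threshold = 2
		timeout = 3
		target = "TCP:8080"
		interval = 30
	}

	instances = ["${aws_instance.app_a.id}","${aws_instance.app_b.id}"]
}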

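resource "aws_security_group" "app_elb" {
	name = "app elb"
	description = "Allow traffic from web instances"

	# Port 8080 only, and only from members of the web_instance group.
	ingress {
		from_port = 8080
		to_port = 8080
		protocol = "tcp"
		security_groups = ["${aws_security_group.web_instance.id}"]
	}

	# Egress is declared explicitly instead of relying on AWS's default
	# allow-all rule, which Terraform removes in some provider versions.
	# The ELB only has to reach the app instances (and their health-check
	# target) on 8080 inside the VPC. Referencing the app_instance group
	# here instead of the CIDR would create a dependency cycle with its
	# ingress rule.
	egress {
		from_port = 8080
		to_port = 8080
		protocol = "tcp"
		cidr_blocks = ["${aws_vpc.web_app.cidr_block}"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}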

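resource "aws_security_group" "app_instance" {
	name = "app instance"
	description = "Allow traffic from app elb"

	# Port 8080 only, and only from members of the app ELB security group.
	ingress {
		from_port = 8080
		to_port = 8080
		protocol = "tcp"
		security_groups = ["${aws_security_group.app_elb.id}"]
	}

	# Explicit egress (AWS's default allow-all rule is removed by some
	# Terraform provider versions). The app instances reach the internet
	# through the nat instance, whose group only accepts TCP from this one.
	egress {
		from_port = 0
		to_port = 0
		protocol = "-1"
		cidr_blocks = ["0.0.0.0/0"]
	}

	vpc_id = "${aws_vpc.web_app.id}"
}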