Merge pull request #1 from opensource4learn/mr-alpha

AWS multi tier architecture implementation

Author: opensource4learn

README.md

@@ -21,12 +21,13 @@ provider "aws" {
 }
 
 module "vpc" {
-  source              = "opensource4learn/vpc/aws"
-  version             = "0.1.0-beta"
-  cluster_prefix      = "source4learn"
-  cluster_environment = "production"
-  cidr                = "10.0.0.0/20"
-  subnet_bits         = "4"
+  source                = "opensource4learn/vpc/aws"
+  version               = "0.1.0-beta"
+  cluster_prefix        = "source4learn"
+  cluster_environment   = "development"
+  cluster_architecture  = "3-tier"
+  cidr                  = "10.0.0.0/20"
+  subnet_bits           = "4"
 }
 ```
 
@@ -36,6 +37,12 @@ module "vpc" {
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.0 |
 
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
 ## Modules
 
 | Name | Source | Version |
@@ -56,9 +63,10 @@ module "vpc" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cidr"></a> [cidr](#input\_cidr) | CIDR block value to define the size of the AWS VPC | `string` | `"10.0.0.0/20"` | no |
-| <a name="input_cluster_environment"></a> [cluster_environment](#input\_cluster_environment) | To apply generic cluster_environment to AWS VPC Resources | `string` | n/a | yes |
-| <a name="input_cluster_prefix"></a> [cluster_prefix](#input\_cluster_prefix) | To apply generic naming to AWS VPC Resources | `string` | n/a | yes |
+| <a name="input_cidr"></a> [cidr](#input\_cidr) | CIDR block value to define the size of the AWS VPC | `string` | "10.0.0.0/20" | yes |
+| <a name="input_cluster_architecture"></a> [cluster\_architecture](#input\_cluster\_architecture) | To apply generic cluster architecture to AWS VPC Resources | `string` | n/a | yes |
+| <a name="input_cluster_environment"></a> [cluster\_environment](#input\_cluster\_environment) | To apply generic environment to AWS VPC Resources | `string` | n/a | yes |
+| <a name="input_cluster_prefix"></a> [cluster\_prefix](#input\_cluster\_prefix) | To apply generic naming to AWS VPC Resources | `string` | n/a | yes |
 | <a name="input_subnet_bits"></a> [subnet\_bits](#input\_subnet\_bits) | Subnet bits for cidrsubnet interpolation or Size we need to define for the Subnet (cidr of VPC + Subnet bits) | `string` | n/a | yes |
 
 ## Outputs

main.tf

@@ -33,32 +33,36 @@ module "public_subnet" {
   cluster_prefix          = var.cluster_prefix
   cluster_environment     = var.cluster_environment
   subnet_type             = ["public"]
+  cluster_architecture    = var.cluster_architecture
 }
 
 # AWS NAT Gateway Module
 module "nat_gateway" {
-  source              = "./modules/nat-gateways"
-  cluster_prefix      = var.cluster_prefix
-  cluster_environment = var.cluster_environment
-  public_subnet_ids   = module.public_subnet.public_subnet_ids
+  source               = "./modules/nat-gateways"
+  cluster_prefix       = var.cluster_prefix
+  cluster_environment  = var.cluster_environment
+  public_subnet_ids    = module.public_subnet.public_subnet_ids
+  cluster_architecture = var.cluster_architecture
 }
 
 # AWS VPC Subnets Module - Private Subnet
 module "private_subnet" {
-  source              = "./modules/subnets"
-  vpc_id              = aws_vpc.vpc.id
-  aws_nat_gateway_id  = module.nat_gateway.nat_gateway_ids
-  cidr                = var.cidr
-  cluster_prefix      = var.cluster_prefix
-  cluster_environment = var.cluster_environment
-  subnet_bits         = var.subnet_bits
-  subnet_type         = ["private", "storage"]
+  source               = "./modules/subnets"
+  vpc_id               = aws_vpc.vpc.id
+  aws_nat_gateway_id   = module.nat_gateway.nat_gateway_ids
+  cidr                 = var.cidr
+  cluster_prefix       = var.cluster_prefix
+  cluster_environment  = var.cluster_environment
+  subnet_bits          = var.subnet_bits
+  subnet_type          = ["private", "storage"]
+  cluster_architecture = var.cluster_architecture
 }
 
 # AWS VPC Security Groups Module
 module "security_group" {
-  source              = "./modules/security-groups"
-  vpc_id              = aws_vpc.vpc.id
-  cluster_prefix      = var.cluster_prefix
-  cluster_environment = var.cluster_environment
+  source               = "./modules/security-groups"
+  vpc_id               = aws_vpc.vpc.id
+  cluster_prefix       = var.cluster_prefix
+  cluster_environment  = var.cluster_environment
+  cluster_architecture = var.cluster_architecture
 }

modules/nat-gateways/main.tf

@@ -4,7 +4,7 @@ data "aws_availability_zones" "available_zones" {}
 # AWS Elastic IPs
 resource "aws_eip" "eip" {
   vpc   = true
-  count = length(data.aws_availability_zones.available_zones.names)
+  count = var.cluster_architecture == "2-tier" || var.cluster_architecture == "3-tier" ? length(data.aws_availability_zones.available_zones.names) : 0
 
   tags = {
     Name        = "${var.cluster_prefix}-${count.index + 1}"
@@ -16,7 +16,7 @@ resource "aws_eip" "eip" {
 resource "aws_nat_gateway" "nat_gateway" {
   allocation_id = element(aws_eip.eip.*.id, count.index)
   subnet_id     = element(var.public_subnet_ids, count.index)
-  count         = length(data.aws_availability_zones.available_zones.names)
+  count         = var.cluster_architecture == "2-tier" || var.cluster_architecture == "3-tier" ? length(data.aws_availability_zones.available_zones.names) : 0
 
   tags = {
     Name        = "${var.cluster_prefix}-${count.index + 1}"

modules/nat-gateways/variables.tf

@@ -8,6 +8,11 @@ variable "cluster_environment" {
   type        = string
 }
 
+variable "cluster_architecture" {
+  description = "To apply generic cluster_environment to AWS VPC Resources"
+  type        = string
+}
+
 variable "public_subnet_ids" {
   description = "list of public subnets in order of availability zones so that NAT Gateway's can be created in those respective subnets"
   type        = list(any)

modules/security-groups/main.tf

@@ -1,68 +1,132 @@
 # AWS Public Security Group
-module "public_security_group" {
-  source              = "./resources"
-  vpc_id              = var.vpc_id
-  cluster_prefix      = var.cluster_prefix
-  cluster_environment = var.cluster_environment
-  sg_type             = "public"
-  sg_description      = "Allow connections from internet"
+resource "aws_security_group" "public_security_group" {
+  count                  = var.cluster_architecture == "1-tier" || var.cluster_architecture == "2-tier" || var.cluster_architecture == "3-tier" ? 1 : 0
+  name                   = "${var.cluster_prefix}-public"
+  description            = "Allow connections from internet"
+  vpc_id                 = var.vpc_id
+  revoke_rules_on_delete = true
+
+  egress {
+    description = "Allow all outbound"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow ssh connection inbound public"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+
+  ingress {
+    description = "Allow http inbound public"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow https inbound public"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name        = "${var.cluster_prefix}-public"
+    Environment = var.cluster_environment
+    Type        = "public"
+  }
 }
 
 # AWS Public Security Group Rules
-resource "aws_security_group_rule" "allow_http_inbound_public" {
-  type              = "ingress"
-  from_port         = 80
-  to_port           = 80
-  protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = module.public_security_group.security_group_id
-}
+# resource "aws_security_group_rule" "allow_http_inbound_public" {
+#   type              = "ingress"
+#   from_port         = 80
+#   to_port           = 80
+#   protocol          = "tcp"
+#   cidr_blocks       = ["0.0.0.0/0"]
+#   security_group_id = aws_security_group.public_security_group.id
+# }
 
-resource "aws_security_group_rule" "allow_https_inbound_public" {
-  type              = "ingress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = module.public_security_group.security_group_id
-}
+# resource "aws_security_group_rule" "allow_https_inbound_public" {
+#   type              = "ingress"
+#   from_port         = 443
+#   to_port           = 443
+#   protocol          = "tcp"
+#   cidr_blocks       = ["0.0.0.0/0"]
+#   security_group_id = aws_security_group.public_security_group.id
+# }
 
 # AWS Private Security Group
-module "private_security_group" {
-  source              = "./resources"
-  vpc_id              = var.vpc_id
-  cluster_prefix      = var.cluster_prefix
-  cluster_environment = var.cluster_environment
-  sg_type             = "private"
-  sg_description      = "The private security group to allows inbound traffic from public group"
+resource "aws_security_group" "private_security_group" {
+  count                  = var.cluster_architecture == "2-tier" || var.cluster_architecture == "3-tier" ? 1 : 0
+  name                   = "${var.cluster_prefix}-private"
+  description            = "The private security group to allows inbound traffic from public group"
+  vpc_id                 = var.vpc_id
+  revoke_rules_on_delete = true
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name        = "${var.cluster_prefix}-private"
+    Environment = var.cluster_environment
+    Type        = "private"
+  }
 }
 
 # AWS Private Security Group Rules
 resource "aws_security_group_rule" "allow_inbound_private" {
+  count                    = var.cluster_architecture == "2-tier" || var.cluster_architecture == "3-tier" ? 1 : 0
   type                     = "ingress"
   from_port                = 0
-  to_port                  = 65535
+  to_port                  = 0
   protocol                 = "-1"
-  source_security_group_id = module.public_security_group.security_group_id
-  security_group_id        = module.private_security_group.security_group_id
+  source_security_group_id = aws_security_group.public_security_group[0].id
+  security_group_id        = aws_security_group.private_security_group[0].id
 }
 
 # AWS Storage Security Group
-module "storage_security_group" {
-  source              = "./resources"
-  vpc_id              = var.vpc_id
-  cluster_prefix      = var.cluster_prefix
-  cluster_environment = var.cluster_environment
-  sg_type             = "storage"
-  sg_description      = "The storage security group to allows inbound traffic from private group"
+resource "aws_security_group" "storage_security_group" {
+  count                  = var.cluster_architecture == "3-tier" ? 1 : 0
+  name                   = "${var.cluster_prefix}-storage"
+  description            = "The storage security group to allows inbound traffic from private group"
+  vpc_id                 = var.vpc_id
+  revoke_rules_on_delete = true
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name        = "${var.cluster_prefix}-storage"
+    Environment = var.cluster_environment
+    Type        = "storage"
+  }
 }
 
 # AWS Storage Security Group Rules
 resource "aws_security_group_rule" "allow_inbound_storage" {
+  count                    = var.cluster_architecture == "3-tier" ? 1 : 0
   type                     = "ingress"
   from_port                = 0
-  to_port                  = 65535
+  to_port                  = 0
   protocol                 = "-1"
-  source_security_group_id = module.private_security_group.security_group_id
-  security_group_id        = module.storage_security_group.security_group_id
-}
+  source_security_group_id = aws_security_group.private_security_group[0].id
+  security_group_id        = aws_security_group.storage_security_group[0].id
+}

modules/security-groups/output.tf

@@ -1,11 +1,3 @@
 output "public_security_group_id" {
-  value = module.public_security_group.security_group_id
+  value = aws_security_group.public_security_group[0].id
 }
-
-output "private_security_group_id" {
-  value = module.private_security_group.security_group_id
-}
-
-output "storage_security_group_id" {
-  value = module.storage_security_group.security_group_id
-}

modules/security-groups/resources/main.tf

@@ -13,3 +13,8 @@ variable "cluster_environment" {
   type        = string
 }
 
+variable "cluster_architecture" {
+  description = "To apply generic cluster_environment to AWS VPC Resources"
+  type        = string
+}
+