Skip to content

A demo for deploying Amazon VPC structure using Terraform best pracitces.

License

Notifications You must be signed in to change notification settings

zewenwu/terraform-aws-vpc-demo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

terraform-aws-vpc-demo

A demo for deploying Amazon VPC structure using Terraform best pracitces.

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

This module creates:

  • VPC and subnets with public and private subnets
  • Internet Gateway: To connect the VPC to the internet
  • NAT Gateway: [Optional] To allow instances in private subnets to connect to the internet
  • Elastic IP: [Optional] To assign to NAT Gateway
  • Route Tables: To route traffic between the VPC and the internet
  • VPC Endpoints for S3: [Optional] To connect to S3 within private subnets without going through the internet

Architecture

alt text

Implementation decisions

VPC and Subnets

This module creates a VPC with one public subnet and multiple private subnet layers associated to multiple tiers. For example, in a typical web application, you might have a public subnet for the load balancer and private subnets for the application servers, database servers, and cache servers, which has its own service tier.

The public subnets are associated with a single shared route table that routes traffic to the internet gateway.

For each service specified by the user, private subnets are deployed to different availability zones. Each private subnet is associated with a dedicated route table that routes traffic to the NAT Gateway if the service is public facing and to the S3 VPC endpoint if the service need to route traffic to S3 privately.

Multi-AZ NAT Gateway

You can optionally enable a multi-AZ NAT Gateway to provide high availability for instances in private subnets. This is useful for scenarios where you want to ensure that instances in private subnets can connect to the internet even if one of the NAT Gateways fails.

If you disable the multi-AZ NAT Gateway, the module will deploy a single NAT Gateway in the first availability zone in of the public subnet.

S3 VPC Endpoint

You can optionally enable an S3 VPC endpoint to allow instances in private subnets to connect to S3 without going through the internet. This is useful for scenarios where you want to restrict access to S3 to only instances within the VPC.

How to use this module

module "vpc" {
  source = "../terraform-components/aws-vpc"

  vpc_name                  = "testvpc"
  vpc_cidr_block            = "10.1.0.0/16"
  public_subnet_cidr_blocks = ["10.1.0.0/20", "10.1.16.0/20"]
  private_subnet_info = [
    {
      tier_name               = "application"
      cidr_blocks             = ["10.1.128.0/20", "10.1.144.0/20"]
      availability_zones      = ["us-east-1a", "us-east-1b"]
      public_facing           = true
      connect_s3_vpc_endpoint = true
    },
    {
      tier_name               = "database"
      cidr_blocks             = ["10.1.160.0/20", "10.1.176.0/20"]
      availability_zones      = ["us-east-1a", "us-east-1b"]
      public_facing           = false
      connect_s3_vpc_endpoint = false
    }
  ]

  enable_s3_endpoint = true

  enable_nat_gateway         = true
  enable_multiaz_nat_gateway = true

  tags = local.tags
}

Requirements

Name Version
terraform >= 0.13
aws = 5.45.0

Providers

Name Version
aws = 5.45.0

Modules

No modules.

Resources

Name Type
aws_eip.nat resource
aws_internet_gateway.main resource
aws_nat_gateway.main resource
aws_route.nat_gateway resource
aws_route_table.private resource
aws_route_table.public resource
aws_route_table_association.private resource
aws_route_table_association.public resource
aws_subnet.private resource
aws_subnet.public resource
aws_vpc.main resource
aws_vpc_endpoint.s3 resource
aws_vpc_endpoint_route_table_association.s3 resource
aws_availability_zones.available data source
aws_region.current data source

Inputs

Name Description Type Default Required
enable_multiaz_nat_gateway Enable Multi-AZ NAT Gateway bool false no
enable_nat_gateway Enable NAT Gateway bool false no
enable_s3_endpoint Enable S3 VPC endpoint bool true no
public_subnet_cidr_blocks The CIDR blocks for the public subnets list(string)
[
"10.0.0.0/20",
"10.0.16.0/20"
]
no
tags Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys. map(any) {} no
tier_info The info blocks for the private subnet structure for the tiers to deploy.
Each block respresents a tier should have tier_name, cidr_blocks, availability_zones, public_facing,
connect_s3_vpc_endpoint.
list(object({
tier_name = string
cidr_blocks = list(string)
availability_zones = list(string)
public_facing = bool
connect_s3_vpc_endpoint = bool

}))
[
{
"availability_zones": [
"us-east-1a",
"us-east-1b"
],
"cidr_blocks": [
"10.0.128.0/20",
"10.0.144.0/20"
],
"connect_s3_vpc_endpoint": true,
"public_facing": true,
"tier_name": "application"
},
{
"availability_zones": [
"us-east-1a",
"us-east-1b"
],
"cidr_blocks": [
"10.0.160.0/20",
"10.0.172.0/20"
],
"connect_s3_vpc_endpoint": false,
"public_facing": false,
"tier_name": "database"
}
]
no
vpc_cidr_block The CIDR block for the VPC string "10.0.0.0/16" no
vpc_name The name of the vpc string n/a yes

Outputs

Name Description
private_subnets_ids The IDs of the deployed private subnets, identified by the tier name.
public_subnets_ids The IDs of the deployed public subnets
vpc_id The ID of the deployed VPC

Terraform Blueprints/Components

We use Terraform to deploy the solution architecture. The Terraform blueprints are located in the live-sandbox folder. The Terraform blueprints are Terraform use-case specific files that references Terraform components. For our use case, we are defining Terraform blueprints to deploy a AWS VPC.

Terraform components are located in the terraform-components folder. The Terraform components are reusable Terraform code that can be used to deploy a specific AWS resource. Terraform components not only deploys its specific AWS resource, but deploys them considering best practices regarding reusability, security, and scalability.

For more info on Terraform, please refer to the Terraform documentation.

Tutorial

Please follow the below tutorials to deploy the solution architecture in the previous section:

  1. Set up Terraform with AWS Cloud account
  2. Deploy VPC module using Terraform

1. Set up Terraform with AWS Cloud account

To set up Terraform with AWS Cloud account,

Step 1. Create an AWS account. You need to have AWS access key and secret key to use Terraform to deploy resources on AWS of the following format:

export AWS_ACCESS_KEY_ID="xxx"
export AWS_SECRET_ACCESS_KEY="xxx"
export AWS_SESSION_TOKEN="xxx"

Step 2. Install Terraform on your local machine. Please follow the official documentation to install Terraform on your local machine.

Step 3. Configure Terraform to use your AWS access key and secret key by copy-pasting your AWS access and secret key in a Terminal.

Step 4. Change directory to live-sandbox that contains Terraform blueprints. Setup up and validate the Terraform blueprints by running the below commands:

cd live-sandbox
terraform init
terraform validate

2. Deploy VPC module using Terraform

Step 1. Change directory to live-sandbox that contains Terraform blueprints to deploy the solution architecture by running the below commands:

cd live-sandbox
terraform apply

Step 2. Once you are happy with the resources that Terraform is going to deploy in your AWS account, confirm by typing yes in the Terminal.

About

A demo for deploying Amazon VPC structure using Terraform best pracitces.

Topics

Resources

License

Stars

Watchers

Forks