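# Network, key material, IAM and the jump host for one project.
#
# Layout: VPC + IGW -> two public / two private subnets across two AZs ->
# route tables and associations -> AMI lookup -> SSH key pair ->
# security group -> IAM role/instance profile -> jump EC2 instance with a
# bootstrap script that installs Terraform, kubectl, eksctl, Helm and the AWS CLI.
#
# Every var.* referenced here is expected to be declared elsewhere in the
# module; the only variable declared in this file is jump_ssh_allowed_cidrs.

# VPC Setup
resource "aws_vpc" "app_vpc" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "${var.project_name}-vpc"
  }
}

# Internet Gateway
resource "aws_internet_gateway" "app_igw" {
  vpc_id = aws_vpc.app_vpc.id

  tags = {
    Name    = "${var.project_name}-igw"
    project = var.project_name
  }
}

# Subnet Setup
# Public subnets auto-assign public IPs; private subnets do not and have no
# default route (see private_route_table), so instances there are not reachable
# from the internet and cannot reach it either unless a NAT route is added.
resource "aws_subnet" "pub_subnet_1" {
  vpc_id                  = aws_vpc.app_vpc.id
  cidr_block              = var.public_subnet_1_cidr
  availability_zone       = var.availability_zone_1
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.project_name}-vpc-subnet-public1-${var.availability_zone_1}"
  }
}

resource "aws_subnet" "pub_subnet_2" {
  vpc_id                  = aws_vpc.app_vpc.id
  cidr_block              = var.public_subnet_2_cidr
  availability_zone       = var.availability_zone_2
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.project_name}-vpc-subnet-public2-${var.availability_zone_2}"
  }
}

resource "aws_subnet" "priv_subnet_1" {
  vpc_id            = aws_vpc.app_vpc.id
  cidr_block        = var.private_subnet_1_cidr
  availability_zone = var.availability_zone_1

  tags = {
    Name = "${var.project_name}-vpc-subnet-private1-${var.availability_zone_1}"
  }
}

resource "aws_subnet" "priv_subnet_2" {
  vpc_id            = aws_vpc.app_vpc.id
  cidr_block        = var.private_subnet_2_cidr
  availability_zone = var.availability_zone_2

  tags = {
    Name = "${var.project_name}-vpc-subnet-private2-${var.availability_zone_2}"
  }
}

# Route Tables
# Public: default route to the IGW. Private: local VPC route only.
resource "aws_route_table" "public_route_table" {
  vpc_id = aws_vpc.app_vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.app_igw.id
  }

  tags = {
    Name = "${var.project_name}-rtb-public"
  }
}

resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.app_vpc.id

  tags = {
    Name = "${var.project_name}-rtb-private"
  }
}

# Subnet maps keyed by AZ, used as stable for_each keys for the associations.
locals {
  public_subnets = {
    "${var.availability_zone_1}" = aws_subnet.pub_subnet_1.id
    "${var.availability_zone_2}" = aws_subnet.pub_subnet_2.id
  }

  private_subnets = {
    "${var.availability_zone_1}" = aws_subnet.priv_subnet_1.id
    "${var.availability_zone_2}" = aws_subnet.priv_subnet_2.id
  }
}

# Route Table Associations for each Public Subnet
resource "aws_route_table_association" "public_subnet_associations" {
  for_each = local.public_subnets

  subnet_id      = each.value
  route_table_id = aws_route_table.public_route_table.id
}

# Route Table Associations for each Private Subnet
resource "aws_route_table_association" "private_subnet_associations" {
  for_each = local.private_subnets

  subnet_id      = each.value
  route_table_id = aws_route_table.private_route_table.id
}

# AMI Lookup for Amazon Linux 2023
# Pinned to the Amazon-owned account so a look-alike public AMI with the same
# name pattern cannot be selected. most_recent = true means the AMI id (and
# therefore the instance) can change between plans when Amazon publishes a new image.
data "aws_ami" "amazon_linux_2023" {
  most_recent = true
  owners      = ["137112412989"]

  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

# Generate TLS Private Key for SSH
# NOTE: tls_private_key stores the private key in Terraform state; treat the
# state backend with the same care as the key file below.
resource "tls_private_key" "jump_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Save Private Key to Local File
# Written to the module directory on whichever machine runs apply (mode 0400).
# Make sure the .pem is excluded from version control.
resource "local_file" "private_key" {
  filename        = "${path.module}/${var.project_name}-${var.key_pair_name}.pem"
  content         = tls_private_key.jump_key.private_key_pem
  file_permission = "0400"
}

# Create AWS Key Pair
resource "aws_key_pair" "jump_key" {
  key_name   = "${var.project_name}-${var.key_pair_name}"
  public_key = tls_private_key.jump_key.public_key_openssh

  tags = {
    Name = "${var.project_name}-${var.key_pair_name}"
  }
}

# CIDR ranges allowed to reach the jump host on TCP/22.
# Declared in this file (new). The default reproduces the original rule, which
# exposed SSH to the whole internet on an instance that holds AdministratorAccess;
# set it to the operator/CI egress ranges, or drop the rule entirely in favour
# of SSM Session Manager, before using this anywhere that matters.
variable "jump_ssh_allowed_cidrs" {
  description = "CIDR blocks permitted to open SSH to the jump instance"
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

# Security Group for Jump Instance
resource "aws_security_group" "jump_sg" {
  name        = "${var.project_name}-jump-sg"
  description = "Allow SSH access to ${var.project_name} jump instance"
  vpc_id      = aws_vpc.app_vpc.id

  ingress {
    description = "SSH from allowed ranges"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.jump_ssh_allowed_cidrs
  }

  # Unrestricted egress is required by the bootstrap script (package repos,
  # GitHub, dl.k8s.io, awscli.amazonaws.com).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.project_name}-jump-sg"
  }
}

# IAM Role for EC2 with necessary policies
resource "aws_iam_role" "jump_role" {
  name = "${var.project_name}-jump-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Effect = "Allow"
      }
    ]
  })

  tags = {
    Name = "${var.project_name}-jump-role"
  }
}

# Managed-policy attachments for the jump role.
# NOTE: AdministratorAccess already grants everything the attachments below
# do, and makes the jump host (and anyone who can SSH to it or reach its
# metadata endpoint) a full-account principal. Kept as-is because eksctl
# cluster creation is the presumed use; scope this down once the required
# actions are known.
resource "aws_iam_role_policy_attachment" "jump_role_administrator" {
  role       = aws_iam_role.jump_role.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_role_policy_attachment" "jump_role_ecr" {
  role       = aws_iam_role.jump_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
}

resource "aws_iam_role_policy_attachment" "jump_role_ec2" {
  role       = aws_iam_role.jump_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

resource "aws_iam_role_policy_attachment" "jump_role_eks_cluster" {
  role       = aws_iam_role.jump_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}

resource "aws_iam_role_policy_attachment" "jump_role_eks_service" {
  role       = aws_iam_role.jump_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
}

resource "aws_iam_role_policy_attachment" "jump_role_eks_vpc" {
  role       = aws_iam_role.jump_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
}

resource "aws_iam_role_policy_attachment" "jump_role_eks_worker" {
  role       = aws_iam_role.jump_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
}

resource "aws_iam_role_policy_attachment" "jump_role_cloudformation" {
  role       = aws_iam_role.jump_role.name
  policy_arn = "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
}

# IAM Instance Profile for Jump EC2 instance
resource "aws_iam_instance_profile" "jump_instance_profile" {
  name = "${var.project_name}-jump-instance-profile"
  role = aws_iam_role.jump_role.name

  tags = {
    Name = "${var.project_name}-jump-instance-profile"
  }
}

# EC2 Instance for Jump Box
resource "aws_instance" "jump" {
  ami                         = data.aws_ami.amazon_linux_2023.id
  instance_type               = var.jump_instance_type
  key_name                    = aws_key_pair.jump_key.key_name
  vpc_security_group_ids      = [aws_security_group.jump_sg.id]
  subnet_id                   = aws_subnet.pub_subnet_1.id
  associate_public_ip_address = true
  iam_instance_profile        = aws_iam_instance_profile.jump_instance_profile.name

  # Require IMDSv2 so the role credentials cannot be read with a plain GET
  # (e.g. via an SSRF in anything later run on this host).
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # encrypted = true is new; on an already-deployed instance it forces
  # replacement, so plan accordingly.
  root_block_device {
    volume_size = var.jump_root_volume_size
    volume_type = "gp2"
    encrypted   = true
  }

  tags = {
    Name = "${var.project_name}-jump"
  }

  # User data to install necessary tools.
  # Logging redirection now runs first so the package update is captured too;
  # curl -f makes an HTTP error fail the script (set -e) instead of installing
  # an error page as a binary; kubectl is checked against its published sha256.
  user_data = <<-EOF
    #!/bin/bash -xe
    # Log output
    exec > >(tee /var/log/userdata.log | logger -t user-data -s) 2>&1

    # Update system and install utilities
    dnf update -y
    dnf install -y curl unzip tar gzip shadow-utils git --allowerasing || dnf install -y curl git unzip tar gzip shadow-utils --skip-broken

    # Install Terraform
    dnf install -y dnf-plugins-core
    dnf config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
    dnf install -y terraform
    terraform version

    # Install kubectl (verify against the checksum published alongside it)
    curl -fLO "https://dl.k8s.io/release/${var.kubectl_version}/bin/linux/amd64/kubectl"
    curl -fLO "https://dl.k8s.io/release/${var.kubectl_version}/bin/linux/amd64/kubectl.sha256"
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
    chmod +x kubectl
    mv kubectl /usr/local/bin/

    # Install eksctl
    curl -fL "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz" -o eksctl.tar.gz
    tar -xzf eksctl.tar.gz -C /tmp
    mv /tmp/eksctl /usr/local/bin/

    # Install Helm
    curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
    chmod 700 get_helm.sh
    ./get_helm.sh

    # Install AWS CLI
    curl -f "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    ./aws/install
    ln -sf /usr/local/aws-cli/v2/current/bin/aws /usr/bin/aws
  EOF
}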