AWS Cloud WAN - Terraform

AWS Cloud WAN is a managed wide-area networking (WAN) service that you can use to build, manage, and monitor a unified global network that connects resources running across your cloud and on-premises environments. It provides a central dashboard from which you can connect on-premises branch offices, data centers, and Amazon Virtual Private Clouds (VPCs) across the AWS global network. You can use simple network policies to centrally configure and automate network management and security tasks, and get a complete view of your global network.

This repository provides a Terraform example of global communication with AWS Cloud WAN, building the same architecture you can create in the AWS Cloud WAN Workshop.

architecture diagram

NOTE: The resources created incur costs in your AWS Account. Consider deleting the resources created once your tests are done. For more information, check the AWS Cloud WAN pricing.

Prerequisites

  • An AWS account with an IAM user that has appropriate permissions
  • Terraform installed

Deployment instructions

  • Clone the repository
  • If you want to follow the workshop instructions, move to the Following the lab instructions section.
  • If you want to test out the code outside the lab instructions:
    • Check the variables.tf file and change the values accordingly.
    • The Cloud WAN policy can be found in the file cloudwan_policy.tf, and the AWS Network Firewall policies in the firewall_policies.tf file.
    • Main resources can be found in the main.tf file, while the resources simulating the on-premises environments are in the on_prem.tf file.
  • Initialize Terraform using terraform init.

Following the lab instructions

NOTE: The final state of both workshop labs is codified in this repository. However, some pieces are commented out so that the first terraform apply creates only the initial architecture for the start of Lab 1. To create the whole architecture in one deployment, uncomment all the commented lines and run terraform apply.

Lab 1 - Build a global, segmented network with central egress

NOTE: Due to the Terraform modules used, Inspection VPCs' attachments will be created at the same time as the initial environment. Take that into account when following the lab instructions.

  1. If you want to follow the lab guide:
  • terraform apply to build the initial environment.
  2. If you want to build the end architecture after finishing the steps, uncomment the following lines and do terraform apply:
  • In cloudwan_policy.tf uncomment lines 59-64 and 73-147.
  • In main.tf uncomment lines 33-39, 44-50, 200-206, 211-217, and 355-388.

Use terraform destroy to clean up the test environment and avoid undesired charges.

Lab 2 - Federate with AWS Transit Gateway

  1. If you want to follow the lab guide:
  • Check point 2 in Lab 1 to uncomment the corresponding lines and do terraform apply to build the initial environment.
  • Follow Step 6 in the workshop guide to configure the VPN connection.
  2. If you want to build the end architecture after finishing the steps, uncomment the following lines and do terraform apply:
  • In cloudwan_policy.tf uncomment lines 40-47, 59-71, and 73-161.
  • In main.tf uncomment lines 33-39, 44-50, 200-206, 211-217, 355-388, 472-512 and 594-634.

Use terraform destroy to clean up the test environment and avoid undesired charges.

Lab 3 - Additional inspection scenarios

  1. If you want to follow the lab guide, check point 2 in Lab 2 to uncomment the corresponding lines and do terraform apply to build the initial environment.
  2. If you want to build the end architecture after finishing the steps, check lab3.md to understand what to change from the provided code.

Use terraform destroy to clean up the test environment and avoid undesired charges.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.0.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.0.0 |
| aws.awslondon | >= 5.0.0 |
| aws.awsoregon | >= 5.0.0 |
| aws.awsstockholm | >= 5.0.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cloud_wan | aws-ia/cloudwan/aws | 3.3.0 |
| on_prem_vpc | aws-ia/vpc/aws | = 4.4.4 |
| oregon_compute | ./modules/compute | n/a |
| oregon_egress_vpc | aws-ia/vpc/aws | = 4.4.4 |
| oregon_firewall_policies | ./modules/firewall_policy | n/a |
| oregon_inspection_vpc | aws-ia/vpc/aws | = 4.4.4 |
| oregon_legacy_compute | ./modules/compute | n/a |
| oregon_legacy_vpc | aws-ia/vpc/aws | = 4.4.4 |
| oregon_network_firewall_egress | aws-ia/networkfirewall/aws | 1.0.2 |
| oregon_network_firewall_inspection | aws-ia/networkfirewall/aws | 1.0.2 |
| oregon_spoke_vpcs | aws-ia/vpc/aws | = 4.4.4 |
| stockholm_compute | ./modules/compute | n/a |
| stockholm_egress_vpc | aws-ia/vpc/aws | = 4.4.4 |
| stockholm_firewall_policies | ./modules/firewall_policy | n/a |
| stockholm_inspection_vpc | aws-ia/vpc/aws | = 4.4.4 |
| stockholm_legacy_compute | ./modules/compute | n/a |
| stockholm_legacy_vpc | aws-ia/vpc/aws | = 4.4.4 |
| stockholm_network_firewall_egress | aws-ia/networkfirewall/aws | 1.0.2 |
| stockholm_network_firewall_inspection | aws-ia/networkfirewall/aws | 1.0.2 |
| stockholm_spoke_vpcs | aws-ia/vpc/aws | = 4.4.4 |

Resources

| Name | Type |
|------|------|
| aws_customer_gateway.cgw | resource |
| aws_ec2_transit_gateway.oregon_tgw | resource |
| aws_ec2_transit_gateway.stockholm_tgw | resource |
| aws_ec2_transit_gateway_policy_table.oregon_tgw_policy_table | resource |
| aws_ec2_transit_gateway_policy_table.stockholm_tgw_policy_table | resource |
| aws_ec2_transit_gateway_policy_table_association.oregon_tgw_policy_table_association | resource |
| aws_ec2_transit_gateway_policy_table_association.stockholm_tgw_policy_table_association | resource |
| aws_ec2_transit_gateway_route_table.oregon_tgw_rt | resource |
| aws_ec2_transit_gateway_route_table.stockholm_tgw_rt | resource |
| aws_ec2_transit_gateway_route_table_association.oregon_tgw_rt_association | resource |
| aws_ec2_transit_gateway_route_table_association.stockholm_tgw_rt_association | resource |
| aws_ec2_transit_gateway_route_table_propagation.oregon_tgw_rt_propagation | resource |
| aws_ec2_transit_gateway_route_table_propagation.stockholm_tgw_rt_propagation | resource |
| aws_eip.cgw_eip | resource |
| aws_eip_association.cgw_eip_assoc | resource |
| aws_iam_instance_profile.instance_profile | resource |
| aws_iam_policy.describe_vpn_connections | resource |
| aws_iam_role.instance_role | resource |
| aws_iam_role_policy_attachment.iam_role_policy_attachment_ssm | resource |
| aws_iam_role_policy_attachment.vpn_policy_attachment | resource |
| aws_instance.cgw | resource |
| aws_networkmanager_site_to_site_vpn_attachment.vpn_attachment | resource |
| aws_networkmanager_transit_gateway_peering.cwan_oregon_peering | resource |
| aws_networkmanager_transit_gateway_peering.cwan_stockholm_peering | resource |
| aws_networkmanager_transit_gateway_route_table_attachment.oregon_cwan_tgw_rt_attachment | resource |
| aws_networkmanager_transit_gateway_route_table_attachment.stockholm_cwan_tgw_rt_attachment | resource |
| aws_security_group.cgw_sg | resource |
| aws_vpn_connection.vpn | resource |
| aws_networkmanager_core_network_policy_document.core_nw_policy | data source |
| aws_ssm_parameter.ubuntu_ami | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_regions | AWS regions to spin up resources. | map(string) | <pre>{<br>  "london": "eu-west-2",<br>  "oregon": "us-west-2",<br>  "stockholm": "eu-north-1"<br>}</pre> | no |
| oregon_egress_vpc | Information about the Egress VPC to create in us-west-2. | any | <pre>{<br>  "cidr_block": "100.64.0.0/16",<br>  "cnetwork_subnet_cidrs": [<br>    "100.64.0.64/28",<br>    "100.64.0.80/28"<br>  ],<br>  "inspection_subnet_cidrs": [<br>    "100.64.0.32/28",<br>    "100.64.0.48/28"<br>  ],<br>  "name": "egress-us-west-2",<br>  "number_azs": 2,<br>  "public_subnet_cidrs": [<br>    "100.64.0.0/28",<br>    "100.64.0.16/28"<br>  ]<br>}</pre> | no |
| oregon_inspection_vpc | Information about the Inspection VPC to create in us-west-2. | any | <pre>{<br>  "cidr_block": "100.64.0.0/16",<br>  "cnetwork_subnet_cidrs": [<br>    "100.64.0.32/28",<br>    "100.64.0.48/28"<br>  ],<br>  "inspection_subnet_cidrs": [<br>    "100.64.0.0/28",<br>    "100.64.0.16/28"<br>  ],<br>  "name": "inspection-us-west-2",<br>  "number_azs": 2<br>}</pre> | no |
| oregon_legacy_vpc | Information about the Legacy VPC to create in us-west-2. | any | <pre>{<br>  "cidr_block": "10.12.0.0/16",<br>  "endpoint_subnet_cidrs": [<br>    "10.12.2.0/28",<br>    "10.12.3.16/28"<br>  ],<br>  "instance_type": "t3.micro",<br>  "name": "legacy-us-west-2",<br>  "number_azs": 2,<br>  "tgw_subnet_cidrs": [<br>    "10.12.3.32/28",<br>    "10.12.3.48/28"<br>  ],<br>  "workload_subnet_cidrs": [<br>    "10.12.0.0/24",<br>    "10.12.1.0/24"<br>  ]<br>}</pre> | no |
| oregon_spoke_vpcs | Information about the VPCs to create in us-west-2. | any | <pre>{<br>  "prod": {<br>    "cidr_block": "10.10.0.0/16",<br>    "cnetwork_subnet_cidrs": [<br>      "10.10.2.32/28",<br>      "10.10.2.48/28"<br>    ],<br>    "endpoint_subnet_cidrs": [<br>      "10.10.2.0/28",<br>      "10.10.2.16/28"<br>    ],<br>    "instance_type": "t3.micro",<br>    "name": "prod-us-west-2",<br>    "number_azs": 2,<br>    "type": "prod",<br>    "workload_subnet_cidrs": [<br>      "10.10.0.0/24",<br>      "10.10.1.0/24"<br>    ]<br>  },<br>  "thirdparty": {<br>    "cidr_block": "10.11.0.0/16",<br>    "cnetwork_subnet_cidrs": [<br>      "10.11.2.32/28",<br>      "10.11.2.48/28"<br>    ],<br>    "endpoint_subnet_cidrs": [<br>      "10.11.2.0/28",<br>      "10.11.2.16/28"<br>    ],<br>    "instance_type": "t3.micro",<br>    "name": "thirdpary-us-west-2",<br>    "number_azs": 2,<br>    "type": "thirdparty",<br>    "workload_subnet_cidrs": [<br>      "10.11.0.0/24",<br>      "10.11.1.0/24"<br>    ]<br>  }<br>}</pre> | no |
| project_identifier | Project Identifier. | string | "CloudWAN_Workshop" | no |
| stockholm_egress_vpc | Information about the Egress VPC to create in eu-north-1. | any | <pre>{<br>  "cidr_block": "100.64.0.0/16",<br>  "cnetwork_subnet_cidrs": [<br>    "100.64.0.64/28",<br>    "100.64.0.80/28"<br>  ],<br>  "inspection_subnet_cidrs": [<br>    "100.64.0.32/28",<br>    "100.64.0.48/28"<br>  ],<br>  "name": "egress-eu-north-1",<br>  "number_azs": 2,<br>  "public_subnet_cidrs": [<br>    "100.64.0.0/28",<br>    "100.64.0.16/28"<br>  ]<br>}</pre> | no |
| stockholm_inspection_vpc | Information about the Inspection VPC to create in eu-north-1. | any | <pre>{<br>  "cidr_block": "100.64.0.0/16",<br>  "cnetwork_subnet_cidrs": [<br>    "100.64.0.32/28",<br>    "100.64.0.48/28"<br>  ],<br>  "inspection_subnet_cidrs": [<br>    "100.64.0.0/28",<br>    "100.64.0.16/28"<br>  ],<br>  "name": "inspection-eu-north-1",<br>  "number_azs": 2<br>}</pre> | no |
| stockholm_legacy_vpc | Information about the Legacy VPC to create in eu-north-1. | any | <pre>{<br>  "cidr_block": "10.2.0.0/16",<br>  "endpoint_subnet_cidrs": [<br>    "10.2.2.0/28",<br>    "10.2.3.16/28"<br>  ],<br>  "instance_type": "t3.micro",<br>  "name": "legacy-eu-north-1",<br>  "number_azs": 2,<br>  "tgw_subnet_cidrs": [<br>    "10.2.3.32/28",<br>    "10.2.3.48/28"<br>  ],<br>  "workload_subnet_cidrs": [<br>    "10.2.0.0/24",<br>    "10.2.1.0/24"<br>  ]<br>}</pre> | no |
| stockholm_spoke_vpcs | Information about the VPCs to create in eu-north-1. | any | <pre>{<br>  "prod": {<br>    "cidr_block": "10.0.0.0/16",<br>    "cnetwork_subnet_cidrs": [<br>      "10.0.2.32/28",<br>      "10.0.2.48/28"<br>    ],<br>    "endpoint_subnet_cidrs": [<br>      "10.0.2.0/28",<br>      "10.0.2.16/28"<br>    ],<br>    "instance_type": "t3.micro",<br>    "name": "prod-eu-north-1",<br>    "number_azs": 2,<br>    "type": "prod",<br>    "workload_subnet_cidrs": [<br>      "10.0.0.0/24",<br>      "10.0.1.0/24"<br>    ]<br>  },<br>  "thirdparty": {<br>    "cidr_block": "10.1.0.0/16",<br>    "cnetwork_subnet_cidrs": [<br>      "10.1.2.32/28",<br>      "10.1.2.48/28"<br>    ],<br>    "endpoint_subnet_cidrs": [<br>      "10.1.2.0/28",<br>      "10.1.2.16/28"<br>    ],<br>    "instance_type": "t3.micro",<br>    "name": "thirdpary-us-west-2",<br>    "number_azs": 2,<br>    "type": "thirdparty",<br>    "workload_subnet_cidrs": [<br>      "10.1.0.0/24",<br>      "10.1.1.0/24"<br>    ]<br>  }<br>}</pre> | no |
| transit_gateway_asn | Transit Gateway ASNs. | map(number) | <pre>{<br>  "oregon": 64515,<br>  "stockholm": 64516<br>}</pre> | no |
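The deployment instructions ask you to edit variables.tf before applying. A hand-edited address plan is easy to get wrong (a subnet typed into the wrong /16, or a workload /24 that swallows the Core Network or endpoint /28s), and Terraform only surfaces some of these mistakes at apply time, after half the VPCs exist. The following pre-apply check is an added example and not code from this repository: it verifies that every subnet CIDR lies inside its VPC's cidr_block, that subnets inside one VPC are disjoint, and that each subnet tier carries one CIDR per availability zone. The two sample plans are constructed here: GOOD_PLAN mirrors the oregon_egress_vpc and oregon_spoke_vpcs.prod defaults from the table above, BROKEN_PLAN is an edited variant with deliberate mistakes.

```python
"""Pre-apply sanity check for a Cloud WAN workshop address plan.

Added example, not part of the repository. Input shape mirrors the *_vpc
variables above: a dict with cidr_block, number_azs and one or more
<tier>_subnet_cidrs lists.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed from the oregon_egress_vpc and oregon_spoke_vpcs.prod defaults.
GOOD_PLAN: Dict[str, dict] = {
    "oregon_egress_vpc": {
        "cidr_block": "100.64.0.0/16",
        "number_azs": 2,
        "cnetwork_subnet_cidrs": ["100.64.0.64/28", "100.64.0.80/28"],
        "inspection_subnet_cidrs": ["100.64.0.32/28", "100.64.0.48/28"],
        "public_subnet_cidrs": ["100.64.0.0/28", "100.64.0.16/28"],
    },
    "oregon_spoke_vpcs.prod": {
        "cidr_block": "10.10.0.0/16",
        "number_azs": 2,
        "cnetwork_subnet_cidrs": ["10.10.2.32/28", "10.10.2.48/28"],
        "endpoint_subnet_cidrs": ["10.10.2.0/28", "10.10.2.16/28"],
        "workload_subnet_cidrs": ["10.10.0.0/24", "10.10.1.0/24"],
    },
}

# Constructed: one Core Network subnet typed into 10.11/16 instead of 10.10/16,
# and a workload /24 that overlaps the endpoint and Core Network /28s.
BROKEN_PLAN: Dict[str, dict] = {
    "oregon_spoke_vpcs.prod": {
        "cidr_block": "10.10.0.0/16",
        "number_azs": 2,
        "cnetwork_subnet_cidrs": ["10.10.2.32/28", "10.11.2.48/28"],
        "endpoint_subnet_cidrs": ["10.10.2.0/28", "10.10.2.16/28"],
        "workload_subnet_cidrs": ["10.10.0.0/24", "10.10.2.0/24"],
    },
}


def validate_vpc(name: str, vpc: dict) -> List[str]:
    """Return human-readable findings for one VPC definition (empty if clean)."""
    findings: List[str] = []
    block = ipaddress.ip_network(vpc["cidr_block"])
    subnets: List[Tuple[str, ipaddress.IPv4Network]] = []

    for key, cidrs in vpc.items():
        if not key.endswith("_subnet_cidrs"):
            continue  # name, instance_type, number_azs, ... are not subnet lists
        if len(cidrs) != vpc["number_azs"]:
            findings.append(
                f"{name}: {key} lists {len(cidrs)} CIDRs but number_azs is {vpc['number_azs']}"
            )
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(block):
                findings.append(f"{name}: {key} {cidr} is outside cidr_block {block}")
            subnets.append((key, net))

    # Any two subnets of the same VPC must be disjoint, whatever their tier.
    for (k1, n1), (k2, n2) in combinations(subnets, 2):
        if n1.overlaps(n2):
            findings.append(f"{name}: {k1} {n1} overlaps {k2} {n2}")
    return findings


def validate_plan(plan: Dict[str, dict]) -> List[str]:
    """Validate every VPC in the plan and collect all findings."""
    findings: List[str] = []
    for name, vpc in plan.items():
        findings.extend(validate_vpc(name, vpc))
    return findings


def overlapping_vpcs(plan: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Pairs of VPCs whose cidr_blocks overlap.

    Only meaningful for VPCs that will be routed to each other (for example the
    spoke VPCs attached to one segment). The egress and inspection VPC defaults
    above both use 100.64.0.0/16 in each region, so pass in only VPCs that are
    expected to exchange routes.
    """
    pairs: List[Tuple[str, str]] = []
    for (a, va), (b, vb) in combinations(plan.items(), 2):
        if ipaddress.ip_network(va["cidr_block"]).overlaps(ipaddress.ip_network(vb["cidr_block"])):
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for label, plan in (("GOOD_PLAN", GOOD_PLAN), ("BROKEN_PLAN", BROKEN_PLAN)):
        found = validate_plan(plan)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run it before terraform apply after changing any CIDR in variables.tf; the clean plan produces no findings, while the broken variant reports one subnet outside its VPC and three overlapping pairs. Because the check reads plain dicts, the same functions can be fed the output of `terraform console` or a parsed tfvars file.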

Outputs

No outputs.