
Commit 5dc08a0

authored
terraform/aws: usability improvements (#23)
updates #22
1 parent 80d208c commit 5dc08a0


7 files changed

+359
-180
lines changed

@@ -1,16 +1,41 @@
11
locals {
22
name = "example-${basename(path.cwd)}"
33

4-
tags = {
4+
aws_tags = {
55
Name = local.name
66
}
7+
8+
tailscale_acl_tags = [
9+
"tag:example-infra",
10+
"tag:example-exitnode",
11+
"tag:example-subnetrouter",
12+
"tag:example-appconnector",
13+
]
14+
tailscale_set_preferences = [
15+
"--auto-update",
16+
"--ssh",
17+
"--advertise-connector",
18+
"--advertise-exit-node",
19+
"--advertise-routes=${join(",", [
20+
local.vpc_cidr_block,
21+
])}",
22+
]
23+
24+
// Modify these to use your own VPC
25+
vpc_cidr_block = module.vpc.vpc_cidr_block
26+
vpc_id = module.vpc.vpc_id
27+
subnet_id = module.vpc.public_subnets[0]
28+
private_subnet_id = module.vpc.private_subnets[0]
29+
security_group_ids = [aws_security_group.tailscale.id]
30+
instance_type = "t4g.micro"
731
}
832

33+
// Remove this to use your own VPC.
934
module "vpc" {
1035
source = "../internal-modules/aws-vpc"
1136

1237
name = local.name
13-
tags = local.tags
38+
tags = local.aws_tags
1439

1540
cidr = "10.0.80.0/22"
1641

@@ -23,31 +48,26 @@ resource "tailscale_tailnet_key" "main" {
2348
preauthorized = true
2449
reusable = true
2550
recreate_if_invalid = "always"
26-
tags = [
27-
"tag:example-infra",
28-
"tag:example-exitnode",
29-
"tag:example-subnetrouter",
30-
"tag:example-appconnector",
31-
]
51+
tags = local.tailscale_acl_tags
3252
}
3353

3454
resource "aws_network_interface" "primary" {
35-
subnet_id = module.vpc.public_subnets[0]
36-
security_groups = [module.vpc.tailscale_security_group_id]
37-
tags = merge(local.tags, { Name = "${local.name}-primary" })
55+
subnet_id = local.subnet_id
56+
security_groups = local.security_group_ids
57+
tags = merge(local.aws_tags, { Name = "${local.name}-primary" })
3858
}
3959
resource "aws_eip" "primary" {
40-
tags = local.tags
60+
tags = local.aws_tags
4161
}
4262
resource "aws_eip_association" "primary" {
4363
network_interface_id = aws_network_interface.primary.id
4464
allocation_id = aws_eip.primary.id
4565
}
4666

4767
resource "aws_network_interface" "secondary" {
48-
subnet_id = module.vpc.private_subnets[0]
49-
security_groups = [module.vpc.tailscale_security_group_id]
50-
tags = merge(local.tags, { Name = "${local.name}-secondary" })
68+
subnet_id = local.private_subnet_id
69+
security_groups = local.security_group_ids
70+
tags = merge(local.aws_tags, { Name = "${local.name}-secondary" })
5171

5272
source_dest_check = false
5373
}
@@ -56,26 +76,54 @@ module "tailscale_aws_ec2_autoscaling" {
5676
source = "../internal-modules/aws-ec2-autoscaling/"
5777

5878
autoscaling_group_name = local.name
59-
instance_type = "t4g.micro"
60-
instance_tags = local.tags
79+
instance_type = local.instance_type
80+
instance_tags = local.aws_tags
6181

6282
network_interfaces = [
6383
aws_network_interface.primary.id, # first NIC must be in PUBLIC subnet
6484
aws_network_interface.secondary.id,
6585
]
6686

6787
# Variables for Tailscale resources
68-
tailscale_hostname = local.name
69-
tailscale_auth_key = tailscale_tailnet_key.main.key
70-
tailscale_set_preferences = [
71-
"--auto-update",
72-
"--ssh",
73-
"--advertise-connector",
74-
"--advertise-exit-node",
75-
"--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}",
76-
]
88+
tailscale_hostname = local.name
89+
tailscale_auth_key = tailscale_tailnet_key.main.key
90+
tailscale_set_preferences = local.tailscale_set_preferences
7791

7892
depends_on = [
79-
module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
93+
module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
8094
]
8195
}
96+
97+
resource "aws_security_group" "tailscale" {
98+
vpc_id = local.vpc_id
99+
name = local.name
100+
}
101+
102+
resource "aws_security_group_rule" "tailscale_ingress" {
103+
security_group_id = aws_security_group.tailscale.id
104+
type = "ingress"
105+
from_port = 41641
106+
to_port = 41641
107+
protocol = "udp"
108+
cidr_blocks = ["0.0.0.0/0"]
109+
ipv6_cidr_blocks = ["::/0"]
110+
}
111+
112+
resource "aws_security_group_rule" "egress" {
113+
security_group_id = aws_security_group.tailscale.id
114+
type = "egress"
115+
from_port = 0
116+
to_port = 0
117+
protocol = "-1"
118+
cidr_blocks = ["0.0.0.0/0"]
119+
ipv6_cidr_blocks = ["::/0"]
120+
}
121+
122+
resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
123+
security_group_id = aws_security_group.tailscale.id
124+
type = "ingress"
125+
from_port = 0
126+
to_port = 0
127+
protocol = "-1"
128+
cidr_blocks = [local.vpc_cidr_block]
129+
}

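--- a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
@@ -1,16 +1,36 @@
 locals {
 name = "example-${basename(path.cwd)}"
 
-tags = {
+aws_tags = {
 Name = local.name
 }
+
+tailscale_acl_tags = [
+"tag:example-infra",
+]
+tailscale_set_preferences = [
+"--auto-update",
+"--ssh",
+]
+
+// Modify these to use your own VPC
+vpc_cidr_block = module.vpc.vpc_cidr_block
+vpc_id = module.vpc.vpc_id
+subnet_id = module.vpc.public_subnets[0]
+security_group_ids = [aws_security_group.tailscale.id]
+instance_type = "t4g.micro"
+vpc_endpoint_route_table_ids = flatten([
+module.vpc.public_route_table_ids,
+module.vpc.private_route_table_ids,
+])
 }
 
+// Remove this to use your own VPC.
 module "vpc" {
 source = "../internal-modules/aws-vpc"
 
 name = local.name
-tags = local.tags
+tags = local.aws_tags
 
 cidr = "10.0.80.0/22"
 
@@ -19,18 +39,15 @@ module "vpc" {
 }
 
 resource "aws_vpc_endpoint" "recorder" {
-vpc_id = module.vpc.vpc_id
-service_name = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3"
-route_table_ids = flatten([
-module.vpc.public_route_table_ids,
-module.vpc.private_route_table_ids,
-])
-tags = local.tags
+vpc_id = local.vpc_id
+service_name = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3"
+route_table_ids = local.vpc_endpoint_route_table_ids
+tags = local.aws_tags
 }
 
 resource "aws_s3_bucket" "recorder" {
 bucket_prefix = substr(local.name, 0, 37)
-tags = local.tags
+tags = local.aws_tags
 
 force_destroy = true
 }
@@ -73,7 +90,7 @@ resource "aws_s3_bucket_policy" "recorder" {
 }
 
 resource "aws_iam_policy" "recorder" {
-tags = local.tags
+tags = local.aws_tags
 policy = <<-EOT
 {
 "Version": "2012-10-17",
@@ -98,7 +115,7 @@ resource "aws_iam_policy" "recorder" {
 
 resource "aws_iam_user" "recorder" {
 name = local.name
-tags = local.tags
+tags = local.aws_tags
 }
 
 resource "aws_iam_policy_attachment" "recorder" {
@@ -126,18 +143,16 @@ resource "tailscale_tailnet_key" "main" {
 preauthorized = true
 reusable = true
 recreate_if_invalid = "always"
-tags = [
-"tag:example-infra",
-]
+tags = local.tailscale_acl_tags
 }
 
 resource "aws_network_interface" "primary" {
-subnet_id = module.vpc.public_subnets[0]
-security_groups = [module.vpc.tailscale_security_group_id]
-tags = local.tags
+subnet_id = local.subnet_id
+security_groups = local.security_group_ids
+tags = local.aws_tags
 }
 resource "aws_eip" "primary" {
-tags = local.tags
+tags = local.aws_tags
 }
 resource "aws_eip_association" "primary" {
 network_interface_id = aws_network_interface.primary.id
@@ -148,18 +163,15 @@ module "tailscale_aws_ec2_autoscaling" {
 source = "../internal-modules/aws-ec2-autoscaling/"
 
 autoscaling_group_name = local.name
-instance_type = "t4g.micro"
-instance_tags = local.tags
+instance_type = local.instance_type
+instance_tags = local.aws_tags
 
 network_interfaces = [aws_network_interface.primary.id]
 
 # Variables for Tailscale resources
-tailscale_hostname = local.name
-tailscale_auth_key = tailscale_tailnet_key.main.key
-tailscale_set_preferences = [
-"--auto-update",
-"-ssh",
-]
+tailscale_hostname = local.name
+tailscale_auth_key = tailscale_tailnet_key.main.key
+tailscale_set_preferences = local.tailscale_set_preferences
 
 #
 # Set up Tailscale Session Recorder (tsrecorder)
@@ -178,6 +190,40 @@ module "tailscale_aws_ec2_autoscaling" {
 ]
 
 depends_on = [
-module.vpc.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning
+module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
+
+resource "aws_security_group" "tailscale" {
+vpc_id = local.vpc_id
+name = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+security_group_id = aws_security_group.tailscale.id
+type = "ingress"
+from_port = 41641
+to_port = 41641
+protocol = "udp"
+cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+security_group_id = aws_security_group.tailscale.id
+type = "egress"
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+security_group_id = aws_security_group.tailscale.id
+type = "ingress"
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = [local.vpc_cidr_block]
+}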
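Review bot: The new `aws_security_group.tailscale` and its three rules in the last hunk carry no `description` and the group has no `tags`, unlike every other resource in this file that now sets `tags = local.aws_tags`; the same blocks are added in the first file section above. Since `tailscale_ingress` exposes UDP 41641 to `0.0.0.0/0` and `::/0`, and `internal_vpc_ingress_ipv4` admits every protocol and port from the whole VPC CIDR, a reviewer of the resulting AWS console entries will want the intent recorded on the rule itself rather than only in the resource name. I would add `tags = local.aws_tags` to the group and a `description` per rule, e.g. `description = "Inbound Tailscale direct connections (UDP 41641) from any address"` and `description = "All traffic from inside the VPC"`. Whether the recorder actually needs VPC-wide all-protocol ingress is not visible here; if it is only reached over the tailnet, that rule may be narrower than `protocol = "-1"`, which is worth confirming against the recorder's listeners.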
