terraform: usability improvements

updates #22

Author: clstokes

terraform/aws/aws-ec2-autoscaling/main.tf

@@ -1,16 +1,40 @@
 locals {
   name = "example-${basename(path.cwd)}"
 
-  tags = {
+  aws_tags = {
     Name = local.name
   }
+
+  tailscale_acl_tags = [
+    "tag:example-infra",
+    "tag:example-exitnode",
+    "tag:example-subnetrouter",
+    "tag:example-appconnector",
+  ]
+  tailscale_set_preferences = [
+    "--auto-update",
+    "--ssh",
+    "--advertise-connector",
+    "--advertise-exit-node",
+    "--advertise-routes=${join(",", [
+      local.vpc_cidr_block,
+    ])}",
+  ]
+
+  // Modify these to use your own VPC
+  vpc_cidr_block     = module.vpc.vpc_cidr_block
+  vpc_id             = module.vpc.vpc_id
+  subnet_id          = module.vpc.public_subnets[0]
+  security_group_ids = [aws_security_group.tailscale.id]
+  instance_type      = "t4g.micro"
 }
 
+// Remove this to use your own VPC.
 module "vpc" {
   source = "../internal-modules/aws-vpc"
 
   name = local.name
-  tags = local.tags
+  tags = local.aws_tags
 
   cidr = "10.0.80.0/22"
 
@@ -23,21 +47,16 @@ resource "tailscale_tailnet_key" "main" {
   preauthorized       = true
   reusable            = true
   recreate_if_invalid = "always"
-  tags = [
-    "tag:example-infra",
-    "tag:example-exitnode",
-    "tag:example-subnetrouter",
-    "tag:example-appconnector",
-  ]
+  tags                = local.tailscale_acl_tags
 }
 
 resource "aws_network_interface" "primary" {
-  subnet_id       = module.vpc.public_subnets[0]
-  security_groups = [module.vpc.tailscale_security_group_id]
-  tags            = local.tags
+  subnet_id       = local.subnet_id
+  security_groups = local.security_group_ids
+  tags            = local.aws_tags
 }
 resource "aws_eip" "primary" {
-  tags = local.tags
+  tags = local.aws_tags
 }
 resource "aws_eip_association" "primary" {
   network_interface_id = aws_network_interface.primary.id
@@ -48,23 +67,51 @@ module "tailscale_aws_ec2_autoscaling" {
   source = "../internal-modules/aws-ec2-autoscaling/"
 
   autoscaling_group_name = local.name
-  instance_type          = "t4g.micro"
-  instance_tags          = local.tags
+  instance_type          = local.instance_type
+  instance_tags          = local.aws_tags
 
   network_interfaces = [aws_network_interface.primary.id]
 
   # Variables for Tailscale resources
-  tailscale_auth_key = tailscale_tailnet_key.main.key
-  tailscale_hostname = local.name
-  tailscale_set_preferences = [
-    "--auto-update",
-    "--ssh",
-    "--advertise-connector",
-    "--advertise-exit-node",
-    "--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}",
-  ]
+  tailscale_auth_key        = tailscale_tailnet_key.main.key
+  tailscale_hostname        = local.name
+  tailscale_set_preferences = local.tailscale_set_preferences
 
   depends_on = [
-    module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
+    module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
   ]
 }
+
+resource "aws_security_group" "tailscale" {
+  vpc_id = local.vpc_id
+  name   = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "ingress"
+  from_port         = 41641
+  to_port           = 41641
+  protocol          = "udp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+  security_group_id = aws_security_group.tailscale.id
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = [local.vpc_cidr_block]
+}

terraform/aws/internal-modules/aws-vpc/main.tf

@@ -30,48 +30,3 @@ module "vpc" {
   public_subnet_ipv6_prefixes                   = range(0, length(var.public_subnets))
   private_subnet_ipv6_prefixes                  = range(10, 10 + length(var.private_subnets))
 }
-
-resource "aws_security_group" "tailscale" {
-  vpc_id = module.vpc.vpc_id
-  name   = var.name
-}
-
-resource "aws_security_group_rule" "egress" {
-  security_group_id = aws_security_group.tailscale.id
-  type              = "egress"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"]
-  ipv6_cidr_blocks  = ["::/0"]
-}
-
-resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
-  security_group_id = aws_security_group.tailscale.id
-  type              = "ingress"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = [var.cidr]
-}
-
-resource "aws_security_group_rule" "internal_vpc_ingress_ipv6" {
-  count = var.enable_ipv6 == false ? 0 : 1
-
-  security_group_id = aws_security_group.tailscale.id
-  type              = "ingress"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  ipv6_cidr_blocks  = [module.vpc.vpc_ipv6_cidr_block]
-}
-
-resource "aws_security_group_rule" "tailscale_ingress" {
-  security_group_id = aws_security_group.tailscale.id
-  type              = "ingress"
-  from_port         = 41641
-  to_port           = 41641
-  protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"]
-  ipv6_cidr_blocks  = ["::/0"]
-}

terraform/aws/internal-modules/aws-vpc/outputs.tf

@@ -30,10 +30,6 @@ output "natgw_ids" {
   value       = module.vpc.natgw_ids
 }
 
-output "tailscale_security_group_id" {
-  value = aws_security_group.tailscale.id
-}
-
 output "public_route_table_ids" {
   value = module.vpc.public_route_table_ids
 }