From 7eaa53fba08d09bc75f332e5a844b53e589d7f44 Mon Sep 17 00:00:00 2001 From: Cameron Stokes Date: Sun, 15 Sep 2024 15:55:19 -0700 Subject: [PATCH 01/10] terraform: usability improvements updates #22 --- terraform/aws/aws-ec2-autoscaling/main.tf | 95 ++++++++++++++----- .../aws/internal-modules/aws-vpc/main.tf | 45 --------- .../aws/internal-modules/aws-vpc/outputs.tf | 4 - 3 files changed, 71 insertions(+), 73 deletions(-) diff --git a/terraform/aws/aws-ec2-autoscaling/main.tf b/terraform/aws/aws-ec2-autoscaling/main.tf index 1ceb9b2..45f84cb 100644 --- a/terraform/aws/aws-ec2-autoscaling/main.tf +++ b/terraform/aws/aws-ec2-autoscaling/main.tf @@ -1,16 +1,40 @@ locals { name = "example-${basename(path.cwd)}" - tags = { + aws_tags = { Name = local.name } + + tailscale_acl_tags = [ + "tag:example-infra", + "tag:example-exitnode", + "tag:example-subnetrouter", + "tag:example-appconnector", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + "--advertise-connector", + "--advertise-exit-node", + "--advertise-routes=${join(",", [ + local.vpc_cidr_block, + ])}", + ] + + // Modify these to use your own VPC + vpc_cidr_block = module.vpc.vpc_cidr_block + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.public_subnets[0] + security_group_ids = [aws_security_group.tailscale.id] + instance_type = "t4g.micro" } +// Remove this to use your own VPC. module "vpc" { source = "../internal-modules/aws-vpc" name = local.name - tags = local.tags + tags = local.aws_tags cidr = "10.0.80.0/22" 
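Review bot: The new `tailscale_acl_tags` and `tailscale_set_preferences` locals carry no explanation of what they commit the node to, which matters now that they are the single place a copier edits (PATCH 02, 03, 05 and 07 repeat the same block in their own roots). A comment such as `# ACL tags requested on the tagged auth key; each must be defined in the tailnet policy file` above `tailscale_acl_tags`, and `# --advertise-* only offers the routes and exit node; they take effect once approved in the admin console or by an auto-approver for these tags` above `tailscale_set_preferences`, would tell a reader why this example node advertises exit node, subnet router and app connector at once. The `// Modify these to use your own VPC` comment also covers `security_group_ids` and `instance_type`, which are not VPC settings; moving those two above the comment keeps the "edit this to bring your own VPC" list accurate.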
@@ -23,21 +47,16 @@ resource "tailscale_tailnet_key" "main" { preauthorized = true reusable = true recreate_if_invalid = "always" - tags = [ - "tag:example-infra", - "tag:example-exitnode", - "tag:example-subnetrouter", - "tag:example-appconnector", - ] + tags = local.tailscale_acl_tags } resource "aws_network_interface" "primary" { - subnet_id = module.vpc.public_subnets[0] - security_groups = [module.vpc.tailscale_security_group_id] - tags = local.tags + subnet_id = local.subnet_id + security_groups = local.security_group_ids + tags = local.aws_tags } resource "aws_eip" "primary" { - tags = local.tags + tags = local.aws_tags } resource "aws_eip_association" "primary" { network_interface_id = aws_network_interface.primary.id 
@@ -48,23 +67,51 @@ module "tailscale_aws_ec2_autoscaling" { source = "../internal-modules/aws-ec2-autoscaling/" autoscaling_group_name = local.name - instance_type = "t4g.micro" - instance_tags = local.tags + instance_type = local.instance_type + instance_tags = local.aws_tags network_interfaces = [aws_network_interface.primary.id] # Variables for Tailscale resources - tailscale_auth_key = tailscale_tailnet_key.main.key - tailscale_hostname = local.name - tailscale_set_preferences = [ - "--auto-update", - "--ssh", - "--advertise-connector", - "--advertise-exit-node", - "--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}", - ] + tailscale_auth_key = tailscale_tailnet_key.main.key + tailscale_hostname = local.name + tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets + module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } + +resource "aws_security_group" "tailscale" { + vpc_id = local.vpc_id + name = local.name +} + +resource "aws_security_group_rule" "tailscale_ingress" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 41641 + to_port = 41641 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "egress" { + security_group_id = aws_security_group.tailscale.id + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [local.vpc_cidr_block] +} diff --git a/terraform/aws/internal-modules/aws-vpc/main.tf b/terraform/aws/internal-modules/aws-vpc/main.tf index c99e66e..e666fd8 100644 
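Review bot: `aws_security_group.tailscale` is the only taggable resource in this root without `tags = local.aws_tags`, and neither it nor the three `aws_security_group_rule`s carry a `description`, so the rule allowing every protocol outbound to `0.0.0.0/0` and `::/0` and the rule allowing every protocol from the whole VPC CIDR appear anonymous in the console and in any SG audit; add `description = "Tailscale node: WireGuard UDP/41641 in, VPC-internal in, all out"` and `tags = local.aws_tags` to the group and a one-line `description` per rule. The same block is copied into PATCH 02, 03, 05 and 07, so the same applies there. This commit also deletes the module's `aws_security_group` and its `tailscale_security_group_id` output while the `aws-ec2-instance`, dual-subnet, session-recorder and dual-stack roots still reference that output until PATCH 02–07 update them, so PATCH 01 on its own leaves those roots failing validation; worth a line in the message or squashing the series.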
--- a/terraform/aws/internal-modules/aws-vpc/main.tf +++ b/terraform/aws/internal-modules/aws-vpc/main.tf @@ -30,48 +30,3 @@ module "vpc" { public_subnet_ipv6_prefixes = range(0, length(var.public_subnets)) private_subnet_ipv6_prefixes = range(10, 10 + length(var.private_subnets)) } - -resource "aws_security_group" "tailscale" { - vpc_id = module.vpc.vpc_id - name = var.name -} - -resource "aws_security_group_rule" "egress" { - security_group_id = aws_security_group.tailscale.id - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] -} - -resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" { - security_group_id = aws_security_group.tailscale.id - type = "ingress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.cidr] -} - -resource "aws_security_group_rule" "internal_vpc_ingress_ipv6" { - count = var.enable_ipv6 == false ? 0 : 1 - - security_group_id = aws_security_group.tailscale.id - type = "ingress" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block] -} - -resource "aws_security_group_rule" "tailscale_ingress" { - security_group_id = aws_security_group.tailscale.id - type = "ingress" - from_port = 41641 - to_port = 41641 - protocol = "udp" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] -} diff --git a/terraform/aws/internal-modules/aws-vpc/outputs.tf b/terraform/aws/internal-modules/aws-vpc/outputs.tf index 234c506..c523e3a 100644 --- a/terraform/aws/internal-modules/aws-vpc/outputs.tf +++ b/terraform/aws/internal-modules/aws-vpc/outputs.tf @@ -30,10 +30,6 @@ output "natgw_ids" { value = module.vpc.natgw_ids } -output "tailscale_security_group_id" { - value = aws_security_group.tailscale.id -} - output "public_route_table_ids" { value = module.vpc.public_route_table_ids } From 429c5ef2d1e3a6b7e9a22aca8dd3b6a00d9cc9d6 Mon Sep 17 00:00:00 2001 
From: Cameron Stokes Date: Sun, 15 Sep 2024 16:08:24 -0700 Subject: [PATCH 02/10] aws-ec2-instance --- terraform/aws/aws-ec2-instance/main.tf | 91 +++++++++++++++++++------- 1 file changed, 68 insertions(+), 23 deletions(-) diff --git a/terraform/aws/aws-ec2-instance/main.tf b/terraform/aws/aws-ec2-instance/main.tf index 47c6dd9..2c532e7 100644 --- a/terraform/aws/aws-ec2-instance/main.tf +++ b/terraform/aws/aws-ec2-instance/main.tf @@ -1,16 +1,40 @@ locals { name = "example-${basename(path.cwd)}" - tags = { + aws_tags = { Name = local.name } + + tailscale_acl_tags = [ + "tag:example-infra", + "tag:example-exitnode", + "tag:example-subnetrouter", + "tag:example-appconnector", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + "--advertise-connector", + "--advertise-exit-node", + "--advertise-routes=${join(",", [ + local.vpc_cidr_block, + ])}", + ] + + // Modify these to use your own VPC + vpc_cidr_block = module.vpc.vpc_cidr_block + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.public_subnets[0] + security_group_ids = [aws_security_group.tailscale.id] + instance_type = "t4g.micro" } +// Remove this to use your own VPC. module "vpc" { source = "../internal-modules/aws-vpc" name = local.name - tags = local.tags + tags = local.aws_tags cidr = "10.0.80.0/22" 
@@ -23,37 +47,58 @@ resource "tailscale_tailnet_key" "main" { preauthorized = true reusable = true recreate_if_invalid = "always" - tags = [ - "tag:example-infra", - "tag:example-exitnode", - "tag:example-subnetrouter", - "tag:example-appconnector", - ] + tags = local.tailscale_acl_tags } module "tailscale_aws_ec2" { source = "../internal-modules/aws-ec2-instance" instance_type = "t4g.micro" - instance_tags = local.tags + instance_tags = local.aws_tags - subnet_id = module.vpc.public_subnets[0] - vpc_security_group_ids = [ - module.vpc.tailscale_security_group_id, - ] + subnet_id = local.subnet_id + vpc_security_group_ids = local.security_group_ids # Variables for Tailscale resources - tailscale_hostname = local.name - tailscale_auth_key = tailscale_tailnet_key.main.key - tailscale_set_preferences = [ - "--auto-update", - "--ssh", - "--advertise-connector", - "--advertise-exit-node", - "--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}", - ] + tailscale_hostname = local.name + tailscale_auth_key = tailscale_tailnet_key.main.key + tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets + module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } + +resource "aws_security_group" "tailscale" { + vpc_id = local.vpc_id + name = local.name +} + +resource "aws_security_group_rule" "tailscale_ingress" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 41641 + to_port = 41641 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "egress" { + security_group_id = aws_security_group.tailscale.id + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" 
"internal_vpc_ingress_ipv4" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [local.vpc_cidr_block] +} From 78208f9b5c1afd5b10fd1b58056eb01d3dde3222 Mon Sep 17 00:00:00 2001 From: Cameron Stokes Date: Mon, 16 Sep 2024 10:54:11 -0700 Subject: [PATCH 03/10] aws-ec2-autoscaling-dual-subnet --- .../aws-ec2-autoscaling-dual-subnet/main.tf | 102 +++++++++++++----- 1 file changed, 75 insertions(+), 27 deletions(-) diff --git a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf index 4ad2a0d..c62a2af 100644 --- a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf +++ b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf @@ -1,16 +1,41 @@ locals { name = "example-${basename(path.cwd)}" - tags = { + aws_tags = { Name = local.name } + + tailscale_acl_tags = [ + "tag:example-infra", + "tag:example-exitnode", + "tag:example-subnetrouter", + "tag:example-appconnector", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + "--advertise-connector", + "--advertise-exit-node", + "--advertise-routes=${join(",", [ + local.vpc_cidr_block, + ])}", + ] + + // Modify these to use your own VPC + vpc_cidr_block = module.vpc.vpc_cidr_block + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.public_subnets[0] + private_subnet_id = module.vpc.private_subnets[0] + security_group_ids = [aws_security_group.tailscale.id] + instance_type = "t4g.micro" } +// Remove this to use your own VPC. module "vpc" { source = "../internal-modules/aws-vpc" name = local.name - tags = local.tags + tags = local.aws_tags cidr = "10.0.80.0/22" 
@@ -23,21 +48,16 @@ resource "tailscale_tailnet_key" "main" { preauthorized = true reusable = true recreate_if_invalid = "always" - tags = [ - "tag:example-infra", - "tag:example-exitnode", - "tag:example-subnetrouter", - "tag:example-appconnector", - ] + tags = local.tailscale_acl_tags } resource "aws_network_interface" "primary" { - subnet_id = module.vpc.public_subnets[0] - security_groups = [module.vpc.tailscale_security_group_id] - tags = merge(local.tags, { Name = "${local.name}-primary" }) + subnet_id = local.subnet_id + security_groups = local.security_group_ids + tags = merge(local.aws_tags, { Name = "${local.name}-primary" }) } resource "aws_eip" "primary" { - tags = local.tags + tags = local.aws_tags } resource "aws_eip_association" "primary" { network_interface_id = aws_network_interface.primary.id @@ -45,9 +65,9 @@ resource "aws_eip_association" "primary" { } resource "aws_network_interface" "secondary" { - subnet_id = module.vpc.private_subnets[0] - security_groups = [module.vpc.tailscale_security_group_id] - tags = merge(local.tags, { Name = "${local.name}-secondary" }) + subnet_id = local.private_subnet_id + security_groups = local.security_group_ids + tags = merge(local.aws_tags, { Name = "${local.name}-secondary" }) source_dest_check = false } @@ -56,8 +76,8 @@ module "tailscale_aws_ec2_autoscaling" { source = "../internal-modules/aws-ec2-autoscaling/" autoscaling_group_name = local.name - instance_type = "t4g.micro" - instance_tags = local.tags + instance_type = local.instance_type + instance_tags = local.aws_tags network_interfaces = [ aws_network_interface.primary.id, # first NIC must be in PUBLIC subnet 
@@ -65,17 +85,45 @@ module "tailscale_aws_ec2_autoscaling" { ] # Variables for Tailscale resources - tailscale_hostname = local.name - tailscale_auth_key = tailscale_tailnet_key.main.key - tailscale_set_preferences = [ - "--auto-update", - "--ssh", - "--advertise-connector", - "--advertise-exit-node", - "--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}", - ] + tailscale_hostname = local.name + tailscale_auth_key = tailscale_tailnet_key.main.key + tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets + module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } + +resource "aws_security_group" "tailscale" { + vpc_id = local.vpc_id + name = local.name +} + +resource "aws_security_group_rule" "tailscale_ingress" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 41641 + to_port = 41641 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "egress" { + security_group_id = aws_security_group.tailscale.id + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [local.vpc_cidr_block] +} From d865fd0c967eb2f993e7983e7e6311643bac5c5f Mon Sep 17 00:00:00 2001 From: Cameron Stokes Date: Mon, 16 Sep 2024 11:57:59 -0700 Subject: [PATCH 04/10] fix instance type --- terraform/aws/aws-ec2-instance/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/aws-ec2-instance/main.tf b/terraform/aws/aws-ec2-instance/main.tf index 2c532e7..93e6771 100644 
--- a/terraform/aws/aws-ec2-instance/main.tf +++ b/terraform/aws/aws-ec2-instance/main.tf @@ -53,7 +53,7 @@ resource "tailscale_tailnet_key" "main" { module "tailscale_aws_ec2" { source = "../internal-modules/aws-ec2-instance" - instance_type = "t4g.micro" + instance_type = local.instance_type instance_tags = local.aws_tags subnet_id = local.subnet_id From 86147e936e3619c08dde57006d7c2e817e87bcbb Mon Sep 17 00:00:00 2001 From: Cameron Stokes Date: Mon, 16 Sep 2024 12:42:05 -0700 Subject: [PATCH 05/10] aws-ec2-autoscaling-session-recorder --- .../main.tf | 96 ++++++++++++++----- 1 file changed, 71 insertions(+), 25 deletions(-) diff --git a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf index e3e2ebd..b539746 100644 --- a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf +++ b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf @@ -1,16 +1,36 @@ locals { name = "example-${basename(path.cwd)}" - tags = { + aws_tags = { Name = local.name } + + tailscale_acl_tags = [ + "tag:example-infra", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + ] + + // Modify these to use your own VPC + vpc_cidr_block = module.vpc.vpc_cidr_block + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.public_subnets[0] + security_group_ids = [aws_security_group.tailscale.id] + instance_type = "t4g.micro" + vpc_endpoint_route_table_ids = flatten([ + module.vpc.public_route_table_ids, + module.vpc.private_route_table_ids, + ]) } +// Remove this to use your own VPC. module "vpc" { source = "../internal-modules/aws-vpc" name = local.name - tags = local.tags + tags = local.aws_tags cidr = "10.0.80.0/22" 
@@ -19,18 +39,15 @@ module "vpc" { } resource "aws_vpc_endpoint" "recorder" { - vpc_id = module.vpc.vpc_id + vpc_id = local.vpc_id service_name = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3" - route_table_ids = flatten([ - module.vpc.public_route_table_ids, - module.vpc.private_route_table_ids, - ]) - tags = local.tags + route_table_ids = local.vpc_endpoint_route_table_ids + tags = local.aws_tags } resource "aws_s3_bucket" "recorder" { bucket_prefix = substr(local.name, 0, 37) - tags = local.tags + tags = local.aws_tags force_destroy = true } @@ -73,7 +90,7 @@ resource "aws_s3_bucket_policy" "recorder" { } resource "aws_iam_policy" "recorder" { - tags = local.tags + tags = local.aws_tags policy = <<-EOT { "Version": "2012-10-17", @@ -98,7 +115,7 @@ resource "aws_iam_policy" "recorder" { resource "aws_iam_user" "recorder" { name = local.name - tags = local.tags + tags = local.aws_tags } resource "aws_iam_policy_attachment" "recorder" { @@ -126,18 +143,16 @@ resource "tailscale_tailnet_key" "main" { preauthorized = true reusable = true recreate_if_invalid = "always" - tags = [ - "tag:example-infra", - ] + tags = local.tailscale_acl_tags } resource "aws_network_interface" "primary" { - subnet_id = module.vpc.public_subnets[0] - security_groups = [module.vpc.tailscale_security_group_id] - tags = local.tags + subnet_id = local.subnet_id + security_groups = local.security_group_ids + tags = local.aws_tags } resource "aws_eip" "primary" { - tags = local.tags + tags = local.aws_tags } resource "aws_eip_association" "primary" { network_interface_id = aws_network_interface.primary.id 
@@ -148,18 +163,15 @@ module "tailscale_aws_ec2_autoscaling" { source = "../internal-modules/aws-ec2-autoscaling/" autoscaling_group_name = local.name - instance_type = "t4g.micro" - instance_tags = local.tags + instance_type = local.instance_type + instance_tags = local.aws_tags network_interfaces = [aws_network_interface.primary.id] # Variables for Tailscale resources tailscale_hostname = local.name tailscale_auth_key = tailscale_tailnet_key.main.key - tailscale_set_preferences = [ - "--auto-update", - "-ssh", - ] + tailscale_set_preferences = local.tailscale_set_preferences # # Set up Tailscale Session Recorder (tsrecorder) @@ -178,6 +190,40 @@ module "tailscale_aws_ec2_autoscaling" { ] depends_on = [ - module.vpc.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning + module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } + +resource "aws_security_group" "tailscale" { + vpc_id = local.vpc_id + name = local.name +} + +resource "aws_security_group_rule" "tailscale_ingress" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 41641 + to_port = 41641 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "egress" { + security_group_id = aws_security_group.tailscale.id + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [local.vpc_cidr_block] +} From 138e87b960dbd0f79b4dc0ca475aac04362a5982 Mon Sep 17 00:00:00 2001 
From: Cameron Stokes
Date: Mon, 16 Sep 2024 12:42:52 -0700
Subject: [PATCH 06/10] terraform fmt -recursive
---
 .../aws/aws-ec2-autoscaling-session-recorder/main.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
index b539746..4cb7dc8 100644
--- a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
@@ -39,10 +39,10 @@ module "vpc" {
 }
 
 resource "aws_vpc_endpoint" "recorder" {
- vpc_id = local.vpc_id
- service_name = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3"
+ vpc_id = local.vpc_id
+ service_name = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3"
 route_table_ids = local.vpc_endpoint_route_table_ids
- tags = local.aws_tags
+ tags = local.aws_tags
 }
 
 resource "aws_s3_bucket" "recorder" {
@@ -169,8 +169,8 @@ module "tailscale_aws_ec2_autoscaling" {
 network_interfaces = [aws_network_interface.primary.id]
 
 # Variables for Tailscale resources
- tailscale_hostname = local.name
- tailscale_auth_key = tailscale_tailnet_key.main.key
+ tailscale_hostname = local.name
+ tailscale_auth_key = tailscale_tailnet_key.main.key
 tailscale_set_preferences = local.tailscale_set_preferences
 
 #
From ebed1adab2143843d806062bd8bc562aae468415 Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Mon, 16 Sep 2024 12:49:54 -0700
Subject: [PATCH 07/10] aws-ec2-instance-dual-stack-ipv4-ipv6
---
 .../main.tf | 98 +++++++++++++------
 1 file changed, 70 insertions(+), 28 deletions(-)
diff --git a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
index 5ddb48d..0be5620 100644
--- a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
+++ b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
@@ -1,16 +1,40 @@ locals { name = "example-${basename(path.cwd)}" - tags = { + aws_tags = { Name = local.name } + + tailscale_acl_tags = [ + "tag:example-infra", + "tag:example-exitnode", + "tag:example-subnetrouter", + "tag:example-appconnector", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + "--advertise-connector", + "--advertise-exit-node", + "--advertise-routes=${join(",", [ + local.vpc_cidr_block, + ])}", + ] + + // Modify these to use your own VPC + vpc_cidr_block = module.vpc.vpc_cidr_block + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.public_subnets[0] + security_group_ids = [aws_security_group.tailscale.id] + instance_type = "t4g.micro" } +// Remove this to use your own VPC. module "vpc" { source = "../internal-modules/aws-vpc" name = local.name - tags = local.tags + tags = local.aws_tags cidr = "10.0.80.0/22" 
@@ -25,41 +49,59 @@ resource "tailscale_tailnet_key" "main" { preauthorized = true reusable = true recreate_if_invalid = "always" - tags = [ - "tag:example-infra", - "tag:example-exitnode", - "tag:example-subnetrouter", - "tag:example-appconnector", - ] + tags = local.tailscale_acl_tags } module "tailscale_aws_ec2" { source = "../internal-modules/aws-ec2-instance" - instance_type = "t4g.micro" - instance_tags = local.tags + instance_type = local.instance_type + instance_tags = local.aws_tags - subnet_id = module.vpc.private_subnets[0] - vpc_security_group_ids = [ - module.vpc.tailscale_security_group_id, - ] - ipv6_address_count = 1 + subnet_id = local.subnet_id + vpc_security_group_ids = local.security_group_ids + ipv6_address_count = 1 # Variables for Tailscale resources - tailscale_hostname = local.name - tailscale_auth_key = tailscale_tailnet_key.main.key - tailscale_set_preferences = [ - "--auto-update", - "--ssh", - "--advertise-connector", - "--advertise-exit-node", - "--advertise-routes=${join(",", [ - module.vpc.vpc_cidr_block, - module.vpc.vpc_ipv6_cidr_block, - ])}", - ] + tailscale_hostname = local.name + tailscale_auth_key = tailscale_tailnet_key.main.key + tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ - module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets + module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available ] } + +resource "aws_security_group" "tailscale" { + vpc_id = local.vpc_id + name = local.name +} + +resource "aws_security_group_rule" "tailscale_ingress" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 41641 + to_port = 41641 + protocol = "udp" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "egress" { + security_group_id = aws_security_group.tailscale.id + type = "egress" + from_port = 0 + to_port = 0 + 
protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] +} + +resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" { + security_group_id = aws_security_group.tailscale.id + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [local.vpc_cidr_block] +} From c80fdc4922a5af55f4d0f08401fd31a6393ec222 Mon Sep 17 00:00:00 2001 From: Cameron Stokes Date: Tue, 17 Sep 2024 08:41:32 -0700 Subject: [PATCH 08/10] azure-linux-vm --- terraform/azure/azure-linux-vm/main.tf | 86 +++++++++++++------ .../internal-modules/azure-linux-vm/main.tf | 21 +---- .../azure-linux-vm/variables.tf | 4 + 3 files changed, 66 insertions(+), 45 deletions(-) diff --git a/terraform/azure/azure-linux-vm/main.tf b/terraform/azure/azure-linux-vm/main.tf index d6b4d33..1e55f32 100644 --- a/terraform/azure/azure-linux-vm/main.tf +++ b/terraform/azure/azure-linux-vm/main.tf @@ -1,9 +1,36 @@ locals { name = "example-${basename(path.cwd)}" - tags = { + azure_tags = { Name = local.name } + + tailscale_acl_tags = [ + "tag:example-infra", + "tag:example-exitnode", + "tag:example-subnetrouter", + "tag:example-appconnector", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + "--advertise-connector", + "--advertise-exit-node", + "--advertise-routes=${join(",", coalescelist( + local.vpc_cidr_block, + ))}", + ] + + // Modify these to use your own VPC + resource_group_name = azurerm_resource_group.main.name + location = azurerm_resource_group.main.location + + vpc_cidr_block = module.network.vnet_address_space + vpc_id = module.network.vnet_id + subnet_id = module.network.public_subnet_id + network_security_group_id = azurerm_network_security_group.tailscale_ingress.id + instance_type = "Standard_DS1_v2" + admin_public_key_path = var.admin_public_key_path } resource "azurerm_resource_group" "main" { 
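Review bot: The dual-stack root loses its IPv6 behaviour in this hunk: the removed inline list advertised `module.vpc.vpc_ipv6_cidr_block` next to the IPv4 block, but `local.tailscale_set_preferences` (hunk 1 of this patch) joins only `local.vpc_cidr_block`, and the IPv6 intra-VPC ingress rule the `aws-vpc` module used to provide (`internal_vpc_ingress_ipv6`, deleted in PATCH 01) is not recreated among the new `aws_security_group_rule`s, so the instance still requests `ipv6_address_count = 1` but neither advertises the IPv6 prefix nor accepts IPv6 from the VPC. The instance also moves from `module.vpc.private_subnets[0]` to `local.subnet_id = module.vpc.public_subnets[0]`, a placement change the commit message does not mention; confirm it is intended. Add `vpc_ipv6_cidr_block = module.vpc.vpc_ipv6_cidr_block` to the locals, include it in the `--advertise-routes` join, and restore the IPv6 internal rule as below.
```terraform
// … unchanged: aws_security_group.tailscale and the ipv4/egress rules …
resource "aws_security_group_rule" "internal_vpc_ingress_ipv6" {
  security_group_id = aws_security_group.tailscale.id
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  ipv6_cidr_blocks  = [module.vpc.vpc_ipv6_cidr_block]
}
```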
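Review bot: `coalescelist(local.vpc_cidr_block,)` inside `tailscale_set_preferences` applies a function whose purpose is to pick the first non-empty list among several to a single list; with one argument it is an identity when the list is non-empty and an error when it is empty, so `join(",", local.vpc_cidr_block)` expresses the intent directly (the same construct appears in PATCH 09). The `// Modify these to use your own VPC` comment is carried over from the AWS roots, while this file otherwise uses Azure terms (`vnet_address_space`, `vnet_id`); `// Modify these to use your own VNet` matches. `resource_group_name`, `location`, `instance_type` and `admin_public_key_path` sit under that comment although they are not network settings, so a reader may assume they must change along with the VNet.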
@@ -15,10 +42,10 @@ module "network" {
 source = "../internal-modules/azure-network"
 
 name = local.name
- tags = local.tags
+ tags = local.azure_tags
 
- location = azurerm_resource_group.main.location
- resource_group_name = azurerm_resource_group.main.name
+ location = local.location
+ resource_group_name = local.resource_group_name
 
 cidrs = ["10.0.0.0/22"]
 subnet_cidrs = [
@@ -39,40 +66,49 @@ resource "tailscale_tailnet_key" "main" { preauthorized = true reusable = true recreate_if_invalid = "always" - tags = [ - "tag:example-infra", - "tag:example-exitnode", - "tag:example-subnetrouter", - "tag:example-appconnector", - ] + tags = local.tailscale_acl_tags } module "tailscale_azure_linux_virtual_machine" { source = "../internal-modules/azure-linux-vm" - location = azurerm_resource_group.main.location - resource_group_name = azurerm_resource_group.main.name + location = local.location + resource_group_name = local.resource_group_name # public subnet - primary_subnet_id = module.network.public_subnet_id + primary_subnet_id = local.subnet_id + network_security_group_id = local.network_security_group_id machine_name = local.name - machine_size = "Standard_DS1_v2" - admin_public_key_path = var.admin_public_key_path - resource_tags = local.tags + machine_size = local.instance_type + admin_public_key_path = local.admin_public_key_path + resource_tags = local.azure_tags # Variables for Tailscale resources - tailscale_hostname = local.name - tailscale_auth_key = tailscale_tailnet_key.main.key - tailscale_set_preferences = [ - "--auto-update", - "--ssh", - "--advertise-connector", - "--advertise-exit-node", - "--advertise-routes=${join(",", module.network.vnet_address_space)}", - ] + tailscale_hostname = local.name + tailscale_auth_key = tailscale_tailnet_key.main.key + tailscale_set_preferences = local.tailscale_set_preferences depends_on = [ module.network.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning ] } + +resource "azurerm_network_security_group" "tailscale_ingress" { + location = local.location + resource_group_name = local.resource_group_name + + name = "nsg-tailscale-ingress" + + security_rule { + name = "AllowTailscaleInbound" + access = "Allow" + direction = "Inbound" + priority = 100 + protocol = "Udp" + source_address_prefix = "Internet" + source_port_range = "*" + 
destination_address_prefix = "*" + destination_port_range = "41641" + } +} diff --git a/terraform/azure/internal-modules/azure-linux-vm/main.tf b/terraform/azure/internal-modules/azure-linux-vm/main.tf index 34f4445..bb0577d 100644 --- a/terraform/azure/internal-modules/azure-linux-vm/main.tf +++ b/terraform/azure/internal-modules/azure-linux-vm/main.tf @@ -28,26 +28,7 @@ resource "azurerm_network_interface" "primary" { resource "azurerm_network_interface_security_group_association" "tailscale" { network_interface_id = azurerm_network_interface.primary.id - network_security_group_id = azurerm_network_security_group.tailscale_ingress.id -} - -resource "azurerm_network_security_group" "tailscale_ingress" { - location = var.location - resource_group_name = var.resource_group_name - - name = "nsg-tailscale-ingress" - - security_rule { - name = "AllowTailscaleInbound" - access = "Allow" - direction = "Inbound" - priority = 100 - protocol = "Udp" - source_address_prefix = "Internet" - source_port_range = "*" - destination_address_prefix = "*" - destination_port_range = "41641" - } + network_security_group_id = var.network_security_group_id } resource "azurerm_linux_virtual_machine" "tailscale_instance" { diff --git a/terraform/azure/internal-modules/azure-linux-vm/variables.tf b/terraform/azure/internal-modules/azure-linux-vm/variables.tf index 336ec8c..82652bb 100644 --- a/terraform/azure/internal-modules/azure-linux-vm/variables.tf +++ b/terraform/azure/internal-modules/azure-linux-vm/variables.tf @@ -25,6 +25,10 @@ variable "primary_subnet_id" { description = "The primary subnet (typically PUBLIC) to assign to the virtual machine" type = string } +variable "network_security_group_id" { + description = "The network security group to assign to the virtual machine" + type = string +} variable "machine_size" { description = "The machine size to assign the virtual machine" type = string From cbca157b5bb2ad4926a791a7fd56bcdbe31cbf3a Mon Sep 17 00:00:00 2001 
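Review bot: `azurerm_network_security_group.tailscale_ingress` is the only resource in this root that does not receive `tags = local.azure_tags`; add it, and consider `name = "${local.name}-nsg-tailscale-ingress"` so the NSG is traceable to its root like every other resource instead of the fixed `nsg-tailscale-ingress` it inherited from the module. The single `security_rule` allows UDP/41641 from `Internet` and nothing else is stated, so intra-VNet reachability rests on the platform default rules; since the AWS roots in this series add an explicit internal ingress rule, a comment above `security_rule` such as `# intra-VNet inbound is left to Azure's default AllowVnetInBound rule` makes the asymmetry deliberate rather than an omission.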
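Review bot: `azurerm_network_interface_security_group_association.tailscale` now reads `var.network_security_group_id` unconditionally, and the `variables.tf` hunk declares that variable without a default, so any other root consuming `internal-modules/azure-linux-vm` that does not pass it fails to plan after this commit; only the `azure-linux-vm` root is updated here, so this is a breaking change for the module unless it has no other callers. Either give the variable `default = null` and guard the association with `count = var.network_security_group_id == null ? 0 : 1`, or say in its description that it is now required (`description = "The network security group to associate with the primary NIC (required)"`).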
From: Cameron Stokes Date: Tue, 17 Sep 2024 09:03:10 -0700 Subject: [PATCH 09/10] google-compute-instance --- .../google/google-compute-instance/main.tf | 100 +++++++++++++----- .../google-compute-instance/main.tf | 30 ------ 2 files changed, 71 insertions(+), 59 deletions(-) diff --git a/terraform/google/google-compute-instance/main.tf b/terraform/google/google-compute-instance/main.tf index 5a4278a..3713ebb 100644 --- a/terraform/google/google-compute-instance/main.tf +++ b/terraform/google/google-compute-instance/main.tf @@ -1,31 +1,54 @@ locals { - name = "example-${basename(path.cwd)}" - metadata = { + google_metadata = { Name = local.name } - tags = [] + + tailscale_acl_tags = [ + "tag:example-infra", + "tag:example-exitnode", + "tag:example-subnetrouter", + "tag:example-appconnector", + ] + tailscale_set_preferences = [ + "--auto-update", + "--ssh", + "--advertise-connector", + "--advertise-exit-node", + "--advertise-routes=${join(",", coalescelist( + local.vpc_cidr_block, + ))}", + ] + + // Modify these to use your own VPC + project_id = var.project_id + region = var.region + zone = var.zone + vpc_cidr_block = module.vpc.subnets_ips + subnet_id = module.vpc.subnets_ids[0] + instance_type = "e2-medium" + instance_tags = ["tailscale-instance"] } module "vpc" { source = "../internal-modules/google-vpc" - project_id = var.project_id - region = var.region + project_id = local.project_id + region = local.region name = local.name subnets = [ { - subnet_name = "subnet-${var.region}-10-0-121" + subnet_name = "subnet-${local.region}-10-0-121" subnet_ip = "10.0.121.0/24" - subnet_region = var.region + subnet_region = local.region }, { - subnet_name = "subnet-${var.region}-10-0-122" + subnet_name = "subnet-${local.region}-10-0-122" subnet_ip = "10.0.122.0/24" - subnet_region = var.region + subnet_region = local.region } ] } 
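Review bot: As this hunk reads, `name = "example-${basename(path.cwd)}"` is a removed line (it carries `-` and has no `+` counterpart), yet `local.name` is still referenced by `google_metadata`, `module.vpc` and `machine_name`; if that is what the commit contains, `terraform validate` fails on an undeclared local, and the line should stay at the top of `locals` as `name = "example-${basename(path.cwd)}"`. If the marker is an artefact of how the patch was rendered, disregard this. Separately, `project_id`, `region`, `zone`, `instance_type` and `instance_tags` sit under `// Modify these to use your own VPC` although only `vpc_cidr_block` and `subnet_id` are VPC settings; grouping the VPC values alone under that comment keeps the instruction precise.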
@@ -35,37 +58,56 @@ resource "tailscale_tailnet_key" "main" {
 preauthorized = true
 reusable = true
 recreate_if_invalid = "always"
- tags = [
- "tag:example-infra",
- "tag:example-exitnode",
- "tag:example-subnetrouter",
- "tag:example-appconnector",
- ]
+ tags = local.tailscale_acl_tags
 }
 module "tailscale_instance" {
 source = "../internal-modules/google-compute-instance"
- zone = var.zone
+ zone = local.zone
 machine_name = local.name
- machine_type = "e2-medium"
- subnet = module.vpc.subnets_ids[0]
+ machine_type = local.instance_type
+ subnet = local.subnet_id
- instance_metadata = local.metadata
- instance_tags = local.tags
+ instance_metadata = local.google_metadata
+ instance_tags = local.instance_tags
 # Variables for Tailscale resources
- tailscale_hostname = local.name
- tailscale_auth_key = tailscale_tailnet_key.main.key
- tailscale_set_preferences = [
- "--auto-update",
- "--ssh",
- "--advertise-connector",
- "--advertise-exit-node",
- "--advertise-routes=${join(",", module.vpc.subnets_ips)}",
- ]
+ tailscale_hostname = local.name
+ tailscale_auth_key = tailscale_tailnet_key.main.key
+ tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
 module.vpc.nat_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
 ]
 }
+
+resource "google_compute_firewall" "tailscale_ingress_ipv4" {
+ name = "${local.name}-tailscale-ingress-ipv4"
+ network = module.vpc.vpc_id
+
+ allow {
+ protocol = "udp"
+ ports = ["41641"]
+ }
+
+ source_ranges = [
+ "0.0.0.0/0",
+ ]
+ target_tags = local.instance_tags
+}
+
+resource "google_compute_firewall" "tailscale_ingress_ipv6" {
+ name = "${local.name}-tailscale-ingress-ipv6"
+ network = module.vpc.vpc_id
+
+ allow {
+ protocol = "udp"
+ ports = ["41641"]
+ }
+
+ source_ranges = [
+ "::/0",
+ ]
+ target_tags = local.instance_tags
+}
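Review bot: Both new `google_compute_firewall` resources read `module.vpc.vpc_id` directly in their `network` argument, while every other network-derived value in this file was just moved behind the `// Modify these to use your own VPC` locals group; a user who follows that comment and swaps in their own network will still get the two ingress rules attached to the example VPC, which is easy to miss because the instance itself comes up fine. Add `vpc_id = module.vpc.vpc_id` to that locals group and use `network = local.vpc_id` in both rules, so that the single edit point the comment promises actually covers the firewall. The `target_tags = local.instance_tags` scoping is correct and should stay, since it keeps the 0.0.0.0/0 and ::/0 UDP 41641 allowances limited to the tagged instance.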
diff --git a/terraform/google/internal-modules/google-compute-instance/main.tf b/terraform/google/internal-modules/google-compute-instance/main.tf
index 9c5f572..0619ddc 100644
--- a/terraform/google/internal-modules/google-compute-instance/main.tf
+++ b/terraform/google/internal-modules/google-compute-instance/main.tf
@@ -13,36 +13,6 @@ data "google_compute_subnetwork" "selected" {
 self_link = "https://www.googleapis.com/compute/v1/${var.subnet}" # requires full URL - https://github.com/hashicorp/terraform-provider-google/issues/9919
 }
-resource "google_compute_firewall" "tailscale_ingress_ipv4" {
- name = "tailscale-ingress-ipv4"
- network = data.google_compute_subnetwork.selected.network
-
- allow {
- protocol = "udp"
- ports = ["41641"]
- }
-
- source_ranges = [
- "0.0.0.0/0",
- ]
- target_tags = var.instance_tags
-}
-
-resource "google_compute_firewall" "tailscale_ingress_ipv6" {
- name = "tailscale-ingress-ipv6"
- network = data.google_compute_subnetwork.selected.network
-
- allow {
- protocol = "udp"
- ports = ["41641"]
- }
-
- source_ranges = [
- "::/0",
- ]
- target_tags = var.instance_tags
-}
-
 data "google_compute_image" "ubuntu" {
 project = "ubuntu-os-cloud"
 family = "ubuntu-2404-lts-amd64"
From 81b9389097e0f112690e7911fcb8327957f967fa Mon Sep 17 00:00:00 2001
From: Cameron Stokes
Date: Tue, 17 Sep 2024 09:10:22 -0700
Subject: [PATCH 10/10] consistent names
---
 .../aws/aws-ec2-autoscaling-dual-subnet/main.tf | 2 +-
 .../aws-ec2-autoscaling-session-recorder/main.tf | 2 +-
 terraform/aws/aws-ec2-autoscaling/main.tf | 2 +-
 .../main.tf | 2 +-
 terraform/aws/aws-ec2-instance/main.tf | 2 +-
 .../aws/internal-modules/aws-vpc/outputs.tf | 4 ++--
 terraform/azure/azure-linux-vm/main.tf | 10 +++++-----
 terraform/azure/azure-linux-vm/outputs.tf | 10 +++++-----
 .../azure/internal-modules/azure-network/main.tf | 16 ++++++++--------
 .../internal-modules/azure-network/outputs.tf | 10 +++++-----
 terraform/google/google-compute-instance/main.tf | 2 +-
 11 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
index c62a2af..410685e 100644
--- a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
@@ -90,7 +90,7 @@ module "tailscale_aws_ec2_autoscaling" {
 tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+ module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
diff --git a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
index 4cb7dc8..80f1277 100644
--- a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
@@ -190,7 +190,7 @@ module "tailscale_aws_ec2_autoscaling" {
 ]
 depends_on = [
- module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+ module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
diff --git a/terraform/aws/aws-ec2-autoscaling/main.tf b/terraform/aws/aws-ec2-autoscaling/main.tf
index 45f84cb..df1c205 100644
--- a/terraform/aws/aws-ec2-autoscaling/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling/main.tf
@@ -78,7 +78,7 @@ module "tailscale_aws_ec2_autoscaling" {
 tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+ module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
diff --git a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
index 0be5620..d9bccaa 100644
--- a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
+++ b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
@@ -68,7 +68,7 @@ module "tailscale_aws_ec2" {
 tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+ module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
diff --git a/terraform/aws/aws-ec2-instance/main.tf b/terraform/aws/aws-ec2-instance/main.tf
index 93e6771..f243b0c 100644
--- a/terraform/aws/aws-ec2-instance/main.tf
+++ b/terraform/aws/aws-ec2-instance/main.tf
@@ -65,7 +65,7 @@ module "tailscale_aws_ec2" {
 tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
+ module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
diff --git a/terraform/aws/internal-modules/aws-vpc/outputs.tf b/terraform/aws/internal-modules/aws-vpc/outputs.tf
index c523e3a..8930437 100644
--- a/terraform/aws/internal-modules/aws-vpc/outputs.tf
+++ b/terraform/aws/internal-modules/aws-vpc/outputs.tf
@@ -25,9 +25,9 @@ output "nat_public_ips" {
 value = module.vpc.nat_public_ips
 }
-output "natgw_ids" {
+output "nat_ids" {
 description = "Useful for using within `depends_on` for other resources"
- value = module.vpc.natgw_ids
+ value = module.vpc.nat_ids
 }
 output "public_route_table_ids" {
diff --git a/terraform/azure/azure-linux-vm/main.tf b/terraform/azure/azure-linux-vm/main.tf
index 1e55f32..f2e958c 100644
--- a/terraform/azure/azure-linux-vm/main.tf
+++ b/terraform/azure/azure-linux-vm/main.tf
@@ -25,9 +25,9 @@ locals {
 resource_group_name = azurerm_resource_group.main.name
 location = azurerm_resource_group.main.location
- vpc_cidr_block = module.network.vnet_address_space
- vpc_id = module.network.vnet_id
- subnet_id = module.network.public_subnet_id
+ vpc_cidr_block = module.vpc.vnet_address_space
+ vpc_id = module.vpc.vnet_id
+ subnet_id = module.vpc.public_subnet_id
 network_security_group_id = azurerm_network_security_group.tailscale_ingress.id
 instance_type = "Standard_DS1_v2"
 admin_public_key_path = var.admin_public_key_path
@@ -38,7 +38,7 @@ resource "azurerm_resource_group" "main" {
 name = local.name
 }
-module "network" {
+module "vpc" {
 source = "../internal-modules/azure-network"
 name = local.name
@@ -90,7 +90,7 @@ module "tailscale_azure_linux_virtual_machine" {
 tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.network.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning
+ module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
diff --git a/terraform/azure/azure-linux-vm/outputs.tf b/terraform/azure/azure-linux-vm/outputs.tf
index 7d0ffb2..f228bc9 100644
--- a/terraform/azure/azure-linux-vm/outputs.tf
+++ b/terraform/azure/azure-linux-vm/outputs.tf
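Review bot: Renaming the output to `nat_ids` in terraform/aws/internal-modules/aws-vpc/outputs.tf also changed its value from `module.vpc.natgw_ids` to `module.vpc.nat_ids`, which is not a pure rename. If the inner `module "vpc"` is the registry module terraform-aws-modules/vpc/aws, those are two distinct outputs there — `natgw_ids` lists the NAT gateway IDs and `nat_ids` the Elastic IP allocation IDs — so the `depends_on` consumers in the four AWS examples changed in this commit now wait on the EIPs rather than on the gateways, contrary to the description that was kept. Keep the new output name but restore the value line: `value = module.vpc.natgw_ids`. The Azure counterpart of this rename is unaffected because its value stays `azurerm_nat_gateway.nat.*.id`.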
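Review bot: Renaming `module "network"` to `module "vpc"` in terraform/azure/azure-linux-vm/main.tf changes the address of every resource inside it, so an existing deployment of this example would plan to destroy and recreate the VNet, subnets and NAT gateway rather than keep them; the inner rename in terraform/azure/internal-modules/azure-network/main.tf has the same effect one level down. Pair each renamed module with a `moved` block so Terraform refactors the state in place instead of replacing live network infrastructure; the block can be dropped once all deployments have applied it.
```hcl
// … unchanged: module "vpc" { source = "../internal-modules/azure-network" … } …

moved {
  from = module.network
  to   = module.vpc
}
```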
@@ -1,20 +1,20 @@
 output "vpc_id" {
- value = module.network.vnet_id
+ value = module.vpc.vnet_id
 }
 output "nat_public_ips" {
- value = module.network.nat_public_ips
+ value = module.vpc.nat_public_ips
 }
 output "public_subnet_id" {
- value = module.network.public_subnet_id
+ value = module.vpc.public_subnet_id
 }
 output "private_subnet_id" {
- value = module.network.private_subnet_id
+ value = module.vpc.private_subnet_id
 }
 output "private_dns_resolver_inbound_endpoint_ip" {
- value = module.network.private_dns_resolver_inbound_endpoint_ip
+ value = module.vpc.private_dns_resolver_inbound_endpoint_ip
 }
 output "internal_domain_name_suffix" {
 value = module.tailscale_azure_linux_virtual_machine.internal_domain_name_suffix
diff --git a/terraform/azure/internal-modules/azure-network/main.tf b/terraform/azure/internal-modules/azure-network/main.tf
index 8a7097d..a6952af 100644
--- a/terraform/azure/internal-modules/azure-network/main.tf
+++ b/terraform/azure/internal-modules/azure-network/main.tf
@@ -1,4 +1,4 @@
-module "network" {
+module "vpc" {
 # https://registry.terraform.io/modules/Azure/network/azurerm/latest
 source = "Azure/network/azurerm"
 version = ">= 5.0, < 6.0"
@@ -37,28 +37,28 @@ module "network" {
 data "azurerm_subnet" "public" {
 resource_group_name = var.resource_group_name
- virtual_network_name = module.network.vnet_name
+ virtual_network_name = module.vpc.vnet_name
 name = var.subnet_name_public
- depends_on = [module.network.vnet_subnets]
+ depends_on = [module.vpc.vnet_subnets]
 }
 data "azurerm_subnet" "private" {
 resource_group_name = var.resource_group_name
- virtual_network_name = module.network.vnet_name
+ virtual_network_name = module.vpc.vnet_name
 name = var.subnet_name_private
- depends_on = [module.network.vnet_subnets]
+ depends_on = [module.vpc.vnet_subnets]
 }
 data "azurerm_subnet" "dns-inbound" {
 resource_group_name = var.resource_group_name
- virtual_network_name = module.network.vnet_name
+ virtual_network_name = module.vpc.vnet_name
 name = var.subnet_name_private_dns_resolver
- depends_on = [module.network.vnet_subnets]
+ depends_on = [module.vpc.vnet_subnets]
 }
 # # Private DNS resolver resources
@@ -70,7 +70,7 @@ resource "azurerm_private_dns_resolver" "main" {
 name = var.name
 tags = var.tags
- virtual_network_id = module.network.vnet_id
+ virtual_network_id = module.vpc.vnet_id
 }
 resource "azurerm_private_dns_resolver_inbound_endpoint" "main" {
diff --git a/terraform/azure/internal-modules/azure-network/outputs.tf b/terraform/azure/internal-modules/azure-network/outputs.tf
index 60791fe..68bb83e 100644
--- a/terraform/azure/internal-modules/azure-network/outputs.tf
+++ b/terraform/azure/internal-modules/azure-network/outputs.tf
@@ -1,14 +1,14 @@
 output "vnet_id" {
- value = module.network.vnet_id
+ value = module.vpc.vnet_id
 }
 output "vnet_name" {
- value = module.network.vnet_name
+ value = module.vpc.vnet_name
 }
 output "vnet_address_space" {
- value = module.network.vnet_address_space
+ value = module.vpc.vnet_address_space
 }
 output "vnet_subnets" {
- value = module.network.vnet_subnets
+ value = module.vpc.vnet_subnets
 }
 output "public_subnet_id" {
@@ -40,7 +40,7 @@ output "nat_public_ips" {
 value = azurerm_public_ip.nat.*.ip_address
 }
-output "natgw_ids" {
+output "nat_ids" {
 description = "Useful for using within `depends_on` for other resources"
 value = azurerm_nat_gateway.nat.*.id
 }
diff --git a/terraform/google/google-compute-instance/main.tf b/terraform/google/google-compute-instance/main.tf
index 3713ebb..31b8930 100644
--- a/terraform/google/google-compute-instance/main.tf
+++ b/terraform/google/google-compute-instance/main.tf
@@ -78,7 +78,7 @@ module "tailscale_instance" {
 tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.nat_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
+ module.vpc.nat_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }