webserver.tf
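# Port the web application listens on. It is only consumed by the
# allow_webapp_from_vpc security group below (from_port/to_port), so changing
# it moves the VPC-internal ingress rule, not the application itself.
# Kept as a quoted "string" type to stay compatible with the 0.11-style
# interpolation syntax used throughout this file.
variable "web_app_port" {
  description = "TCP port the web application listens on; used for the VPC-internal ingress rule of allow_webapp_from_vpc."
  type        = "string"
  default     = "5000"
}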
# Renders userdata.tpl (located next to this module) into the string that the
# web server instance receives as user_data. The only value passed into the
# template is the id of the code bucket the instance is allowed to read.
# NOTE(review): EC2 user data is retrievable by any process on the instance
# through the instance metadata service, so it must not carry secrets.
# userdata.tpl is not visible here — confirm it embeds only the bucket id and
# other non-sensitive bootstrap configuration.
data "template_file" "user_data" {
  template = "${file("${path.module}/userdata.tpl")}"

  vars = {
    code_bucket = "${aws_s3_bucket.codebucket.id}"
  }
}
# IAM role assumed by the web server instance via its instance profile.
# The trust policy permits only the EC2 service principal to assume it, so the
# role cannot be picked up by users or other services. Permissions are attached
# separately (see aws_iam_role_policy.allow_codebucket_read).
resource "aws_iam_role" "webserver" {
  name = "${var.project}-webserver-${terraform.workspace}"
  path = "/"

  tags = {
    Name        = "${var.project}-webserver-${terraform.workspace}"
    project     = "${var.project}"
    Environment = "${terraform.workspace}"
  }

  # Trust policy: only ec2.amazonaws.com may call sts:AssumeRole on this role.
  assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
# Inline policy granting the web server read-only access to the code bucket:
# s3:ListBucket on the bucket ARN itself, and s3:Get* on every object key
# under it. The bucket is referenced by ARN, so the grant cannot drift to
# another bucket if the name changes.
# NOTE(review): "s3:Get*" also matches actions such as GetObjectAcl and
# GetObjectTagging, not just GetObject. If userdata.tpl only downloads files,
# "s3:GetObject" (plus "s3:GetObjectVersion" on a versioned bucket) is the
# least-privilege set — confirm against the template before narrowing.
resource "aws_iam_role_policy" "allow_codebucket_read" {
  name = "${var.project}-allow-codebucket-read-${terraform.workspace}"
  role = "${aws_iam_role.webserver.id}"

  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["${aws_s3_bucket.codebucket.arn}"]
},
{
"Sid": "AllObjectRead",
"Effect": "Allow",
"Action": "s3:Get*",
"Resource": ["${aws_s3_bucket.codebucket.arn}/*"]
}
]
}
EOF
}
# Instance profile that hands the webserver IAM role to the EC2 instance.
# The instance references this profile by name (aws_instance.webserver).
resource "aws_iam_instance_profile" "webserver" {
  role = "${aws_iam_role.webserver.name}"
  name = "${var.project}-webserver-${terraform.workspace}"
}
# Ingress-only security group: TCP/22 from the bastion's private IP (/32) and
# nothing else. No egress block is declared, so the AWS provider removes the
# default allow-all egress rule; outbound traffic for the instance comes from
# the separately defined allow_outbound group (attached in aws_instance.webserver).
# NOTE(review): binding to the bastion's IP means the rule follows the address,
# not the host; if the bastion has its own security group, referencing it via
# `security_groups = ["<bastion SG id>"]` (placeholder) ties the rule to the
# bastion itself and survives an IP change without a plan diff — verify the
# bastion SG exists before switching.
resource "aws_security_group" "allow_ssh_from_bastion" {
  name        = "${var.project}-allow-ssh-from-bastion-${terraform.workspace}"
  description = "Allow ssh from bastion"
  vpc_id      = "${aws_vpc.this.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${aws_instance.bastion.private_ip}/32"]
  }

  tags = {
    Name        = "${var.project}-allow-ssh-from-bastion-${terraform.workspace}"
    project     = "${var.project}"
    Environment = "${terraform.workspace}"
  }
}
# Ingress-only security group: TCP on var.web_app_port from the whole VPC CIDR.
# As with allow_ssh_from_bastion, no egress block is declared; outbound rules
# live in the allow_outbound group attached to the instance.
# NOTE(review): the VPC CIDR admits every host in the VPC, not just the tier
# that fronts the application. The instance sits in a subnet named
# proxy_internal_a, which suggests a proxy tier; if only that tier should reach
# the app port, replace cidr_blocks with `security_groups = ["<proxy SG id>"]`
# (placeholder) — confirm the proxy's security group before narrowing.
resource "aws_security_group" "allow_webapp_from_vpc" {
  name        = "${var.project}-allow-webapp-from-vpc-${terraform.workspace}"
  description = "Allow webapp from vpc"
  vpc_id      = "${aws_vpc.this.id}"

  ingress {
    from_port   = "${var.web_app_port}"
    to_port     = "${var.web_app_port}"
    protocol    = "tcp"
    cidr_blocks = ["${aws_vpc.this.cidr_block}"]
  }

  tags = {
    Name        = "${var.project}-allow-webapp-from-vpc-${terraform.workspace}"
    project     = "${var.project}"
    Environment = "${terraform.workspace}"
  }
}
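# Name of the EC2 key pair attached to the web server. The pair must already
# exist in the target account and region. Previously hard-coded as "WebServer"
# inside the resource; the default preserves that value so existing workspaces
# see no plan diff.
variable "webserver_key_name" {
  description = "Name of an existing EC2 key pair attached to the web server instance."
  type        = "string"
  default     = "WebServer"
}

# Private web server instance: no public IP, reachable only on TCP/22 from the
# bastion and on the app port from inside the VPC (the two security groups in
# this file). The instance profile grants read-only access to the code bucket,
# and user_data bootstraps the application from that bucket.
resource "aws_instance" "webserver" {
  ami                         = "${data.aws_ami.amazonlinux.id}"
  instance_type               = "t3.small"
  subnet_id                   = "${aws_subnet.proxy_internal_a.id}"
  associate_public_ip_address = false

  # allow_outbound is defined outside this file; it supplies the egress rules
  # that the two ingress-only groups in this file do not declare.
  vpc_security_group_ids = [
    "${aws_security_group.allow_ssh_from_bastion.id}",
    "${aws_security_group.allow_webapp_from_vpc.id}",
    "${aws_security_group.allow_outbound.id}",
  ]

  user_data            = "${data.template_file.user_data.rendered}"
  iam_instance_profile = "${aws_iam_instance_profile.webserver.name}"

  # Parameterised so each environment can supply its own key pair without
  # editing this file.
  key_name = "${var.webserver_key_name}"

  # NOTE(review): consider requiring IMDSv2 (metadata_options { http_tokens = "required" })
  # and an encrypted root volume (root_block_device { encrypted = true }) once
  # the pinned AWS provider version is confirmed to support those arguments —
  # not added here because the provider version is not visible in this file.

  tags = {
    Name        = "${var.project}-webserver-${terraform.workspace}"
    project     = "${var.project}"
    Environment = "${terraform.workspace}"
  }
}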