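locals {
  # Rule sets for the VPC's default network ACL (consumed by module "vpc"
  # via default_network_acl_ingress / default_network_acl_egress).
  #
  # AWS evaluates NACL rules in ascending rule_no order and applies the
  # first match, so the specific SSH/RDP rules must have lower numbers
  # than the catch-all rule 1000. NACLs are stateless: inbound and
  # outbound are evaluated independently, which is why egress is left
  # wide open (return traffic on ephemeral ports has to pass).
  #
  # Every value is a string. The module declares these inputs as
  # list(map(string)); a bare numeric -1 only works through implicit
  # conversion, so "-1" (the provider's "all protocols" value) is used
  # directly to keep the entries uniformly typed.
  network_acls = {
    default_inbound = [
      {
        # Permit SSH from inside the VPC CIDR (same /16 the module is given).
        rule_no    = 50
        action     = "allow"
        from_port  = 22
        to_port    = 22
        protocol   = "tcp"
        cidr_block = "10.0.0.0/16"
      },
      {
        # Block SSH from any other source; evaluated after rule 50.
        rule_no    = 100
        action     = "deny"
        from_port  = 22
        to_port    = 22
        protocol   = "tcp"
        cidr_block = "0.0.0.0/0"
      },
      {
        # Block RDP from anywhere (no intra-VPC carve-out, unlike SSH).
        rule_no    = 101
        action     = "deny"
        from_port  = 3389
        to_port    = 3389
        protocol   = "tcp"
        cidr_block = "0.0.0.0/0"
      },
      {
        # Catch-all: anything not matched above is allowed from any source.
        # This NACL is only a coarse backstop; per-port restriction belongs
        # in security groups.
        rule_no    = 1000
        action     = "allow"
        from_port  = 0
        to_port    = 0
        protocol   = "-1"
        cidr_block = "0.0.0.0/0"
      },
    ]
    default_outbound = [
      {
        # Allow all egress; needed so stateless return traffic is not dropped.
        rule_no    = 1000
        action     = "allow"
        from_port  = 0
        to_port    = 0
        protocol   = "-1"
        cidr_block = "0.0.0.0/0"
      },
    ]
  }
}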
# https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.15.0"

  name = local.prefix
  cidr = "10.0.0.0/16"

  # One subnet of each tier per AZ; the module pairs index i of every
  # subnet list with azs[i].
  azs              = ["ca-central-1a", "ca-central-1b", "ca-central-1d"]
  public_subnets   = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
  private_subnets  = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
  database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
  intra_subnets    = ["10.0.31.0/24", "10.0.32.0/24", "10.0.33.0/24"]

  # No NAT or VPN gateway: the non-public tiers get no default route out
  # of the VPC.
  enable_nat_gateway = false
  enable_vpn_gateway = false

  # Take over the VPC's default NACL and load the rule sets from
  # local.network_acls instead of leaving AWS's allow-all default.
  manage_default_network_acl  = true
  default_network_acl_ingress = local.network_acls.default_inbound
  default_network_acl_egress  = local.network_acls.default_outbound

  # VPC flow logs shipped to a module-created CloudWatch log group with a
  # module-created IAM role; 30-day retention. The traffic type captured
  # is left at the module default here — pin flow_log_traffic_type
  # explicitly if an audit requirement depends on it.
  enable_flow_log                                 = true
  create_flow_log_cloudwatch_iam_role             = true
  create_flow_log_cloudwatch_log_group            = true
  vpc_flow_log_iam_policy_name                    = format("%s-vpc-flow-log-to-cloudwatch", local.prefix)
  vpc_flow_log_iam_role_name                      = format("%s-vpc-flow-log-role", local.prefix)
  flow_log_cloudwatch_log_group_name_suffix       = local.prefix
  flow_log_cloudwatch_log_group_retention_in_days = 30

  tags = local.common_tags
}