Merge pull request #12 from unifio/0.6.14_enhancements

0.2.0 Module release
unifio · Apr 21, 2016 · e4feaeb · e4feaeb
2 parents 9c3dbe0 + b3de1b5
commit e4feaeb
Show file tree

Hide file tree

Showing 24 changed files with 277 additions and 493 deletions.
diff --git a/.ruby-version b/.ruby-version
@@ -0,0 +1 @@
+2.3.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,15 @@
+## Unreleased
+
+## 0.2.0 (Apr 20, 2016)
+
+#### FEATURES:
+* Added support for configuring instance tenancy.
+* Added support for enabling ClassicLink.
+
+#### IMPROVEMENTS:
+* Verified with Terraform v0.6.14.
+* Migrated NAT features to VPC NAT gateway.
+
 ## 0.1.1 (Dec 1, 2015)
 
 #### FEATURES:

diff --git a/Gemfile b/Gemfile
@@ -1,5 +1,3 @@
 source "http://rubygems.org"
 
-ruby '2.2.3'
-
 gem "rake"
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ Module stack that supports full AWS VPC deployment.  Users can provision a basic
 
 ## Requirements ##
 
-- Terraform 0.6.7 or newer
+- Terraform 0.6.14 or newer
 - AWS provider
 
 ## Base Module ##
@@ -20,10 +20,12 @@ The Base module provisions the VPC, attaches an Internet Gateway, and creates NA
 
 - `stack_item_label` - Short form identifier for this stack.  This value is used to create the "Name" resource tag for resources created by this stack item, and also serves as a unique key for re-use.
 - `stack_item_fullname` - Long form descriptive name for this stack item.  This value is used to create the "application" resource tag for resources created by this stack item.
-- `vpc_cidr` - CIDR block for the VPC.
-- `enable_dns` - (Optional) A boolean flag to enable/disable DNS support in the VPC. Defaults true.
-- `enable_hostnames` - (Optional) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false.
-- `lan_cidr` - Comma separated list of CIDR blocks to be given ingress access to NAT boxes in each subnet.
+- `vpc_cidr` - The CIDR block you want the VPC to cover. For example: 10.0.0.0/16.
+- `instance_tenacy` - The allowed tenancy of instances launched into the VPC. Defaults to 'default'. Only other option at this time is 'dedicated', which will force any instance launched into the VPC to be dedicated, regardless of the tenancy option specified when the instance is launched.
+- `enable_dns` - (Optional) Specifies whether DNS resolution is supported for the VPC. Defaults to true.
+- `enable_hostnames` - (Optional) Specifies whether the instances launched in the VPC get DNS hostnames. Defaults to true.
+- `enable_classiclink` - (Optional) Specifies whether ClassicLink is enabled for the VPC. Defaults to false.
+- `flow_log_traffic_type` - (Optional) The type of traffic to capture. Valid values: ACCEPT,REJECT,ALL.
 
 
 ### Usage ###
@@ -37,17 +39,15 @@ module "vpc_base" {
   vpc_cidr = "10.10.0.0/22"
   enable_dns = true
   enable_hostnames = false
-  lan_cidr = "10.10.2.0/25,10.10.2.128/25,10.10.3.0/25"
 }
 ```
 
 ### Outputs ###
 
-- `vpc_id` - ID of the VPC
-- `igw_id` - ID of the Internet gateway
-- `rt_dmz_id` - ID of the DMZ routing table
-- `nat_sg_id` - ID of NAT security group
-- `flow_log_id` - ID of the AWS flow log
+- `vpc_id` - ID of the VPC.
+- `igw_id` - ID of the Internet gateway.
+- `rt_dmz_id` - ID of the DMZ routing table.
+- `flow_log_id` - ID of the AWS flow log.
 
 ## DHCP module ##
 
@@ -58,7 +58,7 @@ The DHCP module provisions a DHCP options resource and associates it with the sp
 - `vpc_id` - ID of the VPC to associate the DHCP Options Set with.
 - `stack_item_label` - Short form identifier for this stack.  This value is used to create the "Name" resource tag for resources created by this stack item, and also serves as a unique key for re-use.
 - `stack_item_fullname` - Long form descriptive name for this stack item.  This value is used to create the "application" resource tag for resources created by this stack item.
-- `domain_name` - (Optional) the suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the /etc/resolv.conf file.
+- `domain_name` - (Optional) The suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the /etc/resolv.conf file.
 - `name_servers` - (Optional) List of name servers to configure in /etc/resolv.conf.
 - `ntp_servers` - (Optional) List of NTP servers to configure.
 - `netbios_name_servers` -  (Optional) List of NETBIOS name servers.
@@ -69,7 +69,6 @@ The DHCP module provisions a DHCP options resource and associates it with the sp
 The usage examples may assume that previous modules in this stack have already been declared, such as the base module, instantiated as "vpc_base".  This declaration is not necessary, but does promote a consistent and maintainable standard.
 
 ```js
-
 module "dhcp" {
   source = "github.com/terraform-aws-vpc//dhcp"
 
@@ -86,7 +85,7 @@ module "dhcp" {
 
 ### Outputs ###
 
-- `dhcp_id` - ID of the DHCP Options set
+- `dhcp_id` - ID of the DHCP Options set.
 
 ## VPG Module ##
 
@@ -118,30 +117,20 @@ module "vpg" {
 
 ## AZ Module ##
 
-In each Availability Zone provided, this module provisions a NAT instance, and creates subnets and routing tables for a public (DMZ) and private (LAN) sub networks.  The remote access information for the NAT instance is output to user data.
+In each Availability Zone provided, this module provisions subnets and routing tables for a public (DMZ) and private (LAN) sub-networks.
 
 ### Input Variables ###
 
 - `stack_item_label` - Short form identifier for this stack.  This value is used to create the "Name" resource tag for resources created by this stack item, and also serves as a unique key for re-use.
 - `stack_item_fullname` - Long form descriptive name for this stack item.  This value is used to create the "application" resource tag for resources created by this stack item.
-- `vpc_id` - ID of the VPC to use.
-- `region` - AWS region to deploy in.
-- `az` - Comma separated list of Availability Zones (AZs) in which to create the previously described infrastructure.
-- `dmz_cidr` -Comma separated list of CIDR blocks to be used for DMZ subnet.  This list should correspond 1:1 to each AZ.
-- `lan_cidr` - Comma separated list of CIDR blocks to be used for LAN subnet.  This list should correspond 1:1 to each AZ.
-- `lans_per_az` - The number of private subnets to be provisioned per AZ. You will need to double the CIDR blocks specified in the `lan_cidr` variable for each increase in this value.
-- `enable_dmz_public_ips` - Specify true to indicate that instances launched into the subnet should be assigned a public IP address.  Defaults to true.
-- `rt_dmz_id` - ID of the DMZ route table for this VPC.
-- `ami` - AWS AMI to use when creating NAT instance in each AZ.
-- `instance_type` - EC2 instance type to be used.
-- `key_name` -  The key name to use for the NAT instances.
-- `nat_sg_id` - ID of the NAT security group.
-- `user_data` - User data to associate with the NAT instance.
-- `enable_nats` - Set to "true" to allocate NAT instances for each DMZ subnet.  Default is "true"
-- `enable_nat_eip` - Set to "true" to assign an Elastic IP to each of the NAT machines created.  Default is "false"
-- `enable_nat_auto_recovery` - Set to "true" or "false".  "false" disables and "true" enables.  If enabled, CloudWatch alarms will be created that will automatically recover the NAT instances, preserving its instance id, ip, etc. in the case of system failure.  Default is "false".  Please check that the AMI used for the NAT supports recovery of its instances.
-- `period` - The period in seconds over which a system failure in the NAT instance occurs. Not used if enable_nat_auto_recovery is 0.
-- `evaluation_periods` - The number of consecutive periods in which the system failure must occur for the alarm to fire.  Not used if enable_nat_auto_recovery is 0.
+- `vpc_id` - ID of the VPC.
+- `region` - The AWS region.
+- `az` - Availability zone(s).  Will accept a comma delimited string.
+- `dmz_cidr` - The CIDR block(s) you want the DMZ subnet(s) to cover.  Will accept a comma delimited string.  This list should correspond 1:1 to each AZ.
+- `lan_cidr` - The CIDR block(s) you want the LAN subnet(s) to cover.  Will accept a comma delimited string.  This list should correspond 1:1 to each AZ.
+- `lans_per_az` - (Optional) The number of private LAN subnets to be provisioned per AZ.  You will need to double the CIDR blocks specified in the `lan_cidr` variable for each increase in this value.  Defaults to 1.
+- `enable_dmz_public_ips` - (Optional) Specify true to indicate that instances launched into the DMZ subnet should be assigned a public IP address.  Defaults to true.
+- `rt_dmz_id` - The ID of the DMZ routing table.
 
 ### Usage ###
 
@@ -159,21 +148,20 @@ module "AZs" {
     dmz_cidr = "10.10.0.0/25,10.10.0.128/25,10.10.1.0/25"
     lan_cidr = "10.10.2.0/25,10.10.2.128/25,10.10.3.0/25"
     lans_per_az = "1"
-    enable_dmz_public_ips = "true"
+    enable_dmz_public_ips = true
     rt_dmz_id = "${module.vpc_base.rt_dmz_id}"
-    ami = "ami-xxxxxxxx"
-    instance_type = "t2.micro"
-    key_name = "ops"
-    nat_sg_id = "${module.vpc_base.nat_sg_id}"
-    user_data = "${template_file.templ.rendered}"
 }
 ```
 
 ### Outputs ###
 
-- `lan_id` - List of subnet IDs of the LAN subnetworks.  The order and association of the IDs match the order of the availability zones passed to the module.
-- `dmz_id` - List of subnet IDs of the DMZ subnetworks.  The order and association of the IDs match the order of the availability zones passed to the module.
-- `nat_eip_id` - List of Elastic IP IDs for each of the NAT machines.
+** The order and association of the IDs match the order of the availability zones passed to the module.
+
+- `lan_id` - List of subnet IDs of the LAN subnetworks.
+- `dmz_id` - List of subnet IDs of the DMZ subnetworks.
+- `eip_nat_id` - List of Elastic IP IDs for each of the NAT gateways.
+- `nat_id` - List of NAT gateways IDs.
+- `rt_lan_id` - List of routing table IDs for the LAN subnets.
 
 ## Examples ##
 

diff --git a/Rakefile b/Rakefile
@@ -19,7 +19,7 @@ task :verify do
     vars.push("-var #{var}=\"#{value}\"")
   end
 
-  ['basic', 'full_stack', 'disable_nats'].each do |stack|
+  ['basic', 'full_stack'].each do |stack|
     task_args = {:stack => stack, :args => vars.join(' ')}
     Rake::Task['clean'].execute(Rake::TaskArguments.new(task_args.keys, task_args.values))
     Rake::Task['plan'].execute(Rake::TaskArguments.new(task_args.keys, task_args.values))

diff --git a/az/main.tf b/az/main.tf
@@ -1,4 +1,4 @@
-# VPC AZ
+# VPC Availability Zone
 
 ## Provisions DMZ resources
 
@@ -24,46 +24,16 @@ resource "aws_route_table_association" "rta_dmz" {
   route_table_id = "${var.rt_dmz_id}"
 }
 
-### Provisions NAT instance
-resource "aws_instance" "nat" {
-  count = "${length(split(",",var.az)) * lookup(var.decision_tree,var.enable_nats)}"
-  instance_type = "${var.instance_type}"
-  ami = "${var.ami}"
-  key_name = "${var.key_name}"
-  vpc_security_group_ids = ["${var.nat_sg_id}"]
+### Provisions NAT gateway
+resource "aws_nat_gateway" "nat" {
+  count = "${length(split(",",var.az))}"
+  allocation_id = "${element(aws_eip.eip_nat.*.id,count.index)}"
   subnet_id = "${element(aws_subnet.dmz.*.id,count.index)}"
-  source_dest_check = false
-  user_data = "${var.user_data}"
-
-  tags {
-    Name = "${var.stack_item_label}-nat-${count.index}"
-    application = "${var.stack_item_fullname}"
-    managed_by = "terraform"
-  }
 }
 
-resource "aws_eip" "nat_eip" {
-  count = "${length(split(",",var.az)) * lookup(var.decision_tree,var.enable_nat_eip) * lookup(var.decision_tree,var.enable_nats)}"
+resource "aws_eip" "eip_nat" {
+  count = "${length(split(",",var.az))}"
   vpc = true
-  instance = "${element(aws_instance.nat.*.id,count.index)}"
-}
-
-## Add CloudWatch alarm to recover instance in the case of a fault
-resource "aws_cloudwatch_metric_alarm" "recover_alarm" {
-  count = "${length(split(",",var.az)) * lookup(var.decision_tree,var.enable_nats) * lookup(var.decision_tree,var.enable_nat_auto_recovery)}"
-  alarm_name = "${var.stack_item_label}-nat-${count.index}-alarm"
-  dimensions = {
-    InstanceId = "${element(aws_instance.nat.*.id, count.index)}"
-  }
-  metric_name = "StatusCheckFailed"
-  namespace = "AWS/EC2"
-  statistic = "Average"
-  comparison_operator = "GreaterThanThreshold"
-  threshold = "0"
-  period = "${var.period}"
-  evaluation_periods = "${var.evaluation_periods}"
-  alarm_description = "Recover instance upon series of StatusCheckFailed events"
-  alarm_actions = [ "arn:aws:automate:${var.region}:ec2:recover" ]
 }
 
 ## Provisions LAN resources
@@ -87,11 +57,6 @@ resource "aws_route_table" "rt_lan" {
   count = "${length(split(",",var.az)) * var.lans_per_az}"
   vpc_id = "${var.vpc_id}"
 
-  route {
-    cidr_block = "0.0.0.0/0"
-    instance_id = "${element(aws_instance.nat.*.id,count.index)}"
-  }
-
   tags {
     Name = "${var.stack_item_label}-lan-${count.index}"
     application = "${var.stack_item_fullname}"

diff --git a/az/outputs.tf b/az/outputs.tf
@@ -9,6 +9,16 @@ output "lan_id" {
   value = "${join(",",aws_subnet.lan.*.id)}"
 }
 
-output "nat_eip_id" {
-  value = "${join(",",aws_eip.nat_eip.*.id)}"
+## Returns information about the NATs
+output "eip_nat_id" {
+  value = "${join(",",aws_eip.eip_nat.*.id)}"
+}
+
+output "nat_id" {
+  value = "${join(",",aws_nat_gateway.nat.*.id)}"
+}
+
+## Returns the routing table ID
+output "rt_lan_id" {
+  value = "${join(",",aws_route_table.rt_lan.*.id)}"
 }
diff --git a/az/variables.tf b/az/variables.tf
@@ -1,49 +1,47 @@
 # Input variables
 
 ## Resource tags
-variable "stack_item_label" {}
-variable "stack_item_fullname" {}
+variable "stack_item_label" {
+  type = "string"
+  description = "Short form identifier for this stack. This value is used to create the 'Name' resource tag for resources created by this stack item, and also serves as a unique key for re-use."
+}
+variable "stack_item_fullname" {
+  type = "string"
+  description = "Long form descriptive name for this stack item. This value is used to create the 'application' resource tag for resources created by this stack item."
+}
 
 ## VPC parameters
-variable "vpc_id" {}
-variable "region" {}
-variable "az" {}
-variable "dmz_cidr" {}
-variable "lan_cidr" {}
-variable "enable_dmz_public_ips" {
-  default = true
+variable "vpc_id" {
+  type = "string"
+  description = "The ID of the VPC"
 }
-variable "lans_per_az" {
-  default = 1
+variable "region" {
+  type = "string"
+  description = "The AWS region"
 }
-variable "rt_dmz_id" {}
-
-## NAT parameters
-variable "user_data" {}
-variable "ami" {}
-variable "instance_type" {}
-variable "key_name" {}
-variable "nat_sg_id" {}
-variable "enable_nats" {
-  default = "true"
+variable "az" {
+  type = "string"
+  description = "Availability zone(s). Will accept a comma delimited string."
 }
-variable "enable_nat_auto_recovery" {
-  default = "false"
+variable "dmz_cidr" {
+  type = "string"
+  description = "The CIDR block(s) you want the DMZ subnet(s) to cover. Will accept a comma delimited string."
 }
-variable "period" {
-  default = 60
+variable "lan_cidr" {
+  type = "string"
+  description = "The CIDR block(s) you want the LAN subnet(s) to cover. Will accept a comma delimited string."
 }
-variable "evaluation_periods" {
-  default = 2
+variable "lans_per_az" {
+  type = "string"
+  description = "The number of private LAN subnets to be provisioned per AZ"
+  default = 1
 }
-variable "enable_nat_eip" {
-  default = "false"
+variable "enable_dmz_public_ips" {
+  type = "string"
+  description = "Specify true to indicate that instances launched into the DMZ subnet should be assigned a public IP address"
+  default = true
 }
-
-# Internal variables
-variable "decision_tree" {
-  default = {
-    "false" = 0
-    "true" = 1
-  }
+variable "rt_dmz_id" {
+  type = "string"
+  description = "The ID of the DMZ routing table"
 }