diff --git a/terraform/aws/templates/base.tf b/terraform/aws/templates/base.tf index e0d2bbdb7..7fc6ca066 100644 --- a/terraform/aws/templates/base.tf +++ b/terraform/aws/templates/base.tf @@ -1,22 +1,22 @@ terraform { required_providers { aws = { - source = "hashicorp/aws" + source = "hashicorp/aws" version = ">= 3.49" } tls = { - source = "hashicorp/tls" + source = "hashicorp/tls" version = ">= 3.1" } } } provider "aws" { - access_key = "${var.access_key}" - secret_key = "${var.secret_key}" - region = "${var.region}" + access_key = var.access_key + secret_key = var.secret_key + region = var.region assume_role { - role_arn = "${var.role_arn}" + role_arn = var.role_arn } } @@ -33,7 +33,7 @@ variable "region" { } variable "role_arn" { - type = string + type = string default = "" } @@ -42,7 +42,7 @@ variable "bosh_inbound_cidr" { } variable "availability_zones" { - type = list + type = list(any) } variable "env_id" { @@ -53,6 +53,11 @@ variable "short_env_id" { type = string } +variable "dualstack" { + type = bool + default = false +} + variable "vpc_cidr" { type = string default = "10.0.0.0/16" @@ -70,13 +75,13 @@ resource "tls_private_key" "bosh_vms" { resource "aws_key_pair" "bosh_vms" { key_name = "${var.env_id}_bosh_vms" - public_key = "${tls_private_key.bosh_vms.public_key_openssh}" + public_key = tls_private_key.bosh_vms.public_key_openssh } resource "aws_security_group" "nat_security_group" { name = "${var.env_id}-nat-security-group" description = "NAT" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id tags = { Name = "${var.env_id}-nat-security-group" 
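Review bot: `variable "availability_zones"` moves from the legacy `list` to `list(any)`, which still leaves the element type unconstrained even though every use in this file (`element(var.availability_zones, count.index)` feeding `availability_zone` on `internal_subnets`, and `length()` for `count`) expects strings. `type = list(string)` states that contract and lets Terraform reject a mistyped input at plan time instead of at apply time; any value that worked with `list` still works with `list(string)`.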
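Review bot: `variable "dualstack"` is added without a `description`, yet it changes subnet addressing, routing and the CIDR entries of most security groups in this module, so an operator reading `terraform plan` or the variables file has nothing telling them what enabling it implies. Suggest `description = "Enable IPv6 (dual-stack) networking: assigns IPv6 CIDRs to the subnets, adds ::/0 routes via an egress-only gateway and adds IPv6 entries to the security-group rules. Requires the VPC to have an IPv6 CIDR block."`, with the last sentence adjusted to however the VPC's IPv6 block is provisioned (the `aws_vpc` resource this commit dereferences as `aws_vpc.vpc[0]` is outside the diff).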
@@ -88,48 +93,50 @@ resource "aws_security_group" "nat_security_group" { } resource "aws_security_group_rule" "nat_to_internet_rule" { - security_group_id = "${aws_security_group.nat_security_group.id}" + security_group_id = aws_security_group.nat_security_group.id - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group_rule" "nat_icmp_rule" { - security_group_id = "${aws_security_group.nat_security_group.id}" + security_group_id = aws_security_group.nat_security_group.id - type = "ingress" - protocol = "icmp" - from_port = -1 - to_port = -1 - cidr_blocks = ["0.0.0.0/0"] + type = "ingress" + protocol = "icmp" + from_port = -1 + to_port = -1 + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group_rule" "nat_tcp_rule" { - security_group_id = "${aws_security_group.nat_security_group.id}" + security_group_id = aws_security_group.nat_security_group.id type = "ingress" protocol = "tcp" from_port = 0 to_port = 65535 - source_security_group_id = "${aws_security_group.internal_security_group.id}" + source_security_group_id = aws_security_group.internal_security_group.id } resource "aws_security_group_rule" "nat_udp_rule" { - security_group_id = "${aws_security_group.nat_security_group.id}" + security_group_id = aws_security_group.nat_security_group.id type = "ingress" protocol = "udp" from_port = 0 to_port = 65535 - source_security_group_id = "${aws_security_group.internal_security_group.id}" + source_security_group_id = aws_security_group.internal_security_group.id } resource "aws_nat_gateway" "nat" { - subnet_id = "${aws_subnet.bosh_subnet.id}" - allocation_id = "${aws_eip.nat_eip.id}" + subnet_id = aws_subnet.bosh_subnet.id + allocation_id = aws_eip.nat_eip.id tags = { Name = "${var.env_id}-nat" 
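Review bot: `nat_icmp_rule` keeps `protocol = "icmp"` while gaining `ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null`; as far as I know AWS treats ICMP (protocol 1) and ICMPv6 (protocol 58) as distinct protocols in security-group rules, so this entry admits no ICMPv6 traffic at all (IPv6 path-MTU discovery and echo would still be dropped). The same applies to `internal_security_group_rule_icmp` in the hunk at -183. If IPv6 ICMP is wanted it needs its own rule with `protocol = "icmpv6"`, for example the resource below (plus a sibling for the internal group); the `ipv6_cidr_blocks` line on the existing `icmp` rules should then be removed so the rules do not read as if they covered IPv6.
```hcl
resource "aws_security_group_rule" "nat_icmpv6_rule" {
  count             = var.dualstack ? 1 : 0
  security_group_id = aws_security_group.nat_security_group.id

  type             = "ingress"
  protocol         = "icmpv6"
  from_port        = -1
  to_port          = -1
  ipv6_cidr_blocks = ["::/0"]
}
```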
@@ -147,13 +154,13 @@ resource "aws_eip" "nat_eip" { } resource "aws_default_security_group" "default_security_group" { - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id } resource "aws_security_group" "internal_security_group" { name = "${var.env_id}-internal-security-group" description = "Internal" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id tags = { Name = "${var.env_id}-internal-security-group" @@ -165,7 +172,7 @@ resource "aws_security_group" "internal_security_group" { } resource "aws_security_group_rule" "internal_security_group_rule_tcp" { - security_group_id = "${aws_security_group.internal_security_group.id}" + security_group_id = aws_security_group.internal_security_group.id type = "ingress" protocol = "tcp" from_port = 0 @@ -174,7 +181,7 @@ resource "aws_security_group_rule" "internal_security_group_rule_tcp" { } resource "aws_security_group_rule" "internal_security_group_rule_udp" { - security_group_id = "${aws_security_group.internal_security_group.id}" + security_group_id = aws_security_group.internal_security_group.id type = "ingress" protocol = "udp" from_port = 0 
@@ -183,36 +190,38 @@ resource "aws_security_group_rule" "internal_security_group_rule_udp" { } resource "aws_security_group_rule" "internal_security_group_rule_icmp" { - security_group_id = "${aws_security_group.internal_security_group.id}" + security_group_id = aws_security_group.internal_security_group.id type = "ingress" protocol = "icmp" from_port = -1 to_port = -1 cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group_rule" "internal_security_group_rule_allow_internet" { - security_group_id = "${aws_security_group.internal_security_group.id}" + security_group_id = aws_security_group.internal_security_group.id type = "egress" protocol = "-1" from_port = 0 to_port = 0 cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group_rule" "internal_security_group_rule_ssh" { - security_group_id = "${aws_security_group.internal_security_group.id}" + security_group_id = aws_security_group.internal_security_group.id type = "ingress" protocol = "TCP" from_port = 22 to_port = 22 - source_security_group_id = "${aws_security_group.jumpbox.id}" + source_security_group_id = aws_security_group.jumpbox.id } resource "aws_security_group" "bosh_security_group" { name = "${var.env_id}-bosh-security-group" description = "BOSH Director" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id tags = { Name = "${var.env_id}-bosh-security-group" 
@@ -224,81 +233,82 @@ resource "aws_security_group" "bosh_security_group" { } resource "aws_security_group_rule" "bosh_security_group_rule_tcp_ssh" { - security_group_id = "${aws_security_group.bosh_security_group.id}" + security_group_id = aws_security_group.bosh_security_group.id type = "ingress" protocol = "tcp" from_port = 22 to_port = 22 - source_security_group_id = "${aws_security_group.jumpbox.id}" + source_security_group_id = aws_security_group.jumpbox.id } resource "aws_security_group_rule" "bosh_security_group_rule_tcp_bosh_agent" { - security_group_id = "${aws_security_group.bosh_security_group.id}" + security_group_id = aws_security_group.bosh_security_group.id type = "ingress" protocol = "tcp" from_port = 6868 to_port = 6868 - source_security_group_id = "${aws_security_group.jumpbox.id}" + source_security_group_id = aws_security_group.jumpbox.id } resource "aws_security_group_rule" "bosh_security_group_rule_uaa" { - security_group_id = "${aws_security_group.bosh_security_group.id}" + security_group_id = aws_security_group.bosh_security_group.id type = "ingress" protocol = "tcp" from_port = 8443 to_port = 8443 - source_security_group_id = "${aws_security_group.jumpbox.id}" + source_security_group_id = aws_security_group.jumpbox.id } resource "aws_security_group_rule" "bosh_security_group_rule_credhub" { - security_group_id = "${aws_security_group.bosh_security_group.id}" + security_group_id = aws_security_group.bosh_security_group.id type = "ingress" protocol = "tcp" from_port = 8844 to_port = 8844 - source_security_group_id = "${aws_security_group.jumpbox.id}" + source_security_group_id = aws_security_group.jumpbox.id } resource "aws_security_group_rule" "bosh_security_group_rule_tcp_director_api" { - security_group_id = "${aws_security_group.bosh_security_group.id}" + security_group_id = aws_security_group.bosh_security_group.id type = "ingress" protocol = "tcp" from_port = 25555 to_port = 25555 - source_security_group_id = 
"${aws_security_group.jumpbox.id}" + source_security_group_id = aws_security_group.jumpbox.id } resource "aws_security_group_rule" "bosh_security_group_rule_tcp" { - security_group_id = "${aws_security_group.bosh_security_group.id}" + security_group_id = aws_security_group.bosh_security_group.id type = "ingress" protocol = "tcp" from_port = 0 to_port = 65535 - source_security_group_id = "${aws_security_group.internal_security_group.id}" + source_security_group_id = aws_security_group.internal_security_group.id } resource "aws_security_group_rule" "bosh_security_group_rule_udp" { - security_group_id = "${aws_security_group.bosh_security_group.id}" + security_group_id = aws_security_group.bosh_security_group.id type = "ingress" protocol = "udp" from_port = 0 to_port = 65535 - source_security_group_id = "${aws_security_group.internal_security_group.id}" + source_security_group_id = aws_security_group.internal_security_group.id } resource "aws_security_group_rule" "bosh_security_group_rule_allow_internet" { - security_group_id = "${aws_security_group.bosh_security_group.id}" + security_group_id = aws_security_group.bosh_security_group.id type = "egress" protocol = "-1" from_port = 0 to_port = 0 cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group" "jumpbox" { name = "${var.env_id}-jumpbox-security-group" description = "Jumpbox" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id tags = { Name = "${var.env_id}-jumpbox-security-group" 
@@ -310,71 +320,80 @@ resource "aws_security_group" "jumpbox" { } resource "aws_security_group_rule" "jumpbox_ssh" { - security_group_id = "${aws_security_group.jumpbox.id}" + security_group_id = aws_security_group.jumpbox.id type = "ingress" protocol = "tcp" from_port = 22 to_port = 22 cidr_blocks = ["${var.bosh_inbound_cidr}"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group_rule" "jumpbox_rdp" { - security_group_id = "${aws_security_group.jumpbox.id}" + security_group_id = aws_security_group.jumpbox.id type = "ingress" protocol = "tcp" from_port = 3389 to_port = 3389 cidr_blocks = ["${var.bosh_inbound_cidr}"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group_rule" "jumpbox_agent" { - security_group_id = "${aws_security_group.jumpbox.id}" + security_group_id = aws_security_group.jumpbox.id type = "ingress" protocol = "tcp" from_port = 6868 to_port = 6868 cidr_blocks = ["${var.bosh_inbound_cidr}"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group_rule" "jumpbox_director" { - security_group_id = "${aws_security_group.jumpbox.id}" + security_group_id = aws_security_group.jumpbox.id type = "ingress" protocol = "tcp" from_port = 25555 to_port = 25555 cidr_blocks = ["${var.bosh_inbound_cidr}"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } resource "aws_security_group_rule" "jumpbox_egress" { - security_group_id = "${aws_security_group.jumpbox.id}" + security_group_id = aws_security_group.jumpbox.id type = "egress" protocol = "-1" from_port = 0 to_port = 0 cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? 
["::/0"] : null } resource "aws_security_group_rule" "bosh_internal_security_rule_tcp" { - security_group_id = "${aws_security_group.internal_security_group.id}" + security_group_id = aws_security_group.internal_security_group.id type = "ingress" protocol = "tcp" from_port = 0 to_port = 65535 - source_security_group_id = "${aws_security_group.bosh_security_group.id}" + source_security_group_id = aws_security_group.bosh_security_group.id } resource "aws_security_group_rule" "bosh_internal_security_rule_udp" { - security_group_id = "${aws_security_group.internal_security_group.id}" + security_group_id = aws_security_group.internal_security_group.id type = "ingress" protocol = "udp" from_port = 0 to_port = 65535 - source_security_group_id = "${aws_security_group.bosh_security_group.id}" + source_security_group_id = aws_security_group.bosh_security_group.id } resource "aws_subnet" "bosh_subnet" { - vpc_id = "${local.vpc_id}" - cidr_block = "${cidrsubnet(var.vpc_cidr, 8, 0)}" + vpc_id = local.vpc_id + cidr_block = cidrsubnet(var.vpc_cidr, 8, 0) + ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, 0)}" : null + + assign_ipv6_address_on_creation = var.dualstack + enable_dns64 = var.dualstack tags = { Name = "${var.env_id}-bosh-subnet" 
@@ -382,25 +401,36 @@ resource "aws_subnet" "bosh_subnet" { } resource "aws_route_table" "bosh_route_table" { - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id } resource "aws_route" "bosh_route_table" { destination_cidr_block = "0.0.0.0/0" - gateway_id = "${aws_internet_gateway.ig.id}" - route_table_id = "${aws_route_table.bosh_route_table.id}" + gateway_id = aws_internet_gateway.ig.id + route_table_id = aws_route_table.bosh_route_table.id +} + +resource "aws_route" "bosh_route_table_ipv6" { + count = var.dualstack ? 1 : 0 + route_table_id = aws_route_table.bosh_route_table.id + destination_ipv6_cidr_block = "::/0" + egress_only_gateway_id = aws_egress_only_internet_gateway.egress_ipv6[0].id } resource "aws_route_table_association" "route_bosh_subnets" { - subnet_id = "${aws_subnet.bosh_subnet.id}" - route_table_id = "${aws_route_table.bosh_route_table.id}" + subnet_id = aws_subnet.bosh_subnet.id + route_table_id = aws_route_table.bosh_route_table.id } resource "aws_subnet" "internal_subnets" { - count = "${length(var.availability_zones)}" - vpc_id = "${local.vpc_id}" - cidr_block = "${cidrsubnet(var.vpc_cidr, 4, count.index+1)}" - availability_zone = "${element(var.availability_zones, count.index)}" + count = length(var.availability_zones) + vpc_id = local.vpc_id + cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index + 1) + availability_zone = element(var.availability_zones, count.index) + ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, count.index + 1)}" : null + + assign_ipv6_address_on_creation = var.dualstack + enable_dns64 = var.dualstack tags = { Name = "${var.env_id}-internal-subnet${count.index}" 
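Review bot: `enable_dns64 = var.dualstack` is set on `internal_subnets` (and on `bosh_subnet` in the previous hunk), but no route for `64:ff9b::/96` to `aws_nat_gateway.nat` is added: the only IPv6 route these tables receive is `::/0` to the egress-only gateway, and the NAT gateway route in `nated_route_table` stays IPv4-only. DNS64 makes the VPC resolver synthesize `64:ff9b::/96` AAAA answers for IPv4-only names, so without that NAT64 route the synthesized addresses are unroutable, and since these subnets keep their IPv4 CIDR (dual-stack, not IPv6-only) a host that prefers the AAAA answer can stall or fail on names it previously reached over IPv4. Either drop `enable_dns64` (dual-stack subnets do not need it) or add, gated on `var.dualstack`, a route with `destination_ipv6_cidr_block = "64:ff9b::/96"` and `nat_gateway_id = aws_nat_gateway.nat.id` on the tables that should use NAT64. As a style point, both `cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, …)` calls are wrapped in the `"${…}"` interpolation-only form this commit removes everywhere else; `ipv6_cidr_block = var.dualstack ? cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, count.index + 1) : null` is the consistent form.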
@@ -412,30 +442,50 @@ resource "aws_subnet" "internal_subnets" { } resource "aws_route_table" "nated_route_table" { - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id route { cidr_block = "0.0.0.0/0" - nat_gateway_id = "${aws_nat_gateway.nat.id}" + nat_gateway_id = aws_nat_gateway.nat.id } } +resource "aws_route" "internal_subnets_route_table_ipv6" { + count = var.dualstack ? 1 : 0 + route_table_id = aws_route_table.nated_route_table.id + destination_ipv6_cidr_block = "::/0" + egress_only_gateway_id = aws_egress_only_internet_gateway.egress_ipv6[0].id +} + resource "aws_route_table_association" "route_internal_subnets" { - count = "${length(var.availability_zones)}" - subnet_id = "${element(aws_subnet.internal_subnets.*.id, count.index)}" - route_table_id = "${aws_route_table.nated_route_table.id}" + count = length(var.availability_zones) + subnet_id = element(aws_subnet.internal_subnets.*.id, count.index) + route_table_id = aws_route_table.nated_route_table.id } resource "aws_internet_gateway" "ig" { - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id + + tags = { + Name = "${var.env_id}" + } +} + +resource "aws_egress_only_internet_gateway" "egress_ipv6" { + count = var.dualstack ? 1 : 0 + vpc_id = local.vpc_id + + tags = { + Name = "${var.env_id}" + } } locals { director_name = "bosh-${var.env_id}" - internal_cidr = "${aws_subnet.bosh_subnet.cidr_block}" - internal_gw = "${cidrhost(local.internal_cidr, 1)}" - jumpbox_internal_ip = "${cidrhost(local.internal_cidr, 5)}" - director_internal_ip = "${cidrhost(local.internal_cidr, 6)}" + internal_cidr = aws_subnet.bosh_subnet.cidr_block + internal_gw = cidrhost(local.internal_cidr, 1) + jumpbox_internal_ip = cidrhost(local.internal_cidr, 5) + director_internal_ip = cidrhost(local.internal_cidr, 6) } resource "aws_kms_key" "kms_key" { 
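Review bot: `aws_route.internal_subnets_route_table_ipv6` is a standalone route on `nated_route_table`, but that table still declares its IPv4 default route as an inline `route { … }` block; the provider documents that a route table with inline routes cannot be combined with `aws_route` resources, because the table then owns the complete route set and will try to remove the IPv6 route on every plan while the `aws_route` tries to re-add it. `bosh_route_table` already uses the standalone form, so the fix is to make `nated_route_table` match it, as below. Also, both `aws_internet_gateway.ig` and the new `aws_egress_only_internet_gateway.egress_ipv6` get `Name = "${var.env_id}"`, which makes the two gateways indistinguishable in the console and in tag-based inventory; every other Name tag in the file follows `${var.env_id}-<purpose>`, so `Name = "${var.env_id}-egress-only-ipv6"` (and e.g. `"${var.env_id}-ig"` for the IGW) would be consistent.
```hcl
resource "aws_route_table" "nated_route_table" {
  vpc_id = local.vpc_id
}

resource "aws_route" "nated_route_table" {
  route_table_id         = aws_route_table.nated_route_table.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}

// … unchanged: internal_subnets_route_table_ipv6, route_internal_subnets, gateways, locals …
```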
@@ -443,16 +493,16 @@ resource "aws_kms_key" "kms_key" { } output "default_key_name" { - value = "${aws_key_pair.bosh_vms.key_name}" + value = aws_key_pair.bosh_vms.key_name } output "private_key" { - value = "${tls_private_key.bosh_vms.private_key_pem}" + value = tls_private_key.bosh_vms.private_key_pem sensitive = true } output "external_ip" { - value = "${aws_eip.jumpbox_eip.public_ip}" + value = aws_eip.jumpbox_eip.public_ip } output "jumpbox_url" { @@ -464,19 +514,19 @@ output "director_address" { } output "nat_eip" { - value = "${aws_eip.nat_eip.public_ip}" + value = aws_eip.nat_eip.public_ip } output "internal_security_group" { - value = "${aws_security_group.internal_security_group.id}" + value = aws_security_group.internal_security_group.id } output "bosh_security_group" { - value = "${aws_security_group.bosh_security_group.id}" + value = aws_security_group.bosh_security_group.id } output "jumpbox_security_group" { - value = "${aws_security_group.jumpbox.id}" + value = aws_security_group.jumpbox.id } output "jumpbox__default_security_groups" { 
@@ -488,53 +538,61 @@ output "director__default_security_groups" { } output "subnet_id" { - value = "${aws_subnet.bosh_subnet.id}" + value = aws_subnet.bosh_subnet.id } output "az" { - value = "${aws_subnet.bosh_subnet.availability_zone}" + value = aws_subnet.bosh_subnet.availability_zone } output "vpc_id" { - value = "${local.vpc_id}" + value = local.vpc_id } output "region" { - value = "${var.region}" + value = var.region } output "kms_key_arn" { - value = "${aws_kms_key.kms_key.arn}" + value = aws_kms_key.kms_key.arn } output "internal_az_subnet_id_mapping" { - value = "${ - zipmap("${aws_subnet.internal_subnets.*.availability_zone}", "${aws_subnet.internal_subnets.*.id}") - }" + value = zipmap("${aws_subnet.internal_subnets.*.availability_zone}", "${aws_subnet.internal_subnets.*.id}") } output "internal_az_subnet_cidr_mapping" { - value = "${ - zipmap("${aws_subnet.internal_subnets.*.availability_zone}", "${aws_subnet.internal_subnets.*.cidr_block}") - }" + value = zipmap("${aws_subnet.internal_subnets.*.availability_zone}", "${aws_subnet.internal_subnets.*.cidr_block}") +} + +output "internal_az_subnet_ipv6_cidr_mapping" { + value = var.dualstack ? zipmap("${aws_subnet.internal_subnets.*.availability_zone}", "${aws_subnet.internal_subnets.*.ipv6_cidr_block}") : null } output "director_name" { - value = "${local.director_name}" + value = local.director_name } output "internal_cidr" { - value = "${local.internal_cidr}" + value = local.internal_cidr +} + +output "internal_cidr_ipv6" { + value = var.dualstack ? aws_subnet.bosh_subnet.ipv6_cidr_block : null } output "internal_gw" { - value = "${local.internal_gw}" + value = local.internal_gw } output "jumpbox__internal_ip" { - value = "${local.jumpbox_internal_ip}" + value = local.jumpbox_internal_ip } output "director__internal_ip" { - value = "${local.director_internal_ip}" + value = local.director_internal_ip +} + +output "dualstack" { + value = var.dualstack } 
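Review bot: The new output `internal_az_subnet_ipv6_cidr_mapping` wraps both `zipmap` arguments in `"${…}"`, the interpolation-only form this commit removes everywhere else in the file (and which Terraform 0.12+ tolerates only with a deprecation warning because a pure-interpolation template is special-cased to return the list unchanged); the two rewritten outputs above it keep the same wrapping. Suggest `value = var.dualstack ? zipmap(aws_subnet.internal_subnets.*.availability_zone, aws_subnet.internal_subnets.*.ipv6_cidr_block) : null`, and the same unwrapping for `internal_az_subnet_id_mapping` and `internal_az_subnet_cidr_mapping` while they are being touched.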
diff --git a/terraform/aws/templates/cf_dns.tf b/terraform/aws/templates/cf_dns.tf index c7ab9cdf6..f2b37b8cb 100644 --- a/terraform/aws/templates/cf_dns.tf +++ b/terraform/aws/templates/cf_dns.tf @@ -9,9 +9,9 @@ variable "parent_zone" { } data "aws_route53_zone" "parent" { - count = "${var.parent_zone == "" ? 0 : 1}" + count = var.parent_zone == "" ? 0 : 1 - name = "${var.parent_zone}" + name = var.parent_zone } output "env_dns_zone_name_servers" { @@ -24,9 +24,9 @@ locals { } resource "aws_route53_zone" "env_dns_zone" { - count = "${var.parent_zone == "" ? 1 : 0}" + count = var.parent_zone == "" ? 1 : 0 - name = "${var.system_domain}" + name = var.system_domain tags = { Name = "${var.env_id}-hosted-zone" @@ -34,7 +34,7 @@ resource "aws_route53_zone" "env_dns_zone" { } resource "aws_route53_record" "wildcard_dns" { - zone_id = "${local.zone_id}" + zone_id = local.zone_id name = "*.${var.system_domain}" type = "CNAME" ttl = 300 @@ -43,7 +43,7 @@ resource "aws_route53_record" "wildcard_dns" { } resource "aws_route53_record" "ssh" { - zone_id = "${local.zone_id}" + zone_id = local.zone_id name = "ssh.${var.system_domain}" type = "CNAME" ttl = 300 @@ -52,7 +52,7 @@ resource "aws_route53_record" "ssh" { } resource "aws_route53_record" "bosh" { - zone_id = "${local.zone_id}" + zone_id = local.zone_id name = "bosh.${var.system_domain}" type = "A" ttl = 300 @@ -61,7 +61,7 @@ resource "aws_route53_record" "bosh" { } resource "aws_route53_record" "tcp" { - zone_id = "${local.zone_id}" + zone_id = local.zone_id name = "tcp.${var.system_domain}" type = "CNAME" ttl = 300 @@ -70,9 +70,9 @@ resource "aws_route53_record" "tcp" { } resource "aws_route53_record" "iso" { - count = "${var.isolation_segments}" + count = var.isolation_segments - zone_id = "${local.zone_id}" + zone_id = local.zone_id name = "*.iso-seg.${var.system_domain}" type = "CNAME" ttl = 300 diff --git a/terraform/aws/templates/cf_lb.tf b/terraform/aws/templates/cf_lb.tf index 344c362f0..8521f8cb2 100644 
--- a/terraform/aws/templates/cf_lb.tf +++ b/terraform/aws/templates/cf_lb.tf @@ -1,25 +1,27 @@ variable "elb_idle_timeout" { - type = number + type = number default = 60 } resource "aws_security_group" "cf_ssh_lb_security_group" { name = "${var.env_id}-cf-ssh-lb-security-group" description = "CF SSH" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id ingress { - cidr_blocks = ["0.0.0.0/0"] - protocol = "tcp" - from_port = 2222 - to_port = 2222 + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 2222 + to_port = 2222 } egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } tags = { @@ -32,13 +34,13 @@ resource "aws_security_group" "cf_ssh_lb_security_group" { } output "cf_ssh_lb_security_group" { - value = "${aws_security_group.cf_ssh_lb_security_group.id}" + value = aws_security_group.cf_ssh_lb_security_group.id } resource "aws_security_group" "cf_ssh_lb_internal_security_group" { name = "${var.env_id}-cf-ssh-lb-internal-security-group" description = "CF SSH Internal" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id ingress { security_groups = ["${aws_security_group.cf_ssh_lb_security_group.id}"] @@ -48,10 +50,11 @@ resource "aws_security_group" "cf_ssh_lb_internal_security_group" { } egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } tags = { @@ -64,7 +67,7 @@ resource "aws_security_group" "cf_ssh_lb_internal_security_group" { } output "cf_ssh_lb_internal_security_group" { - value = "${aws_security_group.cf_ssh_lb_internal_security_group.id}" + value = aws_security_group.cf_ssh_lb_internal_security_group.id } resource "aws_elb" "cf_ssh_lb" { 
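Review bot: The `::/0` ingress entries added to `cf_ssh_lb_security_group` (and to the router and TCP groups in the hunks at -97 and -243) are attached to `aws_elb` classic load balancers; as far as I know a classic ELB inside a VPC is IPv4-only, so these rules admit nothing today and would only matter after a migration to `aws_lb` with `ip_address_type = "dualstack"`. If that migration is not planned, dropping the IPv6 ingress entries on the LB-facing groups keeps the declared surface equal to what the LBs can serve; if it is planned, they belong with that change. Either way a one-line comment on each ingress block, e.g. `# IPv6 ingress takes effect only once the load balancer itself is dualstack`, would stop a reader from assuming the LBs answer on IPv6. The egress `::/0` entries on the `*_internal_security_group`s are unaffected by this.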
@@ -86,7 +89,7 @@ resource "aws_elb" "cf_ssh_lb" { lb_protocol = "tcp" } - idle_timeout = "${var.elb_idle_timeout}" + idle_timeout = var.elb_idle_timeout security_groups = ["${aws_security_group.cf_ssh_lb_security_group.id}"] subnets = flatten(["${aws_subnet.lb_subnets.*.id}"]) @@ -97,44 +100,48 @@ resource "aws_elb" "cf_ssh_lb" { } output "cf_ssh_lb_name" { - value = "${aws_elb.cf_ssh_lb.name}" + value = aws_elb.cf_ssh_lb.name } output "cf_ssh_lb_url" { - value = "${aws_elb.cf_ssh_lb.dns_name}" + value = aws_elb.cf_ssh_lb.dns_name } resource "aws_security_group" "cf_router_lb_security_group" { name = "${var.env_id}-cf-router-lb-security-group" description = "CF Router" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id ingress { - cidr_blocks = ["0.0.0.0/0"] - protocol = "tcp" - from_port = 80 - to_port = 80 + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 80 + to_port = 80 } ingress { - cidr_blocks = ["0.0.0.0/0"] - protocol = "tcp" - from_port = 443 - to_port = 443 + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 443 + to_port = 443 } ingress { - cidr_blocks = ["0.0.0.0/0"] - protocol = "tcp" - from_port = 4443 - to_port = 4443 + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 4443 + to_port = 4443 } egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } tags = { 
@@ -147,13 +154,13 @@ resource "aws_security_group" "cf_router_lb_security_group" { } output "cf_router_lb_security_group" { - value = "${aws_security_group.cf_router_lb_security_group.id}" + value = aws_security_group.cf_router_lb_security_group.id } resource "aws_security_group" "cf_router_lb_internal_security_group" { name = "${var.env_id}-cf-router-lb-internal-security-group" description = "CF Router Internal" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id ingress { security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"] @@ -163,10 +170,11 @@ resource "aws_security_group" "cf_router_lb_internal_security_group" { } egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } tags = { @@ -179,7 +187,7 @@ resource "aws_security_group" "cf_router_lb_internal_security_group" { } output "cf_router_lb_internal_security_group" { - value = "${aws_security_group.cf_router_lb_internal_security_group.id}" + value = aws_security_group.cf_router_lb_internal_security_group.id } resource "aws_elb" "cf_router_lb" { @@ -206,7 +214,7 @@ resource "aws_elb" "cf_router_lb" { instance_protocol = "http" lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${aws_iam_server_certificate.lb_cert.arn}" + ssl_certificate_id = aws_iam_server_certificate.lb_cert.arn } listener { @@ -214,10 +222,10 @@ resource "aws_elb" "cf_router_lb" { instance_protocol = "tcp" lb_port = 4443 lb_protocol = "ssl" - ssl_certificate_id = "${aws_iam_server_certificate.lb_cert.arn}" + ssl_certificate_id = aws_iam_server_certificate.lb_cert.arn } - idle_timeout = "${var.elb_idle_timeout}" + idle_timeout = var.elb_idle_timeout security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"] subnets = flatten(["${aws_subnet.lb_subnets.*.id}"]) 
@@ -231,7 +239,7 @@ resource "aws_lb_target_group" "cf_router_4443" { name = "${var.short_env_id}-routertg-4443" port = 4443 protocol = "TCP" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id health_check { protocol = "TCP" @@ -243,30 +251,32 @@ resource "aws_lb_target_group" "cf_router_4443" { } output "cf_router_lb_name" { - value = "${aws_elb.cf_router_lb.name}" + value = aws_elb.cf_router_lb.name } output "cf_router_lb_url" { - value = "${aws_elb.cf_router_lb.dns_name}" + value = aws_elb.cf_router_lb.dns_name } resource "aws_security_group" "cf_tcp_lb_security_group" { name = "${var.env_id}-cf-tcp-lb-security-group" description = "CF TCP" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id ingress { - cidr_blocks = ["0.0.0.0/0"] - protocol = "tcp" - from_port = 1024 - to_port = 1123 + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null + protocol = "tcp" + from_port = 1024 + to_port = 1123 } egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } tags = { @@ -279,13 +289,13 @@ resource "aws_security_group" "cf_tcp_lb_security_group" { } output "cf_tcp_lb_security_group" { - value = "${aws_security_group.cf_tcp_lb_security_group.id}" + value = aws_security_group.cf_tcp_lb_security_group.id } resource "aws_security_group" "cf_tcp_lb_internal_security_group" { name = "${var.env_id}-cf-tcp-lb-internal-security-group" description = "CF TCP Internal" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id ingress { security_groups = ["${aws_security_group.cf_tcp_lb_security_group.id}"] 
@@ -302,10 +312,11 @@ resource "aws_security_group" "cf_tcp_lb_internal_security_group" { } egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null } tags = { @@ -318,7 +329,7 @@ resource "aws_security_group" "cf_tcp_lb_internal_security_group" { } output "cf_tcp_lb_internal_security_group" { - value = "${aws_security_group.cf_tcp_lb_internal_security_group.id}" + value = aws_security_group.cf_tcp_lb_internal_security_group.id } resource "aws_elb" "cf_tcp_lb" { 
@@ -333,707 +344,18 @@ resource "aws_elb" "cf_tcp_lb" { timeout = 3 } - listener { - instance_port = 1024 - instance_protocol = "tcp" - lb_port = 1024 - lb_protocol = "tcp" - } - - listener { - instance_port = 1025 - instance_protocol = "tcp" - lb_port = 1025 - lb_protocol = "tcp" - } - - listener { - instance_port = 1026 - instance_protocol = "tcp" - lb_port = 1026 - lb_protocol = "tcp" - } - - listener { - instance_port = 1027 - instance_protocol = "tcp" - lb_port = 1027 - lb_protocol = "tcp" - } - - listener { - instance_port = 1028 - instance_protocol = "tcp" - lb_port = 1028 - lb_protocol = "tcp" - } - - listener { - instance_port = 1029 - instance_protocol = "tcp" - lb_port = 1029 - lb_protocol = "tcp" - } - - listener { - instance_port = 1030 - instance_protocol = "tcp" - lb_port = 1030 - lb_protocol = "tcp" - } - - listener { - instance_port = 1031 - instance_protocol = "tcp" - lb_port = 1031 - lb_protocol = "tcp" - } - - listener { - instance_port = 1032 - instance_protocol = "tcp" - lb_port = 1032 - lb_protocol = "tcp" - } - - listener { - instance_port = 1033 - instance_protocol = "tcp" - lb_port = 1033 - lb_protocol = "tcp" - } - - listener { - instance_port = 1034 - instance_protocol = "tcp" - lb_port = 1034 - lb_protocol = "tcp" - } - - listener { - instance_port = 1035 - instance_protocol = "tcp" - lb_port = 1035 - lb_protocol = "tcp" - } - - listener { - instance_port = 1036 - instance_protocol = "tcp" - lb_port = 1036 - lb_protocol = "tcp" - } - - listener { - instance_port = 1037 - instance_protocol = "tcp" - lb_port = 1037 - lb_protocol = "tcp" - } - - listener { - instance_port = 1038 - instance_protocol = "tcp" - lb_port = 1038 - lb_protocol = "tcp" - } - - listener { - instance_port = 1039 - instance_protocol = "tcp" - lb_port = 1039 - lb_protocol = "tcp" - } - - listener { - instance_port = 1040 - instance_protocol = "tcp" - lb_port = 1040 - lb_protocol = "tcp" - } - - listener { - instance_port = 1041 - instance_protocol = "tcp" - lb_port = 
1041 - lb_protocol = "tcp" - } - - listener { - instance_port = 1042 - instance_protocol = "tcp" - lb_port = 1042 - lb_protocol = "tcp" - } - - listener { - instance_port = 1043 - instance_protocol = "tcp" - lb_port = 1043 - lb_protocol = "tcp" - } - - listener { - instance_port = 1044 - instance_protocol = "tcp" - lb_port = 1044 - lb_protocol = "tcp" - } - - listener { - instance_port = 1045 - instance_protocol = "tcp" - lb_port = 1045 - lb_protocol = "tcp" - } - - listener { - instance_port = 1046 - instance_protocol = "tcp" - lb_port = 1046 - lb_protocol = "tcp" - } - - listener { - instance_port = 1047 - instance_protocol = "tcp" - lb_port = 1047 - lb_protocol = "tcp" - } - - listener { - instance_port = 1048 - instance_protocol = "tcp" - lb_port = 1048 - lb_protocol = "tcp" - } - - listener { - instance_port = 1049 - instance_protocol = "tcp" - lb_port = 1049 - lb_protocol = "tcp" - } - - listener { - instance_port = 1050 - instance_protocol = "tcp" - lb_port = 1050 - lb_protocol = "tcp" - } - - listener { - instance_port = 1051 - instance_protocol = "tcp" - lb_port = 1051 - lb_protocol = "tcp" - } - - listener { - instance_port = 1052 - instance_protocol = "tcp" - lb_port = 1052 - lb_protocol = "tcp" - } - - listener { - instance_port = 1053 - instance_protocol = "tcp" - lb_port = 1053 - lb_protocol = "tcp" - } - - listener { - instance_port = 1054 - instance_protocol = "tcp" - lb_port = 1054 - lb_protocol = "tcp" - } - - listener { - instance_port = 1055 - instance_protocol = "tcp" - lb_port = 1055 - lb_protocol = "tcp" - } - - listener { - instance_port = 1056 - instance_protocol = "tcp" - lb_port = 1056 - lb_protocol = "tcp" - } - - listener { - instance_port = 1057 - instance_protocol = "tcp" - lb_port = 1057 - lb_protocol = "tcp" - } - - listener { - instance_port = 1058 - instance_protocol = "tcp" - lb_port = 1058 - lb_protocol = "tcp" - } - - listener { - instance_port = 1059 - instance_protocol = "tcp" - lb_port = 1059 - lb_protocol = "tcp" - } - - 
listener { - instance_port = 1060 - instance_protocol = "tcp" - lb_port = 1060 - lb_protocol = "tcp" - } - - listener { - instance_port = 1061 - instance_protocol = "tcp" - lb_port = 1061 - lb_protocol = "tcp" - } - - listener { - instance_port = 1062 - instance_protocol = "tcp" - lb_port = 1062 - lb_protocol = "tcp" - } - - listener { - instance_port = 1063 - instance_protocol = "tcp" - lb_port = 1063 - lb_protocol = "tcp" - } - - listener { - instance_port = 1064 - instance_protocol = "tcp" - lb_port = 1064 - lb_protocol = "tcp" - } - - listener { - instance_port = 1065 - instance_protocol = "tcp" - lb_port = 1065 - lb_protocol = "tcp" - } - - listener { - instance_port = 1066 - instance_protocol = "tcp" - lb_port = 1066 - lb_protocol = "tcp" - } - - listener { - instance_port = 1067 - instance_protocol = "tcp" - lb_port = 1067 - lb_protocol = "tcp" - } - - listener { - instance_port = 1068 - instance_protocol = "tcp" - lb_port = 1068 - lb_protocol = "tcp" - } - - listener { - instance_port = 1069 - instance_protocol = "tcp" - lb_port = 1069 - lb_protocol = "tcp" - } - - listener { - instance_port = 1070 - instance_protocol = "tcp" - lb_port = 1070 - lb_protocol = "tcp" - } - - listener { - instance_port = 1071 - instance_protocol = "tcp" - lb_port = 1071 - lb_protocol = "tcp" - } - - listener { - instance_port = 1072 - instance_protocol = "tcp" - lb_port = 1072 - lb_protocol = "tcp" - } - - listener { - instance_port = 1073 - instance_protocol = "tcp" - lb_port = 1073 - lb_protocol = "tcp" - } + dynamic "listener" { + for_each = range(1024, 1124, 1) - listener { - instance_port = 1074 - instance_protocol = "tcp" - lb_port = 1074 - lb_protocol = "tcp" - } - - listener { - instance_port = 1075 - instance_protocol = "tcp" - lb_port = 1075 - lb_protocol = "tcp" - } - - listener { - instance_port = 1076 - instance_protocol = "tcp" - lb_port = 1076 - lb_protocol = "tcp" - } - - listener { - instance_port = 1077 - instance_protocol = "tcp" - lb_port = 1077 - 
lb_protocol = "tcp" - } - - listener { - instance_port = 1078 - instance_protocol = "tcp" - lb_port = 1078 - lb_protocol = "tcp" - } - - listener { - instance_port = 1079 - instance_protocol = "tcp" - lb_port = 1079 - lb_protocol = "tcp" - } - - listener { - instance_port = 1080 - instance_protocol = "tcp" - lb_port = 1080 - lb_protocol = "tcp" - } - - listener { - instance_port = 1081 - instance_protocol = "tcp" - lb_port = 1081 - lb_protocol = "tcp" - } - - listener { - instance_port = 1082 - instance_protocol = "tcp" - lb_port = 1082 - lb_protocol = "tcp" - } - - listener { - instance_port = 1083 - instance_protocol = "tcp" - lb_port = 1083 - lb_protocol = "tcp" - } - - listener { - instance_port = 1084 - instance_protocol = "tcp" - lb_port = 1084 - lb_protocol = "tcp" - } - - listener { - instance_port = 1085 - instance_protocol = "tcp" - lb_port = 1085 - lb_protocol = "tcp" - } - - listener { - instance_port = 1086 - instance_protocol = "tcp" - lb_port = 1086 - lb_protocol = "tcp" - } - - listener { - instance_port = 1087 - instance_protocol = "tcp" - lb_port = 1087 - lb_protocol = "tcp" - } - - listener { - instance_port = 1088 - instance_protocol = "tcp" - lb_port = 1088 - lb_protocol = "tcp" - } - - listener { - instance_port = 1089 - instance_protocol = "tcp" - lb_port = 1089 - lb_protocol = "tcp" - } - - listener { - instance_port = 1090 - instance_protocol = "tcp" - lb_port = 1090 - lb_protocol = "tcp" - } - - listener { - instance_port = 1091 - instance_protocol = "tcp" - lb_port = 1091 - lb_protocol = "tcp" - } - - listener { - instance_port = 1092 - instance_protocol = "tcp" - lb_port = 1092 - lb_protocol = "tcp" - } - - listener { - instance_port = 1093 - instance_protocol = "tcp" - lb_port = 1093 - lb_protocol = "tcp" - } - - listener { - instance_port = 1094 - instance_protocol = "tcp" - lb_port = 1094 - lb_protocol = "tcp" - } - - listener { - instance_port = 1095 - instance_protocol = "tcp" - lb_port = 1095 - lb_protocol = "tcp" - } - - listener 
{ - instance_port = 1096 - instance_protocol = "tcp" - lb_port = 1096 - lb_protocol = "tcp" - } - - listener { - instance_port = 1097 - instance_protocol = "tcp" - lb_port = 1097 - lb_protocol = "tcp" - } - - listener { - instance_port = 1098 - instance_protocol = "tcp" - lb_port = 1098 - lb_protocol = "tcp" - } - - listener { - instance_port = 1099 - instance_protocol = "tcp" - lb_port = 1099 - lb_protocol = "tcp" - } - - listener { - instance_port = 1100 - instance_protocol = "tcp" - lb_port = 1100 - lb_protocol = "tcp" - } - - listener { - instance_port = 1101 - instance_protocol = "tcp" - lb_port = 1101 - lb_protocol = "tcp" - } - - listener { - instance_port = 1102 - instance_protocol = "tcp" - lb_port = 1102 - lb_protocol = "tcp" - } - - listener { - instance_port = 1103 - instance_protocol = "tcp" - lb_port = 1103 - lb_protocol = "tcp" - } - - listener { - instance_port = 1104 - instance_protocol = "tcp" - lb_port = 1104 - lb_protocol = "tcp" - } - - listener { - instance_port = 1105 - instance_protocol = "tcp" - lb_port = 1105 - lb_protocol = "tcp" - } - - listener { - instance_port = 1106 - instance_protocol = "tcp" - lb_port = 1106 - lb_protocol = "tcp" - } - - listener { - instance_port = 1107 - instance_protocol = "tcp" - lb_port = 1107 - lb_protocol = "tcp" - } - - listener { - instance_port = 1108 - instance_protocol = "tcp" - lb_port = 1108 - lb_protocol = "tcp" - } - - listener { - instance_port = 1109 - instance_protocol = "tcp" - lb_port = 1109 - lb_protocol = "tcp" - } - - listener { - instance_port = 1110 - instance_protocol = "tcp" - lb_port = 1110 - lb_protocol = "tcp" - } - - listener { - instance_port = 1111 - instance_protocol = "tcp" - lb_port = 1111 - lb_protocol = "tcp" - } - - listener { - instance_port = 1112 - instance_protocol = "tcp" - lb_port = 1112 - lb_protocol = "tcp" - } - - listener { - instance_port = 1113 - instance_protocol = "tcp" - lb_port = 1113 - lb_protocol = "tcp" - } - - listener { - instance_port = 1114 - 
instance_protocol = "tcp" - lb_port = 1114 - lb_protocol = "tcp" - } - - listener { - instance_port = 1115 - instance_protocol = "tcp" - lb_port = 1115 - lb_protocol = "tcp" - } - - listener { - instance_port = 1116 - instance_protocol = "tcp" - lb_port = 1116 - lb_protocol = "tcp" - } - - listener { - instance_port = 1117 - instance_protocol = "tcp" - lb_port = 1117 - lb_protocol = "tcp" - } - - listener { - instance_port = 1118 - instance_protocol = "tcp" - lb_port = 1118 - lb_protocol = "tcp" - } - - listener { - instance_port = 1119 - instance_protocol = "tcp" - lb_port = 1119 - lb_protocol = "tcp" - } - - listener { - instance_port = 1120 - instance_protocol = "tcp" - lb_port = 1120 - lb_protocol = "tcp" - } - - listener { - instance_port = 1121 - instance_protocol = "tcp" - lb_port = 1121 - lb_protocol = "tcp" - } - - listener { - instance_port = 1122 - instance_protocol = "tcp" - lb_port = 1122 - lb_protocol = "tcp" - } - - listener { - instance_port = 1123 - instance_protocol = "tcp" - lb_port = 1123 - lb_protocol = "tcp" + content { + instance_port = listener.value + instance_protocol = "tcp" + lb_port = listener.value + lb_protocol = "tcp" + } } - idle_timeout = "${var.elb_idle_timeout}" + idle_timeout = var.elb_idle_timeout security_groups = ["${aws_security_group.cf_tcp_lb_security_group.id}"] subnets = flatten(["${aws_subnet.lb_subnets.*.id}"]) @@ -1044,9 +366,9 @@ resource "aws_elb" "cf_tcp_lb" { } output "cf_tcp_lb_name" { - value = "${aws_elb.cf_tcp_lb.name}" + value = aws_elb.cf_tcp_lb.name } output "cf_tcp_lb_url" { - value = "${aws_elb.cf_tcp_lb.dns_name}" + value = aws_elb.cf_tcp_lb.dns_name } diff --git a/terraform/aws/templates/concourse_lb.tf b/terraform/aws/templates/concourse_lb.tf index 9d35bb952..f72597528 100644 --- a/terraform/aws/templates/concourse_lb.tf +++ b/terraform/aws/templates/concourse_lb.tf 
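Review bot: `for_each = range(1024, 1124, 1)` hard-codes the same port window that the `cf_tcp_lb_security_group` ingress rule spells out separately as `from_port = 1024` / `to_port = 1123`; if either side is changed later the other silently drifts, leaving a listener with no matching SG rule or an open port with no listener behind it. A shared local, `cf_tcp_lb_port_range = { from = 1024, to = 1123 }`, with `for_each = range(local.cf_tcp_lb_port_range.from, local.cf_tcp_lb_port_range.to + 1)` here and the SG rule reading the same values, removes the duplication. The dynamic block expands to exactly 100 listeners, which I believe is the per-LB listener ceiling for Classic ELBs, so a comment noting that limit next to the `range()` would save a failed apply for whoever widens it. The enclosing `resource "aws_elb" "cf_tcp_lb"` block begins before this hunk; `listener.value` is an integer from `range()`, matching the literal ports the removed blocks used.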
@@ -1,7 +1,7 @@
 resource "aws_security_group" "concourse_lb_internal_security_group" {
 name = "${var.env_id}-concourse-lb-internal-security-group"
 description = "Concourse Internal"
- vpc_id = "${local.vpc_id}"
+ vpc_id = local.vpc_id
 tags = {
 Name = "${var.env_id}-concourse-lb-internal-security-group"
@@ -13,43 +13,47 @@ resource "aws_security_group" "concourse_lb_internal_security_group" {
 }
 resource "aws_security_group_rule" "concourse_lb_internal_80" {
- type = "ingress"
- protocol = "tcp"
- from_port = 80
- to_port = 80
- cidr_blocks = ["0.0.0.0/0"]
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 80
+ to_port = 80
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
- security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
+ security_group_id = aws_security_group.concourse_lb_internal_security_group.id
 }
 resource "aws_security_group_rule" "concourse_lb_internal_2222" {
- type = "ingress"
- protocol = "tcp"
- from_port = 2222
- to_port = 2222
- cidr_blocks = ["0.0.0.0/0"]
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 2222
+ to_port = 2222
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
- security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
+ security_group_id = aws_security_group.concourse_lb_internal_security_group.id
 }
 resource "aws_security_group_rule" "concourse_lb_internal_443" {
- type = "ingress"
- protocol = "tcp"
- from_port = 443
- to_port = 443
- cidr_blocks = ["0.0.0.0/0"]
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
- security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
+ security_group_id = aws_security_group.concourse_lb_internal_security_group.id
 }
 resource "aws_security_group_rule" "concourse_lb_internal_egress" {
- type = "egress"
- protocol = "-1"
- from_port = 0
- to_port = 0
- cidr_blocks = ["0.0.0.0/0"]
+ type = "egress"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
- security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
+ security_group_id = aws_security_group.concourse_lb_internal_security_group.id
 }
 resource "aws_lb" "concourse_lb" {
@@ -63,13 +67,13 @@ resource "aws_lb" "concourse_lb" {
 }
 resource "aws_lb_listener" "concourse_lb_80" {
- load_balancer_arn = "${aws_lb.concourse_lb.arn}"
+ load_balancer_arn = aws_lb.concourse_lb.arn
 protocol = "TCP"
 port = 80
 default_action {
 type = "forward"
- target_group_arn = "${aws_lb_target_group.concourse_lb_80.arn}"
+ target_group_arn = aws_lb_target_group.concourse_lb_80.arn
 }
 }
@@ -77,7 +81,7 @@ resource "aws_lb_target_group" "concourse_lb_80" {
 name = "${var.short_env_id}-concourse80"
 port = 80
 protocol = "TCP"
- vpc_id = "${local.vpc_id}"
+ vpc_id = local.vpc_id
 health_check {
 healthy_threshold = 10
@@ -92,13 +96,13 @@ resource "aws_lb_target_group" "concourse_lb_80" {
 }
 resource "aws_lb_listener" "concourse_lb_2222" {
- load_balancer_arn = "${aws_lb.concourse_lb.arn}"
+ load_balancer_arn = aws_lb.concourse_lb.arn
 protocol = "TCP"
 port = 2222
 default_action {
 type = "forward"
- target_group_arn = "${aws_lb_target_group.concourse_lb_2222.arn}"
+ target_group_arn = aws_lb_target_group.concourse_lb_2222.arn
 }
 }
@@ -106,7 +110,7 @@ resource "aws_lb_target_group" "concourse_lb_2222" {
 name = "${var.short_env_id}-concourse2222"
 port = 2222
 protocol = "TCP"
- vpc_id = "${local.vpc_id}"
+ vpc_id = local.vpc_id
 tags = {
 Name = "${var.env_id}"
@@ -114,13 +118,13 @@ resource "aws_lb_target_group" "concourse_lb_2222" {
 }
 resource "aws_lb_listener" "concourse_lb_443" {
- load_balancer_arn = "${aws_lb.concourse_lb.arn}"
+ load_balancer_arn = aws_lb.concourse_lb.arn
 protocol = "TCP"
 port = 443
 default_action {
 type = "forward"
- target_group_arn = "${aws_lb_target_group.concourse_lb_443.arn}"
+ target_group_arn = aws_lb_target_group.concourse_lb_443.arn
 }
 }
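Review bot: With `dualstack` set, the `concourse_lb_internal_80`, `_2222` and `_443` rules now admit traffic from `::/0` in addition to `0.0.0.0/0`, and 80 is plaintext while 2222 appears (from the listener of the same port below) to be the worker-registration SSH endpoint, so this doubles the address families exposing them with no operator knob to narrow the source. base.tf already carries a `bosh_inbound_cidr` variable for exactly this pattern; a `concourse_inbound_cidrs` list variable defaulting to `["0.0.0.0/0"]`, plus an IPv6 counterpart, would let these rules read `cidr_blocks = var.concourse_inbound_cidrs` instead of literals. Note also that the `::/0` rules only matter if `aws_lb.concourse_lb` (its body is outside this hunk) is created with `ip_address_type = "dualstack"`; a one-line comment on the rule recording that dependency would help, since an NLB that is still IPv4-only makes these rules look more permissive than they are.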
@@ -128,7 +132,7 @@ resource "aws_lb_target_group" "concourse_lb_443" {
 name = "${var.short_env_id}-concourse443"
 port = 443
 protocol = "TCP"
- vpc_id = "${local.vpc_id}"
+ vpc_id = local.vpc_id
 tags = {
 Name = "${var.env_id}"
@@ -136,33 +140,35 @@ resource "aws_lb_target_group" "concourse_lb_443" {
 }
 resource "aws_security_group_rule" "concourse_lb_internal_8844" {
- type = "ingress"
- protocol = "tcp"
- from_port = 8844
- to_port = 8844
- cidr_blocks = ["0.0.0.0/0"]
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 8844
+ to_port = 8844
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
- security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
+ security_group_id = aws_security_group.concourse_lb_internal_security_group.id
 }
 resource "aws_security_group_rule" "concourse_lb_internal_8443" {
- type = "ingress"
- protocol = "tcp"
- from_port = 8443
- to_port = 8443
- cidr_blocks = ["0.0.0.0/0"]
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 8443
+ to_port = 8443
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null
- security_group_id = "${aws_security_group.concourse_lb_internal_security_group.id}"
+ security_group_id = aws_security_group.concourse_lb_internal_security_group.id
 }
 resource "aws_lb_listener" "concourse_lb_8844" {
- load_balancer_arn = "${aws_lb.concourse_lb.arn}"
+ load_balancer_arn = aws_lb.concourse_lb.arn
 protocol = "TCP"
 port = 8844
 default_action {
 type = "forward"
- target_group_arn = "${aws_lb_target_group.concourse_lb_8844.arn}"
+ target_group_arn = aws_lb_target_group.concourse_lb_8844.arn
 }
 }
@@ -170,7 +176,7 @@ resource "aws_lb_target_group" "concourse_lb_8844" {
 name = "${var.short_env_id}-concourse8844"
 port = 8844
 protocol = "TCP"
- vpc_id = "${local.vpc_id}"
+ vpc_id = local.vpc_id
 tags = {
 Name = "${var.env_id}"
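Review bot: The `ipv6_cidr_blocks = var.dualstack ? ["::/0"] : null` lines added to `concourse_lb_internal_8844` and `concourse_lb_internal_8443` extend unrestricted-source reachability to two ports that, going by the port numbers and Concourse convention, front a credential store (8844) and an identity server (8443); those are the endpoints an attacker would most like to reach, and nothing in the hunk records why any source address is acceptable. At minimum each rule should carry a comment such as `# 8844 is reachable from any IPv4/IPv6 source; narrow with a CIDR variable outside lab use.`, and preferably both rules should take their `cidr_blocks` / `ipv6_cidr_blocks` from the same source-CIDR variable the 80/443 rules would use rather than `["0.0.0.0/0"]` and `["::/0"]` literals. As with the other Concourse rules, the IPv6 entries only have effect if the NLB itself is dual-stack, which this hunk does not show.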
@@ -178,13 +184,13 @@ resource "aws_lb_target_group" "concourse_lb_8844" { } resource "aws_lb_listener" "concourse_lb_8443" { - load_balancer_arn = "${aws_lb.concourse_lb.arn}" + load_balancer_arn = aws_lb.concourse_lb.arn protocol = "TCP" port = 8443 default_action { type = "forward" - target_group_arn = "${aws_lb_target_group.concourse_lb_8443.arn}" + target_group_arn = aws_lb_target_group.concourse_lb_8443.arn } } @@ -192,7 +198,7 @@ resource "aws_lb_target_group" "concourse_lb_8443" { name = "${var.short_env_id}-concourse8443" port = 8443 protocol = "TCP" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id tags = { Name = "${var.env_id}" @@ -200,7 +206,7 @@ resource "aws_lb_target_group" "concourse_lb_8443" { } output "concourse_lb_internal_security_group" { - value = "${aws_security_group.concourse_lb_internal_security_group.name}" + value = aws_security_group.concourse_lb_internal_security_group.name } output "concourse_lb_target_groups" { @@ -214,9 +220,9 @@ output "concourse_lb_target_groups" { } output "concourse_lb_name" { - value = "${aws_lb.concourse_lb.name}" + value = aws_lb.concourse_lb.name } output "concourse_lb_url" { - value = "${aws_lb.concourse_lb.dns_name}" + value = aws_lb.concourse_lb.dns_name } diff --git a/terraform/aws/templates/iam.tf b/terraform/aws/templates/iam.tf index ab355e267..dc0338e1f 100644 --- a/terraform/aws/templates/iam.tf +++ b/terraform/aws/templates/iam.tf 
@@ -3,21 +3,21 @@ variable "bosh_iam_instance_profile" { } locals { - iamProfileProvided = "${var.bosh_iam_instance_profile == "" ? false : true}" - iamProfileCount = "${var.bosh_iam_instance_profile == "" ? 0 : 1}" + iamProfileProvided = var.bosh_iam_instance_profile == "" ? false : true + iamProfileCount = var.bosh_iam_instance_profile == "" ? 0 : 1 } data "aws_iam_instance_profile" "bosh" { - name = "${var.bosh_iam_instance_profile}" + name = var.bosh_iam_instance_profile - count = "${local.iamProfileCount}" + count = local.iamProfileCount } resource "aws_iam_role" "bosh" { name = "${var.env_id}_bosh_role" path = "/" - count = "${1 - local.iamProfileCount}" + count = 1 - local.iamProfileCount lifecycle { create_before_destroy = true @@ -44,7 +44,7 @@ resource "aws_iam_policy" "bosh" { name = "${var.env_id}_bosh_policy" path = "/" - count = "${1 - local.iamProfileCount}" + count = 1 - local.iamProfileCount policy = < 0 ? length(var.availability_zones) : 0 } resource "aws_subnet" "iso_subnets" { - count = "${local.iso_az_count}" - vpc_id = "${local.vpc_id}" - cidr_block = "${cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones) + 1)}" - availability_zone = "${element(var.availability_zones, count.index)}" + count = local.iso_az_count + vpc_id = local.vpc_id + cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones) + 1) + ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, count.index + 2 + length(var.availability_zones))}" : null + availability_zone = element(var.availability_zones, count.index) + assign_ipv6_address_on_creation = var.dualstack + enable_dns64 = var.dualstack tags = { Name = "${var.env_id}-iso-subnet${count.index}" 
@@ -35,13 +38,13 @@ resource "aws_subnet" "iso_subnets" { } resource "aws_route_table_association" "route_iso_subnets" { - count = "${local.iso_az_count}" - subnet_id = "${element(aws_subnet.iso_subnets.*.id, count.index)}" - route_table_id = "${aws_route_table.nated_route_table.id}" + count = local.iso_az_count + subnet_id = element(aws_subnet.iso_subnets.*.id, count.index) + route_table_id = aws_route_table.nated_route_table.id } resource "aws_elb" "iso_router_lb" { - count = "${var.isolation_segments}" + count = var.isolation_segments name = "${var.short_env_id}-iso-router-lb" cross_zone_load_balancing = true @@ -66,7 +69,7 @@ resource "aws_elb" "iso_router_lb" { instance_protocol = "http" lb_port = 443 lb_protocol = "https" - ssl_certificate_id = "${aws_iam_server_certificate.lb_cert.arn}" + ssl_certificate_id = aws_iam_server_certificate.lb_cert.arn } listener { @@ -74,7 +77,7 @@ resource "aws_elb" "iso_router_lb" { instance_protocol = "tcp" lb_port = 4443 lb_protocol = "ssl" - ssl_certificate_id = "${aws_iam_server_certificate.lb_cert.arn}" + ssl_certificate_id = aws_iam_server_certificate.lb_cert.arn } security_groups = ["${aws_security_group.cf_router_lb_security_group.id}"] @@ -86,11 +89,11 @@ resource "aws_elb" "iso_router_lb" { } resource "aws_lb_target_group" "iso_router_lb_4443" { - count = "${var.isolation_segments}" + count = var.isolation_segments name = "${var.short_env_id}-isotg-4443" port = 4443 protocol = "TCP" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id health_check { protocol = "TCP" @@ -102,10 +105,10 @@ resource "aws_lb_target_group" "iso_router_lb_4443" { } resource "aws_security_group" "iso_security_group" { - count = "${var.isolation_segments}" + count = var.isolation_segments name = "${var.env_id}-iso-sg" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id description = "Private isolation segment" 
@@ -115,10 +118,10 @@ resource "aws_security_group" "iso_security_group" { } resource "aws_security_group" "iso_shared_security_group" { - count = "${var.isolation_segments}" + count = var.isolation_segments name = "${var.env_id}-iso-shared-sg" - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id description = "Shared isolation segments" 
@@ -128,83 +131,83 @@ resource "aws_security_group" "iso_shared_security_group" { } resource "aws_security_group_rule" "isolation_segments_to_bosh_rule" { - count = "${var.isolation_segments * length(var.iso_to_bosh_ports)}" + count = var.isolation_segments * length(var.iso_to_bosh_ports) description = "TCP traffic from iso-sg to bosh" - security_group_id = "${aws_security_group.bosh_security_group[count.index].id}" + security_group_id = aws_security_group.bosh_security_group[count.index].id type = "ingress" protocol = "tcp" - to_port = "${element(var.iso_to_bosh_ports, count.index)}" - from_port = "${element(var.iso_to_bosh_ports, count.index)}" - source_security_group_id = "${aws_security_group.iso_security_group[count.index].id}" + to_port = element(var.iso_to_bosh_ports, count.index) + from_port = element(var.iso_to_bosh_ports, count.index) + source_security_group_id = aws_security_group.iso_security_group[count.index].id } resource "aws_security_group_rule" "isolation_segments_to_shared_tcp_rule" { - count = "${var.isolation_segments * length(var.iso_to_shared_tcp_ports)}" + count = var.isolation_segments * length(var.iso_to_shared_tcp_ports) description = "TCP traffic from iso-sg to iso-shared-sg" - security_group_id = "${aws_security_group.iso_shared_security_group[count.index].id}" + security_group_id = aws_security_group.iso_shared_security_group[count.index].id type = "ingress" protocol = "tcp" - to_port = "${element(var.iso_to_shared_tcp_ports, count.index)}" - from_port = "${element(var.iso_to_shared_tcp_ports, count.index)}" - source_security_group_id = "${aws_security_group.iso_security_group[count.index].id}" + to_port = element(var.iso_to_shared_tcp_ports, count.index) + from_port = element(var.iso_to_shared_tcp_ports, count.index) + source_security_group_id = aws_security_group.iso_security_group[count.index].id } resource "aws_security_group_rule" "isolation_segments_to_shared_udp_rule" { - count = "${var.isolation_segments * 
length(var.iso_to_shared_udp_ports)}" + count = var.isolation_segments * length(var.iso_to_shared_udp_ports) description = "UDP traffic from iso-sg to iso-shared-sg" - security_group_id = "${aws_security_group.iso_shared_security_group[count.index].id}" + security_group_id = aws_security_group.iso_shared_security_group[count.index].id type = "ingress" protocol = "udp" - to_port = "${element(var.iso_to_shared_udp_ports, count.index)}" - from_port = "${element(var.iso_to_shared_udp_ports, count.index)}" - source_security_group_id = "${aws_security_group.iso_security_group[count.index].id}" + to_port = element(var.iso_to_shared_udp_ports, count.index) + from_port = element(var.iso_to_shared_udp_ports, count.index) + source_security_group_id = aws_security_group.iso_security_group[count.index].id } resource "aws_security_group_rule" "isolation_segments_to_bosh_all_traffic_rule" { - count = "${var.isolation_segments}" + count = var.isolation_segments description = "ALL traffic from iso-sg to bosh" depends_on = [aws_security_group.bosh_security_group] - security_group_id = "${aws_security_group.bosh_security_group[count.index].id}" + security_group_id = aws_security_group.bosh_security_group[count.index].id type = "ingress" protocol = "-1" from_port = 0 to_port = 0 - source_security_group_id = "${aws_security_group.iso_security_group[count.index].id}" + source_security_group_id = aws_security_group.iso_security_group[count.index].id } resource "aws_security_group_rule" "shared_diego_bbs_to_isolated_cells_rule" { - count = "${var.isolation_segments}" + count = var.isolation_segments description = "TCP traffic from shared diego bbs to iso-sg" depends_on = [aws_security_group.iso_security_group] - security_group_id = "${aws_security_group.iso_security_group[count.index].id}" + security_group_id = aws_security_group.iso_security_group[count.index].id type = "ingress" protocol = "tcp" from_port = 1801 to_port = 1801 - source_security_group_id = 
"${aws_security_group.iso_shared_security_group[count.index].id}"
+ source_security_group_id = aws_security_group.iso_shared_security_group[count.index].id
 }
 resource "aws_security_group_rule" "nat_to_isolated_cells_rule" {
- count = "${var.isolation_segments}"
+ count = var.isolation_segments
 description = "ALL traffic from nat-sg to iso-sg"
- security_group_id = "${aws_security_group.nat_security_group[count.index].id}"
+ security_group_id = aws_security_group.nat_security_group[count.index].id
 type = "ingress"
 protocol = "-1"
 from_port = 0
 to_port = 0
- source_security_group_id = "${aws_security_group.iso_security_group[count.index].id}"
+ source_security_group_id = aws_security_group.iso_security_group[count.index].id
 }
 output "cf_iso_router_lb_name" {
@@ -216,15 +219,15 @@ output "iso_security_group_id" {
 }
 output "iso_az_subnet_id_mapping" {
- value = "${
- zipmap("${aws_subnet.iso_subnets.*.availability_zone}", "${aws_subnet.iso_subnets.*.id}")
- }"
+ value = zipmap("${aws_subnet.iso_subnets.*.availability_zone}", "${aws_subnet.iso_subnets.*.id}")
 }
 output "iso_az_subnet_cidr_mapping" {
- value = "${
- zipmap("${aws_subnet.iso_subnets.*.availability_zone}", "${aws_subnet.iso_subnets.*.cidr_block}")
- }"
+ value = zipmap("${aws_subnet.iso_subnets.*.availability_zone}", "${aws_subnet.iso_subnets.*.cidr_block}")
+}
+
+output "iso_az_subnet_ipv6_cidr_mapping" {
+ value = var.dualstack ? "${zipmap("${aws_subnet.iso_subnets.*.availability_zone}", "${aws_subnet.iso_subnets.*.cidr_block}")}" : null
 }
 output "iso_shared_security_group_id" {
diff --git a/terraform/aws/templates/lb_subnet.tf b/terraform/aws/templates/lb_subnet.tf
index 2e4811cd7..a20f9bf65 100644
--- a/terraform/aws/templates/lb_subnet.tf
+++ b/terraform/aws/templates/lb_subnet.tf
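Review bot: The new `iso_az_subnet_ipv6_cidr_mapping` output zips the availability zones with `aws_subnet.iso_subnets.*.cidr_block`, which is the IPv4 CIDR list, so under `dualstack` it reports the wrong address family and is indistinguishable from `iso_az_subnet_cidr_mapping`; it should read `value = var.dualstack ? zipmap(aws_subnet.iso_subnets.*.availability_zone, aws_subnet.iso_subnets.*.ipv6_cidr_block) : null`. Anything downstream that builds IPv6 cloud-config from this output would be handed IPv4 ranges without an error. Separately, the three outputs still wrap the splat lists in legacy `"${...}"` quotes that the rest of this commit removes elsewhere; Terraform 0.12+ tolerates a string consisting of a single interpolation but warns on it, and this hunk is the natural place to drop the quotes.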
@@ -1,8 +1,11 @@
 resource "aws_subnet" "lb_subnets" {
- count = "${length(var.availability_zones)}"
- vpc_id = "${local.vpc_id}"
- cidr_block = "${cidrsubnet(var.vpc_cidr, 8, count.index+2)}"
- availability_zone = "${element(var.availability_zones, count.index)}"
+ count = length(var.availability_zones)
+ vpc_id = local.vpc_id
+ cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index + 2)
+ ipv6_cidr_block = var.dualstack ? "${cidrsubnet(aws_vpc.vpc[0].ipv6_cidr_block, 8, count.index + 1 + length(var.availability_zones))}" : null
+ availability_zone = element(var.availability_zones, count.index)
+ assign_ipv6_address_on_creation = var.dualstack
+ enable_dns64 = var.dualstack
 tags = {
 Name = "${var.env_id}-lb-subnet${count.index}"
@@ -14,19 +17,26 @@ resource "aws_subnet" "lb_subnets" {
 }
 resource "aws_route_table" "lb_route_table" {
- vpc_id = "${local.vpc_id}"
+ vpc_id = local.vpc_id
 }
 resource "aws_route" "lb_route_table" {
 destination_cidr_block = "0.0.0.0/0"
- gateway_id = "${aws_internet_gateway.ig.id}"
- route_table_id = "${aws_route_table.lb_route_table.id}"
+ gateway_id = aws_internet_gateway.ig.id
+ route_table_id = aws_route_table.lb_route_table.id
+}
+
+resource "aws_route" "lb_route_table_ipv6" {
+ count = var.dualstack ? 1 : 0
+ route_table_id = aws_route_table.lb_route_table.id
+ destination_ipv6_cidr_block = "::/0"
+ egress_only_gateway_id = aws_egress_only_internet_gateway.egress_ipv6[0].id
 }
 resource "aws_route_table_association" "route_lb_subnets" {
- count = "${length(var.availability_zones)}"
- subnet_id = "${element(aws_subnet.lb_subnets.*.id, count.index)}"
- route_table_id = "${aws_route_table.lb_route_table.id}"
+ count = length(var.availability_zones)
+ subnet_id = element(aws_subnet.lb_subnets.*.id, count.index)
+ route_table_id = aws_route_table.lb_route_table.id
 }
 output "lb_subnet_ids" {
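Review bot: The LB subnets carve their /64 from the VPC IPv6 block at index `count.index + 1 + length(var.availability_zones)`, while `aws_subnet.iso_subnets` in isolation_segments.tf (visible earlier in this diff) uses `count.index + 2 + length(var.availability_zones)`; with two or more AZs and isolation segments enabled, LB subnet 1 and iso subnet 0 both resolve to index `len + 2` and the apply fails on a conflicting subnet CIDR. The IPv4 side only escapes this because the two resources use different `newbits` (8 vs 4). The index plan needs non-overlapping windows and should be written down next to the expression, e.g. `# IPv6 /64 index plan: n+1..2n for lb subnets; iso subnets must start at 2n+1` with the iso offset moved to `count.index + 1 + 2 * length(var.availability_zones)`; I have not seen the bosh/internal subnet expressions, so confirm they do not also land in these ranges. Separately, `aws_vpc.vpc[0]` has no element when `existing_vpc_id` is set (`vpc_count` is 0 in vpc.tf), so `dualstack = true` on an existing VPC fails at plan time; the IPv6 CIDR should come through a local that resolves it for both cases.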
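Review bot: `aws_route.lb_route_table_ipv6` points `::/0` at an egress-only internet gateway, while the IPv4 default route in the same table (`aws_route.lb_route_table`) goes to `aws_internet_gateway.ig`. An egress-only IGW rejects inbound-initiated IPv6 sessions by design, so load balancers placed in `lb_subnets` cannot be reached over IPv6 at all, which leaves the `::/0` ingress rules this commit adds on the LB security groups with no traffic to admit. If dual-stack load balancers are the goal, the route should use the regular gateway, `gateway_id = aws_internet_gateway.ig.id` (an IGW forwards IPv6 too), and the egress-only gateway belongs on the private/NATed route table instead; if IPv6 is meant to be outbound-only from these subnets, say so in a comment on the resource so the SG rules are not misread. `aws_egress_only_internet_gateway.egress_ipv6` is defined outside this hunk and I have not checked it.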
@@ -40,3 +50,7 @@ output "lb_subnet_availability_zones" {
 output "lb_subnet_cidrs" {
 value = ["${aws_subnet.lb_subnets.*.cidr_block}"]
 }
+
+output "lb_subnet_ipv6_cidrs" {
+ value = var.dualstack ? aws_subnet.lb_subnets.*.ipv6_cidr_block : null
+}
diff --git a/terraform/aws/templates/ssl_certificate.tf b/terraform/aws/templates/ssl_certificate.tf
index bcd17809e..ccbca0d17 100644
--- a/terraform/aws/templates/ssl_certificate.tf
+++ b/terraform/aws/templates/ssl_certificate.tf
@@ -11,11 +11,11 @@ variable "ssl_certificate_private_key" {
 }
 resource "aws_iam_server_certificate" "lb_cert" {
- name_prefix = "${var.short_env_id}"
+ name_prefix = var.short_env_id
- certificate_body = "${var.ssl_certificate}"
- certificate_chain = "${var.ssl_certificate_chain}"
- private_key = "${var.ssl_certificate_private_key}"
+ certificate_body = var.ssl_certificate
+ certificate_chain = var.ssl_certificate_chain
+ private_key = var.ssl_certificate_private_key
 lifecycle {
 create_before_destroy = true
diff --git a/terraform/aws/templates/vpc.tf b/terraform/aws/templates/vpc.tf
index 6167570e8..f62bbb41d 100644
--- a/terraform/aws/templates/vpc.tf
+++ b/terraform/aws/templates/vpc.tf
@@ -5,15 +5,16 @@ variable "existing_vpc_id" {
 }
 locals {
- vpc_count = "${length(var.existing_vpc_id) > 0 ? 0 : 1}"
- vpc_id = "${length(var.existing_vpc_id) > 0 ? var.existing_vpc_id : join(" ", aws_vpc.vpc.*.id)}"
+ vpc_count = length(var.existing_vpc_id) > 0 ? 0 : 1
+ vpc_id = length(var.existing_vpc_id) > 0 ? var.existing_vpc_id : join(" ", aws_vpc.vpc.*.id)
 }
 resource "aws_vpc" "vpc" {
- count = "${local.vpc_count}"
- cidr_block = "${var.vpc_cidr}"
- instance_tenancy = "default"
- enable_dns_hostnames = true
+ count = local.vpc_count
+ cidr_block = var.vpc_cidr
+ instance_tenancy = "default"
+ enable_dns_hostnames = true
+ assign_generated_ipv6_cidr_block = var.dualstack
 tags = {
 Name = "${var.env_id}-vpc"
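Review bot: `private_key = var.ssl_certificate_private_key` passes a TLS private key through a plain input variable, and unless that variable (declared above this hunk in ssl_certificate.tf, not visible here) is marked `sensitive = true`, its value is echoed in plan and apply output and in any CI log that prints variables. If the module's required Terraform version is at least 0.14 (the constraint is not in this diff), add `sensitive = true` to `variable "ssl_certificate_private_key"`; in any case the key still lands in the state file, so a comment on this resource, `# The private key is stored in Terraform state; keep the backend encrypted and access-restricted.`, is warranted.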
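Review bot: `assign_generated_ipv6_cidr_block = var.dualstack` only acts when this module creates the VPC; when `existing_vpc_id` is set, `vpc_count` is 0, nothing associates an IPv6 block with the existing VPC, and the subnets in lb_subnet.tf and isolation_segments.tf that index `aws_vpc.vpc[0].ipv6_cidr_block` fail at plan time with an index error rather than a readable message. Either reject `dualstack = true` together with a non-empty `existing_vpc_id` up front, or look the existing VPC up and expose a single local the subnets can use in both cases; the latter also lets you check that the existing VPC actually has an IPv6 CIDR before any subnet is planned. Sketch of the local (the existing `locals` block and `aws_vpc.vpc` stay as they are):

```hcl
data "aws_vpc" "existing" {
  count = local.vpc_count == 0 ? 1 : 0
  id    = var.existing_vpc_id
}

locals {
  # IPv6 CIDR of whichever VPC is in use; null when dualstack is off.
  # NOTE(review): an existing VPC with no IPv6 association yields "" here — guard callers.
  vpc_ipv6_cidr = var.dualstack ? (local.vpc_count == 0 ? data.aws_vpc.existing[0].ipv6_cidr_block : aws_vpc.vpc[0].ipv6_cidr_block) : null
}
```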