| author | Paul Buetow <paul@buetow.org> | 2023-12-23 02:04:50 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2023-12-23 02:05:09 +0200 |
| commit | 30178daecc274cbd90e77ad55d97e804fe02889a (patch) | |
| tree | cc7e22d50881b89d3ef322a820be26393c05bcb3 | |
| parent | 0e5ff097a9c5fae99813eddbed84c136eaafd551 (diff) | |
Initial IPv6
| -rw-r--r-- | Makefile | 1 | ||||
| -rw-r--r-- | README.md | 2 | ||||
| -rw-r--r-- | org-buetow-base/efs.tf | 8 | ||||
| -rw-r--r-- | org-buetow-base/network.tf | 73 | ||||
| -rw-r--r-- | org-buetow-ecs/nginxservice.tf | 14 | ||||
| -rw-r--r-- | org-buetow-elb/alb.tf | 28 | ||||
| -rw-r--r-- | org-buetow-nextcloud/lb.tf | 14 | ||||
| -rw-r--r-- | org-buetow-nextcloud/main.tf | 2 |
8 files changed, 97 insertions, 45 deletions
@@ -9,3 +9,4 @@ destroy:
 cd org-buetow-ecs && terraform destroy -auto-approve
 cd org-buetow-elb && terraform destroy -auto-approve
 cd org-buetow-bastion && terraform destroy -auto-approve
+recreate: destroy apply
@@ -4,10 +4,10 @@
 * Collect uprecords for my EC2 instances
 * Nextcloud and Bastion: Auto re-create in different AZ on failure.
-* Backup EFS, don't let `terraform destroy` erease all my data!
 * Input variables, for configuring different service hosts.
 * Enable IPv6
 * Use Bastion host to connect to other EC2 instances (internal DNS?)
+* Backup EFS, don't let `terraform destroy` erease all my data!
 ## Create base environment
diff --git a/org-buetow-base/efs.tf b/org-buetow-base/efs.tf
index 0e916ec..8ef5930 100644
--- a/org-buetow-base/efs.tf
+++ b/org-buetow-base/efs.tf
@@ -1,6 +1,14 @@
 resource "aws_efs_file_system" "self_hosted_services_efs" {
 creation_token = "self-hosted-services-efs"
 encrypted = true
+
+ # backup_policy {
+ # status = "ENABLED"
+ #}
+
+ tags = {
+ Name = "self-hosted-services"
+ }
 }
 resource "aws_efs_mount_target" "efs_mt_a" {
diff --git a/org-buetow-base/network.tf b/org-buetow-base/network.tf
index a128569..86f3dfb 100644
--- a/org-buetow-base/network.tf
+++ b/org-buetow-base/network.tf
@@ -2,6 +2,8 @@ resource "aws_vpc" "vpc" {
 cidr_block = "10.0.0.0/16" # Specify your CIDR block
 enable_dns_support = true
 enable_dns_hostnames = true
+
+ assign_generated_ipv6_cidr_block = true
 }
 resource "aws_internet_gateway" "igw" {
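Review bot: `recreate: destroy apply` relies on prerequisite order, which GNU make only guarantees for a serial run; under `make -j` the `destroy` and `apply` targets can run concurrently, so `apply` may start while `terraform destroy -auto-approve` is still tearing the stacks down. A recipe that sequences them explicitly, `recreate:` followed by the two tab-indented commands `$(MAKE) destroy` and `$(MAKE) apply`, keeps the intent under any job count. Since the target is destructive and inherits `-auto-approve` from `destroy`, a one-line comment above the rule stating that it wipes every stack without a prompt would help anyone tab-completing targets.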
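Review bot: The `backup_policy` block is added commented out, so the file system still has no AWS Backup policy and nothing in the resource stops `terraform destroy` from deleting it, which is exactly the open item the README in this same commit moves to the bottom of its list. If enabling the policy is deferred on purpose, a `lifecycle { prevent_destroy = true }` block on `aws_efs_file_system.self_hosted_services_efs` is an independent guard that makes any plan containing the deletion fail; the `recreate` target added to the Makefile in this commit runs `destroy` with `-auto-approve` and would otherwise remove the volume without a prompt. `encrypted = true` with no `kms_key_id` means the AWS-managed EFS key is used; if that is intended, a short comment saying so saves the next reader a lookup.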
@@ -9,24 +11,30 @@ resource "aws_internet_gateway" "igw" {
 }
 resource "aws_subnet" "public_subnet_a" {
- vpc_id = aws_vpc.vpc.id
- cidr_block = "10.0.1.0/24"
- availability_zone = "eu-central-1a"
- map_public_ip_on_launch = true
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = "10.0.1.0/24"
+ assign_ipv6_address_on_creation = true
+ ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 1)
+ availability_zone = "eu-central-1a"
+ map_public_ip_on_launch = true
 }
 resource "aws_subnet" "public_subnet_b" {
- vpc_id = aws_vpc.vpc.id
- cidr_block = "10.0.2.0/24"
- availability_zone = "eu-central-1b"
- map_public_ip_on_launch = true
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = "10.0.2.0/24"
+ assign_ipv6_address_on_creation = true
+ ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 2)
+ availability_zone = "eu-central-1b"
+ map_public_ip_on_launch = true
 }
 resource "aws_subnet" "public_subnet_c" {
- vpc_id = aws_vpc.vpc.id
- cidr_block = "10.0.3.0/24"
- availability_zone = "eu-central-1c"
- map_public_ip_on_launch = true
+ vpc_id = aws_vpc.vpc.id
+ cidr_block = "10.0.3.0/24"
+ assign_ipv6_address_on_creation = true
+ ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 3)
+ availability_zone = "eu-central-1c"
+ map_public_ip_on_launch = true
 }
 resource "aws_route_table" "route_table" {
@@ -36,6 +44,11 @@ resource "aws_route_table" "route_table" {
 cidr_block = "0.0.0.0/0"
 gateway_id = aws_internet_gateway.igw.id
 }
+
+ route {
+ ipv6_cidr_block = "::/0"
+ gateway_id = aws_internet_gateway.igw.id
+ }
 }
 resource "aws_route_table_association" "a" {
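Review bot: `assign_ipv6_address_on_creation = true` on all three subnets, together with the `::/0` route to the internet gateway added in the route-table hunk of this same file, gives every instance launched here a globally routable IPv6 address with no NAT in front of it, so inbound reachability over v6 rests on security groups alone. That is consistent with these being public subnets, but it deserves a comment on each subnet, e.g. `# IPv6 addresses here are public and routed via the IGW; only the security group limits inbound reachability`, because the consequence is less visible than the v4 `map_public_ip_on_launch` flag next to it. Any security group in the other stacks that still lists only `cidr_blocks` (none are visible in this diff) matches no v6 traffic in either direction, so those instances will get v6 addresses but no v6 egress until their egress rule also carries `ipv6_cidr_blocks`; the route-table resource block starts before its hunk.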
@@ -72,31 +85,35 @@ resource "aws_security_group" "allow_web" {
 vpc_id = aws_vpc.vpc.id
 ingress {
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 ingress {
- from_port = 8080
- to_port = 8080
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 8080
+ to_port = 8080
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 ingress {
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 }
diff --git a/org-buetow-ecs/nginxservice.tf b/org-buetow-ecs/nginxservice.tf
index da88488..878c929 100644
--- a/org-buetow-ecs/nginxservice.tf
+++ b/org-buetow-ecs/nginxservice.tf
@@ -1,4 +1,4 @@
-resource "aws_route53_record" "a_record" {
+resource "aws_route53_record" "a_record_nginx" {
 zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
 name = "nginx.buetow.cloud."
 type = "A"
@@ -10,6 +10,18 @@ resource "aws_route53_record" "a_record" {
 }
 }
+resource "aws_route53_record" "aaaa_record_nginx" {
+ zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
+ name = "nginx.buetow.cloud."
+ type = "AAAA"
+
+ alias {
+ name = data.terraform_remote_state.elb.outputs.alb_dns_name
+ zone_id = data.terraform_remote_state.elb.outputs.alb_zone_id
+ evaluate_target_health = true
+ }
+}
+
 resource "aws_ecs_task_definition" "nginx" {
 family = "nginx"
 network_mode = "awsvpc"
diff --git a/org-buetow-elb/alb.tf b/org-buetow-elb/alb.tf
index b8a4504..c02dd8f 100644
--- a/org-buetow-elb/alb.tf
+++ b/org-buetow-elb/alb.tf
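Review bot: `allow_web` now accepts TCP 80, 8080 and 443 from `::/0` as well as `0.0.0.0/0`, and because the subnets in this commit hand every instance a public IPv6 address, each of these ports is now reachable from the internet over two stacks instead of one. If 8080 is only meant to be reached through the ALB (the listener and target wiring are not in this hunk), an ingress rule that references the ALB security group instead of the two wildcard ranges keeps it off the public internet on both stacks; `alb_sg` lives in the elb stack, so its id would need to be exported through remote state the way `vpc_id` already is. The egress block's new `ipv6_cidr_blocks = ["::/0"]` is what actually enables outbound v6 for these instances, which is worth a one-line comment since the `protocol = "-1"` block otherwise reads as a mechanical copy of the v4 rule.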
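Review bot: The new `aaaa_record_nginx` alias only resolves to addresses if the ALB it points at is dual-stack; nothing in this diff sets `ip_address_type = "dualstack"` on `aws_lb.alb` in alb.tf (that resource block begins before its hunk, so it may already be set there), and Route 53 answers an alias AAAA record for an IPv4-only load balancer with no addresses, which makes the v6 part of this commit a silent no-op for clients. The same dependency applies to `aaaa_record` in lb.tf. A comment on both records, `# alias AAAA only resolves if aws_lb.alb uses ip_address_type = "dualstack"`, would make the cross-stack requirement explicit.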
@@ -8,31 +8,33 @@ resource "aws_lb" "alb" {
 data.terraform_remote_state.base.outputs.public_subnet_b_id,
 data.terraform_remote_state.base.outputs.public_subnet_c_id,
 ]
- enable_deletion_protection = false
 }
 resource "aws_security_group" "alb_sg" {
 vpc_id = data.terraform_remote_state.base.outputs.vpc_id
 ingress {
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 ingress {
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
 }
 }
diff --git a/org-buetow-nextcloud/lb.tf b/org-buetow-nextcloud/lb.tf
index e6d4ef9..ef5bf96 100644
--- a/org-buetow-nextcloud/lb.tf
+++ b/org-buetow-nextcloud/lb.tf
@@ -1,6 +1,6 @@
 resource "aws_route53_record" "a_record" {
 zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
- name = "nextcloud.buetow.cloud."
+ name = "next.buetow.cloud."
 type = "A"
 alias {
@@ -10,6 +10,18 @@ resource "aws_route53_record" "a_record" {
 }
 }
+resource "aws_route53_record" "aaaa_record" {
+ zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
+ name = "next.buetow.cloud."
+ type = "AAAA"
+
+ alias {
+ name = data.terraform_remote_state.elb.outputs.alb_dns_name
+ zone_id = data.terraform_remote_state.elb.outputs.alb_zone_id
+ evaluate_target_health = true
+ }
+}
+
 resource "aws_lb_target_group" "nextcloud_tg" {
 name = "nextcloud-tg"
 port = 80
diff --git a/org-buetow-nextcloud/main.tf b/org-buetow-nextcloud/main.tf
index a7130d4..bbb66d1 100644
--- a/org-buetow-nextcloud/main.tf
+++ b/org-buetow-nextcloud/main.tf
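Review bot: Removing `enable_deletion_protection = false` from `aws_lb.alb` leaves the value at the provider default, which is also false, so the ALB still has no deletion guard; given that this commit also adds a `recreate` Makefile target that destroys every stack with `-auto-approve`, stating the choice explicitly is clearer than relying on the default, whichever way it goes. If it is dropped because `recreate` needs the ALB to be destroyable, a comment such as `# deletion protection intentionally off: the Makefile recreate target destroys this stack` records that. The `aws_lb` resource block starts before this hunk.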
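Review bot: Renaming the A record from `nextcloud.buetow.cloud.` to `next.buetow.cloud.` is unrelated to the IPv6 work the commit title describes and is the one change here that alters a live endpoint: the old record is destroyed on apply, and anything pinned to the old name — the ALB listener certificate's SANs and Nextcloud's `trusted_domains` setting, neither visible in this diff — stops matching the URL users now reach. Either mention the rename in the commit message or split it into its own commit. A comment on the record, `# hostname must match the ALB certificate and Nextcloud trusted_domains`, would also stop it from being changed casually later.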
@@ -35,7 +35,7 @@ resource "aws_instance" "nextcloud" {
 }
 }
-resource "aws_route53_record" "nextcloud_ec2_aws_buetow_org" {
+resource "aws_route53_record" "nextcloud_ec2_buetow_cloud" {
 zone_id = data.terraform_remote_state.base.outputs.buetow_cloud_zone_id
 name = "nextcloud-ec2.buetow.cloud"
 type = "A" |
