forked fromCoalfire-CF/terraform-aws-ec2
- Notifications
You must be signed in to change notification settings - Fork0
Coalfire AWS ec2 Terraform Module
NotificationsYou must be signed in to change notification settings
CiscoOpsStack/terraform-aws-ec2-ops_stack
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
The EC2 general purpose module creates an EC2 instance for your project. Configuration for the EC2 instance includes networking, storage, IAM, and tags.
In order to assign multiple ENIs to a single instance using this module, the "instance_count" variable must be set to 1.
Resources that are created as a part of this module include:
- EC2 instance
- Elastic IP
- Network interface attachment
- IAM role
- IAM instance profile
- KMS RBAC grant
- AWS security group
- Target group attachment
This is an example of how to create an EC2 instance using this module, with generic variables.
module"ec2_test" {source="github.com/Coalfire-CF/terraform-aws-ec2"name=var.instance_nameami=data.aws_ami.ami.idec2_instance_type=var.instance_sizeinstance_count=var.instance_countvpc_id=aws_vpc.main.idsubnet_ids=var.subnet_idsec2_key_pair=var.key_nameebs_kms_key_arn=data.terraform_remote_state.kms.outputs.ebs_kms_key_arn# Storageroot_volume_size=var.instance_volume_size# Security Group Rulesingress_rules={"rdp"= { ip_protocol="tcp" from_port="3389" to_port="3389" cidr_ipv4= var.cidr_for_remote_access description="RDP" } }egress_rules={"allow_all_egress"= { ip_protocol="-1" from_port="0" to_port="0" cidr_ipv4="0.0.0.0/0" description="Allow all egress" } }# Taggingglobal_tags={}}
user_data = templatefile("${path.module}/../../shellscripts/linux/ud-os-join-ad.sh", { aws_region = var.aws_region domain_name = local.domain_name dom_disname = local.dom_disname ou_env = var.lin_prod_ou_env linux_admins_ad_group = var.linux_admins_ad_group domain_join_user_name = var.domain_join_user_name sm_djuser_path = "${var.ad_secrets_path}${var.domain_join_user_name}" is_asg = "false" })Ingress Rules:
ingress_rules = { "rdp" = { ip_protocol = "tcp" from_port = "3389" to_port = "3389" cidr_ipv4 = var.cidr_for_remote_access description = "RDP" } }Egress Rules:
egress_rules = { "allow_all_egress" = { ip_protocol = "-1" from_port = "0" to_port = "0" cidr_ipv4 = "0.0.0.0/0" description = "Allow all egress" } }iam_policies = [aws_iam_policy.test_policy_1.arn, ...]The root ebs volume is handled with the below variables:
However, if additional ebs volumes are required, you can use the below variable:
ebs_block_devices = [ { device_name = "/dev/sdf" volume_size = "50" volume_type = "gp2" }, ... ]The module also supports attaching a security group or IAM Profile from another instance within the same directory. Let's take an example:AD1 creates a security group that can be used by both AD1 and AD2. So, the AD2 module should use the output of the AD1 module to assign the existing security group. Note, AD2 would now have a dependency on AD1.As shown below, the "additional_security_groups" variable can be used for this purpose.
module "ad2" { source = "github.com/Coalfire-CF/terraform-aws-ec2" name = "dc2" ami = "ami-XXXXXX" ec2_instance_type = "m5a.large" ec2_key_pair = var.key_name root_volume_size = "50" subnet_ids = [data.terraform_remote_state.network-mgmt.outputs.private_subnets[X]] vpc_id = data.terraform_remote_state.network-mgmt.outputs.vpc_id private_ip = "${var.ip_network_mgmt}.${var.directory_ip_2}" iam_profile = module.ad1.iam_profile additional_security_groups = [module.ad1.sg_id]}| Name | Version |
|---|---|
| terraform | >=1.5 |
| aws | >= 5.15.0, < 6.0 |
| Name | Version |
|---|---|
| aws | 5.90.0 |
| Name | Source | Version |
|---|---|---|
| security_group | github.com/Coalfire-CF/terraform-aws-securitygroup | b6e9070a3f6201d75160c42a3f649d36cb9b2622 |
| Name | Type |
|---|---|
| aws_ebs_volume.this | resource |
| aws_eip.eip | resource |
| aws_eip_association.eip_attach | resource |
| aws_iam_instance_profile.this_profile | resource |
| aws_iam_role.this_role | resource |
| aws_iam_role_policy_attachment.iam_policy_attach | resource |
| aws_iam_role_policy_attachment.ssm_role_policy_attach | resource |
| aws_instance.this | resource |
| aws_kms_grant.kms_key_grant | resource |
| aws_lb_target_group_attachment.target_group_attachment | resource |
| aws_network_interface_attachment.eni_attachment | resource |
| aws_network_interface_sg_attachment.additional | resource |
| aws_volume_attachment.this | resource |
| aws_ec2_instance_type.this | data source |
| aws_iam_policy.AmazonSSMManagedInstanceCore | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| add_SSMManagedInstanceCore | Whether or not to apply the SSMManagedInstanceCore to the IAM role | bool | true | no |
| additional_eni_ids | This variable allows for an ec2 instance to have multiple ENIs. Instance count must be set to 1 | list(string) | [] | no |
| additional_security_groups | A list of additional security groups to attach to the network interfaces | list(string) | [] | no |
| ami | ID of AMI to use for the instance | string | n/a | yes |
| associate_eip | Whether or not to associate an Elastic IP | bool | false | no |
| associate_public_ip | Whether or not to associate a public IP (not EIP) | bool | false | no |
| assume_role_policy | Policy document allowing Principals to assume this role (e.g. Trust Relationship) | string | "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n },\n \"Effect\": \"Allow\",\n \"Sid\": \"\"\n }\n ]\n}\n" | no |
| ebs_kms_key_arn | The ARN of the KMS key to encrypt EBS volumes | string | n/a | yes |
| ebs_optimized | Whether or not the instance is ebs optimized | bool | true | no |
| ebs_volumes | A list of maps that must contain device_name (ex. '/dev/sdb') and size (in GB). Optional args include type, throughput, iops, multi_attach_enabled, final_snapshot, snapshot_id, outpost_arn, force_detach, skip_destroy, stop_instance_before_detaching, and tags | list(object({ | [] | no |
| ec2_instance_type | The type of instance to start | string | n/a | yes |
| ec2_key_pair | The key name to use for the instance | string | n/a | yes |
| egress_rules | The list of rules for egress traffic. Required fields for each rule are 'protocol', 'from_port', 'to_port', and at least one of 'cidr_blocks', 'ipv6_cidr_blocks', 'security_groups', 'self', or 'prefix_list_sg'. Optional fields are 'description' and those not used from the previous list | map(object({ | {} | no |
| get_password_data | Whether or not to allow retrieval of the local admin password | bool | false | no |
| global_tags | a map of strings that contains global level tags | map(string) | n/a | yes |
| http_tokens | Whether or not the metadata service requires session tokens, required=IMDSv2, optional=IMDSv1 | any | "required" | no |
| iam_policies | A list of the iam policy ARNs to attach to the IAM role | list(string) | [] | no |
| iam_profile | A variable to attach an existing iam profile to the ec2 instance(s) created | string | "" | no |
| ingress_rules | The list of rules for ingress traffic. Required fields for each rule are 'protocol', 'from_port', 'to_port', and at least one of 'cidr_blocks', 'ipv6_cidr_blocks', 'security_groups', 'self', or 'prefix_list_sg'. Optional fields are 'description' and those not used from the previous list | map(object({ | {} | no |
| instance_count | Number of instances to launch | number | 1 | no |
| keys_to_grant | A list of kms keys to grant permissions to for the role created. | list(string) | [] | no |
| name | The name of the ec2 instance | string | n/a | yes |
| private_ip | The private ip for the instance | string | null | no |
| root_volume_size | The size of the root ebs volume on the ec2 instances created | string | n/a | yes |
| root_volume_type | The type of the root ebs volume on the ec2 instances created | string | "gp3" | no |
| sg_description | This overwrites the default generated description for the security group | string | "Managed by Terraform" | no |
| source_dest_check | Whether or not source/destination check should be enabled for the primary network interface | bool | true | no |
| subnet_ids | A list of the subnets to be used when provisioning ec2 instances. If instance count is 1, only the first subnet will be used | list(string) | n/a | yes |
| tags | A mapping of tags to assign to the resource | map(string) | {} | no |
| target_group_arns | A list of aws_alb_target_group ARNs, for use with Application Load Balancing | list(string) | [] | no |
| user_data | The User Data script to run | string | null | no |
| user_data_base64 | Can be used instead of user_data to pass base64-encoded binary data directly. Use this instead of user_data whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption | string | null | no |
| user_data_replace_on_change | When used in combination with user_data or user_data_base64 will trigger a destroy and recreate when set to true. Defaults to false if not set | bool | null | no |
| vpc_id | The id of the vpc where resources are being created | string | n/a | yes |
| Name | Description |
|---|---|
| iam_profile | The name of the iam profile created in the module |
| iam_role_arn | The AWS IAM Role arn created |
| iam_role_name | The AWS IAM Role arn created |
| instance_id | The AWS Instance id created |
| network_interface_id | The network interface ID for the AWS instance |
| primary_private_ip_addresses | A list of the primary private IP addesses assigned to the ec2 instance |
| sg_id | The id of the security group created |
| tags | List of tags of instances |
If you're interested in contributing to our projects, please review theContributing Guidelines. And send an email toour team to receive a copy of our CLA and start the onboarding process.
Copyright © 2023 Coalfire Systems Inc.
About
Coalfire AWS ec2 Terraform Module
Resources
Contributing
Uh oh!
There was an error while loading.Please reload this page.
Stars
Watchers
Forks
Packages0
No packages published
Uh oh!
There was an error while loading.Please reload this page.
Languages
- HCL100.0%