How To Create A Secure VPC using Terraform

In this blog we are going to configure high availability and secure VPC and will launch EC2 Instances which will communicate each others.

Below is the diagram of what we are planning to do. We will create an architecture with the following AWS resources.

• One VPC
• Two public subnets
• Two private subnets
• Two security groups
• One internet gateway
• One Elastic IP address
• One NAT gateway
• Two EC2 instances

.tf file structure shown below.

1. provider.tf
2. vpc.tf
3. public-subnet.tf
4. private-subnet.tf
5. internet-gateway.tf
6. nat-gateway.tf
7. route-tables.tf
8. route-associations.tf
9. security-groups.tf
10. ssh-key.tf
11. instances.tf
12. vars.tf

Step 1 – Create a AWS Provider – provider.tf

terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 4.0" } } } provider "aws" { region = "eu-west-2" access_key = "put-your-access-key" secret_key = "put-your-secret-key" }

Step 2 – Create a simple VPC configuration – vpc.tf

resource "aws_vpc" "demo_vpc_1" { cidr_block = var.DEMO_VPC_CIDR_BLOCK instance_tenancy = "default" enable_dns_support = "true" enable_dns_hostnames = "true" tags = { Name = var.DEMO_VPC_NAME } }

Let’s quickly look at what we are trying to achieve

• CIDR Block is provided as a variable. Refer to the whole section of cidr blocks above.
• instance_tenancy – Tells AWS that we want to create our EC2 instances on shared infrastructure by default.
• enable_dns_support – This when set to true means that AWS Route 53 to resolve the hostnames to correct IP addresses.
• enable_dns_hostnames – This means AWS will provide the EC2 instance with a public address with a public hostname based on IP address.
• Name – This is a special tag which gives name to the VPC.

Step 3 – Create private subnets – private-subnets.tf

For the purpose of this blog entry we will create two private subnets

# private subnets 1 resource "aws_subnet" "main-private-1" { cidr_block = var.DEMO_PRIVATE_SUBNETS["eu-west-2a"] vpc_id = aws_vpc.demo_vpc_1.id map_public_ip_on_launch = "false" availability_zone = "eu-west-2a" tags = { Name = var.DEMO_PRIVATE_SUBNET_NAMES["eu-west-2a"] } } # private subnets 2 resource "aws_subnet" "main-private-2" { cidr_block = var.DEMO_PRIVATE_SUBNETS["eu-west-2b"] vpc_id = aws_vpc.demo_vpc_1.id map_public_ip_on_launch = "false" availability_zone = "eu-west-2b" tags = { Name = var.DEMO_PRIVATE_SUBNET_NAMES["eu-west-2b"] } }

Step 4 – Create public subnets – public-subnets.tf

# public subnets 1 resource "aws_subnet" "main-public-1" { cidr_block = var.DEMO_PUBLIC_SUBNETS["eu-west-2a"] vpc_id = aws_vpc.demo_vpc_1.id map_public_ip_on_launch = "true" availability_zone = "eu-west-2a" tags = { Name = var.DEMO_PUBLIC_SUBNET_NAMES["eu-west-2a"] } } # public subnets 2 resource "aws_subnet" "main-public-2" { cidr_block = var.DEMO_PUBLIC_SUBNETS["eu-west-2b"] vpc_id = aws_vpc.demo_vpc_1.id map_public_ip_on_launch = "true" availability_zone = "eu-west-2b" tags = { Name = var.DEMO_PUBLIC_SUBNET_NAMES["eu-west-2b"] } }

Step 5 – Create internet gateway – internet-gateway.tf

resource "aws_internet_gateway" "demo_igw" { vpc_id = aws_vpc.demo_vpc_1.id tags = { Name = var.DEMO_IGW_NAME } }

Step 6 – Create NAT gateway – nat-gateway.tf

################# Create an elastic IP address ######################## resource "aws_eip" "demo-eip-for-nat-gateway" { vpc = true tags = { Name = "EIP-for-NAT-Gateway" } } ################# Create The NAT gateway ######################## resource "aws_nat_gateway" "demo-nat-gateway" { allocation_id = aws_eip.demo-eip-for-nat-gateway.id subnet_id = aws_subnet.main-public-1.id depends_on = [aws_internet_gateway.demo_igw] tags = { Name = var.DEMO_NAT_NAME } }

Creation of NAT gateway is a slightly more involved process as it requires a public IP address. It requires us to do the following

• Create an elastic IP address
• Create the NAT gateway
• Assign a public IP address
• Assign a public subnet
• Associate an internet gateway to access the internet

Step 7 – Create route tables – route-tables.tf

################# Public RouteTable ######################## resource "aws_route_table" "demo-public-RT" { vpc_id = aws_vpc.demo_vpc_1.id route { cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.demo_igw.id } tags = { Name = var.DEMO_PUBLIC_RTNAME } } ################# Private RouteTable ######################## resource "aws_route_table" "demo-private-RT" { vpc_id = aws_vpc.demo_vpc_1.id route { cidr_block = "0.0.0.0/0" nat_gateway_id = aws_nat_gateway.demo-nat-gateway.id } tags = { Name = var.DEMO_PRIVATE_RTNAME } }

Step 8 – Associate routes with subnets – route-associations.tf

################# Public Route Association for 1 & 2 ######################## resource "aws_route_table_association" "demo_public_1_RTA" { subnet_id = aws_subnet.main-public-1.id route_table_id = aws_route_table.demo-public-RT.id } resource "aws_route_table_association" "demo_public_2_RTA" { subnet_id = aws_subnet.main-public-2.id route_table_id = aws_route_table.demo-public-RT.id } ################# Private Route Association 1 & 2 ######################## resource "aws_route_table_association" "demo_private_1_RTA" { subnet_id = aws_subnet.main-private-1.id route_table_id = aws_route_table.demo-private-RT.id } resource "aws_route_table_association" "demo_private_2_RTA" { subnet_id = aws_subnet.main-private-2.id route_table_id = aws_route_table.demo-private-RT.id }

Each subnet is now associated with a route via a route association resource.

• Public subnets are assigned Internet gateway. It means all the resources in the public subnet will be accessiable from the internet for the servers given in CIDR range for the internet gateway.
• Privates subnets are assigned NAT Gateway if their resource need to access internet but no servers on the internet would be able to access the resources inside the subnet.

Step 9 – Create security groups for EC2 instances – security-groups.tf

The security groups are configured in such a way that. The security group have the following configuration

Only resources inside of the public security group would be able to access the resources inside the private security group.
Both security groups only allow SSH connections.
Resources inside public security group can be accessed from a certain public IP address

resource "aws_security_group" "demo_sg_for_instances" { name = "demo_sg_for_instances" description = "Allow TLS inbound traffic" vpc_id = aws_vpc.demo_vpc_1.id ingress { description = "For HTTP" from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ingress { description = "FOR SSH" from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = var.DEMO_SG_OF_SSH_CIDR_BLOCKS } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } tags = { Name = "demo_sg_for_instances" } }

Step 10 – Create SSH file – ssh-key.tf

resource "aws_key_pair" "demo_key_file" { key_name = var.DEMO_KEY_FILE_NAME public_key = file("~/.ssh/id_rsa.pub") tags = { Name = var.DEMO_KEY_FILE_NAME } }

Step 11 – Create EC2 instances – instances.tf


Finally, the last step is to create EC2 instances which will reside inside the subnets of the VPC and would be associated with security groups.

resource "aws_instance" "demo_public_instance" { ami = "ami-0fc841be1f929d7d1" instance_type = "t3.micro" subnet_id = aws_subnet.main-public-1.id disable_api_termination = true key_name = var.DEMO_KEY_FILE_NAME vpc_security_group_ids = [aws_security_group.demo_sg_for_instances.id] tags = { Name = var.DEMO_PUBLIC_EC2_NAME } } resource "aws_instance" "demo_private_instance" { ami = "ami-0fc841be1f929d7d1" instance_type = "t3.micro" subnet_id = aws_subnet.main-private-1.id disable_api_termination = true key_name = var.DEMO_KEY_FILE_NAME vpc_security_group_ids = [aws_security_group.demo_sg_for_instances.id] tags = { Name = var.DEMO_PRIVATE_EC2_NAME } }

Step 12 – Create A variable file – vars.tf

################# Variable For VPC ######################## variable "DEMO_VPC_CIDR_BLOCK" { default = "10.0.0.0/16" } variable "DEMO_VPC_NAME" { default = "demo-vpc-1" } ################# Variable For Public Subnet ######################## variable "DEMO_PUBLIC_SUBNETS" { type = map default = { "eu-west-2a" : "10.0.1.0/24" "eu-west-2b" : "10.0.2.0/24" } } variable "DEMO_PUBLIC_SUBNET_NAMES" { type = map default = { "eu-west-2a" : "main-public-1" "eu-west-2b" : "main-public-2" } } ################# Variable For Private Subnet ######################## variable "DEMO_PRIVATE_SUBNETS" { type = map default = { "eu-west-2a" : "10.0.3.0/24" "eu-west-2b" : "10.0.4.0/24" } } variable "DEMO_PRIVATE_SUBNET_NAMES" { type = map default = { "eu-west-2a" : "main-private-1" "eu-west-2b" : "main-private-2" } } ################# Variable For InterNet Gateway ######################## variable "DEMO_IGW_NAME" { type = string default = "Demo InterNet Gateway" } ################# Variable For NAT Gateway ######################## variable "DEMO_NAT_NAME" { type = string default = "Demo Nat Gateway" } ################# Variable For Public RouteTable ######################## variable "DEMO_PUBLIC_RTNAME" { type = string default = "public route table" } ################# Variable For Private RouteTable ######################## variable "DEMO_PRIVATE_RTNAME" { type = string default = "private route table" } ################# Variable For Security Group For SSH ######################## variable "DEMO_SG_OF_SSH_CIDR_BLOCKS" { type = list(string) default = ["122.160.66.86/32"] } ################# Variable For PEM file ######################## variable "DEMO_KEY_FILE_NAME" { type = string default = "demo-pem-file-for-ec2" } ################# Variable For EC2 Instances ######################## variable "DEMO_PRIVATE_EC2_NAME" { type = string default = "My Private Instance" } variable "DEMO_PUBLIC_EC2_NAME" { type = string default = "My Public Instance"

Demo :

Step 1 – Run terraform init/validate/plan/apply Commands
Step 2 – SSH into the public instance
Step 3 – SSH into private instance from public instance