diff --git a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
index 4ad2a0d..c62a2af 100644
--- a/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling-dual-subnet/main.tf
@@ -1,16 +1,41 @@
 locals {
 name = "example-${basename(path.cwd)}"
- tags = {
+ aws_tags = {
 Name = local.name
 }
+
+ tailscale_acl_tags = [
+ "tag:example-infra",
+ "tag:example-exitnode",
+ "tag:example-subnetrouter",
+ "tag:example-appconnector",
+ ]
+ tailscale_set_preferences = [
+ "--auto-update",
+ "--ssh",
+ "--advertise-connector",
+ "--advertise-exit-node",
+ "--advertise-routes=${join(",", [
+ local.vpc_cidr_block,
+ ])}",
+ ]
+
+ // Modify these to use your own VPC
+ vpc_cidr_block = module.vpc.vpc_cidr_block
+ vpc_id = module.vpc.vpc_id
+ subnet_id = module.vpc.public_subnets[0]
+ private_subnet_id = module.vpc.private_subnets[0]
+ security_group_ids = [aws_security_group.tailscale.id]
+ instance_type = "t4g.micro"
 }
+// Remove this to use your own VPC.
 module "vpc" {
 source = "../internal-modules/aws-vpc"
 name = local.name
- tags = local.tags
+ tags = local.aws_tags
 cidr = "10.0.80.0/22"
@@ -23,21 +48,16 @@ resource "tailscale_tailnet_key" "main" {
 preauthorized = true
 reusable = true
 recreate_if_invalid = "always"
- tags = [
- "tag:example-infra",
- "tag:example-exitnode",
- "tag:example-subnetrouter",
- "tag:example-appconnector",
- ]
+ tags = local.tailscale_acl_tags
 }
 resource "aws_network_interface" "primary" {
- subnet_id = module.vpc.public_subnets[0]
- security_groups = [module.vpc.tailscale_security_group_id]
- tags = merge(local.tags, { Name = "${local.name}-primary" })
+ subnet_id = local.subnet_id
+ security_groups = local.security_group_ids
+ tags = merge(local.aws_tags, { Name = "${local.name}-primary" })
 }
 resource "aws_eip" "primary" {
- tags = local.tags
+ tags = local.aws_tags
 }
 resource "aws_eip_association" "primary" {
 network_interface_id = aws_network_interface.primary.id
@@ -45,9 +65,9 @@ resource "aws_eip_association" "primary" {
 }
 resource "aws_network_interface" "secondary" {
- subnet_id = module.vpc.private_subnets[0]
- security_groups = [module.vpc.tailscale_security_group_id]
- tags = merge(local.tags, { Name = "${local.name}-secondary" })
+ subnet_id = local.private_subnet_id
+ security_groups = local.security_group_ids
+ tags = merge(local.aws_tags, { Name = "${local.name}-secondary" })
 source_dest_check = false
 }
@@ -56,8 +76,8 @@ module "tailscale_aws_ec2_autoscaling" {
 source = "../internal-modules/aws-ec2-autoscaling/"
 autoscaling_group_name = local.name
- instance_type = "t4g.micro"
- instance_tags = local.tags
+ instance_type = local.instance_type
+ instance_tags = local.aws_tags
 network_interfaces = [
 aws_network_interface.primary.id, # first NIC must be in PUBLIC subnet
@@ -65,17 +85,45 @@ module "tailscale_aws_ec2_autoscaling" {
 ]
 # Variables for Tailscale resources
- tailscale_hostname = local.name
- tailscale_auth_key = tailscale_tailnet_key.main.key
- tailscale_set_preferences = [
- "--auto-update",
- "--ssh",
- "--advertise-connector",
- "--advertise-exit-node",
- "--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}",
- ]
+ tailscale_hostname = local.name
+ tailscale_auth_key = tailscale_tailnet_key.main.key
+ tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
+ module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
+
+resource "aws_security_group" "tailscale" {
+ vpc_id = local.vpc_id
+ name = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 41641
+ to_port = 41641
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [local.vpc_cidr_block]
+}
diff --git a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
index e3e2ebd..4cb7dc8 100644
--- a/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling-session-recorder/main.tf
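Review bot: The new `aws_security_group.tailscale` is the only resource in this example without `tags = local.aws_tags`, and it also sets no `description`, so the provider default is applied; suggest `tags = local.aws_tags` (plus a one-line `description`) on the `aws_security_group` block. The identical security-group blocks added in aws-ec2-autoscaling-session-recorder/main.tf, aws-ec2-autoscaling/main.tf, aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf and aws-ec2-instance/main.tf have the same gap. `tailscale_ingress` admits UDP 41641 from `0.0.0.0/0` and `::/0` without explanation now that it lives in example code rather than the internal module; a comment such as `# UDP 41641: inbound direct (peer-to-peer) Tailscale connections; peers fall back to relays without it` lets readers decide whether their deployment needs the rule.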
@@ -1,16 +1,36 @@
 locals {
 name = "example-${basename(path.cwd)}"
- tags = {
+ aws_tags = {
 Name = local.name
 }
+
+ tailscale_acl_tags = [
+ "tag:example-infra",
+ ]
+ tailscale_set_preferences = [
+ "--auto-update",
+ "--ssh",
+ ]
+
+ // Modify these to use your own VPC
+ vpc_cidr_block = module.vpc.vpc_cidr_block
+ vpc_id = module.vpc.vpc_id
+ subnet_id = module.vpc.public_subnets[0]
+ security_group_ids = [aws_security_group.tailscale.id]
+ instance_type = "t4g.micro"
+ vpc_endpoint_route_table_ids = flatten([
+ module.vpc.public_route_table_ids,
+ module.vpc.private_route_table_ids,
+ ])
 }
+// Remove this to use your own VPC.
 module "vpc" {
 source = "../internal-modules/aws-vpc"
 name = local.name
- tags = local.tags
+ tags = local.aws_tags
 cidr = "10.0.80.0/22"
@@ -19,18 +39,15 @@ module "vpc" {
 }
 resource "aws_vpc_endpoint" "recorder" {
- vpc_id = module.vpc.vpc_id
- service_name = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3"
- route_table_ids = flatten([
- module.vpc.public_route_table_ids,
- module.vpc.private_route_table_ids,
- ])
- tags = local.tags
+ vpc_id = local.vpc_id
+ service_name = "com.amazonaws.${aws_s3_bucket.recorder.region}.s3"
+ route_table_ids = local.vpc_endpoint_route_table_ids
+ tags = local.aws_tags
 }
 resource "aws_s3_bucket" "recorder" {
 bucket_prefix = substr(local.name, 0, 37)
- tags = local.tags
+ tags = local.aws_tags
 force_destroy = true
 }
@@ -73,7 +90,7 @@ resource "aws_s3_bucket_policy" "recorder" {
 }
 resource "aws_iam_policy" "recorder" {
- tags = local.tags
+ tags = local.aws_tags
 policy = <<-EOT
 {
 "Version": "2012-10-17",
@@ -98,7 +115,7 @@ resource "aws_iam_policy" "recorder" {
 resource "aws_iam_user" "recorder" {
 name = local.name
- tags = local.tags
+ tags = local.aws_tags
 }
 resource "aws_iam_policy_attachment" "recorder" {
@@ -126,18 +143,16 @@ resource "tailscale_tailnet_key" "main" {
 preauthorized = true
 reusable = true
 recreate_if_invalid = "always"
- tags = [
- "tag:example-infra",
- ]
+ tags = local.tailscale_acl_tags
 }
 resource "aws_network_interface" "primary" {
- subnet_id = module.vpc.public_subnets[0]
- security_groups = [module.vpc.tailscale_security_group_id]
- tags = local.tags
+ subnet_id = local.subnet_id
+ security_groups = local.security_group_ids
+ tags = local.aws_tags
 }
 resource "aws_eip" "primary" {
- tags = local.tags
+ tags = local.aws_tags
 }
 resource "aws_eip_association" "primary" {
 network_interface_id = aws_network_interface.primary.id
@@ -148,18 +163,15 @@ module "tailscale_aws_ec2_autoscaling" {
 source = "../internal-modules/aws-ec2-autoscaling/"
 autoscaling_group_name = local.name
- instance_type = "t4g.micro"
- instance_tags = local.tags
+ instance_type = local.instance_type
+ instance_tags = local.aws_tags
 network_interfaces = [aws_network_interface.primary.id]
 # Variables for Tailscale resources
- tailscale_hostname = local.name
- tailscale_auth_key = tailscale_tailnet_key.main.key
- tailscale_set_preferences = [
- "--auto-update",
- "-ssh",
- ]
+ tailscale_hostname = local.name
+ tailscale_auth_key = tailscale_tailnet_key.main.key
+ tailscale_set_preferences = local.tailscale_set_preferences
 # # Set up Tailscale Session Recorder (tsrecorder)
@@ -178,6 +190,40 @@ module "tailscale_aws_ec2_autoscaling" {
 ]
 depends_on = [
- module.vpc.natgw_ids, # for private subnets - ensure NAT gateway is available before instance provisioning
+ module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
+
+resource "aws_security_group" "tailscale" {
+ vpc_id = local.vpc_id
+ name = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 41641
+ to_port = 41641
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [local.vpc_cidr_block]
+}
diff --git a/terraform/aws/aws-ec2-autoscaling/main.tf b/terraform/aws/aws-ec2-autoscaling/main.tf
index 1ceb9b2..45f84cb 100644
--- a/terraform/aws/aws-ec2-autoscaling/main.tf
+++ b/terraform/aws/aws-ec2-autoscaling/main.tf
@@ -1,16 +1,40 @@
 locals {
 name = "example-${basename(path.cwd)}"
- tags = {
+ aws_tags = {
 Name = local.name
 }
+
+ tailscale_acl_tags = [
+ "tag:example-infra",
+ "tag:example-exitnode",
+ "tag:example-subnetrouter",
+ "tag:example-appconnector",
+ ]
+ tailscale_set_preferences = [
+ "--auto-update",
+ "--ssh",
+ "--advertise-connector",
+ "--advertise-exit-node",
+ "--advertise-routes=${join(",", [
+ local.vpc_cidr_block,
+ ])}",
+ ]
+
+ // Modify these to use your own VPC
+ vpc_cidr_block = module.vpc.vpc_cidr_block
+ vpc_id = module.vpc.vpc_id
+ subnet_id = module.vpc.public_subnets[0]
+ security_group_ids = [aws_security_group.tailscale.id]
+ instance_type = "t4g.micro"
 }
+// Remove this to use your own VPC.
 module "vpc" {
 source = "../internal-modules/aws-vpc"
 name = local.name
- tags = local.tags
+ tags = local.aws_tags
 cidr = "10.0.80.0/22"
@@ -23,21 +47,16 @@ resource "tailscale_tailnet_key" "main" {
 preauthorized = true
 reusable = true
 recreate_if_invalid = "always"
- tags = [
- "tag:example-infra",
- "tag:example-exitnode",
- "tag:example-subnetrouter",
- "tag:example-appconnector",
- ]
+ tags = local.tailscale_acl_tags
 }
 resource "aws_network_interface" "primary" {
- subnet_id = module.vpc.public_subnets[0]
- security_groups = [module.vpc.tailscale_security_group_id]
- tags = local.tags
+ subnet_id = local.subnet_id
+ security_groups = local.security_group_ids
+ tags = local.aws_tags
 }
 resource "aws_eip" "primary" {
- tags = local.tags
+ tags = local.aws_tags
 }
 resource "aws_eip_association" "primary" {
 network_interface_id = aws_network_interface.primary.id
@@ -48,23 +67,51 @@ module "tailscale_aws_ec2_autoscaling" {
 source = "../internal-modules/aws-ec2-autoscaling/"
 autoscaling_group_name = local.name
- instance_type = "t4g.micro"
- instance_tags = local.tags
+ instance_type = local.instance_type
+ instance_tags = local.aws_tags
 network_interfaces = [aws_network_interface.primary.id]
 # Variables for Tailscale resources
- tailscale_auth_key = tailscale_tailnet_key.main.key
- tailscale_hostname = local.name
- tailscale_set_preferences = [
- "--auto-update",
- "--ssh",
- "--advertise-connector",
- "--advertise-exit-node",
- "--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}",
- ]
+ tailscale_auth_key = tailscale_tailnet_key.main.key
+ tailscale_hostname = local.name
+ tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
+ module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
+
+resource "aws_security_group" "tailscale" {
+ vpc_id = local.vpc_id
+ name = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 41641
+ to_port = 41641
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [local.vpc_cidr_block]
+}
diff --git a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
index 5ddb48d..0be5620 100644
--- a/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
+++ b/terraform/aws/aws-ec2-instance-dual-stack-ipv4-ipv6/main.tf
@@ -1,16 +1,40 @@
 locals {
 name = "example-${basename(path.cwd)}"
- tags = {
+ aws_tags = {
 Name = local.name
 }
+
+ tailscale_acl_tags = [
+ "tag:example-infra",
+ "tag:example-exitnode",
+ "tag:example-subnetrouter",
+ "tag:example-appconnector",
+ ]
+ tailscale_set_preferences = [
+ "--auto-update",
+ "--ssh",
+ "--advertise-connector",
+ "--advertise-exit-node",
+ "--advertise-routes=${join(",", [
+ local.vpc_cidr_block,
+ ])}",
+ ]
+
+ // Modify these to use your own VPC
+ vpc_cidr_block = module.vpc.vpc_cidr_block
+ vpc_id = module.vpc.vpc_id
+ subnet_id = module.vpc.public_subnets[0]
+ security_group_ids = [aws_security_group.tailscale.id]
+ instance_type = "t4g.micro"
 }
+// Remove this to use your own VPC.
 module "vpc" {
 source = "../internal-modules/aws-vpc"
 name = local.name
- tags = local.tags
+ tags = local.aws_tags
 cidr = "10.0.80.0/22"
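Review bot: The new `tailscale_set_preferences` local advertises only `local.vpc_cidr_block`, while the list it replaces further down this file (removed in the next hunk) also advertised `module.vpc.vpc_ipv6_cidr_block`; after this commit the dual-stack example no longer advertises the VPC's IPv6 range as a subnet route, which looks like an unintended regression for an example whose purpose is IPv6. Suggest adding `module.vpc.vpc_ipv6_cidr_block,` after `local.vpc_cidr_block,` inside the `join` list, or better a `vpc_ipv6_cidr_block = module.vpc.vpc_ipv6_cidr_block` local under the "Modify these to use your own VPC" comment so a user bringing their own VPC supplies both ranges in one place.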
@@ -25,41 +49,59 @@ resource "tailscale_tailnet_key" "main" {
 preauthorized = true
 reusable = true
 recreate_if_invalid = "always"
- tags = [
- "tag:example-infra",
- "tag:example-exitnode",
- "tag:example-subnetrouter",
- "tag:example-appconnector",
- ]
+ tags = local.tailscale_acl_tags
 }
 module "tailscale_aws_ec2" {
 source = "../internal-modules/aws-ec2-instance"
- instance_type = "t4g.micro"
- instance_tags = local.tags
+ instance_type = local.instance_type
+ instance_tags = local.aws_tags
- subnet_id = module.vpc.private_subnets[0]
- vpc_security_group_ids = [
- module.vpc.tailscale_security_group_id,
- ]
- ipv6_address_count = 1
+ subnet_id = local.subnet_id
+ vpc_security_group_ids = local.security_group_ids
+ ipv6_address_count = 1
 # Variables for Tailscale resources
- tailscale_hostname = local.name
- tailscale_auth_key = tailscale_tailnet_key.main.key
- tailscale_set_preferences = [
- "--auto-update",
- "--ssh",
- "--advertise-connector",
- "--advertise-exit-node",
- "--advertise-routes=${join(",", [
- module.vpc.vpc_cidr_block,
- module.vpc.vpc_ipv6_cidr_block,
- ])}",
- ]
+ tailscale_hostname = local.name
+ tailscale_auth_key = tailscale_tailnet_key.main.key
+ tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
+ module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
+
+resource "aws_security_group" "tailscale" {
+ vpc_id = local.vpc_id
+ name = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 41641
+ to_port = 41641
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [local.vpc_cidr_block]
+}
diff --git a/terraform/aws/aws-ec2-instance/main.tf b/terraform/aws/aws-ec2-instance/main.tf
index 47c6dd9..93e6771 100644
--- a/terraform/aws/aws-ec2-instance/main.tf
+++ b/terraform/aws/aws-ec2-instance/main.tf
@@ -1,16 +1,40 @@
 locals {
 name = "example-${basename(path.cwd)}"
- tags = {
+ aws_tags = {
 Name = local.name
 }
+
+ tailscale_acl_tags = [
+ "tag:example-infra",
+ "tag:example-exitnode",
+ "tag:example-subnetrouter",
+ "tag:example-appconnector",
+ ]
+ tailscale_set_preferences = [
+ "--auto-update",
+ "--ssh",
+ "--advertise-connector",
+ "--advertise-exit-node",
+ "--advertise-routes=${join(",", [
+ local.vpc_cidr_block,
+ ])}",
+ ]
+
+ // Modify these to use your own VPC
+ vpc_cidr_block = module.vpc.vpc_cidr_block
+ vpc_id = module.vpc.vpc_id
+ subnet_id = module.vpc.public_subnets[0]
+ security_group_ids = [aws_security_group.tailscale.id]
+ instance_type = "t4g.micro"
 }
+// Remove this to use your own VPC.
 module "vpc" {
 source = "../internal-modules/aws-vpc"
 name = local.name
- tags = local.tags
+ tags = local.aws_tags
 cidr = "10.0.80.0/22"
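Review bot: `subnet_id = local.subnet_id` resolves to `module.vpc.public_subnets[0]` in this file's new locals, whereas the removed line placed the instance in `module.vpc.private_subnets[0]`; the dual-stack instance therefore moves into a public subnet while `tailscale_ingress` below admits UDP 41641 from `0.0.0.0/0` and `::/0`, so this is an exposure change rather than a pure refactor. If the move is intended, a comment on the `subnet_id` local should say so; if not, `subnet_id = module.vpc.private_subnets[0]` in the locals restores the previous placement. Separately, the `internal_vpc_ingress_ipv6` rule this commit deletes from internal-modules/aws-vpc/main.tf (gated on `var.enable_ipv6`) is not recreated in any example, so this dual-stack security group now permits intra-VPC ingress only over IPv4; the rule below restores it using the `module.vpc.vpc_ipv6_cidr_block` output the removed preference list already referenced.
```hcl
# … unchanged: module "tailscale_aws_ec2" and the four security group resources added above …

resource "aws_security_group_rule" "internal_vpc_ingress_ipv6" {
  security_group_id = aws_security_group.tailscale.id
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  ipv6_cidr_blocks  = [module.vpc.vpc_ipv6_cidr_block]
}
```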
@@ -23,37 +47,58 @@ resource "tailscale_tailnet_key" "main" {
 preauthorized = true
 reusable = true
 recreate_if_invalid = "always"
- tags = [
- "tag:example-infra",
- "tag:example-exitnode",
- "tag:example-subnetrouter",
- "tag:example-appconnector",
- ]
+ tags = local.tailscale_acl_tags
 }
 module "tailscale_aws_ec2" {
 source = "../internal-modules/aws-ec2-instance"
- instance_type = "t4g.micro"
- instance_tags = local.tags
+ instance_type = local.instance_type
+ instance_tags = local.aws_tags
- subnet_id = module.vpc.public_subnets[0]
- vpc_security_group_ids = [
- module.vpc.tailscale_security_group_id,
- ]
+ subnet_id = local.subnet_id
+ vpc_security_group_ids = local.security_group_ids
 # Variables for Tailscale resources
- tailscale_hostname = local.name
- tailscale_auth_key = tailscale_tailnet_key.main.key
- tailscale_set_preferences = [
- "--auto-update",
- "--ssh",
- "--advertise-connector",
- "--advertise-exit-node",
- "--advertise-routes=${join(",", [module.vpc.vpc_cidr_block])}",
- ]
+ tailscale_hostname = local.name
+ tailscale_auth_key = tailscale_tailnet_key.main.key
+ tailscale_set_preferences = local.tailscale_set_preferences
 depends_on = [
- module.vpc.natgw_ids, # ensure NAT gateway is available before instance provisioning - primarily for private subnets
+ module.vpc.natgw_ids, # remove if using your own VPC otherwise ensure provisioned NAT gateway is available
 ]
 }
+
+resource "aws_security_group" "tailscale" {
+ vpc_id = local.vpc_id
+ name = local.name
+}
+
+resource "aws_security_group_rule" "tailscale_ingress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 41641
+ to_port = 41641
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "egress" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+}
+
+resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
+ security_group_id = aws_security_group.tailscale.id
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [local.vpc_cidr_block]
+}
diff --git a/terraform/aws/internal-modules/aws-vpc/main.tf b/terraform/aws/internal-modules/aws-vpc/main.tf
index c99e66e..e666fd8 100644
--- a/terraform/aws/internal-modules/aws-vpc/main.tf
+++ b/terraform/aws/internal-modules/aws-vpc/main.tf
@@ -30,48 +30,3 @@ module "vpc" {
 public_subnet_ipv6_prefixes = range(0, length(var.public_subnets))
 private_subnet_ipv6_prefixes = range(10, 10 + length(var.private_subnets))
 }
-
-resource "aws_security_group" "tailscale" {
- vpc_id = module.vpc.vpc_id
- name = var.name
-}
-
-resource "aws_security_group_rule" "egress" {
- security_group_id = aws_security_group.tailscale.id
- type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
-}
-
-resource "aws_security_group_rule" "internal_vpc_ingress_ipv4" {
- security_group_id = aws_security_group.tailscale.id
- type = "ingress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = [var.cidr]
-}
-
-resource "aws_security_group_rule" "internal_vpc_ingress_ipv6" {
- count = var.enable_ipv6 == false ? 0 : 1
-
- security_group_id = aws_security_group.tailscale.id
- type = "ingress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
-}
-
-resource "aws_security_group_rule" "tailscale_ingress" {
- security_group_id = aws_security_group.tailscale.id
- type = "ingress"
- from_port = 41641
- to_port = 41641
- protocol = "udp"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
-}
diff --git a/terraform/aws/internal-modules/aws-vpc/outputs.tf b/terraform/aws/internal-modules/aws-vpc/outputs.tf
index 234c506..c523e3a 100644
--- a/terraform/aws/internal-modules/aws-vpc/outputs.tf
+++ b/terraform/aws/internal-modules/aws-vpc/outputs.tf
@@ -30,10 +30,6 @@ output "natgw_ids" {
 value = module.vpc.natgw_ids
 }
-output "tailscale_security_group_id" {
- value = aws_security_group.tailscale.id
-}
-
 output "public_route_table_ids" {
 value = module.vpc.public_route_table_ids
 }