NRL-1385 Make VPC private

Author: jackleary

terraform/account-wide-infrastructure/dev/ec2.tf

@@ -1,15 +1,16 @@
 module "vpc" {
-  source                        = "../modules/vpc"
-  vpc_cidr_block                = var.vpc_cidr_block
-  enable_dns_hostnames          = var.enable_dns_hostnames
-  vpc_public_subnets_cidr_block = var.vpc_public_subnets_cidr_block
-  aws_azs                       = var.aws_azs
-  name_prefix                   = "nhsd-nrlf--dev"
+  source                         = "../modules/vpc"
+  vpc_cidr_block                 = var.vpc_cidr_block
+  enable_dns_hostnames           = var.enable_dns_hostnames
+  vpc_public_subnets_cidr_block  = var.vpc_public_subnets_cidr_block
+  vpc_private_subnets_cidr_block = var.vpc_private_subnets_cidr_block
+  aws_azs                        = var.aws_azs
+  name_prefix                    = "nhsd-nrlf--dev"
 }
 
-
 module "ec2" {
   source             = "../modules/ec2"
+  use_custom_ami     = true
   instance_type      = var.instance_type
   name_prefix        = "nhsd-nrlf--dev"
   target_bucket_arn  = module.dev-glue.target_bucket_arn
@@ -21,3 +22,31 @@ module "ec2" {
   subnet_id       = module.vpc.subnet_id
   security_groups = module.vpc.security_group
 }
+
+module "powerbi_gw_instance" {
+  source             = "../modules/ec2"
+  use_custom_ami     = true
+  instance_type      = var.instance_type
+  name_prefix        = "nhsd-nrlf--dev-powerbi-gw"
+  target_bucket_arn  = module.dev-glue.target_bucket_arn
+  glue_kms_key_arn   = module.dev-glue.aws_kms_key_arn
+  athena_kms_key_arn = module.dev-athena.kms_key_arn
+  athena_bucket_arn  = module.dev-athena.bucket_arn
+
+  subnet_id       = module.vpc.private_subnet_id
+  security_groups = [module.vpc.powerbi_gw_security_group_id]
+}
+
+module "powerbi_gw_instance_v2" {
+  source             = "../modules/ec2"
+  use_custom_ami     = false
+  instance_type      = var.instance_type
+  name_prefix        = "nhsd-nrlf--dev-powerbi-gw-v2"
+  target_bucket_arn  = module.dev-glue.target_bucket_arn
+  glue_kms_key_arn   = module.dev-glue.aws_kms_key_arn
+  athena_kms_key_arn = module.dev-athena.kms_key_arn
+  athena_bucket_arn  = module.dev-athena.bucket_arn
+
+  subnet_id       = module.vpc.private_subnet_id
+  security_groups = [module.vpc.powerbi_gw_security_group_id]
+}

terraform/account-wide-infrastructure/dev/vars.tf

@@ -38,8 +38,20 @@ variable "vpc_public_subnets_cidr_block" {
   default     = "10.0.0.0/24"
 }
 
+variable "vpc_private_subnets_cidr_block" {
+  type        = string
+  description = "CIDR Block for Private Subnets in VPC"
+  default     = "10.0.1.0/24"
+}
+
 variable "instance_type" {
   type        = string
   description = "Type for EC2 Instance"
   default     = "t2.micro"
 }
+
+variable "use_custom_ami" {
+  type        = bool
+  description = "Use custom image"
+  default     = false
+}

terraform/account-wide-infrastructure/modules/ec2/ec2.tf

@@ -1,7 +1,7 @@
 resource "aws_instance" "web" {
   #   associate_public_ip_address =
   iam_instance_profile = aws_iam_instance_profile.powerbi_profile.name
-  ami                  = data.aws_ami.PowerBI_Gateway.id
+  ami                  = local.selected_ami_id
   instance_type        = var.instance_type
   key_name             = aws_key_pair.ec2_key_pair.key_name
   subnet_id            = var.subnet_id
@@ -15,18 +15,16 @@ resource "aws_instance" "web" {
 
 }
 
-# Key pair for RDP access
 resource "tls_private_key" "instance_key_pair" {
   algorithm = "RSA"
 }
 
 resource "aws_key_pair" "ec2_key_pair" {
-  key_name   = "PowerBI-GateWay-Key"
+  key_name   = "${var.name_prefix}_PowerBI-GateWay-Key"
   public_key = tls_private_key.instance_key_pair.public_key_openssh
 }
 
-# Saving Key Pair for ssh login for Client if needed
-resource "local_file" "ssh_key" {
+resource "local_file" "ssh_key_priv" {
   filename = "${path.module}/keys/${aws_key_pair.ec2_key_pair.key_name}.pem"
   content  = tls_private_key.instance_key_pair.private_key_pem
 }

terraform/account-wide-infrastructure/modules/ec2/iam.tf

@@ -94,12 +94,17 @@ resource "aws_iam_policy" "ec2_service" {
   policy = data.aws_iam_policy_document.ec2_service.json
 }
 
-resource "aws_iam_role_policy_attachment" "ec2_service" {
+resource "aws_iam_role_policy_attachment" "ec2_role_policy" {
   role       = aws_iam_role.ec2_service_role.name
   policy_arn = aws_iam_policy.ec2_service.arn
 }
 
+resource "aws_iam_role_policy_attachment" "ec2_role_policy_ssm" {
+  role       = aws_iam_role.ec2_service_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
 resource "aws_iam_instance_profile" "powerbi_profile" {
-  name = "powerbi_profile"
+  name = "${var.name_prefix}-powerbi_instance_profile"
   role = aws_iam_role.ec2_service_role.name
 }

terraform/account-wide-infrastructure/modules/ec2/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway.id : data.aws_ami.windows-2019.id
+}

terraform/account-wide-infrastructure/modules/ec2/scripts/user_data.tpl

@@ -1,6 +1,8 @@
 
 
 <powershell>
+C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1
+
 Install-WindowsFeature -name Web-Server -IncludeManagementTools
 
 $instanceId   = (Invoke-WebRequest -Uri  http://169.254.169.254/latest/meta-data/instance-id -UseBasicParsing).content

terraform/account-wide-infrastructure/modules/ec2/vars.tf

@@ -6,3 +6,4 @@ variable "glue_kms_key_arn" {}
 variable "athena_kms_key_arn" {}
 variable "target_bucket_arn" {}
 variable "athena_bucket_arn" {}
+variable "use_custom_ami" {}

terraform/account-wide-infrastructure/modules/vpc/outputs.tf

@@ -2,6 +2,14 @@ output "subnet_id" {
   value = aws_subnet.public_subnet.id
 }
 
+output "private_subnet_id" {
+  value = aws_subnet.private_subnet.id
+}
+
 output "security_group" {
   value = [aws_security_group.sg.id]
 }
+
+output "powerbi_gw_security_group_id" {
+  value = aws_security_group.powerbi_gw_sg.id
+}

terraform/account-wide-infrastructure/modules/vpc/vars.tf

@@ -2,4 +2,5 @@ variable "aws_azs" {}
 variable "enable_dns_hostnames" {}
 variable "vpc_cidr_block" {}
 variable "vpc_public_subnets_cidr_block" {}
+variable "vpc_private_subnets_cidr_block" {}
 variable "name_prefix" {}

terraform/account-wide-infrastructure/modules/vpc/vpc.tf

@@ -1,4 +1,3 @@
-# Create the VPC
 resource "aws_vpc" "app_vpc" {
   cidr_block           = var.vpc_cidr_block
   enable_dns_hostnames = var.enable_dns_hostnames
@@ -8,7 +7,6 @@ resource "aws_vpc" "app_vpc" {
   }
 }
 
-# Create the internet gateway
 resource "aws_internet_gateway" "igw" {
   vpc_id = aws_vpc.app_vpc.id
 
@@ -17,7 +15,6 @@ resource "aws_internet_gateway" "igw" {
   }
 }
 
-# Create the public subnet
 resource "aws_subnet" "public_subnet" {
   vpc_id                  = aws_vpc.app_vpc.id
   cidr_block              = var.vpc_public_subnets_cidr_block
@@ -27,29 +24,59 @@ resource "aws_subnet" "public_subnet" {
   tags = {
     Name = "${var.name_prefix}-pubsubnet"
   }
+}
+
+resource "aws_subnet" "private_subnet" {
+  vpc_id            = aws_vpc.app_vpc.id
+  cidr_block        = var.vpc_private_subnets_cidr_block
+  availability_zone = var.aws_azs
 
+  tags = {
+    Name = "${var.name_prefix}-privsubnet"
+  }
 }
 
-# Create the route table
 resource "aws_route_table" "public_rt" {
   vpc_id = aws_vpc.app_vpc.id
 
   route {
     cidr_block = "0.0.0.0/0"
     gateway_id = aws_internet_gateway.igw.id
   }
+}
+
+resource "aws_route_table" "private_rt" {
+  vpc_id = aws_vpc.app_vpc.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.nat.id
+  }
+}
+
+resource "aws_eip" "natgw-ip" {
+  domain = "vpc"
+}
+
+resource "aws_nat_gateway" "nat" {
+  allocation_id = aws_eip.natgw-ip.id
+  subnet_id     = aws_subnet.public_subnet.id
 
+  tags = {
+    Name = "${var.name_prefix}-nat"
+  }
 }
 
-# Assign the public route table to the public subnet
 resource "aws_route_table_association" "public_rt_asso" {
   subnet_id      = aws_subnet.public_subnet.id
   route_table_id = aws_route_table.public_rt.id
 }
 
+resource "aws_route_table_association" "private_rt_asso" {
+  subnet_id      = aws_subnet.private_subnet.id
+  route_table_id = aws_route_table.private_rt.id
+}
 
-
-# Create the security group
 resource "aws_security_group" "sg" {
   name        = "allow_ssh_http"
   description = "Allow ssh http inbound traffic"
@@ -79,5 +106,18 @@ resource "aws_security_group" "sg" {
     cidr_blocks      = ["0.0.0.0/0"]
     ipv6_cidr_blocks = ["::/0"]
   }
+}
+
+resource "aws_security_group" "powerbi_gw_sg" {
+  name        = "powerbi-gw-sg"
+  description = "Only allow egress traffic"
+  vpc_id      = aws_vpc.app_vpc.id
 
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
 }