Category: Amazon Virtual Private Cloud

Terraform – Reference Resources During Deployment

Terraform is a powerful infrastructure as code (IaC) application. For example, it may be used to deploy an Amazon Virtual Private Cloud (Amazon VPC) along with its various components, such as a subnet. Doing so requires you to provide the Amazon VPC ID where the subnet will be deployed.

However, how do you provide Terraform with the VPC ID if the VPC has not been created yet? Terraform solves this by letting you reference the VPC resource in the code, as shown in the example below (aws_vpc.TERRAFORM-VPC.id). You specify the resource type (in this case aws_vpc, where the aws prefix identifies the service provider), the local name you gave the resource, and append the id attribute. Because the subnet references the VPC, Terraform also infers that the VPC must be created first.

# The VPC; its ID is not known until Terraform creates it
resource "aws_vpc" "TERRAFORM-VPC" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "VPC-01"
  }
}

# The subnet references the VPC's id attribute instead of a hard-coded ID
resource "aws_subnet" "TERRAFORM-SUBNET" {
  cidr_block = "10.0.1.0/24"
  vpc_id     = aws_vpc.TERRAFORM-VPC.id

  tags = {
    Name = "SUBNET-01"
  }
}


Terraform – Specify EC2 Instance Security Group

Using Terraform, you may specify the security group that will be associated with the Elastic Network Interface (ENI) of an Amazon EC2 instance at provisioning time by passing the security group ID in the vpc_security_group_ids argument.

The syntax for the vpc_security_group_ids argument is displayed below.

vpc_security_group_ids = [aws_security_group.security-group.id]


Terraform – EC2 Security Group ICMP Rule

Using Terraform, you may configure a security group for an Amazon EC2 instance. The block below creates an ingress rule that allows all ICMP (IPv4) traffic from any source network.

As this is an example for educational purposes, consider restricting the source IP address(es) in the cidr_blocks argument to the networks that actually need ICMP access.

ingress {
  description = "Allow all incoming ICMP - IPv4 traffic"
  from_port   = -1   # -1 with protocol "icmp" means all ICMP types
  to_port     = -1   # -1 means all ICMP codes
  protocol    = "icmp"
  cidr_blocks = ["0.0.0.0/0"]   # any IPv4 source; restrict this outside of a lab
}
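The following is an added example, not code from the original posts, that ties the three Terraform snippets above together: a VPC, a subnet that references the VPC's id attribute, a security group whose ICMP ingress is narrowed from 0.0.0.0/0 to a single admin network, and an EC2 instance attached to that group via vpc_security_group_ids. The region, the admin_cidr default (a documentation range) and the ami_id variable are assumed placeholders.

```hcl
provider "aws" {
  region = "us-east-1"   # assumption: any region works
}

variable "admin_cidr" {
  description = "Source network allowed to send ICMP to the instance (assumed value)"
  type        = string
  default     = "203.0.113.0/24"   # TEST-NET-3 documentation range, placeholder
}

variable "ami_id" {
  description = "AMI to launch (placeholder; supply a real AMI ID for the region)"
  type        = string
}

resource "aws_vpc" "TERRAFORM-VPC" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "VPC-01" }
}

resource "aws_subnet" "TERRAFORM-SUBNET" {
  vpc_id     = aws_vpc.TERRAFORM-VPC.id   # resolved after the VPC exists
  cidr_block = "10.0.1.0/24"
  tags       = { Name = "SUBNET-01" }
}

resource "aws_security_group" "security-group" {
  name        = "icmp-admin-only"
  description = "ICMP from the admin network only"
  vpc_id      = aws_vpc.TERRAFORM-VPC.id

  ingress {
    description = "Allow incoming ICMP - IPv4 from admin network"
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = [var.admin_cidr]   # narrowed from 0.0.0.0/0
  }
}

resource "aws_instance" "instance" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.TERRAFORM-SUBNET.id
  vpc_security_group_ids = [aws_security_group.security-group.id]
}
```

Running terraform plan shows the VPC, subnet, security group and instance ordered by these references, with no IDs hard-coded anywhere.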


Amazon Web Services – IAM Role for VPC Flow Logs

Configuring VPC flow logs to publish to CloudWatch Logs requires an IAM role that the VPC Flow Logs service can assume to write to the specified log group in CloudWatch. Amazon Web Services provides great documentation on this which may be found here.

The IAM policy for the role must at a minimum include the following permission.