diff --git a/.amazonq/agents/default.json b/.amazonq/agents/default.json
new file mode 100644
index 0000000..06dcefc
--- /dev/null
+++ b/.amazonq/agents/default.json
@@ -0,0 +1,71 @@
+{
+ "name": "q_ide_default",
+ "description": "Default agent configuration",
+ "prompt": "",
+ "mcpServers": {
+ "terraform": {
+ "command": "docker",
+ "args": [
+ "run",
+ "-i",
+ "--rm",
+ "hashicorp/terraform-mcp-server:0.3"
+ ]
+ }
+ },
+ "tools": [
+ "fs_read",
+ "execute_bash",
+ "fs_write",
+ "report_issue",
+ "use_aws",
+ "@terraform",
+ "fsRead",
+ "fsWrite",
+ "fsReplace",
+ "listDirectory",
+ "fileSearch",
+ "executeBash",
+ "codeReview",
+ "displayFindings"
+ ],
+ "toolAliases": {},
+ "allowedTools": [
+ "fs_read",
+ "report_issue",
+ "use_aws",
+ "execute_bash",
+ "fs_write",
+ "fsRead",
+ "listDirectory",
+ "fileSearch",
+ "codeReview",
+ "displayFindings"
+ ],
+ "toolsSettings": {
+ "use_aws": {
+ "alwaysAllow": [
+ {
+ "preset": "readOnly"
+ }
+ ]
+ },
+ "execute_bash": {
+ "alwaysAllow": [
+ {
+ "preset": "readOnly"
+ }
+ ]
+ }
+ },
+ "resources": [
+ "file://AmazonQ.md",
+ "file://README.md",
+ "file://.amazonq/rules/**/*.md"
+ ],
+ "hooks": {
+ "agentSpawn": [],
+ "userPromptSubmit": []
+ },
+ "useLegacyMcpJson": true
+}
\ No newline at end of file
diff --git a/.amazonq/mcp.json b/.amazonq/mcp.json
new file mode 100644
index 0000000..9504274
--- /dev/null
+++ b/.amazonq/mcp.json
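Review bot: `allowedTools` pre-approves `execute_bash` and `fs_write`, so the agent can run shell commands and write files without a confirmation prompt, while `resources` loads `README.md` and every `.amazonq/rules/**/*.md` into its context; text that lands in those files, including through a pull request that edits them, becomes instructions that can reach the shell and the filesystem unprompted. The `readOnly` preset under `toolsSettings.execute_bash.alwaysAllow` does not obviously narrow what `allowedTools` already grants; confirm the Q semantics, and if it does not, remove `execute_bash` and `fs_write` from `allowedTools` so they fall back to per-call approval. `use_aws` is likewise pre-approved with the `readOnly` preset as its only guard, and `useLegacyMcpJson` pulls in the GitHub and IAM servers from `.amazonq/mcp.json` on top of that.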
@@ -0,0 +1,37 @@
+{
+ "mcpServers": {
+ "terraform": {
+ "command": "docker",
+ "args": [
+ "run",
+ "-i",
+ "--rm",
+ "hashicorp/terraform-mcp-server:0.3"
+ ]
+ },
+ "github": {
+ "type": "stdio",
+ "command": "docker",
+ "args": [
+ "run",
+ "-i",
+ "--rm",
+ "-e",
+ "GITHUB_PERSONAL_ACCESS_TOKEN",
+ "ghcr.io/github/github-mcp-server:0.20.1"
+ ],
+ "env": {
+ "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_AWS_Q_PERSONAL_ACCESS_TOKEN}"
+ }
+ },
+ "awslabs.iam-mcp-server": {
+ "command": "uvx",
+ "args": ["awslabs.iam-mcp-server@latest"],
+ "env": {
+ "AWS_PROFILE": "ippon-data-lab",
+ "AWS_REGION": "eu-west-3",
+ "FASTMCP_LOG_LEVEL": "ERROR"
+ }
+ }
+ }
+}
diff --git a/.amazonq/rules/common.md b/.amazonq/rules/common.md
new file mode 100644
index 0000000..ca754ae
--- /dev/null
+++ b/.amazonq/rules/common.md
@@ -0,0 +1,7 @@
+# Common best Practices
+
+## Linting and testing
+
+- Use pre-commit to lint the code
+- Run "pre-commit run -a" before commiting/pushing to git remote
+- Use common hooks from https://github.com/pre-commit/pre-commit-hooks
diff --git a/.amazonq/rules/github_actions.md b/.amazonq/rules/github_actions.md
new file mode 100644
index 0000000..2add436
--- /dev/null
+++ b/.amazonq/rules/github_actions.md
@@ -0,0 +1,8 @@
+# GitHub Actions Best Practices
+
+When generating or modifying GitHub actions template files, follow these best practices:
+
+## Code Best Practices
+
+- When you use setup-* actions, try to get the latest versions of the software you need to install
+- Use pre-commit to run the hooks of the repository in the CI and install required software so hooks can work
diff --git a/.amazonq/rules/terraform_aws.md b/.amazonq/rules/terraform_aws.md
new file mode 100644
index 0000000..1012535
--- /dev/null
+++ b/.amazonq/rules/terraform_aws.md
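Review bot: The `awslabs.iam-mcp-server` entry launches `uvx awslabs.iam-mcp-server@latest`, an unpinned package that is started with `AWS_PROFILE` set to `ippon-data-lab`, so whatever is published under that name at launch time inherits the profile's IAM permissions; pin it to a release, `"args": ["awslabs.iam-mcp-server@<pinned-version>"]`, the way the two docker images are pinned to `0.3` and `0.20.1` (an image digest would be stronger still). This also contradicts the repository's own rule in `.amazonq/rules/terraform_aws.md` to always fix dependency versions. Passing the GitHub token through `${GITHUB_AWS_Q_PERSONAL_ACCESS_TOKEN}` rather than inline is the right call; keep that token's scopes limited to what the server is actually used for.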
@@ -0,0 +1,88 @@ +# Terraform AWS Best Practices + +When generating or modifying Terraform code for AWS, follow these best practices: + +## Structure and Organization + +- Use a modular structure with reusable modules +- Prefer to use existing OSS Terraform modules on the internet + - As a priority, use official Terraform registry: https://registry.terraform.io/namespaces/terraform-aws-modules + - Else, use CloudPosse registry: https://registry.terraform.io/namespaces/cloudposse +- Separate environments (dev, staging, prod) with separate workspaces or directories +- Use variables for all configurable parameters +- Prefer relative paths for local modules +- In Terraform root modules, put the Terraform providers' configuration in a file called providers.tf +- Terraform version constraints' and providers' constraints must stay in file called versions.tf +- Try to regroup resources by the Cloud Provider's services to avoid having all the code in one main.tf file + +## Security + +- Never use hard-coded credentials in code +- Use IAM roles with the principle of least privilege +- Enable default encryption for all services that support it (S3, RDS, etc.) 
+- Use restrictive security groups for network resources +- Prefer private VPCs with VPC endpoints over public access + +## State Management + +- Use a remote backend to store Terraform state +- Store the configuration of the Terraform backend in backend.tf Terraform file +- Enable versioning on the S3 state bucket +- Use state locking with S3 file lock (not DynamoDB) +- Do not include sensitive data in outputs + +## Naming and Tagging + +- Use a consistent naming scheme for all resources +- Do not add resource type as a suffix or prefix to resource names (for instance, use "my-app" instead of "my-app-vpc") +- Systematically apply tags for: + - Environment (dev, staging, prod) + - Owner + - Project + - Cost Center + - Managed By: “terraform” + - Root Module URL: + +## Performance and Costs + +- Use on-demand instances for development and reserved instances for production +- Configure lifecycle policies for S3 buckets +- Use Auto Scaling Groups to scale resources on demand +- Configure CloudWatch alarms to monitor costs + +## Code Best Practices + +- Always use fixed versions for providers and modules to avoid regressions between two `terraform plan` commands (do not use Terraform version constraint ~>) +- Document code as much as possible with README.md, variable descriptions, output descriptions, and comments (do not over-comment either when datasource/resource are self explaining) +- Use validations for input variables +- Prefer conditional resources over count for optional resources +- Use for_each over count for multiple resources +- Always add .terraform.lock.hcl files to Terraform root modules to be consistent between multiple deployments + +## Networking + +- Use private subnets for resources that do not require direct Internet access +- Configure NAT Gateways only in environments that require them +- Use Transit Gateways for multi-account/multi-VPC architectures + +## Deployment + +- Always use terraform plan before applying changes +- Integrate Terraform 
into CI/CD pipelines for production environments +- Use blue/green approaches for critical updates + +## Non-regression + +- To avoid regressions, it is best to fix dependency versions. +- For Terraform OSS modules, use a fixed version (preferably the latest available on the Terraform registry) in the module version field + +## Linting and testing + +- Use pre-commit to lint the code with the following hooks: terraform_fmt, terraform_validate, terraform_docs, terraform_docs, terraform_trivy +- Each validator for Terraform input variables must be tested, but only failed cases. +- For each module generated, an example must be provided. +- For each example, there must be a test that runs it. + +## Use of MCP + +- Check each generated code to ensure that everything is correct (syntax, Terraform arguments) using the MCP server `terraform-mcp-server`. Before generating any code, ensure that interaction with this MCP server is working properly. diff --git a/.github/workflows/vpc-demo-deploy.yml b/.github/workflows/vpc-demo-deploy.yml new file mode 100644 index 0000000..68f72a4 --- /dev/null +++ b/.github/workflows/vpc-demo-deploy.yml 
@@ -0,0 +1,95 @@ +name: VPC Demo - Terraform Deploy + +on: + push: + branches: + - main + paths: + - 'vpc-demo/**' + pull_request: + branches: + - main + paths: + - 'vpc-demo/**' + workflow_dispatch: + +permissions: + id-token: write + contents: read + pull-requests: write + +jobs: + terraform: + name: Terraform + runs-on: ubuntu-latest + defaults: + run: + working-directory: vpc-demo + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.13.5 + terraform_wrapper: false + + - name: Install terraform-docs + run: | + curl -sSLo /tmp/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.19.0/terraform-docs-v0.19.0-linux-amd64.tar.gz + tar -xzf /tmp/terraform-docs.tar.gz -C /tmp + sudo mv /tmp/terraform-docs /usr/local/bin/ + + - name: Install trivy + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + + - name: Run pre-commit + uses: pre-commit/action@v3.0.1 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role + aws-region: eu-west-3 + + - name: Terraform Init + run: terraform init + + - name: Terraform Plan + id: plan + run: terraform plan -no-color -var="aws_profile=" -out=tfplan + continue-on-error: true + + - name: Comment PR + if: github.event_name == 'pull_request' + uses: actions/github-script@v7 + with: + script: | + const output = `#### Terraform Plan 📖\`${{ steps.plan.outcome }}\` + +
Show Plan + + \`\`\`terraform + ${{ steps.plan.outputs.stdout }} + \`\`\` + +
`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + + - name: Terraform Apply + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + run: terraform apply -auto-approve -var="aws_profile=" tfplan diff --git a/.gitignore b/.gitignore index 6349e36..208a18b 100644 --- a/.gitignore +++ b/.gitignore @@ -10,8 +10,8 @@ crash.log crash.*.log # Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject # to change depending on the environment. *.tfvars *.tfvars.json diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..bad13ce --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,20 @@ +repos: + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.96.2 + hooks: + - id: terraform_fmt + - id: terraform_validate + - id: terraform_docs + args: + - --hook-config=--path-to-file=README.md + - --hook-config=--add-to-existing-file=true + - --hook-config=--create-file-if-not-exists=true + - id: terraform_trivy + args: + - --args=--severity=HIGH,CRITICAL + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v6.0.0 + hooks: + - id: check-merge-conflict + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/README.md b/README.md index 72bf392..a632dee 100644 --- a/README.md +++ b/README.md 
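Review bot: The apply step at the end of the hunk passes `-var="aws_profile="` together with the saved plan file `tfplan`, and Terraform rejects `-var` when applying a saved plan, so the push-to-main apply fails on every run; the line should read `run: terraform apply -auto-approve tfplan` (the variable value is already recorded in the plan). The plan step carries `continue-on-error: true` and nothing afterwards checks `steps.plan.outcome`, so on a push a failed plan still falls through to the apply step; add a step guarded by `if: steps.plan.outcome == 'failure'` that runs `exit 1` after the PR comment. The trivy installer is fetched from the `main` branch of its repository with `curl ... | sh`, and the terraform-docs tarball is not checksum-verified, which places unpinned code on a runner that later assumes an AWS role; pin the trivy install to a tagged release as terraform-docs is pinned to v0.19.0, and verify both downloads. The plan also runs on `pull_request` with the same role and posts its full output to the PR, so anything sensitive in the plan becomes visible to every reader of the PR.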
@@ -49,7 +49,7 @@ git checkout -b live-coding-5 Prompt enrichi via les Q rules, le serveur MCP Terraform et code généré à partir d'un schéma Excalidraw ajouté dans le contexte du prompt suivant : ``` -Create the Terraform code from the schema. +Create the Terraform code from the schema. ``` ## Live coding 6 @@ -58,8 +58,16 @@ Create the Terraform code from the schema. git checkout -b live-coding-6 ``` -Prompt enrichi via des Q rules "prod-ready" (Terraform / GitHub Actions / ...) et de multiples serveurs MCP pour déployer jusqu'en production : +Les prompts sont enrichis via des Q rules "prod-ready" et de multiples serveurs MCP pour déployer jusqu'en production. + +Prompt pour configurer un OIDC provider : + +``` +Could you configure an IAM provider with OIDC in my AWS account with profile ippon-data-lab so that I can use it from GitHub please? You can store the Terraform state in aws-q-academy-terraform-states S3 bucket and use the same profile to store the state on S3. +``` + +Prompt pour déployer un VPC : ``` -Create a VPC with 3 private and 3 public subnets with Terraform and deploy it thanks to GitHub Actions. +Create a VPC with 3 private and 3 public subnets with Terraform in folder vpc-demo and deploy it thanks to GitHub Actions. ``` diff --git a/github-oidc/.terraform.lock.hcl b/github-oidc/.terraform.lock.hcl new file mode 100644 index 0000000..a3fa96c --- /dev/null +++ b/github-oidc/.terraform.lock.hcl 
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.82.2" + constraints = "5.82.2" + hashes = [ + "h1:RuPaHbllUB8a2TGTyc149wJfoh6zhIEjUvFYKR6iP2E=", + "zh:0262fc96012fb7e173e1b7beadd46dfc25b1dc7eaef95b90e936fc454724f1c8", + "zh:397413613d27f4f54d16efcbf4f0a43c059bd8d827fe34287522ae182a992f9b", + "zh:436c0c5d56e1da4f0a4c13129e12a0b519d12ab116aed52029b183f9806866f3", + "zh:4d942d173a2553d8d532a333a0482a090f4e82a2238acf135578f163b6e68470", + "zh:624aebc549bfbce06cc2ecfd8631932eb874ac7c10eb8466ce5b9a2fbdfdc724", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9e632dee2dfdf01b371cca7854b1ec63ceefa75790e619b0642b34d5514c6733", + "zh:a07567acb115b60a3df8f6048d12735b9b3bcf85ec92a62f77852e13d5a3c096", + "zh:ab7002df1a1be6432ac0eb1b9f6f0dd3db90973cd5b1b0b33d2dae54553dfbd7", + "zh:bc1ff65e2016b018b3e84db7249b2cd0433cb5c81dc81f9f6158f2197d6b9fde", + "zh:bcad84b1d767f87af6e1ba3dc97fdb8f2ad5de9224f192f1412b09aba798c0a8", + "zh:cf917dceaa0f9d55d9ff181b5dcc4d1e10af21b6671811b315ae2a6eda866a2a", + "zh:d8e90ecfb3216f3cc13ccde5a16da64307abb6e22453aed2ac3067bbf689313b", + "zh:d9054e0e40705df729682ad34c20db8695d57f182c65963abd151c6aba1ab0d3", + "zh:ecf3a4f3c57eb7e89f71b8559e2a71e4cdf94eea0118ec4f2cb37e4f4d71a069", + ] +} diff --git a/github-oidc/README.md b/github-oidc/README.md new file mode 100644 index 0000000..64cd4d8 --- /dev/null +++ b/github-oidc/README.md 
@@ -0,0 +1,59 @@ +# GitHub OIDC Provider for AWS + +This Terraform configuration creates an IAM OIDC provider for GitHub Actions and an IAM role that can be assumed by your GitHub workflows. + +## Prerequisites + +- AWS CLI configured with profile `ippon-data-lab` +- Terraform 1.10.5 + +## Usage + +1. Copy the example variables file: +```bash +cp terraform.tfvars.example terraform.tfvars +``` + +2. Edit `terraform.tfvars` with your GitHub organization and repository: +```hcl +github_org = "your-org" +github_repo = "aws-q-academy" +``` + +3. Initialize Terraform: +```bash +terraform init +``` + +4. Apply the configuration: +```bash +terraform apply +``` + +## GitHub Actions Workflow + +Use the role in your GitHub Actions workflow: + +```yaml +permissions: + id-token: write + contents: read + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::721665305066:role/github-actions-role + aws-region: eu-west-3 + + - name: Run AWS commands + run: aws sts get-caller-identity +``` + +## Resources Created + +- IAM OIDC Provider for GitHub Actions +- IAM Role with AdministratorAccess (adjust permissions as needed) diff --git a/github-oidc/backend.tf b/github-oidc/backend.tf new file mode 100644 index 0000000..7e38988 --- /dev/null +++ b/github-oidc/backend.tf @@ -0,0 +1,9 @@ +terraform { + backend "s3" { + bucket = "aws-q-academy-terraform-states" + key = "github-oidc/terraform.tfstate" + region = "eu-west-3" + use_lockfile = true + profile = "ippon-data-lab" + } +} diff --git a/github-oidc/iam.tf b/github-oidc/iam.tf new file mode 100644 index 0000000..1b1e978 --- /dev/null +++ b/github-oidc/iam.tf 
@@ -0,0 +1,49 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_openid_connect_provider" "github" {
+ url = "https://token.actions.githubusercontent.com"
+ client_id_list = ["sts.amazonaws.com"]
+ thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+
+ tags = {
+ Name = "github-actions-oidc"
+ ManagedBy = "terraform"
+ Environment = "shared"
+ }
+}
+
+resource "aws_iam_role" "github_actions" {
+ name = var.role_name
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ Federated = aws_iam_openid_connect_provider.github.arn
+ }
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:${var.github_org}/${var.github_repo}:*"
+ }
+ }
+ }
+ ]
+ })
+
+ tags = {
+ Name = var.role_name
+ ManagedBy = "terraform"
+ Environment = "shared"
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_admin" {
+ role = aws_iam_role.github_actions.name
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
diff --git a/github-oidc/outputs.tf b/github-oidc/outputs.tf
new file mode 100644
index 0000000..2fb36c2
--- /dev/null
+++ b/github-oidc/outputs.tf
@@ -0,0 +1,14 @@
+output "oidc_provider_arn" {
+ description = "ARN of the GitHub OIDC provider"
+ value = aws_iam_openid_connect_provider.github.arn
+}
+
+output "role_arn" {
+ description = "ARN of the IAM role for GitHub Actions"
+ value = aws_iam_role.github_actions.arn
+}
+
+output "role_name" {
+ description = "Name of the IAM role for GitHub Actions"
+ value = aws_iam_role.github_actions.name
+}
diff --git a/github-oidc/providers.tf b/github-oidc/providers.tf
new file mode 100644
index 0000000..d5759c9
--- /dev/null
+++ b/github-oidc/providers.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = var.region
+ profile = "ippon-data-lab"
+}
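Review bot: The trust policy's `StringLike` subject is `repo:${var.github_org}/${var.github_repo}:*` and the role receives `AdministratorAccess`, so a workflow run on any branch, tag or pull request of the repository can assume an administrator role; `.github/workflows/vpc-demo-deploy.yml` in this same commit does exactly that on `pull_request` for its plan step. Narrow the subject to the deploying ref, `"token.actions.githubusercontent.com:sub" = "repo:${var.github_org}/${var.github_repo}:ref:refs/heads/main"`, or to a GitHub environment, and replace the managed admin policy with one scoped to the VPC resources the workflow manages, as the repository's own rule file on least privilege asks. `data "aws_caller_identity" "current"` at the top of the hunk is not referenced by any file visible in the commit.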
diff --git a/github-oidc/terraform.tfvars.example b/github-oidc/terraform.tfvars.example
new file mode 100644
index 0000000..b5a8cae
--- /dev/null
+++ b/github-oidc/terraform.tfvars.example
@@ -0,0 +1,4 @@
+github_org = "your-github-org"
+github_repo = "aws-q-academy"
+role_name = "github-actions-role"
+region = "eu-west-3"
diff --git a/github-oidc/variables.tf b/github-oidc/variables.tf
new file mode 100644
index 0000000..2c52dd5
--- /dev/null
+++ b/github-oidc/variables.tf
@@ -0,0 +1,21 @@
+variable "region" {
+ description = "AWS region"
+ type = string
+ default = "eu-west-3"
+}
+
+variable "github_org" {
+ description = "GitHub organization or username"
+ type = string
+}
+
+variable "github_repo" {
+ description = "GitHub repository name"
+ type = string
+}
+
+variable "role_name" {
+ description = "IAM role name for GitHub Actions"
+ type = string
+ default = "github-actions-role"
+}
diff --git a/github-oidc/versions.tf b/github-oidc/versions.tf
new file mode 100644
index 0000000..78abf9e
--- /dev/null
+++ b/github-oidc/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.7.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.82.2"
+ }
+ }
+}
diff --git a/vpc-demo/.terraform.lock.hcl b/vpc-demo/.terraform.lock.hcl
new file mode 100644
index 0000000..505e11b
--- /dev/null
+++ b/vpc-demo/.terraform.lock.hcl
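Review bot: `github_org` and `github_repo` have no `validation` block although both are interpolated into the `StringLike` subject of the role trust policy in `iam.tf`, where `*` and `?` act as wildcards; a value such as `*` silently widens the trust to every GitHub repository. Restrict them to the characters GitHub allows in logins and repository names, as below for `github_org` (use `^[A-Za-z0-9._-]+$` for `github_repo`); this also satisfies the repository's own rule to validate input variables.

```hcl
variable "github_org" {
  description = "GitHub organization or username"
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9][A-Za-z0-9-]*$", var.github_org))
    error_message = "github_org must be a plain GitHub login; wildcard characters would widen the OIDC trust policy."
  }
}
```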
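Review bot: `required_version = ">= 1.7.0"` admits Terraform releases that do not accept the `use_lockfile = true` argument set in `backend.tf`, since the S3 backend only gained native lockfile locking in 1.10, so `terraform init` on a 1.7–1.9 binary fails with an unsupported-argument error; raise it to `required_version = ">= 1.10.0"` (the module README already lists 1.10.5 and the workflow pins 1.13.5). `vpc-demo/versions.tf` carries the same constraint next to the same `use_lockfile` backend and needs the same change.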
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "6.19.0" + constraints = ">= 6.0.0, 6.19.0" + hashes = [ + "h1:5qq2jk+G9fymBqnOmtHR30L6TLMlMoZ7TsSXOAYl0qU=", + "zh:221061660f519f09e9fcd3bbe1fc5c63e81d997e8e9e759984c80095403d7fd6", + "zh:2436e7f7de4492998d7badfae37f88b042ce993f3fdb411ba7f7a47ff4cc66a2", + "zh:49e78e889bf5f9378dfacb08040553bf1529171222eda931e31fcdeac223e802", + "zh:5a07c255ac8694aebe3e166cc3d0ae5f64e0502d47610fd42be22fd907cb81fa", + "zh:68180e2839faba80b64a5e9eb03cfcc50c75dcf0adb24c6763f97dade8311835", + "zh:6c7ae7fb8d51fecdd000bdcfec60222c1f0aeac41dacf1c33aa16609e6ccaf43", + "zh:6ebea9b2eb48fc44ee5674797a5f3b093640b054803495c10a1e558ccd8fee2b", + "zh:8010d1ca1ab0f89732da3c56351779b6728707270c935bf5fd7d99fdf69bc1da", + "zh:8ca7544dbe3b2499d0179fd289e536aedac25115855434d76a4dc342409d335a", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:c6ed10fb06f561d6785c10ff0f0134b7bfcb9964f1bc38ed8b263480bc3cebc0", + "zh:d011d703a3b22f7e296baa8ddfd4d550875daa3f551a133988f843d6c8e6ec38", + "zh:eceb5a8e929b4b0f26e437d1181aeebfb81f376902e0677ead9b886bb41e7c08", + "zh:eda96ae2f993df469cf5dfeecd842e922de97b8a8600e7d197d884ca5179ad2f", + "zh:fb229392236c0c76214d157bb1c7734ded4fa1221e9ef7831d67258950246ff3", + ] +} diff --git a/vpc-demo/README.md b/vpc-demo/README.md new file mode 100644 index 0000000..9657756 --- /dev/null +++ b/vpc-demo/README.md 
@@ -0,0 +1,47 @@ +# VPC Demo + +This Terraform module creates an AWS VPC with 3 private and 3 public subnets across 3 availability zones. + +## Architecture + +- **VPC CIDR**: 10.0.0.0/16 +- **Private Subnets**: 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 +- **Public Subnets**: 10.0.101.0/24, 10.0.102.0/24, 10.0.103.0/24 +- **NAT Gateway**: Single NAT Gateway for cost optimization +- **Internet Gateway**: Enabled for public subnets + +## Usage + +### Local Deployment + +```bash +terraform init +terraform plan +terraform apply +``` + +### GitHub Actions Deployment + +Push to the repository to trigger automatic deployment via GitHub Actions. + +## Variables + +| Name | Description | Default | +|------|-------------|---------| +| region | AWS region | eu-west-3 | +| aws_profile | AWS profile to use | "" | +| project | Project name | vpc-demo | +| environment | Environment name | dev | +| vpc_cidr | CIDR block for VPC | 10.0.0.0/16 | +| availability_zones | List of availability zones | ["eu-west-3a", "eu-west-3b", "eu-west-3c"] | + +## Outputs + +| Name | Description | +|------|-------------| +| vpc_id | The ID of the VPC | +| vpc_cidr_block | The CIDR block of the VPC | +| private_subnets | List of IDs of private subnets | +| public_subnets | List of IDs of public subnets | +| nat_gateway_ids | List of NAT Gateway IDs | +| internet_gateway_id | The ID of the Internet Gateway | diff --git a/vpc-demo/backend.tf b/vpc-demo/backend.tf new file mode 100644 index 0000000..f10bfd3 --- /dev/null +++ b/vpc-demo/backend.tf @@ -0,0 +1,8 @@ +terraform { + backend "s3" { + bucket = "aws-q-academy-terraform-states" + key = "vpc-demo/terraform.tfstate" + region = "eu-west-3" + use_lockfile = true + } +} diff --git a/vpc-demo/outputs.tf b/vpc-demo/outputs.tf new file mode 100644 index 0000000..f26e8ad --- /dev/null +++ b/vpc-demo/outputs.tf 
@@ -0,0 +1,29 @@ +output "vpc_id" { + description = "The ID of the VPC" + value = module.vpc.vpc_id +} + +output "vpc_cidr_block" { + description = "The CIDR block of the VPC" + value = module.vpc.vpc_cidr_block +} + +output "private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc.private_subnets +} + +output "public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc.public_subnets +} + +output "nat_gateway_ids" { + description = "List of NAT Gateway IDs" + value = module.vpc.natgw_ids +} + +output "internet_gateway_id" { + description = "The ID of the Internet Gateway" + value = module.vpc.igw_id +} diff --git a/vpc-demo/providers.tf b/vpc-demo/providers.tf new file mode 100644 index 0000000..fa21b68 --- /dev/null +++ b/vpc-demo/providers.tf @@ -0,0 +1,13 @@ +provider "aws" { + region = var.region + profile = var.aws_profile + + default_tags { + tags = { + Environment = var.environment + Project = var.project + ManagedBy = "terraform" + RootModuleURL = "https://github.com/ippontech/aws-q-academy" + } + } +} diff --git a/vpc-demo/variables.tf b/vpc-demo/variables.tf new file mode 100644 index 0000000..18c73e5 --- /dev/null +++ b/vpc-demo/variables.tf @@ -0,0 +1,35 @@ +variable "region" { + description = "AWS region" + type = string + default = "eu-west-3" +} + +variable "aws_profile" { + description = "AWS profile to use" + type = string + default = "" +} + +variable "project" { + description = "Project name" + type = string + default = "vpc-demo" +} + +variable "environment" { + description = "Environment name" + type = string + default = "dev" +} + +variable "vpc_cidr" { + description = "CIDR block for VPC" + type = string + default = "10.0.0.0/16" +} + +variable "availability_zones" { + description = "List of availability zones" + type = list(string) + default = ["eu-west-3a", "eu-west-3b", "eu-west-3c"] +} 
diff --git a/vpc-demo/versions.tf b/vpc-demo/versions.tf
new file mode 100644
index 0000000..06bbda1
--- /dev/null
+++ b/vpc-demo/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.7.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "6.19.0"
+ }
+ }
+}
diff --git a/vpc-demo/vpc.tf b/vpc-demo/vpc.tf
new file mode 100644
index 0000000..716e35b
--- /dev/null
+++ b/vpc-demo/vpc.tf
@@ -0,0 +1,20 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "6.5.0"
+
+ name = "${var.project}-${var.environment}"
+ cidr = var.vpc_cidr
+
+ azs = var.availability_zones
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ tags = {
+ Name = "${var.project}-${var.environment}"
+ }
+}
diff --git a/vpc_architecture.excalidraw.png b/vpc_architecture.excalidraw.png
new file mode 100644
index 0000000..fc30e20
Binary files /dev/null and b/vpc_architecture.excalidraw.png differ
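Review bot: `private_subnets` and `public_subnets` are hard-coded `10.0.x.0/24` literals while `cidr` is taken from `var.vpc_cidr`, so any override of `vpc_cidr` produces subnets outside the VPC and the apply fails; derive them from the variable with `private_subnets = [for i in range(length(var.availability_zones)) : cidrsubnet(var.vpc_cidr, 8, i + 1)]` and `public_subnets = [for i in range(length(var.availability_zones)) : cidrsubnet(var.vpc_cidr, 8, i + 101)]`, which yields the same six CIDRs for the defaults. The module is also created without VPC flow logs (`enable_flow_log` is not set), leaving no network-level audit trail for the deployed VPC; the rule file added in this commit asks for restrictive networking and encryption, and flow logs are the usual companion to both.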